Re: IM upgrade automated social engineering attack

To: Dragos Ruiu <dr@xxxxxxx>
Subject: Re: IM upgrade automated social engineering attack
From: Roman Shirokov <insecure@xxxxxxxxx>
Date: Tue, 6 Nov 2007 10:37:50 +0000
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <200711011908.43670.dr@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200711011908.43670.dr@xxxxxxx>
Reply-to: Roman <Shirokov@xxxxxxxxx>

Hey all

I confirm that, I received several messages as well. The text of
message is:

WINDOWS REQUIRES IMMEDIATE ATTENTION
=============================

ATTENTION ! Security Center has detected
malware on your computer !

Affected Software:

Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win98
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns

Recommendation: Users running vulnerable version should install a repair
utility immediately

Your system IS affected, download the patch from the address below !
Failure to do so may result in severe computer 
malfunction.http://www.alertmonitor.org/?q=updatescan


> With all the proliferation of phone home for update systems in
> even trivial software packages these days, neophyte users 
> can easily get confused about legitimate upgrades and imposters. 
> So someone is trying to take advantage of this with an 
> automated version of an old school social engineering 
> attack via Skype spam.

> Someone/something/.someone's-botnet on skype last night 
> contacted users who reported it to me. The messages were
> formatted to resemble Microsoft update messages or an AV scan
> with a link to click to update and/or repair malware in a number 
> of Microsoft products. None of the users who reported it to me 
> clicked on the link so its not clear what the installed malware 
> was after.

> A series of users with the name "Scan Alert" followed by the registered
> trade mark sign originating from a numeric range of skype userids 
> following the form:
>         scan.alert.o<number>

> ...have been sending these unsolicited messages. These id's seem
> to be registered in the US. Please warn your users to ignore and be 
> wary of social engineering attacks purporting to be upgrades via 
> IM, because without doubt the persons behind this will try other 
> variants.

> A little bit of googling indicates these folks have been active for
> at least two weeks.

> cheers,
> --dr




-- 
Best regards,

Roman Shirokov

e-mail:insecure@xxxxxxxxx

Sic itur ad astra

Follow-Ups:
- Re: IM upgrade automated social engineering attack
  - From: Dragos Ruiu

References:
- IM upgrade automated social engineering attack
  - From: Dragos Ruiu

Prev by Date: [CVE-2007-5741] Plone: statusmessages and linkintegrity unsafe network data hotfix
Next by Date: SMF .htaccess bypass
Previous by thread: IM upgrade automated social engineering attack
Next by thread: Re: IM upgrade automated social engineering attack
Index(es):
- Date
- Thread