Friday, July 10, 2015

Scams spreading through Skype



I got a message today on Skype to check out an eBay page with my name on. Sounds great!

Hey $name! Look http://www.ebay.com/new/$username





Another example is:






However, the link was not exactly pointing to eBay:

Not eBay, but what appears to be google.dj







Turns out the actual link behind the eBay one is pointing to:





What follows after is for tracking and to disable the Redirect notice message from Google. For those who are curious, google.dj is a legitimate website of Google for the African country Djibouti.

The what seems to be random numbers is actually just hex for:





When you click the link, you will simply do a Google search for that webpage and visit it. This does not mean google.dj is compromised in any way. As an example, you can use the same link but instead use google.com instead of google.dj.

On the lengthy site mentioned above, you'll get a Javascript which you can view on this Pastebin link:
Scams spreading through Skype
(In short, it does a simple math.random method to serve you a slightly different website each time.)



Fiddler capture






Eventually, you'll end up on a typical weight loss scam website:

Obviously not the real Women's Health website









Trying to leave the website










Long story short.....


Prevention

Install the WOT extension into your browser. (Compatible with most modern browsers)
WOT is a community-based tool and is therefore very useful for these kinds of scams, whereas other users can warn you about the validity.

Use a strong password for Skype and anything else for that matter.

Don't click on "funny" links. A trick is to "hover" on the link to reveal the actual website behind it.



Disinfection

Close your browser.

Change your Skype password immediately. How do I change my password?

If the message came from an unknown contact, How do I report abuse by someone in Skype?

If the message came from a friend, be sure to notify him/her and to follow the steps in this post.

To be sure, you can always run a scan with your favorite antivirus and/or antimalware product. (however, I have not seen any malware in this particular campaign)


Conclusion

In the past, malware has spread via Skype, but this is the first time I'm seeing a scam presented in this way. I have contacted Skype to ask how they were able to hide the actual website behind the eBay link, as I do not know - if you do, be sure to let me know in the comments.

Also, follow the steps above to stay safe.