Friday, 30 July 2010

Social Engineering Skype Trusted Contact Inquiry


Even if it was, I don’t care
Yesterday night, I was almost a victim of social engineering based on trusted connections with a contact on Skype.
The question came, “is this you on picc??..”, then a URL constructed to have Facebook in the address.
I should have been suspicious of this because my friend, from whom this apparently came, does his punctuation and rarely uses strange words, but my basic feeling of trust overrode the logic of my thinking.
I clicked on the link and, rather than going to a page, it downloaded a file with the .exe extension, which really got me suspicious: how could he have asked if I was on a picc or picture and then sent an executable file rather than a picture or a webpage?
Persuasion of the friendly kind
The genius of social engineering here is that I was first persuaded by the fact that this message came from a trusted contact asking a question that would rouse one's curiosity regardless of whether you were on Facebook or not.
He had apparently received this code through his Yahoo email from a trusted contact and inadvertently ran the code, but did not realise that he had infected his system despite the warning he received from his Antivirus utility. It is possible that the utility might just have said opening a file of that type is unsafe rather than that it was malicious.
The clean-up
We all have the tendency to override such warnings and almost always have to pay dearly for it. His Antivirus utility did not detect the problem after a full scan; however, I also asked him to download Destroy, which is a free utility that inoculates web browsers and searches for malware.
The utility detected Bredolab.fb, which is a kind of credential logger; it was removed and we can safely assume the system is clean. However, I happen to be one of two people whose Skype profile was online on my friend’s system who received this stuff, and both of us reacted before we questioned the real provenance.
The significance of the second link is that, when I did not fall for the redirect URL in the first inquiry, it used the TinyURL link shrinker to give the same reference, deceptively named like a picture (JPG) on Facebook, but I was not taking that bait twice.
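As an added example, not part of the original post or of any tool it mentions: a small Python helper that flags the three lure patterns described above (a brand name such as Facebook placed in a URL whose registered domain is something else, a URL-shortener host that hides the real destination, and a file name that looks like a picture but ends in an executable extension). The shortener list, the naive registered-domain logic and the sample links are assumptions constructed for illustration; the post does not give the actual URLs.

```python
from urllib.parse import urlparse

# Hosts of common URL shorteners. Illustrative list (an assumption),
# not something the original post provides.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "is.gd", "ow.ly"}

# Extensions Windows will run directly; double-clicking one of these is
# the "opening a file of this type is unsafe" moment in the story.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def registered_domain(host):
    """Naive registrable domain: the last two labels of the host.

    Assumption for illustration only; real code should consult the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def file_extensions(path):
    """Extensions of the last path segment, e.g.
    '/pics/IMG_0123.jpg.exe' -> ['.jpg', '.exe']."""
    name = path.rsplit("/", 1)[-1].lower()
    return ["." + part for part in name.split(".")[1:] if part]


def classify_link(url, brand="facebook"):
    """Return a list of reasons the link looks like a social-engineering lure.

    An empty list means none of the heuristics fired; it does not mean
    the link is safe.
    """
    reasons = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    rdom = registered_domain(host)

    # 1. Brand name somewhere in the URL, but the registrable domain is not
    #    the brand's own (e.g. facebook.com.example.net, or /facebook/ in the path).
    if brand in url.lower() and rdom != f"{brand}.com":
        reasons.append(f"'{brand}' in URL but registered domain is {rdom}")

    # 2. Shortener: the visible link says nothing about where you will land.
    if rdom in SHORTENER_HOSTS:
        reasons.append(f"URL shortener {rdom} hides the real destination")

    # 3. Executable download, and the 'picture' that is really a program.
    exts = file_extensions(parsed.path)
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"link points at an executable ({exts[-1]})")
        if len(exts) >= 2 and exts[-2] in IMAGE_EXTS:
            reasons.append(f"image-like name with executable extension ({''.join(exts[-2:])})")

    return reasons


def is_suspicious(url, brand="facebook"):
    return bool(classify_link(url, brand))


# Constructed sample links, modelled on the two messages described in the
# post; the real URLs are not given there.
SAMPLE_LINKS = [
    "http://www.facebook.com/photo.php?fbid=1234567890",        # genuine-looking: no heuristic fires
    "http://facebook.com.example.net/photos/IMG_0123.jpg.exe",  # first message: 'Facebook' in the address, .exe download
    "http://tinyurl.com/facebook-pic.jpg",                       # second message: shortener, named like a JPG
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = classify_link(link)
        print(link)
        if not verdict:
            print("  no heuristic fired")
        for reason in verdict:
            print("  -", reason)
```

The check deliberately looks at the link text itself and never fetches it: the first message in the story only revealed itself as a download once the link was followed, which is exactly the step a lure is designed to get you past.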
The graphic of the situation appears below.
Skype Malware
