Dissection of an Anti-Virus Scam Attempt

The following describes a scam attempt of the well-known “your computer is infected” type. It describes in some detail the techniques used to give the rogue website the appearance of a highly honourable point-of-sale, and identifies some safe practices every user should adopt to ensure their own security. Keep in mind that in addition to making the gullible user pay for a useless piece of software, these sorts of scams are expected to have them willingly install spyware turning their computer into a credit card number collector or a botnet node, or both.

In the following, the symbol :!: identifies details which a careful internet user should learn to recognise as dubious, and YES the safe practices they should adopt.

A Skype Message

One shouldn't use Skype. It is closed-source software and is based on proprietary and non-interoperable protocols. This already leaves plenty of latitude to the owners of the company to do whatever the hell they want with what they collect from their network, while at the same time herding their users into a closed paddock from which they will not be able to escape.

That said, however, it is not part of the problem detailed here. A Skype client is running on one of our computers for experiments a colleague is currently running. Today, we received this message.

Ayyeeee! My computer is vulnerable!

  • :!: Why and how would Skype (or a user on there) know anything about the computer's current status? This is the job of the anti-virus! This already smells phishy.
  • :!: In some cases (like mine), one may not be running Windows at all, casting immediate discredit on the fake warning message.
  • YES The best reaction to have is of course NOT to click on the provided link, nor to do anything mentioned in the message (why should this purported security warning be added to your contacts?).
  • YES An even better reaction is to report the scam attempt. In this case (Skype) after blocking the user, don't forget to check the box to report abuse.

The “Update” Website

Disregarding all of the safety advice above, let's click on the link to see where it takes us. Once again, a wise user would not even bother doing that. But we are curious!

The link leads to a website which starts scanning the computer for viruses. Worse, it finds some… a lot! Or so it says.

Damn! It doesn't look good!

  • :!: Why is it running in my web browser window? Why would a website (now) scan my computer for viruses? Once again, this is the role of my anti-virus!
  • :!: (Maybe) Why don't the folder and window decorations (title bar with minimise and close buttons) look like my normal Windows environment? If it were a real application, they should (apart from some crappy applications which shouldn't change their appearance anyway; confusing the user is bad enough!).
  • :!: Do I even have a D: hard disk? Or a DVD-RAM drive?
  • YES Once again, the best reaction is to close this window.
  • YES An even better one (at least for Firefox users) is to go to the Help menu and select Report Web Forgery, thus helping others avoid getting scammed as well.

Ignoring this advice and letting the “scan” finish, we eventually “learn” that the computer is infected with oh so many threats.

The computer is infected.

  • :!: Do the window decorations match the rest of my system?
  • :!: Why can't I move the “WARNING!!!” window just like any other?
  • YES Close the page
  • YES Report web forgery (see above)

Luckily, they have a solution to “Erase all threats.” For the sake of experiment, we eagerly click on it. It asks us to pay twenty-odd bucks for a “Windows Software Patch” which appears to do everything except make coffee.

Maybe the solution?

  • :!: Do I know the seller?
  • :!: Do I even know what I am buying?
  • :!: Since when are security updates for my operating system for a fee?
  • :!: Can I get more information about it anywhere?
  • YES Close the page
  • YES Report forgery

The Checkout and Payment Portal

By now, anybody of sound mind having followed the previous pieces of advice would have closed the scam window. We keep investigating to see if there is anything more. There is.

As we proceed to the checkout page, we are given the opportunity to pay for the software.

With such a big padlock, I sure feel safe.

Being about to give out a bank card number over the net, there are a few things which always need to be checked.

For a long time, people have been instructed to check for padlocks in the window to make sure the connection was secure. This advice on its own should be taken with a pinch of salt.

It would appear from this site that it is secure. There are four of those padlocks all around, including a very, very big one. It's padlock galore! Unfortunately, three of them are mere decoration and do not mean anything with respect to security or any other matter.

  1. The two small padlocks towards the top: one on the left of the address bar, and its repetition in the tab name (left of “Secure Order Form”), are just an icon (commonly referred to as the favicon) that a webmaster can set up to help users identify their site. It could be anything else, and doesn't mean anything.
    • YES It is good to learn to recognise favicons in a browser in order not to mistake them for a security feature.
  2. The big padlock in the bottom of the page is part of the content of the page. Once again, it is in full control of the webmaster to put anything they want in the page, regardless of their meaning. In this case, this big padlock is actually there to create trust in the naive user. Yet again, this doesn't mean anything.
  3. The last padlock, at the very bottom right of the browser, is not in a webmaster-controlled space. It is in the status bar which the browser uses to give information to the user.
    • YES Knowing where this padlock is, and what it should look like is a must before considering starting to buy things online.

Recognising “genuine” padlocks is one thing, but it is also important to understand what they mean. In jargon, the padlock displayed by the browser means that an SSL connection has been established with the web server. It is secure in the sense that all communication with this server is encrypted, and an eavesdropper wouldn't be able to do anything with what they capture. This is desirable when one is about to send sensitive information (bank card number, logins and passwords, personal details, etc.) over the web.

:!: However, such a padlock doesn't mean that the site one is connected to is trustworthy at all! A scammer could easily create a secure web server (they do that all the time, including in this example) to collect information that they could use the way they like afterwards.

To get some more confidence in the trustworthiness of a site, further checks are necessary. YES Looking in the address bar (clicking in the coloured zone may be necessary) can provide some trust information.

The following table compares the result for our dubious scam website with that of a well established and trusted company.

                 Encrypted but not verified                          Encrypted and verified
  Connection     An encrypted connection to an unverified website    An encrypted connection to the trusted website of a verified company
  Address bar    Blue background, base address of the website        Green background, name of the company
  • :!: This example is based on Mozilla Firefox; the criteria to verify may vary with other vendors
  • YES Learn how one's (your!) browser identifies these differences to the user
  • YES Don't be fooled by a debauchery of padlocks and other things that just look secure
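As an added illustration (not part of the original post), the following Python script makes the distinction drawn above explicit in code: it separates the question “is the connection encrypted and to this host?” from the question “has anyone verified who runs the host?”. It inspects a certificate in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns, checks that one of the certificate's DNS names covers the host name we connected to (honouring a wildcard only in the left-most label), checks the expiry date, and reports whether the certificate names an organisation. The two certificates, their host names and the issuer names are constructed for this example; using the presence of an organisation name as a proxy for the “verified company” case is this example's simplification of what the browser shows, not a rule from the article. `fetch_peer_cert` shows how the live dictionary would be obtained with the standard library.

```python
import socket
import ssl
import time

# Two constructed peer-certificate dictionaries in the shape returned by
# ssl.SSLSocket.getpeercert(): the first mimics a domain-validated certificate
# such as a scam checkout page might carry, the second a certificate that also
# names the organisation behind the site. All names here are made up.
DV_CERT = {
    "subject": ((("commonName", "secure-order-form.example"),),),
    "issuer": (
        (("organizationName", "Example DV Certificate Authority"),),
        (("commonName", "Example DV CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2099 GMT",
    "subjectAltName": (("DNS", "secure-order-form.example"),),
}

OV_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Well Established Company Ltd"),),
        (("commonName", "www.shop.example"),),
    ),
    "issuer": (
        (("organizationName", "Example OV Certificate Authority"),),
        (("commonName", "Example OV CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2099 GMT",
    "subjectAltName": (("DNS", "www.shop.example"), ("DNS", "*.shop.example")),
}


def dn_to_dict(rdns):
    """Flatten getpeercert()'s tuple-of-RDNs form into {attribute: value}."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def host_matches(pattern, hostname):
    """Match a DNS name from the certificate against the host we connected to.
    A wildcard is honoured only as the whole left-most label (RFC 6125 style),
    so '*.shop.example' covers 'www.shop.example' but not 'shop.example'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def assess_certificate(cert, hostname, now=None):
    """Separate the two questions the padlock conflates: is the connection
    to *this* host, and does anyone vouch for *who* runs it?"""
    now = time.time() if now is None else now
    subject = dn_to_dict(cert.get("subject", ()))
    issuer = dn_to_dict(cert.get("issuer", ()))
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and "commonName" in subject:  # legacy CN-only certificates
        names = [subject["commonName"]]
    hostname_matches = any(host_matches(n, hostname) for n in names)
    expired = now > ssl.cert_time_to_seconds(cert["notAfter"])
    organization = subject.get("organizationName")

    if not hostname_matches or expired:
        verdict = "do not trust: certificate does not currently identify this host"
    elif organization:
        verdict = "encrypted, and the organisation named in the certificate was verified"
    else:
        verdict = "encrypted, but only control of the domain name was verified"
    return {
        "hostname_matches": hostname_matches,
        "expired": expired,
        "organization": organization,
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "verdict": verdict,
    }


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Retrieve a server's live certificate for assess_certificate().
    The default context already validates the chain and the host name and
    raises ssl.SSLCertVerificationError if they do not check out; the dict
    is only populated once that validation has succeeded."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert, host in (("scam checkout", DV_CERT, "secure-order-form.example"),
                              ("trusted shop", OV_CERT, "www.shop.example")):
        report = assess_certificate(cert, host)
        print(f"{label:14} -> organisation: {report['organization']!r}; {report['verdict']}")
```

Both constructed certificates pass the host-name and expiry checks, so both would earn a browser padlock; only the second names an organisation, which is the extra piece of information the address bar comparison above is asking the user to look for.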

Take Home Summary

  • YES One should make sure “security warnings” come from a source that can actually check the status of a computer (i.e. maybe Windows Update, but certainly not a random unknown Skype user), and learn to distinguish these warnings from fakes.
    • YES In short: know what to expect from your applications, and what not to expect. Discard anything unexpected.
  • :!: A padlock doesn't mean a website is trustworthy,
    • YES the company information has to be checked.
  • :!: A “Secure” badge doesn't mean a website is trustworthy,
    • YES the linked report should be consulted.
      • :!: Is the report from a trustworthy security company's website, or just the same scam one step deeper?
        • YES The same cautionary approach applies to the verifier's website.
  • YES If any doubt that it is a scam, don't go further: do not download anything, do not pay for anything, just close the page(s).
    • YES Even better, report the problem (menu Help/Report Web Forgery in Firefox).

Of course, before going through all the trouble of checking a website before buying anything from it, the first question one should ask themselves is “:!: Do I know what I am buying?” The second one is, of course “:!: Is it actually what unmistakably appears on the checkout form?”

See Also

  1. Brett Stone-Gross, Ryan Abman, Richard A. Kemmerer, Christopher Kruegel, Douglas G. Steigerwald, and Giovanni Vigna. “The Underground Economy of Fake Antivirus Software.” In WEIS 2011, 10th Workshop on Economics of Information Security.
