The following describes a scam attempt of the well-known “your computer is infected” type. It describes in some detail the techniques used to give the rogue website the appearance of a highly honourable point of sale, and identifies some safe practices every user should adopt to ensure their own security. Keep in mind that, in addition to making the gullible user pay for a useless piece of software, these sorts of scams are expected to have them willingly install spyware that turns their computer into a credit card number collector or a botnet node, or both.
In the following, symbols identify details which a careful internet user should learn to recognise as dubious, and YES safe practices they should adopt.
One shouldn't use Skype. It's closed-source software and is based on proprietary and non-interoperable protocols. This already leaves plenty of latitude to the owners of the company to do whatever the hell they want with what they collect from their network while at the same time herding their users into a closed paddock from which they will not be able to escape.
That said, however, it is not part of the problem detailed here. A Skype client is running on one of our computers for experiments a colleague is currently running. Today, we received this message.
Disregarding any of the safety advice above, let's click on the link to see where it takes us. Once again, a wise user would not even bother doing that. But we are curious!
The link leads to a website which starts scanning the computer for viruses. Worse, it finds some… a lot! Or so it says.
D: hard disk? Or a DVD-RAM drive?
Ignoring this advice and letting the “scan” finish, we eventually “learn” that the computer is infected with oh so many threats.
Luckily, they have a solution to “Erase all threats.” For the sake of experiment, we eagerly click on it. It invites us to pay twenty-odd bucks for a “Windows Software Patch” which appears to do everything except make coffee.
By now, anybody sound of mind having followed the previous pieces of advice would have closed the scam window. We keep investigating to see if there is anything more. There is.
As we proceed to the checkout page, we are given the opportunity to pay for the software.
When about to give out a bank card number over the net, there are a few things which always need to be checked.
For a long time, people have been instructed to check for padlocks in the window to make sure the connection was secure. This advice on its own should be taken with a pinch of salt.
It would appear from this site that it is. There are four of those padlocks all around, including a very very big one. It's padlock galore! Unfortunately, three of them are mere decoration and do not mean anything with respect to security or other matters.
Recognising “genuine” padlocks is one thing, but it is important to also understand what they mean. In jargon, the padlock displayed by the browser means that an SSL connection has been established with the web server. It is secure in the sense that all communication with this server is encrypted, and an eavesdropper wouldn't be able to do anything with what they capture. This is desirable when one is about to send sensitive information (bank card number, logins and passwords, personal details, etc.) over the web.
However, such a padlock doesn't mean that the site one is connected to is trustworthy at all! A scammer could easily create a secure web server (they do that all the time, including in this example) to collect information that they could use the way they like afterwards.
To get some more confidence in the trustworthiness of a site, further checks are necessary. YES Looking in the address bar (clicking in the coloured zone may be necessary) can provide some trust information.
The following table compares the result for our dubious scam website with that of a well-established and trusted company.

| Dubious scam website | Well-established, trusted company |
|---|---|
| Encrypted but not verified | Encrypted and verified |
| Blue background, base address of the website | Green background, name of the company |
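
The same distinction can be read from the certificate itself: a certificate that only names a domain proves encryption, while one that also carries a vetted organisation is what earns the company name. The Python sketch below is an added example, not part of the original article; it assumes certificates in the dictionary form returned by Python's `ssl.getpeercert()`, and the two sample certificates and their host names are constructed.

```python
import socket
import ssl

# Subject attributes a CA adds only after vetting the legal entity behind a
# site (Extended Validation). Names are those used by ssl.getpeercert().
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

# Constructed sample certificates (not real sites), in getpeercert() form.
SCAM_LIKE = {"subject": ((("commonName", "checkout.example.test"),),)}
EV_LIKE = {"subject": (
    (("jurisdictionCountryName", "GB"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "00000000"),),
    (("countryName", "GB"),),
    (("organizationName", "Example Bank Ltd"),),
    (("commonName", "www.example-bank.test"),),
)}


def subject_fields(cert):
    """Flatten the nested RDN tuples of a getpeercert() dict into one dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def identity_level(cert):
    """Return (level, name shown to the user) for a validated certificate."""
    subject = subject_fields(cert)
    organisation = subject.get("organizationName")
    if organisation and EV_SUBJECT_FIELDS.issubset(subject):
        return ("encrypted and verified", organisation)
    # Assumption of this example: an organisation name without the EV fields
    # is still treated as unverified, so only the site address is shown.
    return ("encrypted but not verified", subject.get("commonName", "(no name)"))


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server's certificate; chain and host name are checked."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("scam-like", SCAM_LIKE), ("EV-like", EV_LIKE)):
        print(label, "->", identity_level(cert))
```

To check a live site, pass the result of `fetch_cert()` for its host name to `identity_level()`.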
Of course, before going through all the trouble of checking a website before buying anything from it, the first question one should ask themselves is “Do I know what I am buying?” The second one is, of course, “Is it actually what unmistakably appears on the checkout form?”