While botnets in the past had to run on systems that attackers owned or had compromised, they can now run on Skype and other cloud-based chat programs, providing an even lower-cost alternative for attackers. And that’s exactly what has happened in a widespread Skype solicitation phishing campaign.
Ronnie Tokazowski, a researcher at PhishMe, said in an analysis that the attack sent messages over Skype, where the attackers placed calls from a username that also contained a link to a domain, www.viewror[d]com. Once the link is clicked, a voice directs the user to click the download link and install a “proprietary” video player in order to play the video.
Once the executable, VideoPlayer.exe, is opened, it asks to run as administrator, after which the user is presented with a screen to install the player. Tokazowski points out that there’s nothing proprietary about it. The media player is actually a real thing, called Media Player Classic, and it’s available as a free download online.
What it does do, however, is provide an excuse for the program to install and run a bundle of unrelated junk code, including several pieces of adware.
The campaign, carried out via a botnet that spreads through the cloud, is, in fact, part of an affiliate program in which the attacker is paid on a per-install or per-download basis.
But wait, there’s more: “One of the final steps is to install Search Protect, a very shady application that gives you protected searches,” the researcher said.
After a user alerted it to the campaign, PhishMe said it compiled a list of the domains and bot names the attackers used and then worked with Amazon Web Services and Microsoft to disrupt the botnet.
“When users are trained to spot suspicious things, the amount of information you can get back increases one hundred-fold,” said Tokazowski. “And in this case, the user reported a small piece of information, which resulted in the disruption of a large adware campaign, on both the infrastructure and bot side of things.”