What happens when you update Windows via Skype.
Today I got a Skype alert saying, “Update Notice: WINDOWS REQUIRES IMMEDIATE ATTENTION URGENT SYSTEM SCAN NOTIFICATION ! PLEASE READ CAREFULLY !!”. Usually I just laugh and block the sender. Today, I was feeling a little bit mischievous. I made sure that my system and browser were up to date with the latest security patches, and I enabled NoScript. Since the message said that I should go to “updatevm.com” immediately – I did.
Once I arrived at updatevm.com, I saw that there was a simple redirection script. This is completely useless because it eventually attempts to redirect everything to the same page. This attack page was probably created for other uses (such as OS/browser-specific exploits), but was later rewritten for a much simpler social-engineering purpose. The site is likely owned by someone with little coding knowledge (or with little time). From a coding standpoint, it has far too much extra code that only decreases its efficiency (unfortunately, not by much). If those who say “code is poetry” are right, then these guys can hardly write.
A quick whois shows that this site is registered to an “Alek Smith” from Prague (Czech Republic). A Smith from Prague? I doubt that is a real name.
The lack of beauty in the code probably doesn’t make that big of a difference. In fact, the simplicity of the attack vector is probably why these pages are so popular among cyber criminals. Upon following the redirection, I stumbled upon something interesting.
It seems that (even though I was viewing this page from Linux) Windows was packed full of viruses. Looking at the source code, all of the links use a simple JavaScript trick to hide the actual URI from the user:
<a onclick="javascript:window.location='https://cart.secureorderstore.com/secureorder/spcreg50511.php';return false;" href="#">
On following the link, here is what I found:
https://cart.secureorderstore.com/… contains a real-looking order form. The whois says that this is registered to “Aliah Jakinag from Sibirski Russia”. Upon looking at the source once more, I found that it contained nothing but a full-screen iframe pointing to:
https://usd.swreg.org/cgi-bin/s.cgi?s=43835&p=43835….
This page is a “legitimate” order form hosted by SWREG. There is no need to compromise a host and filter through a bunch of information that can be used for financial gain if you can just trick users into sending you money. Do you end up with a bot that you can sell on the black market – no. Is it more likely to work – no. Do you get an immediate payoff with less risk – yes.
Furthering this experiment, I went back to secureorderstore.com and fired up wfuzz. Since this attack is still live, I figured there might be some more sites in the same ID range as this particular page.
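The two tricks described above (an anchor whose visible href is a dummy “#” while onclick sets window.location, and a page that is nothing but a full-screen iframe into another domain) are easy to surface from the raw HTML without rendering it. The following is an added example, not code from the original post or from the pages it describes; the sample HTML is constructed from the tags quoted above, with the SWREG query string shortened as it is in the post.

```javascript
// Added example: static checks that reveal the real destination behind
// href="#" + onclick anchors and flag iframes that hand the page to another host.
// Regex-based so it runs in plain Node.js with no DOM library.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const IFRAME_RE = /<iframe\b([^>]*)>/gi;

// Read one attribute (double- or single-quoted) out of a tag's attribute string.
// Requires a leading space so "href" inside an onclick body is not picked up.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// URL assigned to window.location / location.href inside an onclick handler, if any.
function locationTarget(onclick) {
  if (!onclick) return null;
  const m = /(?:window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/i.exec(onclick);
  return m ? m[1] : null;
}

// Anchors whose shown href is a dummy ("", "#", "javascript:...") but whose
// onclick navigates elsewhere: the destination the user never sees on hover.
function findHiddenLinks(html) {
  const out = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = attr(m[1], 'href') || '';
    const real = locationTarget(attr(m[1], 'onclick'));
    const dummy = href === '' || href === '#' || /^javascript:/i.test(href);
    if (real && dummy) out.push({ shownHref: href, realTarget: real });
  }
  return out;
}

// Iframes whose src lives on a different host than the embedding page.
function findOffsiteIframes(html, pageHost) {
  const out = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const src = attr(m[1], 'src');
    if (!src) continue;
    try {
      const host = new URL(src).hostname;
      if (host !== pageHost) out.push({ src, host });
    } catch (e) { /* relative or malformed src: not off-site */ }
  }
  return out;
}

// Constructed sample modelled on the two pages described in the post.
const SAMPLE_HTML = `
<a onclick="javascript:window.location='https://cart.secureorderstore.com/secureorder/spcreg50511.php';return false;" href="#">Remove viruses now</a>
<a href="https://example.com/about">About</a>
<iframe src="https://usd.swreg.org/cgi-bin/s.cgi?s=43835&p=43835" width="100%" height="100%"></iframe>`;

console.log(findHiddenLinks(SAMPLE_HTML));
console.log(findOffsiteIframes(SAMPLE_HTML, 'cart.secureorderstore.com'));
```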
for i in $(seq 50250 50800); do echo spcreg$i.php >> fuzz.ls; done
./wfuzz.py -c -z file -f fuzz.ls --hc 404 --html https://cart.secureorderstore.com/secureorder/FUZZ 2>res.html
Unfortunately, this didn’t find anything new. I suppose I could hit them a little harder and try to find something, but I don’t want to make anyone mad. Google searching shows that this site has been around for a while and that it uses more than just the pattern I fuzzed.
As a note, I was going to report this issue to SWREG, but their site does not appear to have an abuse reporting system in place. I wouldn’t trust them with any of your purchases. Sorry – no hard feelings, Alek and Aliah.
Moral of this article:
- Online criminals often use less technical techniques that rely on people’s lack of online knowledge/awareness (nothing new here). As security professionals, we should work on increasing community awareness just as much as we work on secure code.
- Never update Windows with links found in Skype notifications.
I typed in the web address after I got the message, but I quickly closed the window. Should I be worried??
Jack,
As far as I could tell, the address that I took a look at for this blog post did not have any way to take over the user’s computer; however, these types of attacks are constantly evolving. It is not uncommon for web templates to be sold on the black market. Once a malicious hacker buys the page, they can change it to do whatever they want, even though it looks the same as many other fraudulent sites.
So, to answer your question…
If you are up to date with all of your security patches, and have good anti-virus installed, then you are probably alright. Just keep an eye out for anything strange.
Many spam emails will contain links with a unique ID. So, just by clicking on the link, it tells the spammers that the link is “active” and that there is a real person on the other side. If you want to keep your inbox clean, clicking on a link to a spam message is probably not a good idea (with spam, even the unsubscribe link is dangerous).
Good luck,
Trenton
Haha, I got the message and it said
“Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns”
and I happened to be running one of my scripts to shut down the computer in x minutes.
I read on and, after seeing the “affected software” list all of the main OSes, googled it and came to this page.
It’s a nice rundown, and I thank you for not letting me waste my time trying to figure out why Skype knew exactly what I’m doing on my computer. =P