Friday, May 09, 2008

Skype Phishing Pages Serving Exploits and Malware

"Please, don't update your account information", at least not on recently spammed phishing pages which will not only aim at obtaining your accounting data, but will also infect with you malware through exploiting MS06-014. These phishing emails are a great example of blended threats, and while we're been witnessing the ongoing consolidation between phishers, spammers and malware authors for the last two years, this particular phishing campaign looks like a lone gunman operation.

Original message : "Dear valued skype member: It has come to our attention that your skype account informations needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records on or before May 11, 2008. you are requested to update your account informations at the following link. To update your informations."

Phishing URL :, which is then forwarding to where the malware and the exploit are hosted.

Scanners result : Result: 3/31 (9.68%)
VBS/Small.W.1; Exploit-MS06-014
File size: 13569 bytes
MD5...: 4d6a559adf0602f7fd58b884e00894dc
SHA1..: 056f75e0dd94d03daeb04ae83d1b4a1b7476c0f2
SHA256: 3f08427228489edffd57e927db571aea06716c192ec72f91ea8115c0c7f978eb

The phishing page wasn't created, but copied from Skype's original login page. The phisher even left an email within the VBS, in this case - Virtual greed or contact point optimization for fraudulent purposes, passive phishing attacks can sometimes be quite active and leave the curious clicker with a false feeling of security.