By: Julien Sobrier

When Scammers Call You At Home

Malware

UPDATE: I've updated the post with a second Skype call I received on 1/17.

Scammers are always trying new ways to reach their targets to fool them into buying free software, sending credit card information, etc. Yesterday, they called me directly at home!

I was working on my computer when I got a Skype call from an unknown caller with a Skype ID of "NOTIFICATION® URGENT - WWW.SWNOW.COM - UPGRADE INSTRUCTIONS". The automated call explained that my "software protections" were disabled and I had to urgently go to www.swnow.com (spelled out in the call). I could not record the call, but it was very similar to what you hear when you visit hxxp://www.swnow.com/.

Skype call from a scammer

The call does not give any information about who is calling or what this "software protection" is supposed to be. It lasted 1 min. 50 secs. and basically just urged me to visit www.swnow.com.

Skype call information

When visited, hxxp://www.swnow.com/ displays a fake antivirus page. It looks different than the Fake AV sites that use Blackhat spam SEO to reach users. Of course, the site purports that numerous viruses are found on your computer...

Fake AV claim to have found viruses
The website is trying to sell the antivirus solution, rather than trying to get users to install malware disguised as a free AV program. The website is well designed. The button "Activate Computer Protections" shows an "activation" form.

Check out form
Then, the website gathers some personal information (name, e-mail address, etc.) via the "activation" form.

Information gathering

Finally, the user is sent to a different website, securecheckouts.org, to process the payment.


Payment processing form

Looking at the HTML code, the page only contains an iframe, pointing to hxxp://www.liveadmin.com/affiliates.php?affil104, where the payment form is actually hosted.

HTML source of securecheckouts.org
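
A checkout page that is nothing but a frame around a form hosted elsewhere can be flagged automatically. The sketch below is an added example, not part of the original post: it reports the foreign host when a page's only content is a single iframe served from a different host. The sample HTML is constructed, and the function name, the `example` domains and the 40-character text threshold are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ShellParser(HTMLParser):
    # Collects iframe sources and counts visible text outside these tags.
    SKIP = {"script", "style", "noscript", "title"}

    def __init__(self):
        super().__init__()
        self.iframes, self.text_len, self._skip = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
        elif tag == "iframe":
            self.iframes.append(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_len += len(data.strip())


def iframe_shell_target(page_url, html, max_text=40):
    """Return the foreign iframe host if the page is an iframe-only shell, else None."""
    p = _ShellParser()
    p.feed(html)
    if len(p.iframes) != 1 or p.text_len > max_text:
        return None
    page_host = (urlparse(page_url).hostname or "").lower()
    frame_host = (urlparse(p.iframes[0]).hostname or "").lower()
    # Relative src or same host: the content is served by the site itself.
    # Simplification: hosts are compared exactly, not by registered domain.
    if not frame_host or frame_host == page_host:
        return None
    return frame_host

# Constructed samples modelled on the structure described above (not the real source).
SHELL = """<html><head><title>Checkout</title></head><body>
<iframe src="http://payments.example.net/affiliates.php?id=1" width="100%"></iframe>
</body></html>"""
NORMAL = """<html><body><h1>Order summary</h1><p>Review your items before paying
with the form below.</p><iframe src="/widgets/cart.html"></iframe></body></html>"""

if __name__ == "__main__":
    print(iframe_shell_target("http://checkout.example.org/", SHELL))
    print(iframe_shell_target("http://checkout.example.org/", NORMAL))
```

A hit is only a signal worth reviewing, since legitimate sites also embed third-party payment frames.
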
There has been a steady rise of websites trying to resell free software (AVG and other antivirus, OpenOffice, P2P clients, etc.) or deliver fake stores that claim to offer software at deep discounts, etc. However, this was the first time that I've encountered a Skype call being used to push users to visit a fake store.


Second call

I received a similar Skype call on 11/17. I was urged to visit www.msgmf.com to protect my computer. The website is similar to www.swnow.com. It tricks users into paying $19.95 through click2sell.eu for an antivirus.

Second Skype call spam
Fake antivirus on www.msgmf.com
Antivirus "activation" page
Payment form on click2sell.eu

-- Julien
