Rogue Anti-Spyware come-ons and Skype security
by Rich Sutton, November 1st, 2007
This is a screenshot of an unsolicited message that has recently been seen on Skype:
If you click through on the link, you’ll see a web page with some cute JavaScript that makes it look like a security scan is being done on your computer. The bogus scan then reports that it found malware and recommends downloading a product called “Scan and Repair Utilities 2007” — which is a well-known rogue anti-spyware application. If you click through on that, you’ll be asked for your credit card information.
This particular scam was first reported a couple of weeks ago. There are other similar variants that have been running around for a few months. What’s interesting about this threat is that there’s no actual code exploit (unlike the Skype worm from last month) — the attack relies entirely on social engineering.
Obviously, your first line of defense here is blocking malware and spyware sites in your web filter, which would prevent the end user from being able to view the fake scan and download the rogue security software. The sites referenced in this bit of Skype spam are categorized in the 8e6 database as Spyware. But what if the sites aren’t in your web filtering vendor’s database?
Because there’s no exploit being carried out, there’s no virus signature you can deploy to protect your users from this threat. There is (currently) no Skype spam-blocking software you can buy that filters this kind of stuff out from legit Skype traffic. You can mash together some technologies to help, like the Firefox NoScript extension if you’re not on IE. Some web filtering vendors can block Skype completely or in combination with a firewall policy that blocks all outbound UDP. (We are working on the latter, because 8e6’s appliances don’t look at UDP.) But if your users use Skype for business, there’s not much technology to choose from.
But you can do a lot on the policy side:
Make sure that your users know whether or not Skype is allowed per corporate policy. Explicitly address it in your acceptable use policy (AUP), then publicize your decision.
Make sure that your users harden Skype.
- Enable automatic hotfixes (Tools –> Options –> Advanced).
- Don’t use SkypeMe mode.
- Set the most restrictive privacy settings. Allow only users in your contact list to start chats or calls and don’t show your status on the web (Tools –> Options –> Privacy, or File –> Privacy). Instruct your users to bootstrap their contacts with other users over the phone or email.
And as always, keep your users trained. Make sure they understand that there is such a thing as fake security software, the purpose of which is to prey on the disconnect between users understanding the need for security and understanding what they should do to be secure. Training closes that gap. Also make sure that they know not to trust unsolicited messages, no matter how they arrive: over IM, email or txt.
