Originally published by Mobility Loop.

Reposted with permission.

Copyright 2006 Core Competence Inc.

All rights reserved.



Beware Phone Phishers Bearing False Gifts

Monday, November 21, 2005

Written by Lisa Phifer

To many travelers, Skype has been something of a godsend -- free software that converts your laptop or Pocket PC into an inexpensive, easy-to-use Internet phone. Calls between Skype users are free; calls to landlines anywhere on the globe run less than 3 cents per minute. Security researchers have been seeking "the catch," dissecting proprietary software and protocols to find hidden gotchas, but Skype users don't seem to be worried. Most let their enthusiasm for this handy mobile service drown out vague rumblings about possible risks.

And herein lies perhaps the biggest security threat: careless user behavior. It didn't take long for attackers to capitalize on Skype's skyrocketing popularity. In late October, hundreds of Skype users fell victim to phishing emails, installing IRCbot trojans posing as the latest Skype software.

When Trojans Come Calling

In late October, about a week after Skype released version 1.4 of its Internet phone software, virus trackers like MessageLabs began to see trojan-laden Skype phishing emails. These messages, which purported to be advertisements sent by Skype, tricked users into opening attachments with names like Skype for Windows 1.4, Skype-details, and Skype-info. Instead of carrying Skype software or documentation, these attachments carried variants of FANBOT. When executed, FANBOT displays a "file could not be opened" error message, plants itself in the Windows system folder as REMOTE.EXE, changes the Windows registry so that it auto-runs at startup, and uses its own SMTP engine to send copies of itself to other victims harvested from the Windows Address Book. It also connects over a random port to a remote IRC server so that it can receive attacker commands to download or execute files, get system information, send mass emails, or update/remove itself. Within days, this trojan had infected over 800 systems.

Less than one week later, a second Skype-related trojan was found in the wild: LOOKSKY. This phishing email carried the subject line "Skylook for Skype." It claimed to be a call recording utility for Skype users, bundled with an offer for SkypeOut call discounts. Like FANBOT, this malware replicates itself and plants a trojan backdoor agent. But it also plants a keystroke logger and updates itself every ten minutes by contacting a designated website over port 8080. Fortunately, only a handful of LOOKSKY infections have been reported to date.

Old Threats in New Wrapping Paper

Skype is by no means uniquely vulnerable to phishing attacks like these. In fact, these trojans have nothing to do with Skype software itself; they merely hitched a ride on Skype's popularity.

However, these incidents may have benefited from a lack of corporate IT oversight for Skype and other Peer-to-Peer (P2P) applications that employees enjoy using but tend to install themselves. Tension between these users and the IT administrators charged with protecting them can lead to "sneaking" such programs onto company laptops and PDAs. It's really no surprise that P2P programs are frequent trojan targets, because self-installed programs typically bypass IT vetting, software distribution, monitoring, and vulnerability alerting.

If you're an individual using Skype, how can you avoid becoming a victim? Employ routine Internet best practices, like never opening unsolicited file attachments and keeping your anti-virus and anti-spyware updated. In this case, signature updates were quickly available to detect FANBOT and LOOKSKY. If you must install software yourself, download it directly from the vendor's website and verify the program's signature before executing it. In this case, you can check Skype's signature using the PGP public key posted at the bottom of Skype's security page. Finally, keep a watchful eye on vulnerabilities and security threats -- for example, see Skype Security Bulletins and this Skype Phishing and Spoofing Alert.
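The FANBOT and LOOKSKY lures described above worked because an executable arrived dressed up as Skype software or documentation. Here is an added example (not from the original article) of the kind of check a mail gateway or a cautious user can apply before an attachment is ever opened: it inspects each attachment's real content rather than its label. The sample message, the attachment file extensions and the sender address are constructed for the demonstration; the article names the lure attachments only without extensions.

```python
"""Flag email attachments that look like executables posing as Skype
software or documentation. Added example; sample data is constructed."""
import email
from email import policy
from email.message import EmailMessage

# Attachment names reported in the article, lower-cased for matching.
LURE_NAMES = ("skype for windows 1.4", "skype-details", "skype-info")
# Extensions Windows will execute on double-click.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def suspicious_attachments(raw: bytes):
    """Return [(filename, [reasons])] for attachments that warrant blocking.
    The decisive test is the content itself: a Windows PE file always starts
    with the bytes b"MZ", whatever name or icon it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        lower = name.lower()
        reasons = []
        if data[:2] == b"MZ":
            reasons.append("PE executable by magic bytes")
        if lower.endswith(EXEC_EXTS):
            reasons.append("executable extension")
            # "report.txt.exe" style names try to hide the real extension.
            if lower.count(".") > 1:
                reasons.append("double extension")
        if any(lure in lower for lure in LURE_NAMES):
            reasons.append("matches known Skype lure name")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a fake 'Skype advertisement' with a PE attachment
    and one harmless PDF, so the check has both a hit and a non-hit."""
    msg = EmailMessage()
    msg["From"] = "Skype <promo@example.invalid>"  # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Download Skype 1.4 now"
    msg.set_content("Install the attached update to get free SkypeOut minutes.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="Skype-details.txt.exe")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="pricing.pdf")
    return bytes(msg)
```

Note that the magic-byte test catches a renamed executable even when the filename has no extension at all, which is how the article describes the FANBOT lures.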

If you're charged with securing mobile workers and worried about threats associated with Skype, start by visiting the Skype Security Resource Center. But don't stop there. Get a handle on the security architecture and protocols employed by Skype. Industry research and debate over Skype's proprietary security measures are ongoing. For several points of view, read Baset and Schulzrinne's Analysis of Skype P2P Internet Telephony Protocol [pdf], Berson's Skype Security Evaluation [pdf], Fabrix's Skype Uncovered [pdf], and Garfinkel's VoIP and Skype Security [pdf]. Finally, don't let your decision to bless or ban Skype blind you to ordinary social engineering attacks like phishing that prey upon careless users, no matter what software they use.