The Latest in IT Security

Online Criminals Bank on Skype Vouchers to Spread Exploit

15 Mar 2012

Senior Malware Analyst James Dee found a fake domain claiming to have something to do with Skype vouchers. These vouchers, a form of Skype Credit, have been around for quite some time, so they already enjoy a degree of prominence among the 663M* Skype users. Anyway, the website is skypevouchers(dot)com.

[screenshot: skypevouchers(dot)com and its page source]

Take note of the misleading page title, which comes with a questionable iframe tag in the code. The domain, manjakuhappy.com, turned out to be a legitimate Malaysian baby wear site that had been injected with a malicious PHP script, contact.php. The script is no longer there as of this writing:

[screenshot: manjakuhappy.com with contact.php no longer present]

But we were able to retrieve it for analysis. Here's what it looked like:

[screenshot: the retrieved contact.php script]

After deobfuscating and analyzing the code and following more URL trails, we finally ended up with two URLs, both hosted on 95(dot)163(dot)67(dot)189, each of which houses a malicious Java exploit:

  • Java Exploit 1:
    MD5: d3f933524c85c96a76f7ffd516d335c0
    Website: halloffam(dot)bee(dot)pl/showthread.php?t=83475
    Detection ratio: 5 / 43
  • Java Exploit 2:
    MD5: 58db6e6e25d9b8e4742f2ef9b43c3818
    Website: themettco(dot)bee(dot)pl/showthread.php?t=49281
    Detection ratio: 10 / 43

Both Java exploits take advantage of a vulnerability in the Java Runtime Environment (JRE) component of Oracle Java, tracked as CVE-2011-3544.
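The injection pattern described above (a hidden iframe on the landing page pulling a script from a compromised third-party site) is something a site owner can check for in their own pages. The scanner below is an added example, not code from the original post or from the analysts; the sample page, its title and its iframe attributes are constructed to mirror the case, and the host names are taken from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAuditor(HTMLParser):
    """Collects <iframe> tags and flags the ones that look injected:
    off-site src, zero-sized frame, or hidden through inline style."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # Relative src means same host as the page being audited.
        host = (urlparse(src).hostname or self.page_host).lower()
        reasons = []
        if host != self.page_host:
            reasons.append("off-site src " + host)
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-sized")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((src, reasons))


def _tiny(value):
    """True for width/height of 0 or 1 (common for concealed frames)."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def audit_page(html, page_host):
    parser = IframeAuditor(page_host)
    parser.feed(html)
    return parser.findings


# Constructed sample page modelled on the post's description.
SAMPLE = """<html><head><title>Free Skype Vouchers</title></head><body>
<iframe src="http://manjakuhappy.com/contact.php" width="1" height="1"
        style="display: none"></iframe>
<iframe src="/player.html" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_page(SAMPLE, "skypevouchers.com"):
        print(src, "->", ", ".join(why))
```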

I did a bit of digging around and I found out that skypevouchers(dot)com has been around since 2006, registered by someone in Estonia. It doesn't have much of a "landing page" now since it mostly does redirects, but if you're interested in what it looked like six years ago, here it is:

[screenshot: skypevouchers(dot)com as it appeared in 2006]

Be careful when searching the Web for free Skype vouchers. You might land on places with things you’re less than willing to bargain for.

Jovi Umawing (Thanks to James)

* Statistic as of March 2011
