New Skype spam leads to Trojan download

Skype Chatbot Scam fails Turing test miserably

I recently had a strange contact request show up on Skype. I mainly use this messaging platform for work, and I was puzzled, as I did not recognize the name of the requester.

I performed a quick web investigation on the name of the account, as well as contacted a co-worker to see if this was simply someone new at work trying to connect with me via Skype.

All results were negative, but this strange unknown person piqued my curiosity.  This is the very social engineering angle that such a request plays upon, as once you accept the request, you will be engaged in a discussion with a chatbot.

Chatbots have been around for ages and I have many fond memories of random IRC users stumbling on a channel I used to hang out in, and attempting to strike up a conversation with our custom Eggdrop chatbot, as we had chosen a feminine name for it. It had accumulated a large custom vocabulary and you could have a decent, if somewhat erratic, conversation with it.

While we originally used the chatbot in our channel to enforce nicknames, over time, more and more features were added to it.

We could play hang-man with it, ask the bot for the time, get currency exchanges, ask for the current weather, inquire when last a user had been present in the channel, and replay embarrassing quotes from users of the channel taken out of context. All great fun.

Early malicious bots https://en.wikipedia.org/wiki/Internet_bot  (scroll down to malicious purposes) used IRC as a command and control platform, where infected computer would log into an IRC channel to await commands, and this gave IRC bots and IRC in general a bad name.

Chatbot technology hasn’t stood still since then, with the development of Cleverbot, A.L.I.C.E. virtual assistants, and contests in which bot writers try to get their respective creations to pass the Turing test.

Here is the log of my conversation with this particular chatbot:

After adding this dana.kittinger

[2014-05-27, 10:09:42 AM] Jean taggart: Hello, Who are you?

[2014-05-27, 10:10:13 AM] dana.kittinger: (wave) hey, i saw your profile on the new skype app…i hope you don’t mind me adding you? 23/f here u?

Here is the hook, as adding a random stranger in Skype would be an improbable scenario, the author of this bot alludes to a new “Skype app” that would have this functionality. My Skype profile is incredibly sparse, intentionally so. To further add to the scenario, Dana kindly provides the potential mark an enticing age and gender: 23 years old and female. This helps narrow the target audience to someone who would be interested in a paid pornographic website.

[2014-05-27, 10:10:40 AM] Jean taggart: Are you a bot?

[2014-05-27, 10:10:54 AM] dana.kittinger: what’s a bot??

[2014-05-27, 10:11:53 AM] Jean taggart: Bot=web Robot, or chat bot., I just find it unusual that someone would reach out to me via Skype

[2014-05-27, 10:12:22 AM] dana.kittinger: im kind of studying, i hate it sometimes it gets so boring. what are you up to? 🙂

The chatbot ignored my inquiry, where a real person would of certainly been offended, and just plugged along with it’s scripted answers.

[2014-05-27, 10:12:54 AM] Jean taggart: I’m working. Sorta. Still early, haven’t had a coffee yet.

[2014-05-27, 10:13:23 AM] dana.kittinger: lol im studying for my bachelors in sociology…its really hard…need a break tho! you ever chat on cam?

Wow, a bachelor in sociology, smart girl we have here… Seems a little out of character to be trying to chat up strangers on Skype. I decided to play along and see if this chatbot was capable of arguing for it’s humanity.

Slow responses, and ignoring questions

[2014-05-27, 10:15:49 AM] Jean taggart: Yeah, the more I talk with you, the more I’m thinking I’m interacting with a script, take “(wave) hey, i saw your profile on the new skype app…i hope you don’t mind me adding you? 23/f here u?” A Google search return the exact same phrase being used by a script based chat agent. I’ll play, lets see if you can pass the Turing test.

[2014-05-27, 10:17:07 AM] Jean taggart: Also, the immediate request to video chat seems fishy. I’m expecting an attempt to redirect me to a paid site in pornographic content, but maybe that’s just bitter old me. 🙂

[2014-05-27, 10:19:11 AM] Jean taggart: Oups, sorry, lets see if I can generate a response that will move this along. No, I’ve never chatted on video. I do have a webcam though. ಠ_

[2014-05-27, 10:21:29 AM] Jean taggart: A response, any response would be good at this point. A real human would be offended by my insinuation that you are in fact a script based response system.

After a long delay, the chatbot obliviously carries on. The illusion of humanity is fast coming unraveled.

The pitch

[2014-05-27, 10:22:03 AM] dana.kittinger: it can be fun i love meeting new people on cam chat, you ever been on this new video chat site?  it has all sorts of cool effects and stuff lol (cool)

The perpetrator of this little scam needs to migrate the potential mark off of Skype, and onto his paying website, hence the pitch for “cool effects”. Sparkly smileys for a pornographic webcam based site feels more creepy than anything.

[2014-05-27, 10:23:05 AM] Jean taggart: Aaaand there it is. The pitch for the paid site, where yours truly, a hinted at 23/f nubile bored student will show me her naughty bits.

[2014-05-27, 10:23:17 AM] Jean taggart: You are a robot.

I tried calling “it” out, as I have seen chatbots that have elaborate responses in which they defend themselves and vehemently decry their humanity, but alas this wasn’t one of those.

If at first you don’t succeed…

[2014-05-27, 10:23:28 AM] dana.kittinger: Accept the invite, if you need the link again its http://QP54SHlzQ2o.safecamchats.com

[2014-05-27, 10:24:56 AM] Jean taggart: Wow. I’ve more interesting conversations with IRC eggdrop bots.

The script is attempting to get me to follow a random web link. This is never a safe proposition.

[2014-05-27, 10:25:30 AM] dana.kittinger: i think i will just put on a camisole and a thong then 🙂 i think u will like it?? i hope atleast… 😡

[2014-05-27, 10:25:35 AM] Jean taggart: Sorry Dana, your response selection is lacking.

The author of the bot script tries to heighten the hook, with scantily clad clothing promises. Classy.

[2014-05-27, 10:26:00 AM] dana.kittinger: http://77umGEswOLy.safecamchats.com lol go here do u see my cam?

[2014-05-27, 10:26:30 AM] Jean taggart: Goodbye, poorly written Skype bot.

The bot is still persistently hawking that URL.

[2014-05-27, 10:26:49 AM] dana.kittinger: kk, just click the accept button 🙂

[2014-05-27, 10:27:34 AM] Jean taggart: yes click some random link. Aight, lemme fire up a vm, i’ll go to your stupid link, but I need to do it from a VPN VM image.

[2014-05-27, 10:27:55 AM] dana.kittinger: Its http://UYD9e5IjoL.safecamchats.com just accept my cam invite,

[2014-05-27, 10:30:57 AM] Jean taggart: yup, links to a paid for porno site.

The chatbot is doggedly trying to get me to that URL. I wonder if there are metrics to track and associate the Skype ID to a successful login and registration process. The format of the URL link, and how it is different each time the chatbot provides it to me would certainly indicate something of that nature.

The scam, acquiring credit card information

[2014-05-27, 10:31:29 AM] dana.kittinger: oh, i think you might have to fill out some stuff…everyone gets verified as being real on here, keeps the creepy people away!!! lol 😡

[2014-05-27, 10:32:09 AM] Jean taggart: r-o-b-o-t

Of course, entering your credit card information is a perfectly valid way to confirm your identity, and that you aren’t an axe carrying mass murderer, because they don’t have credit cards. Yeah, right.

[2014-05-27, 10:32:16 AM] dana.kittinger: k, yea i had to do the cc part too  =( that how i got my profile verified as real (kiss) u don’t get charged, its free. did u get in?

[2014-05-27, 10:32:35 AM] Jean taggart: Who the **** falls for this?

[2014-05-27, 10:32:45 AM] Jean taggart: Blocked dana.kittinger

Chatting with a robot on Skype

Chatting with a robot on Skype

Yes of course it’s free, I’m absolutely convinced that despite entering my CC info, no illicit charges will be made, specially on a site that does not have https.

This concluded my interaction with this very rudimentary chatbot.

I blocked the user and reported the account to Skype.

Skype has terms of service prohibiting the use of chatbots.

“(i) use or launch any automated system, including without limitation, robots, spiders or offline readers that access the Software, Products or Skype Websites. Notwithstanding the foregoing, you agree that Skype grants to the operators of public search engines permission to use spiders to copy materials from the Skype Website for the sole purpose of creating publicly available searchable indices of the materials, but not caches or archives of such materials. Skype reserves the right to revoke these exceptions at any time.”

I have had interactions with similar Chatbots on MSN, AIM, ICQ, and the little iframe pop ups on websites, so this isn’t a new scam by any means.

The goal of the scammer is to steal your credit card information. Websites that “require” credit card information will use it, and justify the billing charges by hiding them in a byzantine Terms of Service clause. A webcam based site cannot validate if you are a “creep” or not with this information. This may sound obvious, but it is worth repeating.

Never share your credit card information with strangers, especially if it is a 23-year-old female studying for her bachelor in Sociology who has a hankering for voyeuristic encounters with random strangers on Skype and could fit her entire dialog file on a 1.44mb floppy.

As always, stay safe, and don’t hesitate to share your thoughts with us in the comments.

@jean_taggart

ABOUT THE AUTHOR

Jean Taggart

Senior Security Researcher

Incorrigible technophile who loves to break stuff and habitually voids warranties.