OFFICIAL SECURITY BLOG
December 4, 2013 | BY Christopher Boyd
If you’re a Skype user, you may want to keep in mind that “free Skype credit” generators may sound appealing, but are going to give you little more than a nagging sense of “Why did I even switch on the PC today”.
A site (skypecreditgenerator(dot)org) offers up a too-good-to-be-true promise of Skype credit galore – “unlimited”, in fact.
“We are produd [sic] to announce the all-new Skype Credit Generator 3.4.2 that you can use to top up your Skype balance in no time at no additional cost! Make unlimited calls worldwide by just using your Skype account,” the scam reads.
They’re so “produd” they also offer “Plugin support (for) further updates and security bypassing algorhytms [sic].”
I have a feeling I’ll send the [sic] tag into meltdown if I continue to quote from the site, so let’s move on and take a look at what’s on offer.
The site claims to have various download locations up for grabs (the download now button claims to be Mediafire, links at the bottom of the page talk about Filefront but everything links to an executable on the site itself–in fact, we have multiple files on offer here).
Shall we take a look?
There are a few versions of the generator on offer. Here’s 126.96.36.199, wasting no time at all in presenting the user with what is going to be a multitude of installs.
For example, here’s Search Protect which will set the homepage and default search to Conduit Search.
Here’s PricePeep, which will display ads on your screen if it feels it can show the end-user a better offer than what they might happen to be looking at.
Additional installs offered up included Bubble Dock and Mobogenie. At this point it’s time to wait while everything downloads and installs on the system, with the faint promise of something to do with Skype credits now more of a vague memory than anything tangible.
Eventually Bubble Dock and MoboGenie load up, and you can’t minimise or reposition Bubble Dock – it just sits there in the middle of the screen, sitting on top of whatever else you might happen to have open.
A lot of installs which promise free credits / generators / gifts typically involve installing lots of unrelated programs, while the initial hook is nowhere to be seen. That isn’t the case here – there actually is an entry in programs for the credit generator. Unfortunately the PC owner might be getting a little bit fed up by this stage, as they’re now told they need a specific version of .NET to run the file.
Okay, no problem. We’ll go to the Microsoft site, bring up the download page and…
…discover that Price Peep has chosen this moment to make itself known, by overlaying the download portion with adverts for Beats headphones and a .NET book.
Well, this is going brilliantly so far.
One install of .NET later (and maybe a couple of headache tablets), we’re finally ready to launch the Skype credit generator. Do we get our credits yet? The answer is, of course, “no”. The program now needs to grab plugins via a page located at “sharfiles.com”, so we’re now downloading 6MB of executable action.
What do you think happens after the end-user has installed all of the above programs, minimised some adverts to grab .NET, gone to an additional site to download some “plugins” and runs the 6MB executable file from “Finedream Invest LTD?”
The end-user is now being presented with “PileFile”, whose “integrated internet accelerator allows you to download your files on full throttle”. I think the individual who set out to find some free Skype credits has likely thrown their PC out of the window by this point. This install is very “more-ish”, and it depends on the end-user being so desperate to get their hands on the promised freebies that they’ll just….keep….clicking those install prompts till they get what they want. Which in this case appears to be more install prompts.
Users of Malwarebytes Anti-Malware will find we detect the above file as PUP.Optional.FilePile.A. As for the initial executable (way back up at the top of the page, which may now require a stepladder to reach) the current VirusTotal score is pegged at 18/47, and users of Malwarebytes Anti-Malware will find that we detect this as PUP.Optional.Smart.