Bruce Schneier
Schneier on Security

A blog covering security and security technology.


May 5, 2007

New Trojan Mimics Windows Activation Interface

Clever:

What they are calling Trojan.Kardphisher doesn't do most of the technical things that Trojan horses usually do; it's a pure social engineering attack, aimed at stealing credit card information. In a sense, it's a standalone phishing program.

Once you reboot your PC after running the program, the program asks you to activate your copy of Windows and, while it assures you that you will not be charged, it asks for credit card information. If you don't enter the credit card information, it shuts down the PC. The Trojan also disables Task Manager, making it more difficult to shut down.

Running on the first reboot is clever. It inherently makes the process look more like it's coming from Windows itself, and it removes the temporal connection to running the Trojan horse. The program even runs on versions of Windows prior to XP, which did not require activation.
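Two of the behaviours described above, Task Manager being disabled and a program launching at the next reboot, leave traces a defender can look for on the host. The following PowerShell triage check is an added example, not code from the original post or the quoted write-up; it assumes the Trojan uses the standard DisableTaskMgr policy value and the Run/RunOnce autostart keys, which the post does not state, so the output is a list of leads to inspect rather than a verdict.

```powershell
# Added triage check (hypothetical; the post does not say which registry
# locations the Trojan touches). Run as the affected user.

# 1. Has Task Manager been disabled by policy? The DisableTaskMgr value is the
#    documented way to switch it off, for the current user or machine-wide.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) {
        Write-Output "Task Manager is disabled by policy at $key (DisableTaskMgr=1)"
    }
}

# 2. What is scheduled to start at the next logon? A program that first shows
#    itself after a reboot commonly registers here. Every entry is listed so an
#    unfamiliar path can be checked by hand; nothing is removed automatically.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell attaches to the object
        if ($p.Name -like 'PS*') { continue }
        Write-Output ("{0}\{1} = {2}" -f $key, $p.Name, $p.Value)
    }
}
```

If the policy value turns out to be set, removing it with Remove-ItemProperty restores Task Manager, but the autorun entry responsible should be identified first or the setting will simply come back on the next reboot.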

More info here.

Posted on May 5, 2007 at 7:59 AM


Comments

Good social engineering but I think the trickster went a bit too far here. The second screen illustration asks for a credit card and ATM PIN number! I'd like to think that most people would spot something that badly out of place.

Posted by: Pond Life at May 5, 2007 10:19 AM


They went to all that trouble but then you see, in bold text, "We will ask for you billing details".
It only takes one grammatical blunder like that to ruin the whole effect...

Posted by: Area 42 at May 5, 2007 10:46 AM


Besides the spelling mistakes, the whole thing reads completely unlike the actual Microsoft activation screens. Not just the text, but the flow and style of the text.

Plus, they ask you for your ATM PIN. Who asks for that!?

Posted by: Stephen Touset at May 5, 2007 11:11 AM


This seems like the kind of thing that's easy to trace. If you can't get the information from the original code (it's got to go somewhere), then have the credit card companies submit a real-looking but fake #, and arrest anyone who uses it...

Posted by: Baron Dave at May 5, 2007 11:59 AM


@Area42 and Stephen: you may be right about the mistakes, but seriously--phishing attacks are not targeted at us, but your average computer user, who has a far greater chance of not noticing such mistakes, or simply not realizing their implications.

Posted by: bitprophet at May 5, 2007 12:44 PM


Unfortunately, this attack is targeted at lay users. I doubt they would find it strange to answer these questions. Clever social engineering is all about fooling "some people all of the time".

Posted by: Somebody Anon at May 5, 2007 12:55 PM


09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0

Posted by: anonymouse at May 5, 2007 8:05 PM


Yeah.. but will it run on Linux?

Posted by: Ryan at May 5, 2007 9:31 PM


> Yeah.. but will it run on Linux?

Sure, a similar attack can be launched on linux. I'd do it with @reboot in cron, but linux users tend to be less willing to fork over their personal information to some "validation" script because that type of thing doesn't happen too much on that platform.

Though I'm sure it could be effective against some RHEL users.

Then again, businesses usually don't fork over credit card numbers as easily as end-users.

Still probably would get a few though... and that's all you need really. You'd only have to write a small python script.

Posted by: D.J. Capelis at May 6, 2007 5:06 AM


@Baron: This seems like the kind of thing that's easy to trace.

Following the money is always a good idea.

But crooked merchants directly submitting fake charges to the credit card companies are just one way for the phishers to profit.

With the ATM PIN, the phishers can go to any ATM and get a cash advance. Sometimes, if the user submitted a debit card, the PIN is also good for the victim's online banking account.

They can also purchase goods from online vendors, have them delivered to a mailbox, and then sell them for cash.

Posted by: FP at May 6, 2007 1:25 PM


This couldn't happen without there first being a windoze activation. I blame Microsoft.

Posted by: Max at May 6, 2007 5:35 PM


Think of your poor old mum.

She can't logon to her bank any more because the site isn't really their site (it's being proxied to collect her logon), microsoft are asking for her credit card or her system won't run (but it isn't really them), the internet sometimes runs slowly because a trojan on her PC is busy with it and last night the lawyers from RIAA left a message on her machine telling her she's off to court because her grandson downloaded a song with her PC last month.

Posted by: Ralph at May 6, 2007 6:49 PM


@D.J. Capelis
"""Sure, a similar attack can be launched on linux."""

I'm a linux user.

What's this 'rebooting' and 'activating' you speak of?


You're right, though... it could be done and might catch enough people out to make it worthwhile.

Posted by: Thomas at May 6, 2007 9:10 PM


The pirates seemingly can make Windows do anything yet I cannot open a simple folder without the system freezing up.

Posted by: Joe Blow at May 6, 2007 11:15 PM


While upgrading my Ubuntu system to 7.04, a power glitch struck at just the wrong moment, somehow trashing the MBR. When I rebooted from the CD, I thought of what I'd been hearing about Windows in recent weeks and told the partitioner to take the whole disk. After two years of dual-booting, I've officially defenestrated. Now, if I could just get my wife to run her favorite games (all small ones, like Text Twist) from WINE, I wouldn't have to worry about someone using her machine to empty our checking account.

Posted by: Wyle_E at May 7, 2007 6:42 AM


It seems to me that Microsoft will take worthy measures. The virus will not find of itself application.

Posted by: Artis Ivis at May 7, 2007 6:52 AM

