New Trojan Mimics Windows Activation Interface


What they are calling Trojan.Kardphisher doesn’t do most of the technical things that Trojan horses usually do; it’s a pure social engineering attack, aimed at stealing credit card information. In a sense, it’s a standalone phishing program.

Once you reboot your PC after running the program, the program asks you to activate your copy of Windows and, while it assures you that you will not be charged, it asks for credit card information. If you don’t enter the credit card information it shuts down the PC. The Trojan also disables Task Manager, making it more difficult to shut down.

Running on the first reboot is clever. It inherently makes the process look more like it’s coming from Windows itself, and it removes the temporal connection to running the Trojan horse. The program even runs on versions of Windows prior to XP, which did not require activation.

More info here.

Posted on May 5, 2007 at 7:59 AM • 16 Comments
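A triage check for the two behaviours described in the post (Task Manager disabled, program launched at the next boot), as an added example that is not part of the original post or any vendor write-up. It assumes the lockout uses the standard `DisableTaskMgr` policy value and that the launch at boot uses a Run or RunOnce key; the post does not say which mechanism the Trojan uses. The registry export text, the value name `WinActivate` and the file path are constructed, and the export is assumed to be already decoded to text.

```python
import re

# Constructed sample in "reg export" text format; not taken from a real infection.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinActivate"="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\wact.exe"
'''

RUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")
# Heuristic allow-list of install locations (assumption; tune per fleet).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"(.+?)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            else:
                # String values are exported with doubled backslashes.
                current[name] = raw.strip('"').replace("\\\\", "\\")
    return keys

def triage(keys):
    """List findings matching the two behaviours the post describes."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(r"\policies\system") and values.get("DisableTaskMgr") == 1:
            findings.append(("task-manager-disabled", path, "DisableTaskMgr=1"))
        if low.endswith(RUN_SUFFIXES):
            for name, target in values.items():
                if not str(target).lower().startswith(TRUSTED_PREFIXES):
                    findings.append(("autorun-outside-system-dirs", name, target))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_EXPORT)):
        print(finding)
```

Either finding alone has benign explanations (administrators do set the policy value, and legitimate software installs per-user autoruns); the two together on a home PC are worth a closer look.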


Pond Life May 5, 2007 10:19 AM

Good social engineering but I think the trickster went a bit too far here. The second screen illustration asks for a credit card and ATM PIN number! I’d like to think that most people would spot something that badly out of place.

Area 42 May 5, 2007 10:46 AM

They went to all that trouble but then you see, in bold text, “We will ask for you billing details”.
It only takes one grammatical blunder like that to ruin the whole effect…

Stephen Touset May 5, 2007 11:11 AM

Besides the spelling mistakes, the whole thing reads completely unlike the actual Microsoft activation screens. Not just the text, but the flow and style of the text.

Plus, they ask you for your ATM PIN. Who asks for that!?

Baron Dave May 5, 2007 11:59 AM

This seems like the kind of thing that’s easy to trace. If you can’t get the information from the original code (it’s got to go somewhere), then have the credit card companies submit a real-looking but fake #, and arrest anyone who uses it…

bitprophet May 5, 2007 12:44 PM

@Area42 and Stephen: you may be right about the mistakes, but seriously–phishing attacks are not targeted at us, but your average computer user, who has a far greater chance of not noticing such mistakes, or simply not realizing their implications.

Somebody Anon May 5, 2007 12:55 PM

Unfortunately, this attack is targeted at lay users. I doubt they would find it strange to answer these questions. Clever social engineering is all about fooling “some people all of the time”.

D.J. Capelis May 6, 2007 5:06 AM

Yeah.. but will it run on Linux?

Sure, a similar attack can be launched on linux. I’d do it with @reboot in cron, but linux users tend to be less willing to fork over their personal information to some “validation” script because that type of thing doesn’t happen too much on that platform.

Though I’m sure it could be effective against some RHEL users.

Then again, businesses usually don’t fork over credit card numbers as easily as end-users.

Still probably would get a few though… and that’s all you need really. You’d only have to write a small python script.

FP May 6, 2007 1:25 PM

@Baron: This seems like the kind of thing that’s easy to trace.

Following the money is always a good idea.

But crooked merchants directly submitting fake charges to the credit card companies are just one way for the phishers to profit.

With the ATM PIN, the phishers can go to any ATM and get a cash advance. Sometimes, if the user submitted a debit card, the PIN is also good for the victim’s online banking account.

They can also purchase goods from online vendors, have them delivered to a mailbox, and then sell them for cash.

Max May 6, 2007 5:35 PM

This couldn’t happen without there first being a windoze activation. I blame Microsoft.

Ralph May 6, 2007 6:49 PM

Think of your poor old mum.

She can’t log on to her bank any more because the site isn’t really their site (it’s being proxied to collect her logon), Microsoft are asking for her credit card or her system won’t run (but it isn’t really them), the internet sometimes runs slowly because a trojan on her PC is busy with it and last night the lawyers from RIAA left a message on her machine telling her she’s off to court because her grandson downloaded a song with her PC last month.

Thomas May 6, 2007 9:10 PM

@D.J. Capelis
“””Sure, a similar attack can be launched on linux.”””

I’m a linux user.

What’s this ‘rebooting’ and ‘activating’ you speak of?

You’re right, though… it could be done and might catch enough people out to make it worthwhile.

Joe Blow May 6, 2007 11:15 PM

The pirates seemingly can make Windows do anything yet I cannot open a simple folder without the system freezing up.

Wyle_E May 7, 2007 6:42 AM

While upgrading my Ubuntu system to 7.04, a power glitch struck at just the wrong moment, somehow trashing the MBR. When I rebooted from the CD, I thought of what I’d been hearing about Windows in recent weeks and told the partitioner to take the whole disk. After two years of dual-booting, I’ve officially defenestrated. Now, if I could just get my wife to run her favorite games (all small ones, like Text Twist) from WINE, I wouldn’t have to worry about someone using her machine to empty our checking account.
