W32.Phopifas Cons Over 2.5 Million Clicks with LOL Links

An ongoing social engineering attack on Skype and other instant messaging applications has been gathering momentum over the last week. The attack, which looks to have started around September 29, has to date conned over 2.5 million clicks from unsuspecting users. The attack uses the common social engineering tactic of posting a link to instant messaging applications for a potential victim to follow. The following scenario outlines the steps in the attack:
 

Figure 1. Social engineering attack scenario
 

When the victim clicks on the goo.gl link they are redirected to a URL on Hotfile.com. The Hotfile.com site prompts the victim to download a .zip file which contains the malware W32.IRCBot.NG disguised as a legitimate instant messaging file. If the victim manually extracts the file and executes it, it contacts an IRC channel to receive commands. In our analysis we have observed the threat being commanded to download and execute another file from Hotfile.com. In each observed test it has been W32.Phopifas that is the second downloaded file, although it is possible that other malware may be downloaded depending on the victim’s geographical IP location. Our analysis of W32.Phopifas has shown that this threat is responsible for the initial postings to instant messaging applications in over 30 different languages that lead back to W32.IRCBot.NG.

Since the cybercriminals have opted to use Google’s goo.gl URL shortening service in their campaign, Symantec is able to follow the success rate of clicks. To date we have seen eight different goo.gl URLs being used by W32.Phopifas and have been able to check the click rate on each one. The graph below outlines the success of each link and the malware .zip file associated to it. The malware .zip file name also contains the date it was used in the W32.Phopifas campaign.
 

Figure 2. Malicious URL click rates
 

While we cannot extrapolate from these figures how many victims actually downloaded, extracted, and installed the malware, the figures do show just how successful a simple social engineering ploy can be on instant messaging applications.

In addition to the W32.IRCBot.NG and W32.Phopifas detections, Symantec also protects users with the intrusion protection signature Attack: W32.Ircbot.NG. It is recommended you always use the latest Symantec technologies to ensure the best possible protection against these types of threats. And as Skype reminds users, do not click on any suspicious link or open any unusual files from other Skype users—even if the message is from a known contact.