SANS ISC: Wikipedia Articles as part of Tech Support Scamming Campaigns? SANS ISC InfoSec Forums
Wikipedia Articles as part of Tech Support Scamming Campaigns?

Caleb, one of our readers, has reported that Wikipedia articles have been "primed" and are being used actively in the various fake tech support phone campaigns.  For instance, the Wikipedia article for SpyEye (https://en.wikipedia.org/wiki/SpyEye#cite_note-trusteerzeus-5) now contains this paragraph:

Indicators that something is wrong?

  • The grammar, first and most obvious.   While grammar seems to be getting better in phishing campaigns, it's a decent indicator that something might be wrong on this page.
  • While the grammar might just as easily be an "English as a Second Language" speaker, the "Nobody can help you except 3 companies" verbiage should be an alarm bell.  This is the text that's being used by the scammer to tell their victim that "only we can help you fix this (fake, of course) infection you have on your computer".
  • The reference [6] goes to a parked page, and reference [5] refers to Zeus malware, which is a precursor to SpyEye.  Reference [7] points to a decent reference, but it's not related to the text it's a reference for.
  • The Wikipedia "View History" page shows that the editor for this text was "Techaddy15031989"; this account no longer exists: https://en.wikipedia.org/wiki/User:Techaddy15031989 .  Accounts that come and go during suspicious activities are a good indicator - just as DNS names changing frequently might be in a different style of attack.
    Other edits by this account are shown here:
    https://en.wikipedia.org/wiki/Special:Contributions/Techaddy15031989
  • Looking at the history on these other contributions, we see similar text on the "macro virus" page, which has since been corrected by other editors.
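The "View History" and contributions checks above can be scripted against the MediaWiki API. The following is an added example, not code from the ISC diary: it builds the API queries for an article's recent revisions and for the editor accounts behind them, then flags revisions whose author account no longer exists (the MediaWiki `list=users` query marks such accounts with a `missing` key). The sample API responses embedded below are constructed to mirror the real response shape so the script runs offline; the article title "Example article" and the revision ids are illustrative.

```python
"""Triage a Wikipedia article's edit history for editors whose accounts have vanished."""
import json
from urllib.parse import urlencode

API = "https://en.wikipedia.org/w/api.php"


def revisions_url(title, limit=20):
    # MediaWiki API: recent revisions with editing user, timestamp and edit summary
    params = {"action": "query", "prop": "revisions", "titles": title,
              "rvprop": "ids|user|timestamp|comment", "rvlimit": limit, "format": "json"}
    return API + "?" + urlencode(params)


def users_url(names):
    # MediaWiki API: account lookup; deleted or never-existing accounts carry a "missing" key
    params = {"action": "query", "list": "users", "ususers": "|".join(names), "format": "json"}
    return API + "?" + urlencode(params)


def flag_orphan_revisions(revisions_json, users_json):
    """Return the revisions (id, user, timestamp) whose editor account no longer exists."""
    missing = {u["name"] for u in users_json["query"]["users"] if "missing" in u}
    flagged = []
    for page in revisions_json["query"]["pages"].values():
        for rev in page.get("revisions", []):
            if rev["user"] in missing:
                flagged.append({"revid": rev["revid"], "user": rev["user"],
                                "timestamp": rev["timestamp"]})
    return flagged


# Constructed sample responses (same shape as the live API; values are illustrative,
# the account name is the one named in the diary above)
SAMPLE_REVISIONS = {"query": {"pages": {"123": {"title": "Example article", "revisions": [
    {"revid": 3, "user": "GoodEditor", "timestamp": "2016-03-03T10:00:00Z", "comment": "fix refs"},
    {"revid": 2, "user": "Techaddy15031989", "timestamp": "2016-03-01T09:00:00Z", "comment": "added info"},
    {"revid": 1, "user": "GoodEditor", "timestamp": "2016-02-01T08:00:00Z", "comment": "created"},
]}}}}
SAMPLE_USERS = {"query": {"users": [
    {"name": "GoodEditor", "userid": 1},
    {"name": "Techaddy15031989", "missing": ""},
]}}

if __name__ == "__main__":
    print(revisions_url("SpyEye"))
    print(users_url(["GoodEditor", "Techaddy15031989"]))
    print(json.dumps(flag_orphan_revisions(SAMPLE_REVISIONS, SAMPLE_USERS), indent=2))
```

Against a live article, fetch the two URLs, feed the parsed JSON to `flag_orphan_revisions`, and review the flagged revisions' diffs and the account's Special:Contributions page by hand.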

Given the editing model for Wikipedia, it's somewhat surprising that we don't see more malicious activity of this type on the platform.  While Google doesn't show exact matches to this text elsewhere at the moment, has anyone seen text with similar intent in other articles?  Maybe this is something we'll be seeing more of?

Rob VandenBrink
ISC Handler
We received a suspicious email that was reported as Phishing by the user. The email came from a Gmail account with subject "Computer network Info." The message was written strangely and came unexpectedly. The URLs below were embedded within the body of the message. Not sure if it is related, but thought I'd share.

Anonymous
