robocall malware!
#17078 08/18/11 07:29 PM
Joined: Aug 2009
OP Offline

So I'm walking back to my desk when I hear my Skype ring and auto-answer. It's a robocall from "ONLINE ALERT® - ACTION REQUIRED" (Skype id t01.computer.system.notification) telling me in a Little Snitch-type voice that my computer was not protected and I needed to go to www.sospws.com immediately. The recording looped for several minutes and then disconnected. Browsing there out of curiosity, it's a not-too-convincing scareware page.

Well, that's a new angle, huh?


I work for the Department of Redundancy Department
Re: robocall malware!
Virtual1 #17079 08/18/11 09:33 PM
Joined: Aug 2009
Likes: 1
Offline

It is. This is a very interesting twist on the scareware/malware scam; it isn't trying to download computer malware at all.

The payload is at

sospw.com/activate

which runs a fake "virus scan" and then throws up bogus but scary-looking "virus warnings". So far, so typical. However, if you click the Activate button, it doesn't download malware like most of these sites do. Instead, it asks you for your name, address, and email.

I created a bogus email account and put in phony information. What I got was an offer to activate an anti-virus "subscription service" for $19.95 a month, whereby "security experts" would remote into my computer and clean up the "viruses" for me.

The "subscription service" is advertising the URL

https://safeandsecures.com/sasecure.php

which is a redirector to

https://www.liveadmin.com/buy.php?xIkSiifUyhYkndkUfuydyYUbfdyUnUkufduUYTZRbKknNK

which is a redirector to

https://www.click2sell.eu/securepayment/...a6b50497248413d

click2sell.eu is a European company that does affiliate marketing; basically, think of it like eBay, except instead of selling old Care Bears lunch boxes you're selling services. They're the actual point of transaction--where the money changes hands.

It looks to me like sospw.com and safeandsecures.com are front-ends for liveadmin.com. The Web site at liveadmin.com is the actual Web site of the con artists. The other two sites funnel traffic to liveadmin.com in a deniable way; if they get shut down for spam, liveadmin.com keeps on going.

sospw.com and safeandsecures.com are both registered through GoDaddy and hosted on Leaseweb. liveadmin.com is hosted overseas on tiscali.de, a German black-hat Web hosting company preferred by Russian organized crime. (It's not a surprise that the liveadmin.com Web site says that their operators are fluent in Russian and English.)

What it looks like to me is that Russian organized crime, which has long been involved in fake antivirus malware, has decided that getting one-time payments for $19.95 for removing the phony antivirus malware isn't enough; they're looking for recurring sales. I bet if one signs up for this "subscription service," the recurring $19.95 monthly bills on one's credit card are almost impossible to remove.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
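The redirector chain traced in the post above is the kind of thing worth mapping hop by hop rather than letting a browser jump straight to the last page. The following is an added example, not code from the thread: a small Python tracer that records every hop and stops on a loop or a hop limit. The hop table is constructed to mirror the front-end -> liveadmin.com -> payment-processor shape described; the hostnames are the ones named in the post, while the query token and payment path are placeholders.

```python
import urllib.request
import urllib.error
from urllib.parse import urljoin

def trace_redirects(url, fetch, max_hops=10):
    """Follow redirects one hop at a time, recording every URL; stop with a
    reason ("final", "loop", "max_hops") instead of spinning forever."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, "final"
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "max_hops"

def live_fetch(url):
    """Real fetcher: a single HEAD request, redirects not followed by urllib."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # leave the 3xx to the caller as an HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

# Constructed hop table mirroring the chain described in the thread
# (front-end -> liveadmin.com -> payment processor). The query token and
# payment path are placeholders, not the values from the post.
CONSTRUCTED_HOPS = {
    "https://safeandsecures.com/sasecure.php":
        (302, "https://www.liveadmin.com/buy.php?TOKEN-PLACEHOLDER"),
    "https://www.liveadmin.com/buy.php?TOKEN-PLACEHOLDER":
        (302, "https://www.click2sell.eu/securepayment/ID-PLACEHOLDER"),
    "https://www.click2sell.eu/securepayment/ID-PLACEHOLDER": (200, None),
}

def offline_fetch(url):
    return CONSTRUCTED_HOPS.get(url, (404, None))

if __name__ == "__main__":
    hops, why = trace_redirects("https://safeandsecures.com/sasecure.php", offline_fetch)
    print(" -> ".join(hops), "(%s)" % why)
```

Swap `offline_fetch` for `live_fetch` to trace a real chain; the intermediate hosts are what you would hand to an abuse desk, since the final page is usually a legitimate payment processor.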
Re: robocall malware!
tacit #17085 08/19/11 07:07 AM
Joined: Aug 2009
Likes: 15
Online

V1's link and your first one are dead ends already.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: robocall malware!
tacit #17090 08/19/11 08:45 PM
Joined: Aug 2009
OP Offline

I can see "bulletproof hosting" being in Russia, but why does Germany allow that?


I work for the Department of Redundancy Department
Re: robocall malware!
Virtual1 #17101 08/20/11 05:13 AM
Joined: Aug 2009
Likes: 1
Offline

Because it makes money?

Seriously, you see spam-friendly hosting all over the place. I ran into a situation recently where Earthlink tolerated a phish site on their network for quite a long time. Abuse teams not only don't make money for an ISP, they *cost* it money.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
