Generally, download sites do a good job of keeping potentially undesirable programs off their network. You might see the oddly titled "family keylogger" program and wonder about the ethics of such a utility, but leaving those rather dubious grey areas aside, mostly things take care of themselves.
However, while browsing the cnet.download.com site today, I happened to find something rather peculiar in their "Network Monitoring Tools". Namely, this:
Click to Enlarge
As soon as I saw the creator description of the program, I knew something wasn't quite right:
"Apheve is a great piece of software that has the ability to disguise
itself as multiple IM programs including MSN, Skype, and BT Yahoo.This
is perfect if a visitor is coming round who wants to access their IM
account."Wait, it "disguises" itself as multiple IM programs? And its name sounds like a bizarre slang version of the word "thieve" (A Pheve)?
Oh dear.
As you might expect, the program is available to download on numerous sites, including CNet Asia and ZDNet UK. Up for grabs since May 2008, the number of downloads is somewhat alarming:
18,214 download.cnet.com
9186 CNET Asia
455 ZDNET.co.uk
Not including other sites related to the above URLs, that means there's a grand total of at least 27,855 people (possibly) running round trying to steal your IM logins. (Check out the comments for more thoughts on what all those people may....or may not....be using the program for).
Did I say steal? Yes, I did. Presenting.... "Apheve":
Quite simply, you select the IM client of your choice - MSN Messenger, Yahoo IM or Skype - and hit the "Start!" button. Then you retreat to a safe distance and let your victim use the PC. As we've
seen before, these kinds of programs work great for scammers in net cafes, libraries and schools / universities.
The victim will see one of these:
Click to Enlarge
Click to Enlarge
Of course, both of those IM boxes are entirely fake. Should you enter your login details, you'll be shown an error message and wander away from the computer feeling vaguely annoyed. Meanwhile, the attacker jumps onto the same computer and clicks on the apparently harmless looking fake icon in the Taskbar - in this case, a picture of a DVD / CD:
....and is presented with your login information, courtesy of a nifty popup box:
Click to Enlarge
Is it just me, or does that go a little beyond the scope of "Monitoring Software"?
The program has absolutely
no reason to exist other than harvesting login credentials.
Even the choice of targets seems designed to cause as much trouble as possible - Skype accounts will probably have unused call credit stored against them, Windows Live accounts may well be linked to EMail as well as IM, potentially giving access to yet more personal information, logins etc.
Any claim by the creator that this is intended for "network security" is fairly blown out of the water when we check out his Youtube channel, only to find...
Click to Enlarge
...he's promoting it with the title
"How to hack Msn, Skype or Yahoo with Apheve 1.1", with
"Apheve pro - The ultimate hacking tool" in the description.
The only good thing here is that due to the program being around for a while, the fake versions of Skype, Windows Live Messenger etc look rather outdated and not very much like the real, current versions. The DVD / CD icon in the corner could also be a giveaway, though of course you can change that if you really want to.
We've EMailed the Downloads team, and will post again when we hear back from them.Given the rather single-minded purpose of this application, I'm a little surprised it managed to squeeze through the cracks. The above download sites may well be "Tested Spyware Free", but they're currently not "Tested Horrible IM Stealing Piece of Junk Free".
Hopefully that might change shortly...
