Instant Messaging: March 2009 Archives

Yesterday we came across something we haven't seen before - a fake Instant Messaging program used to share stolen data to the masses via the wonders of FTP. Let's begin by introducing iMess:

imess1.jpg

As you can see, there's two parts to this - the iMess application that steals your MSN login, and "HQ" - the file that lets you grab said stolen data.

This is what the iMess program loading screen looks like when fired up, rather humorously using what appear to be ripped versions of Smilies from the ASK range of products, along with a list of "features" such as "Anti Block System" and "Hundreds of skins":

imess3.jpg
Click to Enlarge

It's all very slick, and designed to set the end-user at rest. No scam looks that professional, surely?

Well, actually...

imess4.jpg

....whoops, it does. Note that it's called iMess2 - no idea what happened to the first one, but perhaps that's another confidence trick. At any rate, if you enter your login details, you'll see that staple of rogue applications - the fake error message:

imess10.jpg

While this is taking place, it's probably a good time to crack open the code and see what's taking place:

imess2.jpg

Did your MSN login details just get sent to an FTP server in the Netherlands? I think they did.

Want to see where they end up? Sure you do! Time to fire up the "HQ" program - which is used as nothing less than a sort of communal sharing zone for stolen logins. Put simply, if you run HQ, you can see ALL of the stolen logins obtained around the World and sent to the FTP server.

"HQ" stands (rather appropriately enough) for "Headquarters". First you'll see the below - a splash page of sorts, telling you the last time the stolen data was "cleaned" (ie tidied up), with two buttons - "Contact" and "Accounts".

imess5.jpg
Click to Enlarge

It's the accounts we're interested in...

imess8.jpg

As you can see above, there are a number of buttons across the top. Simply hit "Connect" to connect to the FTP server, then hit "Get list" and all of the accounts stolen via this program are displayed in the bottom panel. If you want the password for any of the accounts, left click one then press "Show" and...

imess9.jpg

The login details are yours for the taking. From there, you can use the stolen logins to send spam or infection links via those accounts, dip into EMails that use the same logins (harvesting any additional data / logins stored inside) ....the choice is yours.

It's a common theme of phishing scams (for example) that a ringleader effectively orders the troops to go out and phish under the illusion they get something at the end of it, when in reality the person at the top of the chain keeps all the data.

Here, we have a bizarre example of using rather slick faked IM technology, sharing stolen data with the masses "for the greater good" (in the loosest sense of the phrase of course - there's nothing particularly "good" about this).

Hang onto your MSN Login details and avoid this program.
Someone has created a couple of fake applications currently in the wild, both made to look like legitimate chat programs. They're pretty convincing:

fkaim1.jpg

fkaim3.jpg

We've seen these kinds of scams before, and as with those programs, when the victim enters their details they're stored locally on the PC (in this case, storing them in Settings.ini) for the attacker to collect.

Though this means physical access to the PC is required (think net cafe scammers hawking around unsecured PCs), for around 5$ you can buy an upgraded version which sends the stolen data to an FTP server.

Okay, I hear you cry - how do we spot these particular nasties?

Well, it seems vanity has got the better of the creator. They just couldn't resist putting in a "hidden" about page that tells you who made them - presumably for bragging rights on forums.

This works great for us, especially when I do so enjoy randomly clicking around on the surface of rogue programs just in case something amazing pops up.

As luck would have it...

fkaim2.jpg


fkaim4.jpg


Thanks, vain hacker type person. Obviously, this will only work where you're presented with a PC running either of the above, but it's better than nothing...

About this Archive

This page is a archive of entries in the Instant Messaging category from March 2009.

Instant Messaging: November 2008 is the previous archive.

Instant Messaging: April 2009 is the next archive.

Find recent content on the main index or look in the archives to find all content.