Two Clever Phishing Attempts
Among the phishing techniques making the rounds, the 'desperately needed user manual' trick is a reliable favorite. If you’ve ever searched online for the user manual of an older computer, household appliance, stereo system, etc., you’ve probably encountered this one. Another recent offender is the Google Docs scam. Let’s see how both of them try to trick you...
Pssst... We Got Yer User Manual Right Here!
So you bought a used gizmo from a guy on eBay or Craigslist. The seller doesn’t have a user manual for it but you figure you can find one online in PDF format. You go to the manufacturer’s website but that model is no longer supported; the manual isn’t available. So your next step is to Google the model number and “user manual,” right? That’s when the fun starts.
The people who run these scams pay to be first in Google search results. Their search summaries are dynamically tailored to your search terms so they appear to be offering exactly what you need. “Download user manual for Bosch HES432U…” Heck yeah, you got lucky on your first try! So you click that link and a download starts instantly, instead of taking you to a Web page you could check out carefully.
But that’s OK because the file you’re receiving is just a PDF file; a document, not an executable program that can do things to your hard drive or gather up your email contacts, credit card numbers, bank account passwords, etc., and send them to some dark server in the Ukraine. It’s just a harmless user manual, right? RIGHT?
Probably not; PDF files can contain executable code. The download may actually be an EXE file disguised as a PDF. When you open such a file, it may attempt all of the nefarious actions mentioned above and more. Good anti-malware software will detect and block such auto-executing PDF files. Scammers depend in part on lazy people who don’t have anti-malware protection or don’t keep it up to date; they catch a lot of fish that way. But there are other hooks in the bait as well.
That file, user_manual_for_HES432U.pdf, may contain only an excerpt or abstract of the user manual you’re seeking. It whets your appetite for the full manual and makes you impatient because you just came THAT close to getting what you need. Impatient people make mistakes, like clicking on the link at the end of this sales pitch that says, “Install Conduit to get your user manual.”
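The "it's just a PDF" assumption above is exactly what the scam leans on, and it can be checked before the file is ever opened. The following is an added example, not code from the original article: it reads the first bytes of a download to see whether a file named `.pdf` is really a PDF or a Windows executable (whose header begins with `MZ`), and, for genuine PDFs, looks for the dictionary keys that mark auto-run actions, embedded JavaScript or launch commands. The file names and byte strings are constructed for the demonstration.

```python
"""Triage a downloaded 'user manual' before opening it.

Added illustration for the article's PDF/EXE point; not the author's code.
Sample file contents below are constructed, not real malware.
"""
import re

PDF_MAGIC = b"%PDF-"   # every real PDF starts with this (possibly after a few junk bytes)
EXE_MAGIC = b"MZ"      # DOS/Windows executable header

# PDF keys that introduce active content: scripts, auto-run and launch actions,
# additional-actions dictionaries and embedded files.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

# Double extensions such as manual.pdf.exe rely on Explorer hiding the real one.
DOUBLE_EXT = re.compile(r"\.pdf\.(exe|scr|com|bat|cmd|js|vbs)$", re.IGNORECASE)


def classify_download(name: str, data: bytes) -> dict:
    """Return a verdict for a file that claims to be a PDF.

    'mismatch' - name says PDF but the bytes (or the real extension) do not
    'active'   - a genuine PDF that carries script / auto-run / launch keys
    'clean'    - a genuine PDF with none of those keys
    """
    head = data[:1024]
    is_pdf = head.find(PDF_MAGIC) != -1
    looks_like_exe = head.startswith(EXE_MAGIC)
    claims_pdf = name.lower().endswith(".pdf") or DOUBLE_EXT.search(name) is not None
    active = [k.decode() for k in ACTIVE_KEYS if k in data] if is_pdf else []

    if claims_pdf and (not is_pdf or DOUBLE_EXT.search(name)):
        verdict = "mismatch"
    elif active:
        verdict = "active"
    else:
        verdict = "clean"
    return {
        "name": name,
        "is_pdf": is_pdf,
        "looks_like_exe": looks_like_exe,
        "active_keys": active,
        "verdict": verdict,
    }


# Constructed samples (not real files):
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56   # EXE header renamed to .pdf
ACTIVE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
    b"<< /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for fname, blob in (
        ("user_manual_for_HES432U.pdf", FAKE_EXE),
        ("user_manual_for_HES432U.pdf.exe", CLEAN_PDF),
        ("manual_excerpt.pdf", ACTIVE_PDF),
        ("manual.pdf", CLEAN_PDF),
    ):
        print(classify_download(fname, blob))
```

A plain byte search like this catches the renamed-EXE case and the obvious auto-run keys, but it is a first filter, not a replacement for up-to-date anti-malware: PDF keys can be written in escaped form (for example `/J#53`) or hidden inside compressed object streams, which this check will not see.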
Conduit: "A means of transmitting or distributing"
“Conduit Search” is a widespread piece of malware that hijacks your browser. And it's aptly named, because it transmits and distributes all kinds of nasty stuff. It resets your homepage to one the scammer selects; changes your default search engine to search.conduit.com; and transmits all of your search queries to a third party that uses that data for "marketing" purposes. Some say that having Conduit installed may lead to “spear phish” emails that target victims with highly personalized and tempting email spam.
Once installed, Conduit will substitute ads from its paying customers into the search results you get from Google and other ad-supported search engines. When you click on one of those ads, Conduit and its underhanded customers make money.
Conduit will also invisibly manipulate search results so that its customers appear first instead of the firms that your preferred search engine would prioritize. This is so subtle that most users don’t detect anything amiss. People pay Conduit well for biased, sometimes wildly inaccurate placement in search results. For you, the consequence is a lot of time wasted clicking on results that have little to do with your search, and possibly downloading more malware.
Conduit is nasty stuff, and many unscrupulous websites distribute it under the false guise of user manuals. And sadly, some well-known (and formerly trustworthy) download sites such as CNET and Tucows lace their downloads with Conduit. See my related article Downloading? Watch Out For These Danger Signs.
Fortunately, Conduit is well-known malware that many top-tier free anti-malware programs know exactly how to handle. To get rid of a Conduit infection, you need to uninstall its standalone program and then uninstall the Conduit Toolbar and any other malware that Conduit may have added to your browser.
Uninstalling the “Search Protection by Conduit” malware is a routine task; just open Control Panel and use the “Uninstall a program” (Windows 7) or “Add/Remove program” (Windows XP) function to select and remove “Search Protection by Conduit.” While you have that uninstall utility open, use it to remove any other unfamiliar or unwanted programs that you may find.
If neither your existing security software nor the Windows uninstall method cleans up the mess, there are tedious manual (pardon the pun) ways of removing the junk that Conduit adds to your browser, but I prefer to let our trusted friend MalwareBytes Anti-Malware do it automatically. I've written about MBAM previously, in Is MBAM Enough Security?
The Google Docs Phish
I want to also mention a similar scam that's making the rounds, targeting Google account user names and passwords. But instead of getting you to download something you actually searched for, this one is proactive, and often comes to you from a known contact.
The Google Docs phishing attempt will arrive as an email asking you to “click here” to review an important document. It says the document is waiting for you on Google Docs, and all you need to do is sign in with your email address and password. From here, it's the classic "rogue website that looks just like the real one, but actually exists only to steal your username and password" scenario.
Submitting the form with your login credentials sends that information to the hackers, who now have the keys to your Google account. They can impersonate you online; raid your contacts; even send more spam or phishing emails that appear to be from you. Bottom line, don't click before engaging brain.
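"Engaging brain" before clicking mostly means looking at where the link actually goes. The following is an added example, not code from the original article: it applies the checks a careful reader would make by eye to the link behind a "click here" button, namely that the page is served over HTTPS, that the host really is under google.com rather than merely containing that string, that nothing is smuggled in front of the host with an `@`, and that the host is not an internationalized look-alike (punycode `xn--` label). The trusted-domain list and the sample links are assumptions constructed for the demonstration.

```python
"""Vet a login link from an e-mail before trusting it with Google credentials.

Added illustration for the article's Google Docs phish; not the author's code.
Trusted domains and sample URLs below are assumptions for the demo.
"""
from urllib.parse import urlsplit

# Assumption: the only place a Google sign-in form should live.
TRUSTED_DOMAIN = "google.com"


def login_link_verdict(url: str) -> str:
    """Return 'ok' or 'reject: <reason>' for a link that claims to be a Google sign-in."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")

    if parts.scheme.lower() != "https":
        return "reject: not https"
    # https://accounts.google.com@evil.example/ puts the real host after the '@'
    if parts.username is not None:
        return "reject: credentials/decoy text before the real host"
    if not host:
        return "reject: no host"
    # Internationalized look-alikes are encoded as xn-- labels
    if any(label.startswith("xn--") for label in host.split(".")):
        return "reject: punycode host"
    # Must be google.com itself or a subdomain of it; 'google.com.evil.example' fails here
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "ok"
    return "reject: host is " + host


# Constructed sample links (none of the non-Google hosts are real sites):
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "https://docs.google.com/document/d/EXAMPLE/edit",
    "http://accounts.google.com/signin",
    "https://accounts.google.com.login-verify.example/",
    "https://accounts.google.com@login-verify.example/",
    "https://xn--ggle-0nda.com/signin",
    "https://drive-google-docs.example/share",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{login_link_verdict(link):45s} {link}")
```

The host check is deliberately strict: a link is accepted only when the registered domain is exactly google.com or a subdomain of it, so a host that merely begins with `accounts.google.com` is rejected. The same logic works for any service by changing `TRUSTED_DOMAIN`, but it says nothing about the page contents, so the final check is still to type the sign-in address yourself rather than follow the e-mail's link.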
Have you been a victim of the “user manual phish" or the "Google Docs phish"? Post your comment or question below...
This article was posted by Bob Rankin on 13 Feb 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved