May 4th, 2007

It was bound to happen - Trojan impersonates Windows activation

Posted by Adrian Kingsley-Hughes @ 11:29 am

Categories: Microsoft, Security

Tags: Credit Card, Trojan Horse, Microsoft Windows, Adrian Kingsley-Hughes

This was so bound to happen - A Trojan which impersonates the Windows activation process and asks the users to enter their credit card details.

The Trojan, called Trojan.Kardphisher, has been spotted in the wild by Symantec researchers. The Trojan isn't all that clever, instead it relies on social engineering to get users to part with their details. 

Here's the scam.  The Trojan installs itself onto a PC and presents the user with the following message:

Your copy of Windows has been activated by another user.
To help reduce software piracy, please re-activate your copy of Windows now.
WE will ask for your billing details, but your credit card will NOT be charged.
You must activate Windows before you can continue to use it.
Microsoft is committed to your Privacy.  For more information, www.microsoft.com/piracy.
Do you want to activate Windows now?

It looks pretty convincing too (check out the images here and here). 

If users select "No," the PC shuts down while clicking "Yes" takes the user to a second screen which asks for the victim's name and credit card details.

Symantec offers the following advice:

This Trojan teaches us all a good lesson - Trust No One. This is the slogan from the TV show The X-Files, and very much applies when it comes to protecting your personal information. Sometimes the creators of Trojans attempt to impersonate Microsoft, a bank, or even a government organization. Whatever the warning or message says, we must make very sure it is genuine before giving up any personal details, financial or otherwise. It's far better to doubt a genuine request until proper verification is provided, than it is to blindly place your trust in a communique simply because it appears to have come from a trusted source.