Phishing and Fraud Tricks in China
11.12.2008 - 9:00 AM

Phishing attacks have evolved through several generations to date, and combining a scam Web site with a telephone call is currently the most popular variant. Tencent QQ, the most popular instant messenger in China, is the biggest target of this "reverse vishing" attack: instead of the attacker calling the victim, the victim is lured into calling a number the attacker controls. Well-organized fraud groups make full use of fake QQ customer-service hotlines and fake QQ system messages, together with a counterfeit Web site, to lure users with promises of high-value prizes and valuable awards.
The scam begins with phony system messages sent at random, followed by a pop-up window claiming the user has won a big prize. The pop-up supplies a unique "verification code" and a link to the phishing site. To make the prize look authentic, the swindlers also supply customer-service hotline numbers for the victim to call; these are presented as official Tencent numbers but are in fact the fraudsters' own telephones. The fraudulent sites reuse legitimate-looking logos and company information to increase the victim's trust in the site. In the end, the operators try to charge the "winners" courier fees, taxes and other charges for releasing the award, and the real goal is to collect bank account information.
Users are easily deceived by this kind of scam. Besides the phony Web site and its convincing-looking evidence, the scams typically state that the prize must be claimed within a short time limit, so that the "winner" has no time to think carefully before acting.
The following is an interesting sample of QQ phishing malware. Let's look at how it works.
When analyzing the sample, we found that it is just a dropper written in Delphi. When executed, it drops two files named svchos.exe and svcpos.exe, names that resemble the legitimate Windows process svchost.exe. The job of svchos.exe is to pop up two message windows imitating QQ system messages.
Here are the windows popped up by svchos.exe:
The other file, svcpos.exe, downloads a hosts file from a specific URL and replaces the system's default hosts file with it. The downloaded hosts file maps www.qq.com to 222.xxx.xxx.220, so when the victim visits www.qq.com the browser connects to that IP address instead and is served a page with the same content as the real www.qq.com, plus a pop-up window telling the victim he has won a large prize. Because the redirection happens in the local hosts file rather than at the DNS server, the address bar still shows www.qq.com and nothing looks wrong to the user.
Here is the window popped up by svcpos.exe:
If we click the link, we reach a QQ phishing site. It congratulates us on winning a large award, but before we can receive it we must pay taxes and enter personal information, including bank account details. After the form is submitted, the site tells us to dial a number to "verify" the prize. The man on the phone confirms it: "Yes, you won a prize; just pay the tax, then all the prizes will belong to you."
Here is the page asking us to enter our personal information:
Here is the page telling us to dial a number to verify our prize:
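The hosts-file replacement performed by svcpos.exe is the one component of this sample that a defender can check for directly on a suspect machine. The following Python script is an added example, not code from the original post or from Websense: it parses a hosts file in the format Windows uses and reports every entry that overrides name resolution for a monitored domain. The monitored domain list, the sample hosts content, and the address 222.0.0.220 (standing in for the redacted 222.xxx.xxx.220 above) are constructed for illustration. It also goes slightly beyond the case on this page by labelling loopback or 0.0.0.0 entries as "block" rather than "redirect", since the same file is commonly abused to cut a machine off from particular sites.

```python
"""Audit a hosts file for entries that hijack well-known domains.

Added example for this post, not part of the original Websense analysis.
The dropper described above replaces the Windows hosts file with one that
maps www.qq.com to an attacker-controlled address. This script parses a
hosts file in the hosts(5) format that Windows also uses and reports any
entry for a monitored hostname. Entries pointing at a routable address are
reported as "redirect" (the case on this page); entries pointing at a
loopback or unspecified address are reported as "block", a related tactic
that is an assumption here, not something the post describes.
"""
import ipaddress
import os
from typing import Dict, List, Tuple

# Domains whose presence in a hosts file is suspicious on an ordinary
# machine. The list is an assumption chosen for illustration; a real
# deployment would carry the brands, banks and update servers it cares about.
MONITORED_HOSTS = ("qq.com", "taobao.com", "baidu.com")

# Constructed sample hosts file. The address 222.0.0.220 stands in for the
# redacted 222.xxx.xxx.220 in the post and is not a real indicator.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
222.0.0.220     www.qq.com  qq.com   # injected by the dropper (constructed)
0.0.0.0         www.taobao.com       # constructed "block" entry
192.168.1.10    fileserver.corp.example     # unrelated legitimate entry
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for each effective entry.

    Comments (#) and blank lines are skipped; tabs and multiple hostnames
    per line are handled; a line with an address but no hostname is ignored.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_monitored(host: str, monitored=MONITORED_HOSTS) -> bool:
    """True if host is a monitored domain or one of its subdomains."""
    return any(host == m or host.endswith("." + m) for m in monitored)


def classify_address(ip: str) -> str:
    """'block' for loopback/unspecified addresses, 'redirect' for any other
    address, 'invalid' if the field does not parse as an IP address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "block" if addr.is_loopback or addr.is_unspecified else "redirect"


def find_hijacks(text: str, monitored=MONITORED_HOSTS) -> List[Dict[str, object]]:
    """Report every hosts entry that overrides resolution of a monitored name."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            if is_monitored(host, monitored):
                findings.append({"line": lineno, "host": host, "ip": ip,
                                 "kind": classify_address(ip)})
    return findings


def windows_hosts_path() -> str:
    """Location of the hosts file the dropper overwrites."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    path = windows_hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
        path = "<constructed sample>"
    for hit in find_hijacks(text):
        print(f"{path}:{hit['line']}: {hit['kind']} {hit['host']} -> {hit['ip']}")
```

Run on the constructed sample, the script reports both names on the injected line as redirects to 222.0.0.220 and the www.taobao.com entry as a block; the localhost and internal file-server entries are left alone. On a Windows machine it reads the live hosts file instead, which is exactly the file svcpos.exe replaces.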
Tencent has warned its users not to trust any prize-winning pop-ups on the main page of Tencent QQ.
Similar tricks have spread across the network into other fields as well. Skype and online games with real-time chat functions have suffered the same attacks. The defrauders also abuse well-known commercial sites such as Taobao (the largest online shopping Web site in China) to disseminate prize information, and in some cases they use SEO (Search Engine Optimization) to push their sites up the result rankings of the major search engines.
Another common fraud in China is the lottery forecast. Phony groups imitate the official China Welfare Lottery and China Sports Lottery sites, declaring themselves the only designated official lottery site of China.
This is the main page of a fake China lottery site:

The fraudsters boast a 70%-80% winning rate to lure lottery ticket buyers into applying for member services and paying membership fees. On top of that, they charge first-time members a 5000 RMB deposit.
Here is a snapshot of the membership principles:
Today, this sort of scam is typical in China and is spreading on a large scale. The swindlers use various channels, such as BBS forums and search engines, to disseminate the phony sites and related links. Baidu (the biggest Chinese search engine) has had its brand abused as well.
Here is a phishing site imitating Baidu that is used to spread the lottery forecast scam:
In conclusion, as phishing and fraud groups gradually improve their means of tricking end users, customers should be more careful with these fraudulent sites. Websense Security Labs will continue its efforts to monitor the newest developments. Customers of Websense are protected from these threats.
Security Researchers: Xue Yang, Ulysses Wang