Steer Clear of this Skype Spam

Posted: September 3, 2015 by Christopher Boyd
Last updated: October 20, 2016

Over the last few weeks, there’s been a spam campaign taking place on Skype which involves the following steps:

Scammers use an automated technique to break old / weak Skype passwords (this has been contested by Skype users in that forum thread).
They then use these accounts to send spam messages to contacts.
The spam frequently hides the “real” destination by providing (say) a Baidu search engine link instead – along with the Skype Username of the person who clicked the link in the URL.
The websites the encoded URLs lead to tend to use redirects – it’s possible they’ve been compromised – before dumping the end-user on a diet spam page.

Here’s an example of the spam currently going around:

“Hi [username] | baidu(dot)com/[URL string] advise”

Spammers will often send messages containing shortened URLs – like Bit.ly – to disguise their bad intentions. Some search engines like baidu encode their search URLs (go to Baidu.com, search for something and then right click / view link for examples). Spammers take advantage of this, masking the link to the target website with what the victim will see in the chat spam as a legitimate, trusted URL.

Below you can see the initial landing page, the final destination and a screenshot of a Fiddler log:

This slideshow requires JavaScript.

If your Skype password is in need of a spring clean, now might be the perfect time to do it – feel free to check out the list of hints and tips on the Skype Security page.

Christopher Boyd

COMMENTS

Pingback: Skype Recommends Users Change Passwords | securityinaction()
Pingback: Skype Hacking Tool: A Sting in the Tail… | Malwarebytes Unpacked()
JC

I bet they got in through my hotmail account, which was linked. Just a guess because my hotmail has been hacked before. I really don’t think they are hacking the password. I think they must have a more efficient exploit up their sleeves!
JC

The spammer who sent links out from my Skype account used the display name “live”. I think that’s a clue they accessed Skype from a microsoft live account which was linked.
anebarone

The same just happened here.
1 – I had both a “live” and “facebook” new contacts added; both had a conversation history with me filled with spam links. Blocked both.
2 – Changed Skype and my Live password.
3 – Found no malware or viruses. Bitdefender is always active and I use Malwarebytes for a routinely scan.
17Silben

I agree I used a unique, random 12-string and use 2factor-auth on my MS account.
Though my skype was ancient I dont use it often and forgot to update. My best guess is an exploitable weakness in older skype versions (at least I hope its only in older ones).
Shailesh Kumar Dubey

I opened one of such links on my android phone and landed on a spam site. What actions should I take to ensure my accounts info and my phone stay secure? I have already changed the passwords to all accounts. Please help. I would prefer if I do not have to perform a factory reset.
fatkat

I was sent this baidu link and clicked on link. Can you provide information as to what measures to take to make my laptop secure again?
Craig Ryan Allaby

I did NOT even click the link that was sent to me by someone & this still happened to me. What a pain to delete out the Baidu links from dozens of contact IMs, change my password, relog, go back & delete them once again as they somehow came back, tell people that I was hacked & that they should now change their own password to be on the safe side, & to finally change my status to telling people to NOT click any Baidu links. -.-
That took me about an hour. x.x
Christian Sonne

A few days ago I changed my Skype password make sure it wasn’t hit in case I had used the old password somewhere else. Unique, 26 characters. Today my account was compromised.

There are no linked accounts. I don’t see how it could possibly be a case of brute-forcing the password. Nor could it have been leaked from another service.
Aurimas Visockis

Ancient internet rule 101: never open any fishy websites you don’t know anything about.
Sikobae TheXenodragon

Ever since the Outlook/Skype merger due to the all-knowledgable Micro$oft buyout, your Live account and Skype account are one and the same and share the same password.
anebarone

This is not done automatically, so far. You have to activate the merging. After writing my former comment I found out how to merge everything.
ZetaZeta

How the heck does that even work? I decided to test the link by using a tor instance with noscript and landing on that URL let them use my account to send these links to everyone – how?!

How does visiting that URL compromise my account? Theoretically ANYONE including the bot could visit it. Unless my account got compromised at the same time COMPELTELY unrelatedly.
K.D. K.

With how skype is pre-loading web-pages and generating thumbnails in the chat window, is it possible that bit of malware could be spreading during this? My password was 177 characters long (now a fair bit over 20.) containing numbers, symbols (such as ¶ and ™ before, now different ones) capitol and lowercase letters, unique to skype and not used anywhere else on the internet, and I am not infected with any known virus to malwarebytes, norton or avast, but my account was just used to send a spam link to all contacts in my contact list. Either there’s a bleed/leak/security hole that allows hackers to send messages as someone they are not signed in as & retrieve a full contact lsit without providing a password, or there is a hole in skype itself (likely in web-page pre-loading) that allows a script to run in the background when the thumbnail is being generated.

thoughts?
Mathew

Thanks, Chris! Shared.
TheRealKorbenDallas

WTH are you talking about? Opening the linked spam page does not sent anything to anyone. Where did you get that idea?
ferozfirru

tell me how visiting the spam link will effect the system???
TheRealKorbenDallas

It doesn’t affect your system at all. It is just spam. The purpose of that link is to make you visit the page. The perps apparently receive payments from advertisiers on per-click basis.
IronEleven

Apparently the reason the link contains your Skype username is to tell the attackers that your account is active, painting it as a target for whatever method they use to steal your password.
modularKit

definitely, i exprienced the same thing – i have secure account psw, i’m kind of aware of IT stuff, but then suddenly – i even got calls from people – ey man, why you send me this stuff, whats up with you? and i was even asleep at that time, my MAC (not PC) was hybernated… Definitely there is some hole in WEB.SKYPE, because i’m using that instead of client (also i turned off some of my shady extensions on browser)
Stoshy

Save a recovery code on your Microsoft Account settings in case your account password gets brute forced (scripts that try every password imaginable)?
Stoshy

There’s some exploit with the Skype web app that they are taking advantage of. And yes, you can configure the Baidu links to email you in the event someone does click your bogus links.
Stoshy

Nothing. It just lets them know your account is active and that you have friends to share their links with. It makes you a target.
Van Terry

Time ditch skype and head over to Discord
Patricia Cook

Problem is MICROSOFT! I have one skype address for business related contacts and a personal one which is part of my microsoft outlook email. Now the problem is my business contacts skype account doesn’t have a separate microsoft email so when I go to change the password it goes to my personal one and NOT the business one. They have removed the ability to link and unlink skype accounts from your microsoft/email account and they have removed the ability to change the password for a skype account so I am screwed! So the chinese hackers have hacked my skype account, sent shiite to all my business contacts and now I can’t even change the freaking password. Thanks MICROSOFT for supporting the chinese hacking industry.
Patricia Cook

that may be but MS removed the ability for you to change your password for your skype account, all changes prompt you to log into a microsoft/outlook account. When I go to change my skype password I can only change my outlook skype not my desktop skype which is different with a different password
Patricia Cook

After spending 10 hours I managed to get it sorted myself. The problem I encountered was that my microsoft account would override my skype account rather than let them be separate. I had to decouple them, by setting up a new email for skype then I used a different browser to log into it but not after I ran into trouble with having to wait 30 days for security to be satisfied locking me out of both my outlook email and my separate skype account. I removed the security changes and after a few email security code validations it worked! I don’t know whether the changes then reverting back plus the new browser did the trick or whether after my raving at them for almost 2 hrs meant they fixed something. Don’t know if that helps anyone else but it worked for me. Cheers

RELATED ARTICLES

Cybercrime | Malware

Intentional PE Corruption

April 30, 2012 - Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware...

CONTINUE READING 14 Comments

Cybercrime | Malware

The Cat-and-Mouse Game: The Story of Malwarebytes Chameleon

April 24, 2012 - The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:...

CONTINUE READING 7 Comments

Cybercrime | Hacking

Cybercrime at $12.5 Billion: The Great Underreported Threat

May 7, 2012 - From the outside looking in, it may appear that the press regularly reports stories when a company’s website, database or intellectual property has been hacked, stolen or compromised. The more eye-opening fact of the matter is that the scale and scope of the cybercrime problem is much, much larger and the actual incidences of these...

CONTINUE READING 2 Comments

Cybercrime | Hacking

DDOS, Botnets and Worms…Oh My!

May 14, 2012 - The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.” In response to this we would like to...

CONTINUE READING 1 Comment

Cybercrime | Exploits

“The Sky is Falling… Are You at Risk from the Flame Malware?”

June 1, 2012 - The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”. You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)...

CONTINUE READING 3 Comments

ABOUT THE AUTHOR

Christopher Boyd
Lead Malware Intelligence Analyst

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

SEARCH LABS

TOP POSTS