I'd just like to entertain you with the details of my little private investigation of a spam message.
In one of the threads I posted in, a couple of days later I saw a message about "How to remove 'windows secure kit 2011' virus – windows secure kit 2011 removal instructions", with a link. Somewhat related, since the topic of the thread was about whether svchost.exe is a threat.
I visited the link (which I do not wish to repeat here, of course), and what do I see? Useless instructions with fancy screenshots, and a download link to an "iExplore.exe" file (sounds fishy, doesn't it?).
I decided to check out how the scam works (you know, for shits and giggles), so I set up a VMware virtual machine with an updated Windows 7 and Microsoft Security Essentials. I downloaded this exe and ran it. This is what happened:
- It downloaded the "Spyware Doctor 8.0" installer from "PC Tools" (71 MB, no less).
- I installed it, and it says:
"The software is not compatible with the following security software: Microsoft Security Essentials. It is advisable to remove it before you install Spyware Doctor." And a "Removal" button.
- I opted not to remove it, and just pressed Forward.
It went on, asked for EULA acceptance (LOL), and asked whether I want automatic updates (LOL).
- Okay, the setup went through. When it finished, it asked me to connect to the internet to refresh its "removal database" (I had cleverly disconnected at the start of the install process).
- So I reconnected and picked "Start Update".
- Windows User Account Control kicks in. I accept (LOL). It downloads 88 MB.
- So after it "refreshed its database", the user interface started, with "Intelli-scan" and nice progress bars, and what do you know, after just 2 seconds it had already found 2 security risks!
Those two risks are tracking cookies. It didn't find anything else, but when it finished and I clicked "Remove risks", a little window popped up: to remove the risks, I need the registered version. And the button below: Internet shopping.
- So I click on that and get to an e-commerce website; it seems nice and honest, with a simple form: name, email, register button.
I give my fake email, then click, and there you go: for as low as 29.95 USD, I can buy a 3-PC license. PayPal or credit card. And they will put Registry Mechanic in the package too, for 19.95 USD.
PS. I reported the message, of course. The poster of the message had 7 other messages, also with links to this and some other website.
I'll check back on the thread and update you on what happened. (The member and the message, or at least the link, will disappear, I suppose.)
Ah, how nice, I already got an email to my fake address (it's fake in the sense that it's the one I use for purposes like this...). 63 USD is what I could pay, says the reminder. Of course with tracked links, wherever I would click. I won't.