In my previous blog "Fake apps and the lure of alternative sources," I discussed a fraudulent scheme that takes advantage of known, legitimate and free applications. Unlike rogues and ransomware which use threats and force to influence their victims, the social engineering techniques employed by a fake installer are less aggressive yet, interestingly, more deceptive.

This technique is widely used in the Win32/Pameseg family – our detection for a family of "paid archives" that present as fake installers. These "installers" persuade their victims into sending premium SMS messages to successfully complete an installation.

Trojan:Win32/Pameseg.A and TrojanDownloader:MSIL/Pameseg.A are detections for recent variants that have been found taking advantage of the new release of Windows 8, while Trojan:MacOS_X/Pameseg.A has been found targeting Mac OS X users.

If we take a closer look at the fraudulent scheme used, the social strategy starts with the user committing to pursue an attractive proposition. This may include wanting to find an installer for pirated software, key or serial number generators, or simply the installer of a legitimate application. In order to achieve this goal, the user will need to search for information. If the user is unsure or does not even know where the legitimate and clean distribution is, then it is likely they will spend time searching and trying from one or more unknown distribution channels; a problem that brings opportunity to the operators and affiliates of fraudulent paid archives.

Multi-armed bandits, courtesy of Microsoft Research - Silicon Valley (MSR-SVC)

Figure 1: Illustration courtesy of the Multi-armed bandits project at Microsoft Research - Silicon Valley (MSR-SVC)

 

Why is this a problem? Because the user searching from an unknown distribution platform is playing a game of chances – think of it as a probability of finding a match from a random search result. This user’s scenario can be described as the multi-armed bandits (MAB) problem, in which a player faces several slot machines that look identical but produce different winnings. The only way the player can learn and maximize the distribution of the reward from any of the slot machines is by playing all of the machines. The player can't know which machine will provide the reward until they've tried the machine.

In this case, the perpetrators of fraudulent paid archives simply play their chances by offering the distribution. The intent here is that a user may search for a particular piece of software and end up choosing to download malware - thinking they have selected a legitimate copy of the software.

Upon installation of the software, a deceptive scheme is used, which we can relate to as the "low-ball" technique. Using this technique, the user is led to believe they are making a free choice; however, the choice ultimately leads the user to a targeted behavior of downloading and executing the installer. When the installation is almost complete, as seen in the Win32/Pameseg family, the deceptive scheme appears by requesting a cost - a cost that was not previously made clear to the user. This hidden cost is revealed through a second request, for example asking the user to send premium SMS message to get an activation code to continue the installation.

Trojan:MacOS_X/Pameseg.A installer

Figure 2: Fake installer for Trojan:MacOS_X/Pameseg.A

 

The effectiveness of the low-ball technique is due to the fact that the user has already spent time searching for information, explored a distribution, and committed to an idea. This leads the user to perform the voluntary actions of manually downloading the file, storing it locally and initiating the installation process. This is a series of voluntary actions that the user may have not agreed to had they known of the increasing expectation or cost associated with the second request (for money). However, because the low-ball technique is a persuasion method based on a sequential request, the user may act and agree on the second request to comply with the existing "agreement".
For example, the Pameseg family asks the user to comply with the installation by providing an activation code that is only available after sending a premium SMS message. The perpetrators are relying on the user thinking "I've spent this much time and effort on finding and downloading this, I may as well just pay and get it fully unlocked."

This monetization model of paid-archives is an intentional deceit, a deception deliberately targeting innocent online users in order to secure an unfair or unlawful financial gain. Because it is an easy money-making scheme, this monetization model attracts distributions and affiliates in which these perpetrators continue to drive the proliferation of this scheme (see the paper “Less aggressive, more effective: Social engineering with paid archives,” published in the Virus Bulletin Conference 2012 proceedings).

We advise users to consider the following measures as an important precaution against these schemes:

  • When searching for a source to download from, make sure to carefully check the source. Ensure you download the installer or application from legitimate and trusted sources.
  • Be aware of any online transaction you make. Ensure you understand the terms of the software download, especially when it involves installation of "free" applications and, most importantly, those that require you to perform financial transactions.
  • If you’re unsure, find someone you know who can provide helpful advice.

Be safe online and enjoy the festive season!

 

Methusela Cebrian Ferrer
MMPC Melbourne