Caleb, one of our readers, has reported that Wikipedia articles have been “primed” and are being actively used in the various fake tech support phone campaigns. For instance, the Wikipedia article for SpyEye (https://en.wikipedia.org/wiki/SpyEye#cite_note-trusteerzeus-5 ) now contains this paragraph:
Indicators that something is wrong?
- The grammar, first and most obvious. While grammar is getting better in phishing campaigns, poor grammar is still a decent indicator that something might be wrong on this page.
- While the grammar might just as easily be that of an “English as a Second Language” speaker, the “Nobody can help you except 3 companies” verbiage should be an alarm bell. This is the text the scammer uses to tell the victim that “only we can help you fix this (fake, of course) infection you have on your computer”.
- The reference  goes to a parked page, and reference  refers to Zeus malware, which is a precursor to SpyEye. Reference  points to a decent reference, but it’s not related to the text it’s a reference for.
- The Wikipedia “View History” page shows that the editor for this text was “Techaddy15031989”; this account no longer exists: https://en.wikipedia.org/wiki/User:Techaddy15031989 . Accounts that come and go during suspicious activity are a good indicator, just as DNS names changing frequently might be in a different style of attack.
Other edits by this account are shown here:
- Looking at the history of these other contributions, we see similar text on the “macro virus” page, which has since been corrected by other editors.
Given Wikipedia's editing model, it's somewhat surprising that we don't see more malicious activity of this type on the platform. Google doesn't show exact matches for this text elsewhere at the moment; has anyone seen text with similar intent in other articles? Maybe this is something we'll be seeing more of?
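The indicators listed above (scam wording in the added text, references to domains the article never cited before, and an editing account that has since vanished) lend themselves to automated triage of an article's revision history. The script below is an added example written for this diary, not code from the original post or from Wikipedia. The revision list and user lookup are constructed inline to resemble the shape of MediaWiki API output (action=query&prop=revisions&rvprop=ids|user|content and action=query&list=users&usprop=editcount), so it runs offline; the wikitext, the example.org/example.net domains, the 555 phone number and the scam-phrase list are all assumptions made for illustration.

```python
import difflib
import re
from urllib.parse import urlparse

# Constructed sample: article wikitext before and after a suspicious edit.
# The added paragraph mimics the "Nobody can help you except 3 companies" copy
# described in the diary; domains and phone number are reserved placeholders.
OLD_WIKITEXT = (
    "SpyEye is a malware program that attacks users running Google Chrome, "
    "Opera, Firefox and Internet Explorer.<ref>https://www.example.org/zeus-spyeye</ref>\n"
)
NEW_WIKITEXT = OLD_WIKITEXT + (
    "If your computer is infected by SpyEye, nobody can help you except 3 companies. "
    "Call toll free 1-800-555-0199 to remove the infection now."
    "<ref>https://fix-pc.example.net/help</ref><ref>https://www.example.org/zeus-spyeye</ref>\n"
)

# Constructed sample shaped like prop=revisions output (oldest first).
REVISIONS = [
    {"revid": 1001, "user": "LongTimeEditor", "*": OLD_WIKITEXT},
    {"revid": 1002, "user": "Techaddy15031989", "*": NEW_WIKITEXT},
]

# Constructed sample shaped like list=users output, indexed by name.
# MediaWiki reports a non-existent account as {"name": ..., "missing": ""}.
USERS = {
    "LongTimeEditor": {"userid": 42, "editcount": 5400},
    "Techaddy15031989": {"missing": ""},
}

# Wording typical of fake tech-support copy. Assumption: a starter list to extend.
SCAM_PATTERNS = {
    "exclusive_help_claim": re.compile(r"nobody can help you except", re.I),
    "call_to_phone": re.compile(r"\bcall\b.{0,30}\b(?:toll[- ]free|now)\b", re.I),
    "phone_number": re.compile(r"\b1?[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
}

REF_URL = re.compile(r"https?://[^\s<>\]|]+")


def ref_urls(wikitext):
    """Return external URLs found inside <ref>...</ref> tags, in document order."""
    bodies = re.findall(r"<ref[^>/]*>(.*?)</ref>", wikitext, flags=re.I | re.S)
    return [u for body in bodies for u in REF_URL.findall(body)]


def ref_domains(wikitext):
    hosts = (urlparse(u).hostname for u in ref_urls(wikitext))
    return {h.lower() for h in hosts if h}


def new_ref_domains(old_wikitext, new_wikitext):
    """Domains cited for the first time by this edit: candidates for parked or unrelated pages."""
    return ref_domains(new_wikitext) - ref_domains(old_wikitext)


def added_lines(old_wikitext, new_wikitext):
    """Lines present only in the new revision (ndiff marks them with '+ ')."""
    diff = difflib.ndiff(old_wikitext.splitlines(), new_wikitext.splitlines())
    return [line[2:] for line in diff if line.startswith("+ ")]


def scam_phrase_hits(text):
    return sorted(name for name, pat in SCAM_PATTERNS.items() if pat.search(text))


def editor_flags(username, users, min_editcount=50):
    """Flag accounts that no longer exist or have very little history."""
    info = users.get(username)
    flags = []
    if info is None or "missing" in info:
        flags.append("account_missing")
    elif info.get("editcount", 0) < min_editcount:
        flags.append("low_editcount")
    return flags


def triage(prev_rev, rev, users):
    """Combine the three indicators for one revision; score counts distinct hits."""
    added_text = "\n".join(added_lines(prev_rev["*"], rev["*"]))
    result = {
        "revid": rev["revid"],
        "user": rev["user"],
        "editor_flags": editor_flags(rev["user"], users),
        "scam_phrases": scam_phrase_hits(added_text),
        "new_ref_domains": sorted(new_ref_domains(prev_rev["*"], rev["*"])),
    }
    result["score"] = (len(result["editor_flags"]) + len(result["scam_phrases"])
                       + len(result["new_ref_domains"]))
    return result


def triage_history(revisions, users):
    """Triage each revision against its predecessor; revisions are oldest first."""
    return [triage(revisions[i - 1], revisions[i], users) for i in range(1, len(revisions))]


if __name__ == "__main__":
    for report in triage_history(REVISIONS, USERS):
        print(report)
```

To run this against a live article, fetch the revision list with `rvprop=ids|user|content` and the editor records with `list=users`, then pass them in the same shape as the constructed samples; a revision scoring on all three indicators at once (missing editor, scam phrasing, newly cited domain) is the one worth a human look. The phrase list deliberately errs toward recall, since a Wikipedia editor reviewing the flagged diff is the real filter.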
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.