Last week a colleague at work was interrupted by Windows asking him to activate his copy and verify his license details. It looked real and was certainly very professionally done; however, there was something not quite right about it. The first screen very carefully tells you that your copy of Windows XP has been activated by another user, and that you should continue this process to enter your billing details in order to activate your copy of Windows XP. Worryingly, if you decide not to continue, your computer is shut down and, upon restart, you are forced to enter the process again.
The window opens and looks exactly like the regular activation setup. You are not able to close the window, go back to the desktop, Alt+Tab, Ctrl+Alt+Del or do anything apart from click Next. It's important to note at this point that neither Microsoft nor any other software vendor will ever ask for personal information or credit card details via the activation process. This is purely an ingenious program that leverages social engineering to get the not-so-web-savvy user in InterWebLand to succumb and enter personal information. The second screen then requests that you enter your location, email and phone, credit card details, including your CVV2 security code, and your ATM PIN!
At this point we firmly believed that this was a fraudulent attempt, although we were pretty impressed at its professional approach. Today we found an article over on ITWire: ‘Windows activation Trojan can catch the unwary’. When it happened the first time there was nothing on the security sites about it, so he must have been an early adopter! It would appear that Symantec are on to this, having published an article about Trojan.CardPhisher and a set of CardPhisher removal instructions.