Fake Adobe Flash Player Ads Target Skype Users
Flash Player is known for the numerous vulnerabilities that keep surfacing even though Adobe regularly releases security patches. However, it seems that hackers have found another way to use the plugin in malware distribution and other cybercrime activities: posting fake Flash Player ads on Skype.
On March 29, Reddit user j8048188 noted that a suspicious ad popped up when he first pulled up Skype. The ad showed what looked like the official Adobe Flash Player download page in the background, plus a small legitimate-looking pop-up window asking him if he wanted to run or save a 1.47 KB HTML Application file called “FlashPlayer.hta”. According to the window, the file would be downloaded from “oyomakaomojiya.org”.
This incident was not isolated since there were many people other than j8048188 who complained about getting this fake Flash Player ad in Skype. Twitter users @ElectriicDev and @caseylynnfoster posted screenshots of the fake ad they received, with the latter’s picture showing that the FlashPlayer.hta file would be downloaded from a site called “cievubeataporn.net”.
Several Skype users reported the fake ads on the Skype Community page. User jarodsafehouse started a thread with the title “BEWARE! Adobe Flash Player Update”, stating that a large ad for Adobe Flash Player appeared when he opened Skype. Other people echoed his complaint, with one user, Taiga6, posting a picture showing that FlashPlayer.hta would be downloaded from “quoopsocaltransport.org”.
Redditor j8048188 deconstructed the code found in the FlashPlayer.hta file and posted it for others to see, and ZDNet.com showed it to several online security experts to ask their opinion. According to them, the FlashPlayer.hta file offered by the fake ads would trigger obfuscated JavaScript code that executes a command in PowerShell and downloads a JavaScript Encoded Script (JSE) from a domain. These numerous steps mean that antivirus programs won’t detect the malware; the JSE, meanwhile, is downloaded from a disposable domain to make it difficult to trace the attacker.
If you see these fake ads on your Skype account, do not click on the pop-up window or download the file it recommends. If you use Flash Player and think it needs to be updated, get it from the official Adobe website instead of downloading it from third-party sources.
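For defenders, the chain the experts described (an .hta file running script that starts PowerShell, which then fetches a JSE) leaves a recognizable process lineage. The following is an added example, not code from the article or from the Reddit post: it walks parent/child process-creation events and flags each stage. It assumes the .hta is opened by `mshta.exe` (the Windows HTA host) and that the downloaded JSE is later run by Windows Script Host; the event records, PIDs, paths and rule names are constructed for illustration.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style fields);
# these are sample data, not logs from the incident.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\a\Downloads\FlashPlayer.hta"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -Command <constructed placeholder>"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\a\AppData\Local\Temp\sample.jse"'},
    {"pid": 500, "ppid": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},  # benign admin use, must not alert
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_DIRS = ("\\downloads\\", "\\temp\\", "\\inetcache\\")  # assumed watch list

def exe(ev):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(ev["image"]).lower()

def ancestors(pid, by_pid):
    """Yield ancestor events, nearest first; stop at unknown parent or a loop."""
    seen, ev = {pid}, by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev

def detect(events):
    """Return (pid, rule) alerts for each stage of the HTA -> PowerShell -> JSE chain."""
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse in the window
    alerts = []
    for ev in events:
        cmd = ev["cmd"].lower()
        under_mshta = any(exe(a) == "mshta.exe" for a in ancestors(ev["pid"], by_pid))
        if exe(ev) == "mshta.exe" and ".hta" in cmd and any(d in cmd for d in USER_DIRS):
            alerts.append((ev["pid"], "hta-from-user-dir"))
        elif exe(ev) == "powershell.exe" and under_mshta:
            alerts.append((ev["pid"], "powershell-under-mshta"))
        elif exe(ev) in SCRIPT_HOSTS and ".jse" in cmd and under_mshta:
            alerts.append((ev["pid"], "jse-under-mshta"))
    return alerts

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Matching on lineage rather than on file content means the rule still fires when the script inside the .hta is obfuscated, which is the property the experts said defeats antivirus scanning.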