Once again, Microsoft’s secure communication tool has been used to spread malware, according to several complaints on Reddit last Wednesday. Criminals targeted Skype users with fake, yet convincing, Adobe Flash plug-in updates through Skype’s in-app ads.
When users log in, a page appears asking them to download “FlashPlayer.hta”, which seems like a critical update but is in fact a malicious page. Once the user clicks, an HTML application is downloaded that infects the device with ransomware.
The user who started the thread contacted Skype support, which confirmed he was dealing with a virus “unrelated to Skype.” The code was posted on Reddit after two more users complained about seeing the same fake page when logging in.
When contacted, Microsoft called the attack a “social engineering effort.”
“We’re aware of a social engineering technique that could be used to direct some customers to a malicious website,” said the spokesperson. “We continue to encourage customers to exercise caution when opening unsolicited attachments and links from both known and unknown sources and install and regularly update antivirus software.”
Social engineering is the process of tricking users into revealing private, sensitive information or into clicking on or downloading malicious software. Since its release, Skype has regularly been a top target for criminals who rely on gullible, distracted or curious users to click on infected links and Flash and Java ads.