Attackers are selectively editing Wikipedia articles to lend credibility to tech support scams, according to Rob VandenBrink at the SANS Internet Storm Center. The Wikipedia page for the SpyEye banking Trojan was changed in mid-December to include a typo-ridden paragraph that claims only three tech companies can remove the malware, and that “Best buy, Geek squad, Office Depo will not be able to fix it at all.”
VandenBrink says that the scammer made these edits to convince victims that “only we can help you fix this (fake of course) infection you have on your computer.” The edit history of the Wikipedia user who made the changes shows that the account made similar edits to the “Macro virus” Wikipedia page, but those changes have since been fixed by other users.
VandenBrink notes that it is actually surprising this technique hasn’t been used by attackers more often. Wikipedia articles are fairly easy for anyone to edit, and Wikipedia is often the first place many Internet users turn to when they want to quickly verify something they’re unsure of.
In this case, the edited Wikipedia page is the first Google search result for “SpyEye.” Although misleading edits can be corrected rather quickly, attackers still have time to carry out their scams before that happens.
Employees need to know which information sources they can trust when it comes to threats. Tech support scams not only exploit victims’ lack of technical knowledge, but also their ignorance of social engineering tactics. New-school security awareness training can give even technologically uncertain employees the ability to identify scams.