
RegistryScan.cc tells my Mac I have a Windows Malware infection

I was happily working along this afternoon when suddenly I received a Skype pop-up text message. I rarely use Skype for text messaging, sticking with Adium for that. It's usually some Skype SPAM asking me to come to some lonely woman's web page to see pictures of her. This time the message looked pretty ominous:

Obviously this is just a SPAM attempt to get someone to jump over to a web site. Kind of tough for my Mac running Leopard to get a Registry hack installed. At the bottom of the message was a link to go to the offending site:

http://www.registryscan.cc/?q=scan

Out of curiosity I decided to jump over and take a look at the page. I'm running a Mac and it was pretty clear this was targeting Windows machines. What I got was this:


Just trying to navigate away from the site presented me with this little pop-up:


What do I love about all of this? Let's see:
  • The animation leading up to the above screen shot looks like a Windows progress dialog
  • The Windows XP style dialogs were very nicely done
  • The ScanAlert motto: Making the web Hacker Safe! (technically doesn't that mean it's making it safe for hackers???)
  • The line "You PC is still with spyware!" makes me think a LOLCat is responsible
  • That I'm running a Mac
Needless to say the people that pull this crap need to be removed from the Internet. Funny thing is I did a quick search and found this reference to the problem on a Microsoft discussion forum where a Windows user fell for it. There's even a blog post from nearly a month ago from Alex Eckelberry identifying this same site and issue, yet it's still running around today.

Anyone out there know how to stop people like this? Is there a good place to report this kind of behavior? I can see non-technical people falling hard for things like this.

19 comments:

Jacki Hollywood Brown said...

This is the same reason my Dad made me take auto shop in high school...not that I would be fixing my OWN car but I would know when someone was trying to take me to the cleaners.
We need more people to be educated about the internet and scams etc. Just you posting this blog will educate some people. So THANKS!

David Alison said...

@Jacki: Thanks - that's why I put this up. I was actually a little reluctant to include the URL (which is why I made it a non-link) but hopefully it will be picked up by the Google machine and indexed.

Daniel said...

ahh don't you love getting these... I always get a laugh when I get warning message popups with the windows buttons on the right hand corner when I'm using Safari on my Mac... but it's only funny because I understand how stupid the claims are.
I've had many people who have clicked these types of popups/unders and gone through with the scans and infected their computers to the point of no return... and then come running to me crying -_-" Like a guy last year in my class clicked on a popunder that said he had a certain Trojan horse virus and in the end got that virus from the website and I had to spend days trying to recover the system :| Not fun...
I wish there was a place to report this sort of stuff but unfortunately the internet is an untamed place and action will only usually get taken if it's involved in fraud/copyright breaches which sucks :(

Anonymous said...

11/20/08. i was sent this message on skype. i didn't fall for it but i did google the link and found ur site. i love how ur Mac got a full scan. anyway tell ur regulars to ask themselves "why would windows contact me on any instant messenger when they can automatically update everytime i turn on my computer?" (if u allow windows to update)
i was here

Bry said...

OMG, you've been infected by Windows. Shut down, reboot at least 3 times to apply all necessary updates, and still be left with the same steaming pile of crap you had before starting. But at least it'll run so many more programs than Mac OS X
**end sarcasm**

Anonymous said...

Thanks for the post, David. Got the same message yesterday and again today with Skype running on my PC.

I did a google on the URL and found your post...perfect timing. Thanks for taking the time to share.

Tom

David Alison said...

@Tom: That's why I put it up man - glad it helped.

Thorsten Claus said...

Yup, very funny, just happened to me, too :)

But I'm glad that my "PC" is "still", even though it's only "still with malware". Imagine it would be moving! Kind of difficult to type :)

Matt said...

Change your Skype privacy settings to only allow people on your contacts list to contact you. And don't use SkypeMe mode.

http://www.skype.com/security/safety/safety.html

Robert said...

That just popped up on my screen too. The skype message threw me off and I'm a new Mac user so I didn't notice the Windows format. Like the others I was curious and googled the url. Then found you. thanks!

Mary Ellen said...

Got the same thing this morning. Tried to find it on snopes, then googled the url. So glad to confirm it's bogus. Thanks.

Mark said...

Watch for these links now coming on Skype. I don't know how they are beating my privacy settings, but they are requesting to be added to you as a buddy and sending this message.

The skype user to block is
computer.update.kac9
Computer Update

Anonymous said...

The Computer Science Professor: I find these 'scams' useful in my teaching. Whenever possible I demonstrate to my classes what to look for whether it's a 'phishing' or 'pharming' scam or something new like this foolish one. But I've got to tell you that even with a PhD and experience as a Chairman of a college's Computer Science Department I still get challenged with the unending collection of idiots out there who should be banned from computer usage for life. I'll keep educating users to avoid scams. Hope you all will too.

Anonymous said...

Thanks for this post - the RegistryScan site looked relatively professional so it wasn't as obvious as it normally is that it was a scam. When I searched for the name, your blog was one of the first things that came up. Why can't these scammers get proper jobs?! The cc suffix also rang alarm bells - apparently it technically indicates the Cocos (Keeling) Islands, which are found somewhere between Australia and Sri Lanka in the Indian Ocean, but it's been sold all over the US. Cheers, James

Anonymous said...

Thanks for the post ! Today it is Feb 27th, 2009 and I have just received the veeery suspicious SPAM invite, too.

I have flagged it as bogus to the skype team, btw.

Elizabeth said...

I'm pretty good at navigating the intertubes so I wasn't going to go giving myself a virus or get anything stolen, but I'm glad someone did report it and I'm hoping that maybe people will Google the address before they go on it (Google led me to you). Non-techies really will fall for anything. But you can't really blame them; putting your average joe at a computer alone is like asking them to do knee replacement - they wouldn't be able to tell which one was the fake. Ok bad analogy; but I think you get it.

David Alison said...

@Elizabeth: Thanks for the note. As I said before this is one of the things I do quite a bit on my blog: write down things that I find so that they can help others.

Looking through my logs I've had over 600 visitors reach my blog through Google by searching for "registryscan.cc" in the past 3 months so clearly the intertubes are working.

Elizabeth said...

Whoooo for the people who can use these things properly!

Michael Z said...

On a kind of related note, I listen to Howard 100 on Sirius and they constantly have commercials for the same half baked scam sites.