April 17, 2017

Doctor Web has already published an article about fixed matches, a popular form of Internet fraud. However, the technology used by cybercriminals is constantly evolving: now they have implemented a special program in their fraudulent schemes to trick Internet users.

The traditional approach of cybercriminals engaged in so-called fixed matches is quite simple: they create a special website that offers for sale “reliable and verified information on the results of sporting events”. Later, buyers can use this information to make supposedly sure-win bets at bookmaker's offices. The creators of such websites represent themselves as retired coaches and sports analysts. In fact, while one segment of paying customers gets one forecast, another segment gets one that’s the exact opposite. If one of the victims complains, cybercriminals offer them their next forecast for free as compensation for their loss.

Recently cybercriminals have made some changes to this scheme. They are still creating websites to attract customers and public pages on social networks, but as a way of proving the quality of their services, they tell customers to download a password-protected, self-unpacking RAR archive that supposedly contains text files showing the match results of an event. Cybercriminals send the password for this archive after the match is finished. This is supposed to give users a chance to compare the predicted outcome with the real one.

Instead of the archive, cybercriminals send their victims their own program, one that fully imitates the interface and behaviour of an SFX archive created with WinRAR. This program has been added to the Dr.Web virus databases under the name Trojan.Fraudster.2986. It is not only undistinguishable from an ordinary RAR SFX archive, but it also reacts the same way when users enter incorrect passwords and perform other actions.

This fake “archive” contains the template of a text file that, with the help of a special algorithm, inserts the required match results which depend on what password is entered by the user. Thus, when the match is finished, the only thing that cybercriminals have to do is to send their victim the appropriate password, and the text file with the correct result will be “extracted” from the “archive” (in reality, the Trojan will generate it on the basis of the template).

There is also an alternative version of this fraudulent scheme—cybercriminals send their victims a password-protected Microsoft Excel file containing a special macro. This macro uses the same method to insert the required result, depending on what password is entered.

Doctor Web reminds users that all the various and sundry predictions criminals are making about match results is a type of fraud that any user can fall victim to. Do not trust websites offering you the chance to make a fortune using insider information to place bets, even if the promises of the cybercriminals involved look very convincing.

More about this Trojan