May 2, 2012 | By Eva Galperin and Morgan Marquis-Boire

Fake Skype Encryption Tool Targeted at Syrian Activists Promises Security, Delivers Spyware

The campaign of attacks targeting Syrian opposition activists on the Internet has taken a new turn. Since the beginning of the year, Syrian opposition activists have been targeted using several Trojans, which covertly install spying software onto the infected computer, as well as a multitude of YouTube and Facebook login credentials. Last week, TrendMicro's Malware Blog described a website which purportedly offered Skype encryption software, but was actually a Trojan that installed DarkComet 3.3, a remote administration tool that allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record keystrokes, steal passwords, and more--and sends that sensitive information to an address in Syrian IP space. This week, EFF has found an almost identical website located at, shown in the screenshot below.

Clicking "download" downloads the fake Skype encryption application, called "Skype Encryption v2.1," shown in the screenshot below.

Launching the application produces a window that gives you the option to "Encrypt" or "DeCrypt," shown in the screenshot below.

When you click "Encrypt," the application launches a message asking you to please wait while it encrypts your connection, shown in the screenshot below. To be clear, this application does not encrypt anything. Instead of encrypting your Skype traffic, the application downloads a Trojan from This is the same Syrian IP address used in attacks described by TrendMicro, Symantec, Cyber Arabs, and in several of EFF's blog posts.

Once your connections are allegedly encrypted, the application launches a window that says, "Your Connections are Now Completely Encrypted ! ..... Enjoy," as shown in the screenshot below.

In the meantime, this application installs the DarkComet remote access tool on your computer. DarkComet allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record keystrokes, and steal passwords from your computer. Unlike the version of DarkComet described in the TrendMicro post, which is detectable by some antivirus software, this version of DarkComet is not detectable by any antivirus software at this time. For a detailed discussion of how to find and remove DarkComet from your computer, see this blog post.

Syrian Internet users should be especially careful about downloading applications from unfamiliar websites. The fake Skype encryption site showed many obvious signs that it might not be legitimate, from the misspelling of "encryption" to the abuse of Comic Sans, but we can expect future attacks to be more sophisticated.
