Attacks/Breaches
11/8/2012
08:45 PM

Ransomware Scams Net $5 Million Per Year

Visitors to pornography sites main victims of scams that disable computers, demand payment for alleged online misconduct

Cybercriminals are making up to $33,600 a day duping victims into paying fines for alleged Internet violations after infecting and locking up their computers.

This latest brand of ransomware attacks -- where users infected with malware get a pop-up message allegedly from the FBI or other law enforcement agencies accusing them of illegal activity online -- has been on the rise over the past year across Western Europe, the U.S., and Canada. It's earning criminal gangs at least $5 million a year, according to researchers from Symantec, and users visiting pornography sites are most at risk, with 70 percent of the cases originating from malware-rigged porn sites.

Ransomware used in this particular tack -- posing as law enforcement agencies and demanding payment for alleged infractions -- has been spotted in 16 different versions of the malware over the past year and a half. While only around 3 percent of users with these infections actually pay up, the scam is still very lucrative, with fines of up to $200 in the U.S.

One relatively small player's ransomware operation netted 68,000 infected machines in one month, worth up to $400,000 if all of the victims paid the fines. A larger operation snapped up 500,000 infected machines in 18 days, according to Symantec.

"The research shows that up to 2.9 percent of victims end up paying ransoms. That number is significant given" the fees and number of infections, says Randy Abrams, research director of NSS Labs. "It also highlights the professionalization of ransomware as it becomes a popular ploy among numerous cybercrime gangs. Of particular note is the use of social engineering to convince users that they are being required to pay a fine by local law enforcement for browsing illicit materials."

The attacks are relatively simple to execute, says Vikram Thakur, principal security response manager at Symantec. The malware kits include geolocation services so the Trojan can detect the location of the victim's machine and push the geographically correct warning notice from local "law enforcement."

What makes them even more believable is that in most cases, the victims had visited porn sites, so the charge could be construed as legitimate. One message, for instance, ordered payment of a $200 fine within 72 hours, or the victim would be arrested. The reason: "viewing or distributing pornographic content," the pop-up message said.

"I've been at conferences where people were referring to something happening on their computer, saying 'the FBI locked my computer,'" Thakur says. "They truly believed that was the case."

Microsoft last year reported a similar campaign in multiple countries, using pop-up messages with an official-looking police banner claiming discovery of child pornography, other illicit material, and emails with terrorists.

NSS Labs' Abrams says ransomware works well for several reasons. "Low investment of time and money, low risk of getting caught, a highly effective psychological attack methodology, pervasive ignorance of social engineering, and insufficient international law enforcement collaboration all make ransomware an attractive and successful attack vector," Abrams says.

Plus it's a quick way to make a buck. "Ransomware, by design, requires fairly immediate action. Unlike the adware of old, or scams involving email exchanges to further trick a mark and arrange payments, ransomware tends to render the computer useless until it is done with," Abrams says. "You can't just click away annoying ads and the crooks don't have to go back and forth with their marks."

The ransom fines are paid via prepaid electronic payment systems that require purchase of a PIN card from a convenience store, for instance. Moneypak is the most commonly used -- and abused -- PIN. "The victim purchases an electronic payment PIN and then enters that number into the box provided" in the message, according to Symantec's new report on the ransomware scams. "This payment PIN will then be sent by the ransomware to a C&C server where the attackers can retrieve it."


Symantec's report "Ransomware: A Growing Menace" is available here for download.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
