11/8/2012 08:45 PM

Ransomware Scams Net $5 Million Per Year

Visitors to pornography sites main victims of scams that disable computers, demand payment for alleged online misconduct

Cybercriminals are making up to $33,600 a day duping victims into paying fines for alleged Internet violations after infecting and locking up their computers.

This latest brand of ransomware attack -- in which users infected with malware get a pop-up message purporting to come from the FBI or another law enforcement agency and accusing them of illegal activity online -- has been on the rise over the past year in Western Europe, the U.S., and Canada. It's earning criminal gangs at least $5 million a year, according to researchers from Symantec, and users visiting pornography sites are most at risk, with 70 percent of the cases originating from malware-rigged porn sites.

Ransomware that takes this particular tack of posing as a law enforcement agency and demanding payment for alleged infractions has been spotted in 16 different versions over the past year and a half. While only around 3 percent of infected users actually pay up, the scam is still very lucrative, with fines of up to $200 in the U.S.

One relatively small player's ransomware operation netted 68,000 infected machines in one month, worth up to $400,000 at the roughly 3 percent payment rate and $200 fine cited above (68,000 machines paying $200 apiece would be far more). A larger operation snapped up 500,000 infected machines in 18 days, according to Symantec.

"The research shows that up to 2.9 percent of victims end up paying ransoms. That number is significant given" the fees and number of infections, says Randy Abrams, research director of NSS Labs. "It also highlights the professionalization of ransomware as it becomes a popular ploy among numerous cybercrime gangs. Of particular note is the use of social engineering to convince users that they are being required to pay a fine by local law enforcement for browsing illicit materials."

The attacks are relatively simple to execute, says Vikram Thakur, principal security response manager at Symantec. The malware kits include geolocation services so the Trojan can detect the location of the victim's machine and push the geographically correct warning notice from local "law enforcement."

What makes them even more believable is that in most cases the victims had in fact visited porn sites, so the accusation could be construed as a legitimate charge. One message, for instance, ordered payment of a $200 fine within 72 hours or the victim would be arrested. The reason: "viewing or distributing pornographic content," the pop-up message said.

"I've been at conferences where people were referring to something happening on their computer, saying 'the FBI locked my computer,'" Thakur says. "They truly believed that was the case."

Microsoft last year reported a similar campaign in multiple countries, using pop-up messages with an official-looking police banner claiming to have discovered child pornography, other illicit material, and email exchanges with terrorists.

NSS Labs' Abrams says ransomware works well for several reasons. "Low investment of time and money, low risk of getting caught, a highly effective psychological attack methodology, pervasive ignorance of social engineering, and insufficient international law enforcement collaboration all make ransomware an attractive and successful attack vector," he says.

Plus, it's a quick way to make a buck. "Ransomware, by design, requires fairly immediate action. Unlike the adware of old, or scams involving email exchanges to further trick a mark and arrange payments, ransomware tends to render the computer useless until it is done with," Abrams says. "You can't just click away annoying ads and the crooks don't have to go back and forth with their marks."

The ransom fines are paid via prepaid electronic payment systems that require the purchase of a PIN card from a convenience store, for instance. Moneypak is the most commonly used, and abused, payment PIN. "The victim purchases an electronic payment PIN and then enters that number into the box provided" in the message, according to Symantec's new report on the ransomware scams. "This payment PIN will then be sent by the ransomware to a C&C server where the attackers can retrieve it."
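The payment step described above gives defenders something concrete to look for on the wire: a prepaid-card code leaving the network in an outbound POST to a server that has no business receiving one. The following is an added illustration, not code from the article or from Symantec, of that detection idea run over a handful of constructed proxy log entries. It assumes a MoneyPak-style code is 14 decimal digits (the page does not state the format), and the host names, paths and form-field names are invented for the example.

```python
"""Flag outbound POSTs that look like a prepaid-card PIN being handed to a
ransomware C&C server (added example; hosts, paths and PIN format are assumptions)."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: MoneyPak-style payment codes are 14 decimal digits; victims often
# type them with spaces or dashes, so separators are stripped before matching.
PIN_RE = re.compile(r"^\d{14}$")

# Assumption: hosts where a 14-digit code in a form body is expected business
# (a legitimate reload/redeem page). Anything else receiving one is suspect.
ALLOWED_PAYMENT_HOSTS = {"moneypak.example"}

# Constructed sample traffic: (method, URL, form body). Not real captures.
SAMPLE_REQUESTS = [
    ("POST", "http://moneypak.example/reload", "card=1234&pin=12345678901234"),
    ("GET", "http://geoip.example.test/json?ip=203.0.113.9", ""),
    ("POST", "http://198.51.100.23/gate.php", "id=7a1f&pin=9876-5432-1098-76&geo=US"),
    ("POST", "http://198.51.100.23/gate.php", "id=7a1f&status=locked"),
    ("POST", "http://shop.example.test/cart", "sku=44&qty=2"),
]


def normalize_digits(value):
    """Drop the spaces and dashes people type between groups of digits."""
    return re.sub(r"[ -]", "", value)


def pin_like_fields(body):
    """Return (field, normalized_value) pairs whose value looks like a 14-digit PIN."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            digits = normalize_digits(raw)
            if PIN_RE.match(digits):
                hits.append((name, digits))
    return hits


def is_ip_literal(host):
    """C&C gates are frequently addressed by bare IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def mask_pin(digits):
    """Never write the full code to an alert: it is as good as cash to whoever reads the log."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pin_exfil(requests):
    """Alert on POSTs carrying a PIN-shaped value to a host outside the payment allowlist."""
    alerts = []
    for method, url, body in requests:
        if method.upper() != "POST":
            continue  # the scam submits the code from a form; GETs are out of scope here
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in ALLOWED_PAYMENT_HOSTS:
            continue
        for field, digits in pin_like_fields(body):
            alerts.append({
                "host": host,
                "path": parts.path,
                "field": field,
                "pin_masked": mask_pin(digits),
                "ip_literal_host": is_ip_literal(host),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_pin_exfil(SAMPLE_REQUESTS):
        print(alert)
```

Run stand-alone, the script flags only the POST to the bare-IP gate, reports the field it travelled in, and masks the code. In practice the allowlist and the PIN shape would be tuned to the payment brands actually abused in a region, and the alert would be joined against the client's preceding browsing (the geolocation lookup and the porn-site visit the article describes) to raise confidence before anyone acts on it.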


Symantec's report, "Ransomware: A Growing Menace," is available for download from Symantec.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
