Ransomware Scams Net $5 Million Per Year
Visitors to pornography sites main victims of scams that disable computers, demand payment for alleged online misconduct
November 8, 2012
Cybercriminals are making up to $33,600 a day duping victims into paying fines for alleged Internet violations after infecting and locking up their computers.
This latest brand of ransomware attacks -- where users infected with malware get a pop-up message allegedly from the FBI or other law enforcement agencies accusing them of illegal activity online -- has been on the rise over the past year across in Western Europe, the U.S., and Canada. It's earning criminal gangs at least $5 million a year, according to researchers from Symantec, and users visiting pornography sites are most at risk, with 70 percent of the cases originating from malware-rigged porn sites.
Ransomware used in this particular tack of posing as law enforcement agencies and demanding payment for alleged infractions has been spotted with 16 different versions of the malware over the past year and a half. While only around 3 percent of users with these infections actually pay up, the scam is still very lucrative, fines up to $200 in the U.S.
One relatively small player's ransomware operation netted 68,000 infected machines in one month, worth up to $400,000 if all of the victims paid the fines. A larger operation snapped up 500,000 infected machines in 18 days, according to Symantec.
"The research shows that up to 2.9 percent of victims end up paying ransoms. That number is significant given" the fees and number of infections, says Randy Abrams, research director of NSS Labs. "It also highlights the professionalization of ransomware as it becomes a popular ploy among numerous cybercrime gangs. Of particular note is the use of social engineering to convince users that they are being required to pay a fine by local law enforcement for browsing illicit materials."
The attacks are relatively simple to execute, says Vikram Thakur, principal security response manager at Symantec. The malware kits include geolocation services so the Trojan can detect the location of the victim's machine and push the geographically correct warning notice from local "law enforcement."
What makes them even more believable is that in most cases, the victims visited porn sites, so it could be construed as a legitimate charge. One message, for instance ordered payment of a $200 fine within 72 hours or be arrested. The reason: "viewing or distributing pornographic content," the pop-up message said.
"I've been at conferences where people were referring to something happening on their computer, saying 'the FBI locked my computer,'" Thakur says. "They truly believed that was the case."
Microsoft last year reported a similar campaign in multiple countries, using pop-up messages with an official-looking police banner claim discovery of child pornography, other illicit material, and emails with terrorists.
NSS Labs' Abrams says ransomware works well for several reasons. "Low investment of time and money, low risk of getting caught, a highly effective psychological attack methodology, pervasive ignorance of social engineering, and insufficient international law enforcement collaboration all make ransomware an attractive and successful attack vector," NSS Labs' Abrams says.
Plus it's a quick way to make a buck. "Ransomware, by design, requires fairly immediate action. Unlike the adware of old, or scams involving email exchanges to further trick a mark and arrange payments, ransomware tends to render the computer useless until it is done with," Abrams says. "You can't just click away annoying ads and the crooks don't have to go back and forth with their marks.
The ransom fines are paid via prepaid electronic payment systems that require purchase of a PIN card from a convenience store, for instance. Moneypak is the most commonly used –and abused—PIN. "The victim purchases an electronic payment PIN and then enters that number into the box provided" in the message, according to Symantec's new report on the ransomware scams. "This payment PIN will then be sent by the ransomware to a C&C server where the attackers can retrieve it."
[Sophisticated, automated malware attacks are spurring enterprises to shift their security technology, staffing strategies. See Next-Generation Malware: Changing The Game In Security's Operations Center. ]
Symantec's report "Ransomware: A Growing Menace" is available here for download.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like