Tech support scammers now utilizing ransomware-like lock screens to threaten people

By Justin Luna | Neowin

Some of us may be very well aware of the classic tech support scam, where a cold caller claims to be from the “Windows company” and informs the recipient that their computer has been found to be full of viruses. These cold callers then use fake Blue Screens of Death to make the victim think there really is something wrong with their PC.

Tactics like these can easily be defeated with a few built-in Windows tools and a few keystrokes. However, scammers have been improving their game and are now incorporating lock screens in order to intimidate users even further.

This technique borrows from the infamous ransomware playbook, where a malicious program encrypts a user’s files and leaves the PC stuck on a lock screen prompting them to pay up.

In this case, the scammers trick victims into thinking that their Windows license has expired, and then remove any ability for the user to control their computer. “This is not a fake browser pop up that can easily be terminated by killing the application or restarting the PC. No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will not get rid of it,” according to Jérôme Segura of Malwarebytes Labs.

There is an entire ecosystem for distributing this malware, one channel being to bundle it into pay-per-install applications. “What you thought was a PC optimizer or Flash Player update turns out to be a bunch of useless toolbars and, in some cases, one of these lockers,” said Segura.

Security researcher @TheWack0lian has shared a sample showing how the new tech support scam tactic works. The malware arrives as a genuine-looking Microsoft program that installs without any particular incident, then waits for the user to restart their system. Upon rebooting, the user is greeted by what looks like Windows configuring updates, though this is already the malware kicking in.

Once its “process” is done, it displays an error screen saying that the user’s Windows license is expired. It even takes the time to display the user’s current license key and computer name, to make it look more legitimate.

Now, to unlock the system, the only choice the user appears to have is to dial the number flashed on the screen, which connects them to the tech support scammers, who are eager to steal victims’ personal information as well as their credit card numbers. On calling the number, the researchers discovered that the locker has a hidden function: pressing Ctrl+Shift+T displays an installer for TeamViewer, a remote access program. However, the scammer refused to proceed with unlocking the computer unless a payment of $250 was made.

Fortunately, the researchers were able to find a way to bypass the lock screen. Victims can press Ctrl+Shift and then the S key. Alternatively, a user can enter either “h7c9-7c67-jb” or “g6r-qrp6-h2” or “yt-mq-6w” into the “Product Key” field to unlock the PC. This, however, might only work for some versions of the rogue program.

With these kinds of programs rapidly evolving right before our eyes, it is alarming to see how effectively this malware can take innocent and susceptible people hostage, playing on their fears in addition to stealing money from them.

It always pays to be wary of where we go on the internet, as well as what links we click on. Good security software is also handy for blocking malware that can ruin not only our computers, but possibly a part of our lives as well.


Nasty new ransomware program threatens to leak your files online | PCWorld

Ransomware creators have taken their extortion one step further: in addition to encrypting people’s private files and asking for money before releasing a key, they now threaten to publish those files on the Internet if they’re not paid.

This worrying development has recently been observed in a new ransomware program dubbed Chimera that was documented by the Anti-Botnet Advisory Centre, a service of the German Association of the Internet Industry.

The attackers behind this new threat target mainly businesses by sending rogue emails to specific employees that masquerade as job applications or business offers. The emails contain a link to a malicious file hosted on Dropbox.

Once Chimera infects a computer it starts encrypting the local files. After the first reboot it displays a ransom note on the user’s desktop. The attackers ask for a payment of around 630 euro in Bitcoin in order to provide the decryption key.

Up to this point, the process is similar to that followed by other ransomware programs. However, Chimera’s creators have taken their intimidation attempts to a new low. In their ransom note they claim that if they’re not paid they will publish the user’s files on the Internet.

There’s no evidence that any victim’s personal data has yet been released online, the German Anti-Botnet Advisory Centre said in a blog post.

It’s not clear if the ransomware program does indeed siphon off user files before or after encrypting them. But the threat could be enough to scare even users who have backups into paying.

Ransomware programs typically encrypt data locally and don’t upload it to command-and-control servers because that would require a lot of storage space, even if attackers restrict the theft to certain file types such as pictures.

But the prospect of this happening in the future is scary, as it would pose a major privacy risk to businesses and consumers alike.

Threat forecast for 2014: Ransomware, scams, snoops

AVG has released its security threat predictions for the new year, and the sophisticated attacks that defined 2013 look set to continue.

AVG Technologies Australia security advisor Michael McKinnon said the emergence of ransomware such as CryptoLocker shows the increasing sophistication of modern malware, and should be a concern for individual users and businesses alike.

The company also highlighted internet vigilantism as a growing force on the web. Public frustration at the lack of penalties for cybercrime should continue to grow as individuals take matters into their own hands. McKinnon cited the Boston bombings as an example of large-scale activity by such actors.

Concern about cybercurrency

Increases in the trading of peer-to-peer currencies like Bitcoin are something to be mindful of in the coming year. The real challenge for such crypto-currency technologies is how they will pervade mainstream society. With many issues still to overcome, such as taxation and regulation, McKinnon notes that mixed feelings in the community over such currencies will continue for some time, but the area remains worth watching.


Edward Snowden and Wikileaks showed that privacy was a major issue in 2013, and this will continue. The issue in the future will be one of choice: individuals need to be aware of the content they put up on the web and the privacy issues that may result.

“There are those that don’t wish to live in a surveillance state, while others have complete faith in the ability of their governments to protect them. And some that merely wish to be informed of the best products and bargains by revealing their location and purchasing habits willingly to third parties. Either way, let’s hope that freedom prevails in making our own choice,” McKinnon said.

He also pointed to the enormous number of new Internet users expected in the near future, and their vulnerabilities to the pitfalls of the web to which many experienced users are well accustomed.

These new users face a far steeper learning curve than people in the past, and he expects to see an increase in the number of victims of cyber crime in the near future as these novices learn how to safely navigate the web.

via Threat forecast for 2014: Ransomware, scams, snoops | PCWorld.

Ransomware targets smaller businesses, security CEO warns

Trending cyber attacks such as ransomware may be typically overlooked by small and midsize businesses, but the CEO of security firm Lumension warns that they are actually in the line of fire.


Around the world, ransomware has proved effective against midsized and smaller businesses, mainly because they lack the tools to deal with the attack, said Pat Clawson, chairman and CEO of Lumension, which is based in Scottsdale, Arizona.

“Most corporations have the means to deal with that outright from a technology and people perspective,” he said. “However, if it is a ten person business environment, it is going to cost them a lot of money to get the issue resolved.”

Clawson admits that it is not uncommon for these smaller businesses to even consider paying the ransom in the hope that all of their stolen data is returned.

“For that reason, ransomware is more effective when it targets SMBs that do not have the ability to fight it by themselves with technology or people,” he said.

Knowledge and power

The benefit that bigger companies have is access to the necessary tools and manpower to take care of the problem, as well as prevent it from happening in the first place.

“The guys who create the ransomware are also smart enough to know where the money is to be made,” Clawson said. “Instead of corporations, they tend to target SMBs and individual people that may fall prey to the attack.”

In addition to having the necessary tools to combat ransomware, Clawson said corporations have a culture where staff are more aware of the pitfalls of ransomware, if it manages to get through at all.

“Their technology is already catching the ransomware at the gateway,” he said. “However, if something does get through, their ability to undo the ransomware is significantly easier than for a private business or single user on their own.”

via Ransomware targets smaller businesses, security CEO warns | PCWorld.

‘Darkleech’ malware attacks servers, demands ransom

A persistent, widespread malware campaign that utilizes compromised Apache servers is locking users’ computers and demanding a fee of $300 to free their data.

Researchers from Eset wrote that the ransomware scam is an extension of a long-running attack that compromises the infrastructure of web hosting companies with a variant of a malicious Apache module called “Darkleech.”

“Malicious modification of server binaries seems to be a very popular trend for malware distribution,” wrote Sebastien Duquette, an Eset malware researcher, on a company blog.

Eset also suspects that the attackers may have figured out how to compromise cPanel and Plesk, both of which are software programs used by hosting companies to manage their networks and websites.

How the malware operates

Darkleech tampers with websites hosted on an Apache server. It loads an iframe into a web page and redirects a victim to a malicious URL that hosts the Blackhole exploit kit, Duquette wrote. Eset detected at least 270 websites that redirected victims this way in the last week.

The Blackhole kit then tries to exploit unpatched web browsers or vulnerable Java or Adobe Reader plugins in order to install malware. If an exploit is successful, several pieces of malware are placed on the victim’s computer, Duquette wrote.
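As an added illustration (not code from the article or from Eset), here is a heuristic scan a site operator could run over pages served by a suspect Apache host, flagging hidden or raw-IP-hosted iframes of the kind Darkleech injects before redirecting visitors to the exploit kit. The sample HTML and the site host name are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed plus one 1x1 hidden iframe
# injected before </body>, mimicking the Darkleech injection shape.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/embed" width="600" height="400"></iframe>
<iframe src="http://203.0.113.7/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

SITE_HOST = "www.example.com"  # assumed host the page legitimately belongs to


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Heuristic: tiny or invisible frames are the usual injection shape."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = all(attrs.get(dim, "").strip("px ") in ("0", "1") for dim in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return the src of each iframe that is hidden, or that points off-site to a bare IP."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host
        off_site_ip = host != site_host and re.fullmatch(r"[\d.]+", host) is not None
        if _is_hidden(attrs) or off_site_ip:
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, SITE_HOST):
        print("suspicious iframe:", src)
```

Run it against pages fetched from several hosting accounts on the same server; because the module injects server-side, a hit that is absent from the site's own source files points at the web server rather than the site.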

One of those malware programs, called Nymaim, locks the victim’s computer and asks for a fee. Duquette wrote that the Nymaim ransomware campaign, which has been running for a long time, is customized according to the approximate location of the user. U.S.-based users, for example, see a bogus warning from the U.S. Federal Bureau of Investigation.

It appears attackers are still having much success using the Blackhole exploit kit. As many as 40,000 IPs have been used in campaigns, and in May alone, 15,000 IP addresses were serving up the kit at the same time, Duquette wrote.

“Given how successful these campaigns have been so far at redirecting massive amounts of visitors it is hardly surprising to see these abuses on the increase,” Duquette wrote.

via ‘Darkleech’ malware attacks servers, demands ransom | PCWorld.