avast! Virus Lab infographic shows how prolific and widespread Browser Ransomware attacks have been over the last three months.
During December I wrote about the tricks and tactics of Browser Ransomware. Browser Ransomware is malware that runs in various browsers to prevent people from using their PCs. To regain access to their own PC, the victim of this malware must pay a ransom to unblock it. The key to the success of this attack is its translation into many different languages, giving the cybercrooks a bigger pool of potential victims.
Today I would like to look back on Browser Ransomware attacks and share some data from our avast! CommunityIQ with you.
We detect Ransomware attacks using several different methods. The detections I checked were created January 30, 2014. I was really surprised at the huge impact this attack has had on AVAST users.
- In a little under 3 months, AVAST protected more than a half million unique users around the world from Ransomware attacks.
- In the past 6 weeks, AVAST users have unknowingly visited a site with Ransomware on it over 18 million times.
- During the last 24 hours, AVAST stopped redirection from infected sites to sites hosting Ransomware for more than 18,000 unique users.
It’s not surprising that scared people are the most vulnerable to attackers’ traps, and there is no reason to think it works differently with computer users. Using this psychology, cybercrooks show an unaware victim an alert page claiming to have found that banned pornography was viewed or stored on their computer. The message goes on to say their computer is blocked, all their data is encrypted, and they will be sent to court in 48 hours unless they pay a fine. This is basically how ‘Ransomware’ works – scare tactics with a convenient way to buy yourself out of the predicament at the end.
When we look closer at the scam, we find that the Ransomware targets only the victim’s browser and, fortunately, not the data stored on the victim’s computer as it claims. Here are several points that work together to scare the victim:
- The headline of the webpage: “FBI. ATTENTION! Your browser has been blocked…”. This is the part of the attack that tries to scare visitors as much as possible.
- The name of the page, “gov.cybercrimescenter.com”, tries to convince visitors they are on a legitimate website which belongs to the government.
- A countdown timer starts at 48 hours and counts down the time before “legal steps” start.
These points try to rush panicked victims into paying the requested money as soon as possible, without time to think. But it’s better to take a deep breath before reacting. You know you didn’t watch the movies mentioned on the page, and of course you didn’t store illegal files. Do you really think that, upon identifying a child pornographer, the government would tell them to pay a small amount of money as a fine and let them go?
Several days ago we received a complaint about javascrpt.ru. After a bit of research, we found that it tries to mimic ajax.google.com and jquery, but the code is an obfuscated/packed redirector.
After removing two layers of obfuscation, we found a list of conditions checking the visitor’s User-Agent. From these conditions, we got a clue and focused on mobile devices.
Today, I received an email from one of my coworkers (yes, even careful employees of security vendors are in danger :) ). This email has several recipients and contains only one link, without any text or subject.
Fortunately, I am really paranoid about emails containing only a link to an unknown site. In this link, you can notice two really suspicious things: the directory is named “images”, yet it contains a file called yahoo12.php. That should warn users to avoid clicking on the link.
The phishing scam creators are really getting creative. Of course, one could question their choice of target in this case. The Czech Republic is known for its rather lenient view of laws and rules and – especially – of the need to pay (or the lack thereof) any fines, especially when imposed by the so-called municipal police. Who would bother… Hence, an email urging you to pay a fine is normally filed directly into the ‘round file’, known as the trash. Well, in this case… there actually might be a good reason to look at it closely.
Recently, we’ve noticed a surprising number of legitimate domains popping up in our URL filters as hosting malware. At first we thought we had a huge false-positive (FP) problem, but after analysis we found a pattern.
All of the referring links came from the Russian Odnoklassniki server, a quite popular Russian social network. Users of that network are getting fake messages with links to photos.
It is not only users visiting high-risk sites who need avast! protection. For example, visitors of the well-known site samsungimaging.net (the Samsung SMART CAMERA blog) were able to notice that their avast! protected them from a threat.
Yesterday, AVAST began to detect malicious Java content on this site.
Social sites are great for people who want to monetize their ideas. But sometimes these ideas are far more sinister.
Over the last few weeks, researchers at the Avast antivirus labs in Prague have noticed a new attack based on a combination of social sites, fake Flash Players and the promise of illicit videos of well-known Hollywood stars.
Sometimes, simple scams built around well-known brands are used to trick people into giving up login names and passwords. By making people aware of these scams, we can better protect against the hackers.
You don’t need any obfuscated scripts or blackhat SEO tricks. Sometimes it is as easy as creating a Google document and sending it to trusting users. Anyone can create a simple form without any checks, and it is then shared as a link to docs.google.com. This form is seeded on social sites and via emails. The hackers then wait for responses from any visitors.
Scams involving bogus telephone callers tricking users into divulging private information or parting with money for useless software are not new. However, to better protect the innocent, it is worth reminding people of how the crooks are updating their tricks.
We received some emails from our users telling us that they spoke with some guy from ‘Microsoft’ who called to tell them that their computer was badly infected with malware and needed repair. The ‘Microsoft’ guy convinces the victims to use the Ammyy remote administration software to allow the ‘Microsoft guy’ to repair the computer. Ammyy remote admin is a legitimate, non-malicious program, but it is a really easy way for scammers to connect to the victims’ computers and convince them that they are helping.
The crooks then try to force victims to buy a support service. In the first call reported to us, they offered a “cheaper” service for only $177.00 plus tax for lifetime support. In the second case, the price had gone up to €300 for 5 years of support.
The biggest problem with phone call scams is that the only protection is common sense. Antivirus can protect against malware from websites and downloads, but no software can offer protection once victims have allowed access to their computer and are tricked into paying for fake ‘support & service’.