It’s not surprising that scared people are the most vulnerable to attacker’s traps, and there is no reason to think it will work differently with computer users. Using this psychology, cybercrooks show an unaware victim an alert page claiming to have found that banned pornography was viewed or stored on their computer. The message goes on to say their computer is blocked, all their data is encrypted, and they will be sent to court in 48 hours unless they pay a fine. This is basically how ‘Ransomware’ works – scare tactics with a convenient way to buy yourself out of the predicament at the end.
When we look closer at the scam, we find that the Ransomware is focused only on the victim’s browser and fortunately, not as they claim, on the data stored inside the victim’s computer. Here are several points that work together to scare the victim:
- The headline of the webpage: “FBI. ATTENTION! Your browser has been blocked…”. This is the part of the attack that tries to scare visitors as much as possible.
- The name of the page, “gov.cybercrimescenter.com”, tries to convince visitors they are on a legitimate website which belongs to the government.
- A countdown timer starts on 48 hours and counts down the time before “legal steps” starts.
These points try to rush panicked victims into paying the requested money as soon as possible without time to think. But it’s better to take a deep breath before reacting. You know you didn’t watch the movies mentioned on the page, and of course, you didn’t store illegal files. Do you really think that upon identifying a child pornographer, that the government will tell them to pay a small amount of money as a fine and let them go?
Several days ago we received a complaint about javascrpt.ru. After a bit of research, we found that it tries to mimic ajax.google.com and jquery, but the code is an obfuscated/packed redirector.
After removing two layers of obfuscation, we found a list of conditions checking visitors’ user Agent. From these conditions. we got a clue and focused on mobile devices.
Today, I received an email from one of my coworkers (yes, even careful employees of security vendors are in danger:) ). This email has more recipients and contains only one link, without any text or subject.
Fortunately, I am a really paranoid person about emails containing only a link to an unknown site. At this link, you can notice two really suspicious things: The directory is images and there’s a file called yahoo12.php. That should warn users to avoid clicking on this link.
The phishing scam creators are really getting creative. Of course one could question their targeting such in this case. Czech republic is known for our quite lenient view of laws and rules and – especially – the need to pay (or the lack of there off) of any fines especially when imposed by so called municipal police. Who would bother… Hence, an email urging to pay a fine is normally filed directly into the ‘round file’. Known as trash. Well in this case… there actually might be a good reason to look at this closely Read more…
Recently, we’ve noticed that there are too many legitimate domains popping up in our url filters with malware. At first we thought we had a huge false-positive (FP) problem, but after analysis we found a pattern.
All of the referring links came from the Russian Odnoklassniki server, which is a quite-popular Russian social network. Users of that network are getting fake messages with links to photos.
Not only users visiting high-risk sites need avast! protection, but also, for example, visitors of the well-known site samsungimaging.net (the Samsung SMART CAMERA blog) were able to notice that their avast! protected them from a threat.
Yesterday, on this site AVAST began to detect malicious Java content.
Social sites are great for people who want monetize theirs ideas. But sometimes these ideas are far more sinister.
Over the last few last weeks, researchers at the Avast antivirus labs in Prague have noticed new attack based on a combination of social sites, fake Flash Players and the promise of illicit videos of well-known Hollywood stars. Read more…
Sometimes, the use of simple scams and well-known brands are used to trick people into giving up login names and passwords. By making people aware of these scams, we can better protect against the hackers.
You don’t need any obfuscated scripts or blackhat SEO tricks. Sometimes it is as easy as creating a Google document and sending it to trusting users. Anyone can create a simple form without any checks and this can be as a link to docs.google.com. This form is seeded at social sites and via emails. The hackers then wait for responses from any visitors.
Scams involving bogus telephone callers tricking users into divulging private information or parting with money for useless software are not new. However, it is worth reminding people of how the crooks are updating their tricks to better protect the innocent.
We received some emails from our users telling us that they spoke with some guy from ‘Microsoft’ who called to tell them that their computer is badly infected with malware and need repairs. The ‘Microsoft’ guy convinces the victims to use Ammyy remote administrator software to allow the ‘Microsoft guy’ to repair the computer. Ammyy remote admin is legitimate non-malicious program but it is a really easy way for scammers to connect to the victims’ computers and convince them that they are helping.
The crooks then they try to force victims to buy support service. In the first call reported to us they offered a “cheaper” service for only $177.00 plus tax for lifetime support. In the second case, the price had gone up to €300 for 5 years support.
The biggest problem with phone call scams is that the only protection is a common sense. Antivirus can protect against malware from websites and downloads but no software can offer protection when victims allowed access to their computer and are tricked into to paying for fake ‘support & service’.
When we looked into the recent wave of WordPress site hacks, our investigation took two separate paths: uncovering the TimThumb vulnerability and the Black Hole Toolkit used to exploit it.
Now it is time to talk more in detail about what the Blackhole Toolkit is.
For starters, the Blackhole exploit kit is used to spreading malicious software to users through hacked legitimate sites. It was most likely made by Russia developers. The big clue for this is that operators can switch between Russia and English languages. The full version of this toolkit costs around $1500 on the black market. However, bargain hunters can find a stripped down version for the free online.
But, much more important than acquiring Blackhole is finding out how to get rid of it. More precisely, simply finding out if you have been infected. So, how can website owner recognize that his page was infected and has been blocked by an antivirus program because it is being misused as a redirector to site with Blackhole exploit kit? And how do they compromise your site?