Slashdot Mirror
Inside a Ransomware Money Machine
tsu doh nimh writes "The FBI is warning that it's getting inundated with complaints from people taken in by ransomware scams that spoof the FBI and try to scare people into paying 'fines' in lieu of going to jail for having downloaded kiddie porn or pirated content. KrebsOnSecurity.com looks inside a few of the scams in the FBI alert, and it turns out it only takes 1-3 percent of victims to pay up to make it seriously worth the fraudsters' while."
Scams are only effective if they appear to be true. Would it surprise anyone for the FBI to essentially take bribes (fines) over fake criminal charges?
sudo make me a sandwich
My buddy got one of those from watching waaaaayy too much porn, and actually called the FBI who told him it was a virus.
What it does is lock your screen with an FBI logo and official-looking message, even displaying the output from the webcam if there is one, saying that unless the mark pays $200 or so using a Bitcoin-like form of payment one can get at convenient stores, the user will be arrested for downloading CP and/or "copyrighted material." Certain keys are locked, obviously, so you can't do the 3-finger salute and kill it with the task manager.
A boot into safe mode and a little MsConfig was enough to fix, though not remove, the malware.
-- Ethanol-fueled
It should all be considered a scam when someone says pay up or I'll take you to court/press charges/sue/threatens you.
Be seeing you...
The best defenses against scams are still the same:
1. Knowing your right to due process, and
2. Knowing proper spelling and grammar in your native language.
I'm continually dismayed that large numbers of people (possessing enough intelligence to use a web browser) don't realize that the FBI using email or popups to demand summary payment of "fines" without due process is implausible and illegal.
Gamingmuseum.com: Give your 3D accelerator a rest.
Geeze isn't it simpler to just install linux or get a mac?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Poor Hoover must be spinning in his bustier.
Isn't this about the same percentage as any spam campaign? That's pretty much why it's still profitable.
Though, you'd think that most people would realize that law enforcement doesn't simply send you an email demanding you pay a fine or face criminal charges -- there really isn't that option as far as I know. Well, at least not in all countries.
Lost at C:>. Found at C.
once you have the mattress home it is legal for you to remove the tag but after that you can't resell the mattress.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Just a horrible observation: this has seriously gotten out of hand and it is getting worse. Back twenty years ago, there were only a limited number of known viruses, that identity definitions / checksums of all of them could have fitted on a single database file big enough for a single floppy disk. Nowdays the combination complicated operating systems with weak security, security bugs on internet software and abundance of poor programmers in the 3rd world countries willing to sell their code of ethics, morals and their mother for two thousand dollars per exploit make it virtually impossible for anti-virus companies to maintain a product and database to keep these off.
In my experience, my customers in most cases were duped in downloading these pieces of thiefware. My personal thought back than was "I wish I could lock this computer in read-only state so that they can not do absolutely anything stupid except turn it on, browse and turn in back off."
In light of this there must be a new way of conducting Internet browsing and software management on local computers. My personal thought was a full read-only operating environment periodically verified with full checksum for its integrity, on which any software updates or new software installs are simply impossible / or new installs are allowed based on reputation scores of such software.
But seriously, are there any schemes or research out there that has been working on the topic of creating a managed secure environment for average consumers?
I have no ego here, EVEN I screw up occasionally.
Yup, no egotism there, no siree...
FYI, understanding the fundamentals of how software works (i.e. "View[ing] the hex code") is not a requirement of using a computer, and shouldn't be.
Equally relevant, being a condescending asshat in regard to your perception of near infallibility isn't necessary either.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Several commenters have asked why anyone would fall for this – after all, US law enforcement agencies generally don't just shake people down for cash. But there are two real-world situations the average person might have dealt with that are somewhat analogous to this.
One is traffic tickets: In most cases, drivers are given the option to simply pay the fine without having to go to court. You can have a full hearing if you want, but most people just pay the fine.
The other is the legal threats against BitTorrent users, the ones where the MAFIAA sends out letters demanding that the person whose account the activity was conducted from either must pay $1000 or some similar amount immediately, or face a lawsuit for significantly more.
Now, there are definitely some legal differences there: a traffic infraction is a "summary offense" that doesn't carry the threat of jail time, and the MAFIAA lawsuits are civil cases, not criminal. But most people don't understand these subtleties: to many of them, any scary-sounding authority figure saying "Pay up" is the same thing. Heck, the Milgram experiment showed that you could have regular people deliver "fatal" electric shocks just by having a guy in a white lab coat tell them they had to.
I'm surprised there isn't more ransomware that turns your webcam on, perhaps catching you in something you'd rather not have on the interwebs, and blackmails you with that.
I'm not a lawyer, but I play one on the Internet. Blog
...and it turns out it only takes 1-3 percent of victims to pay up to make it seriously worth the fraudsters' while
You mean to say that if I demand that a hundred people each send me a lot of money, and one to three of them do... those one to three people are going to... send me a lot of money?? (Is this that "math" thing I've heard so much about?! :p)
The difference between blackmail and settlement is that blackmail requires the threat of doing something ILLEGAL if the demands are not met. Whereas, a settlement offer is the forbearance of a LEGAL right if the demands are met. If someone didn't pay me for my work, for instance, I can send a demand letter asking that he pay me or I will sue him for the money, which is a legal right I have. If I demand money or I will shoot him, that's blackmail.
The boundary is close when it comes to porno cases. What if the right to sue is clear cut (the Copyright Laws clearly prohibit downloading the material) but the real damage is the damage to reputation? That becomes closer to the situation of, "Give me money or I'll release this sex tape you made" or "Give me money or I'll tell the world about our love baby."
A NYC lawyer blogs. http://www.chuangblog.com/
" If I demand money or I will shoot him, that's blackmail."
No, that's extortion.
Blackmail would be threatening to tell your wife about your mistress. Blackmail can include things you would otherwise be perfectly legally allowed to do.
You may have every legal right to expose the trips made to a bathhouse by a homophobic republican senator but if you demand money from him in exchange for *not* revealing that secret, that's illegal.
I don't know about your country, but in mine, suing someone despite knowing very well that your chances of winning are zero with the intent of browbeating the person sued into submission due to him not knowing the legal system and not being able to afford adequate legal representation IS actually illegal.
It's called a frivolous lawsuit and if you are a lawyer and tend to do such things too often, I hope you have a plan B for your time after being disbarred.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If the people watching kiddie porn end up scammed, I say it's cool!
Why is it stupid to write to the FBI for help? Isn't it their job to prosecute crimes that cross the borders of the local jurisdiction, something that is almost certainly the case with such a scam?
Think of the FBI what you want, but as much as it may anyone surprise, they ain't the bad guys, most of the times...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Step 1 Find out which binary is running which provides the ransomware message. Rename it. View the hex code and see if it connects to other files or registry entries. Keep searching and identifying the malware parts.
Step 2 Rename, Delete
Step 3 Get a scan from the free online scanners. Keep deleting until the ransomware and all worms and virii are gone
Step 4 Use D7
This stuff happens cause people don't understand how to use their Operating System. It's the education stupid. That's not to say you make a mistake once every 5 or 10 years and accidentally delete your partition while partitioning something else. Or you actually run a worm'd up binary. It happens, I have no ego here, EVEN I screw up occasionally. However the difference is I head off to Step 1 above.
Actually writing the FBI for help? Very stupid.
You're absolutely right. My 77 year old mother spends most of her time (now that she's retired) tracing and debugging malware binaries. Please.
The bullshit you're spewing is about the same as "the problem with air travel is that people don't know how to pilot a 767." Are you really that thick or are you just trolling?
Posting anon as I'm moderating on this thread.
Geeze isn't it simpler to just install linux or get a mac?
This is the dumbest solution to a problem I have ever heard. Err no, I know someone who threw a way a 6mo old comp due to a virus, but this is still dumb. Those OSes aren't above flaws, attacks, the occasional worm. If you read tech news on the occasion you'd know that.
Each OS has its perks. Linux: web server/hardcore networking shit. Mac: Audio/video and Winders: games, most software that is only programmed for it and for the general 'low watt bulb' population. I really hope you don't do consulting.
"That's right...I said it."
HEX should absolutely NOT be in a Computers 101 class. I told my mother to take a Computers 101 class to learn about computers. God forbid they even brought the word HEX up in that class. That would confuse the shit out of ANY new user. Especially my neighbor who can't even get the names right. No Ken, it is called a Mouse not a Moose.
Hex should be reserved for a Programming 101 class. In my 24yrs of doing tech work, not once has a need to view something HEX come up. Only when I go out of my way and want to modify programs to change their expiration date, the ability to unlock the SAVE button, bypass the CD/DVD check or even give myself more time on a level in a game has HEX ever come into play. Joe User isn't doing that. Joe User wants to play games, work on a project from home in Office, print his tax returns or a sales order for his home business.
"That's right...I said it."
The last two examples you made are otherwise legal actions. It is perfectly legal for a woman to name the father of her child. It is not legal to demand money not to.
It could be argued that a settlement is a payment of actual damages to make the would be plaintiff whole without need for court whereas blackmail is simply for unjust enrichment. However, at some point (such as the RIAA suits) the merits of the case against the defendant fall so low that it becomes indistinguishable from an extortion racket. Further, the payments are documented to not find their way back to the allegedly damaged party, so there is no making whole. But note that the RIAA isn't up on racketeering charges.
The sad thing is that through uncontrolled legal costs, complete lack of a bullshit filter before those costs kick in, and capriciousness our 'justice' system so perfectly backstops blackmail every day.
Yes, it's illegal, on paper. However, in order to do anything meaningful about it, the victim would need to be able to take you to court. Among other things, that effectively means he'd have to be able to afford a lawyer. Additionally, it can be rather difficult to demonstrate to the court that the offender _knew_ he wouldn't win the suit and _intended_ to nonetheless force a settlement to which he was not entitled.
To actually provide the populace at large with effective protection against this kind of abuse of the legal system, all plaintiffs in civil suits would need to be required to pay the defendant's legal fees. (They could then recover their loss if and only if they win the suit.)
The problem with that, of course, is that most people would no longer be able to afford to enforce their legal rights by filing lawsuits. Thus, instead of allowing the courts to be abused to harass the innocent, you're now effectively denying justice by preventing the courts from being used correctly.
It's a thorny problem. There's no perfect solution.
Cut that out, or I will ship you to Norilsk in a box.
Senator XXX bathhouse tapes available on eBay.
Current bid: $1.00
Buy it now: $10,000
Have gnu, will travel.
http://it.slashdot.org/story/12/06/20/0424242/why-nigerian-scammers-say-theyre-from-nigeria
"According to research by Cormac Herley at Microsoft, scammers are looking for the most gullible people, and their crazy emails can help weed out people who are savvy enough to know better. "
Everyone above this line was either troll or trolled except "tsu doh nimh" which I'm pretty sure is this vietnamese gentleman's real name.
Given the feelings of most Americans, somebody with Kiddie porn is 'more deserving' of an early morning SWAT raid than most drug dealers.
Personally, I'm more the type of 'station a camera; visit the house when you go to work' type, if there's concern about possible violence. Then I pick you up at work.
SWAT style invasions will be saved for drug houses* that are effectively never unoccupied, and even then I'd probably wait until it's at 'minimum manning'. SWAT raids on fully occupied dwellings shall be saved for hostage/slave/abuse scenarios where human suffering is highly likely to be reduced if we go in *RIGHT NOW*.
*I'll note that even though I support the legalization of drugs, said legalization would involve moving distribution to legitimate channels, thus a few drug houses would still need to be busted.
I don't read AC A human right
I saw a special on this once. A group went around collecting any old mattress they could find, 'sanitized' it, sowed on a new cover, and resold it.
The problem was that their 'sanitization'* wasn't enough to stop bedbugs, and their cover wasn't impermeable to them. Most of the beds picked up were infested, and what ones weren't were often infested by contact with the other mattresses.
I can see a jurisdiction taking a look at the process and banning the business to try to stop the spread of lice/mites/bedbugs. As a moderate libertarian I think it's the wrong move, but I also believe that selling beds very likely to be infested, not warning buyers that they're likely to be infested, and engaging in essentially useless sanitization efforts to be criminal deception. Basically, if you're going to be sanitizing a bed, you'd better sanitize it. Bake it in an 200F oven for 3 days; subject it to a hard vacuum for 48 hours, whatever it takes. But that's expensive, and new mattresses don't cost much more; I could see it killing the business anyways.
*Which actually consisted of spraying it down with some sanitizer intended for hard surfaces that worked more like febreze than a proper bug killer.
I don't read AC A human right
very nice workaround :-D