Inside a Ransomware Money Machine
tsu doh nimh writes "The FBI is warning that it's getting inundated with complaints from people taken in by ransomware scams that spoof the FBI and try to scare people into paying 'fines' in lieu of going to jail for having downloaded kiddie porn or pirated content. KrebsOnSecurity.com looks inside a few of the scams in the FBI alert, and it turns out it only takes 1-3 percent of victims to pay up to make it seriously worth the fraudsters' while."
Yes, me. I got one of these emails, but since I know that is not how the FBI operates I deleted it.
My buddy got one of those from watching waaaaayy too much porn, and actually called the FBI who told him it was a virus.
What it does is lock your screen with an FBI logo and official-looking message, even displaying the output from the webcam if there is one, saying that unless the mark pays $200 or so using a Bitcoin-like form of payment one can get at convenience stores, the user will be arrested for downloading CP and/or "copyrighted material." Certain keys are locked, obviously, so you can't do the 3-finger salute and kill it with the task manager.
A boot into safe mode and a little MsConfig was enough to fix, though not remove, the malware.
-- Ethanol-fueled
It should all be considered a scam when someone says pay up or I'll take you to court/press charges/sue/threatens you.
Be seeing you...
The best defenses against scams are still the same:
1. Knowing your right to due process, and
2. Knowing proper spelling and grammar in your native language.
I'm continually dismayed that large numbers of people (possessing enough intelligence to use a web browser) don't realize that the FBI using email or popups to demand summary payment of "fines" without due process is implausible and illegal.
Gamingmuseum.com: Give your 3D accelerator a rest.
I'd at least be surprised by the FBI emailing me the offer...
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Geeze isn't it simpler to just install linux or get a mac?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Poor Hoover must be spinning in his bustier.
Isn't this about the same percentage as any spam campaign? That's pretty much why it's still profitable.
Though, you'd think that most people would realize that law enforcement doesn't simply send you an email demanding you pay a fine or face criminal charges -- there really isn't that option as far as I know. Well, at least not in all countries.
Lost at C:>. Found at C.
once you have the mattress home it is legal for you to remove the tag but after that you can't resell the mattress.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Just a horrible observation: this has seriously gotten out of hand and it is getting worse. Twenty years ago, there were only a limited number of known viruses, so few that the identity definitions / checksums of all of them could have fitted in a single database file that fit on a single floppy disk. Nowadays the combination of complicated operating systems with weak security, security bugs in internet software and an abundance of poor programmers in third-world countries willing to sell their code of ethics, morals and their mother for two thousand dollars per exploit makes it virtually impossible for anti-virus companies to maintain a product and database that keeps these off.
In my experience, my customers in most cases were duped into downloading these pieces of thiefware. My personal thought back then was "I wish I could lock this computer in a read-only state so that they cannot do anything stupid except turn it on, browse and turn it back off."
In light of this there must be a new way of conducting Internet browsing and software management on local computers. My personal thought was a full read-only operating environment periodically verified with a full checksum for its integrity, on which any software updates or new software installs are simply impossible, or new installs are allowed based on reputation scores of such software.
But seriously, are there any schemes or research out there that have been working on the topic of creating a managed secure environment for average consumers?
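The "periodically verified with a full checksum" idea from the post above, as an added example that is not from the thread or any product: a baseline manifest of SHA-256 digests is taken over a directory tree, and a later verification reports files that were modified, added or removed. The directory tree and the tampering are constructed inside a temporary folder purely for the demonstration.

```python
"""Added example: file-integrity baseline and verification for a read-only
environment. Records a SHA-256 manifest of a tree, then detects drift."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB blocks so large files are not read into memory


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with the baseline; any non-empty list is a finding."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny tree, then tamper with it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "browser").write_bytes(b"trusted browser binary")
        (root / "etc.conf").write_text("lock=on\n")
        baseline = build_manifest(root)            # taken while the tree is trusted
        (root / "bin" / "browser").write_bytes(b"replaced binary")  # modified
        (root / "bin" / "dropper").write_bytes(b"new unwanted file")  # added
        (root / "etc.conf").unlink()               # removed
        return verify(root, baseline)
```

In practice the baseline would be stored off the verified volume (or signed), since a manifest the attacker can rewrite proves nothing.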
Several commenters have asked why anyone would fall for this – after all, US law enforcement agencies generally don't just shake people down for cash. But there are two real-world situations the average person might have dealt with that are somewhat analogous to this.
One is traffic tickets: In most cases, drivers are given the option to simply pay the fine without having to go to court. You can have a full hearing if you want, but most people just pay the fine.
The other is the legal threats against BitTorrent users, the ones where the MAFIAA sends out letters demanding that the person whose account the activity was conducted from either must pay $1000 or some similar amount immediately, or face a lawsuit for significantly more.
Now, there are definitely some legal differences there: a traffic infraction is a "summary offense" that doesn't carry the threat of jail time, and the MAFIAA lawsuits are civil cases, not criminal. But most people don't understand these subtleties: to many of them, any scary-sounding authority figure saying "Pay up" is the same thing. Heck, the Milgram experiment showed that you could have regular people deliver "fatal" electric shocks just by having a guy in a white lab coat tell them they had to.
...and it turns out it only takes 1-3 percent of victims to pay up to make it seriously worth the fraudsters' while
You mean to say that if I demand that a hundred people each send me a lot of money, and one to three of them do... those one to three people are going to... send me a lot of money?? (Is this that "math" thing I've heard so much about?! :p)
The difference between blackmail and settlement is that blackmail requires the threat of doing something ILLEGAL if the demands are not met. Whereas, a settlement offer is the forbearance of a LEGAL right if the demands are met. If someone didn't pay me for my work, for instance, I can send a demand letter asking that he pay me or I will sue him for the money, which is a legal right I have. If I demand money or I will shoot him, that's blackmail.
The boundary is close when it comes to porno cases. What if the right to sue is clear cut (the Copyright Laws clearly prohibit downloading the material) but the real damage is the damage to reputation? That becomes closer to the situation of, "Give me money or I'll release this sex tape you made" or "Give me money or I'll tell the world about our love baby."
A NYC lawyer blogs. http://www.chuangblog.com/
" If I demand money or I will shoot him, that's blackmail."
No, that's extortion.
Blackmail would be threatening to tell your wife about your mistress. Blackmail can include things you would otherwise be perfectly legally allowed to do.
You may have every legal right to expose the trips made to a bathhouse by a homophobic republican senator but if you demand money from him in exchange for *not* revealing that secret, that's illegal.
I'm surprised there isn't more ransomware that turns your webcam on, perhaps catching you in something you'd rather not have on the interwebs, and blackmails you with that.
For this reason, I am still amazed that no (well, not many) webcams out there come with a physical shutter that the user can slide closed / open. Why leave it 'looking' at you when you're not using it?
It's not like people don't know this is possible, it's been used as a premise in enough tv shows...
Ah well, a sticker works about the same for me...low tech to the rescue! :)
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
I don't know about your country, but in mine, suing someone despite knowing very well that your chances of winning are zero with the intent of browbeating the person sued into submission due to him not knowing the legal system and not being able to afford adequate legal representation IS actually illegal.
It's called a frivolous lawsuit and if you are a lawyer and tend to do such things too often, I hope you have a plan B for your time after being disbarred.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Exactly. If they suspect you have kiddie pr0n they are not going to take a bribe and say 'pay up to keep us quiet.' The first time you will even hear from them they will be kicking in your front door, seize you and all your electronics.
"That's right...I said it."
The first time you will even hear from them they will be kicking in your front door, seize you and all your electronics.
And it's that sort of personalized attention that makes American law enforcement the best! :O
-1, Too Many Layers Of Abstraction
That's why the thought that 1 to 3 percent of the targets are falling for this makes me weep for the collective intelligence of the human race.
Same thing could be asked of the current Obama administration's officials.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
I just leave my wank sock over it, since the cam is just for chatroulette anyways and i need both for that.......
Snowden and Manning are heroes.
To work that would need to be a fairly targeted attack: picking a few marks and working on them. A scatter-gun attack as usually used by scammers will simply alert the world to the problem and make all marks take the "no one will believe you" line, and the more targeted approach would take a lot more time and effort (and ability): while the payout could be more than worth it long term, I doubt any scammer will take the risk of waiting for as long as the scheme could take to "pay out".
The only case where this sort of attack is a concern IMO is when the attacker is someone that you know, rather than a more remote scammer, who sees reason to be out to get you.
Shhhhh.... You can't tell anyone that Obama's terrorism policies are the exact same as Bush's.
It's easy to laugh and feel superior that a small percentage of people fall for these scams, but what isn't funny is that the people falling for it are mostly senior citizens. Just yesterday my mother-in-law brought me the phone and told me, "It's somebody from Microsoft! They say our computer is infected with a virus!"
I answered the phone and somebody with an Indian accent told me his name was "Todd Moody" and that our computer was sending error messages to Microsoft. Curious about the scam, I let him walk me through opening the application error log and trying to delete some errors from it, to which he exclaimed, "Oh no sir! You cannot delete the errors! This is very very bad! You have a very dangerous trojan virus on your computer!"
If I hadn't been there, my mother-in-law would have handed over her credit card information no questions asked. In fact, my father-in-law had done this in the past. One day I'm going to be a senior citizen and my bullshit detector is going to stop working like it does for everyone else. The Federal Government should be putting a stop to this predatory scumbaggery with extreme prejudice.
When you see this crap, do your civic duty and report it.
i ~ Celebrating Science, Cyberspace, Speculation
HEX should absolutely NOT be in a Computers 101 class. I told my mother to take a Computers 101 class to learn about computers. God forbid they even brought the word HEX up in that class. That would confuse the shit out of ANY new user. Especially my neighbor who can't even get the names right. No Ken, it is called a Mouse not a Moose.
Hex should be reserved for a Programming 101 class. In my 24 years of doing tech work, not once has a need to view something in HEX come up. Only when I go out of my way and want to modify programs to change their expiration date, the ability to unlock the SAVE button, bypass the CD/DVD check or even give myself more time on a level in a game has HEX ever come into play. Joe User isn't doing that. Joe User wants to play games, work on a project from home in Office, print his tax returns or a sales order for his home business.
"That's right...I said it."
The last two examples you made are otherwise legal actions. It is perfectly legal for a woman to name the father of her child. It is not legal to demand money not to.
It could be argued that a settlement is a payment of actual damages to make the would-be plaintiff whole without need for court, whereas blackmail is simply for unjust enrichment. However, at some point (such as the RIAA suits) the merits of the case against the defendant fall so low that it becomes indistinguishable from an extortion racket. Further, the payments are documented to not find their way back to the allegedly damaged party, so there is no making whole. But note that the RIAA isn't up on racketeering charges.
The sad thing is that through uncontrolled legal costs, complete lack of a bullshit filter before those costs kick in, and capriciousness our 'justice' system so perfectly backstops blackmail every day.
One day I'm going to be a senior citizen and my bullshit detector is going to stop working like it does for everyone else
It's not that it stops working, it's just that it's misaligned. You know MS would not call you directly, but Grandma doesn't. The rules we know to protect ourselves are completely alien to someone not immersed in the culture.
You are in a maze of twisted little posts, all alike.