Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    September 2012
    S M T W T F S
    « Aug   Oct »
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    30  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for September 27th, 2012




    Recently, I talked at the VB2012 conference in Dallas about one of the recent developments in today’s threat landscape: the increasing prevalence of police ransomware. Earlier, Trend Micro published a white paper discussing this threat, titled The “Police Trojan”.

    The idea behind ransomware is relatively simple: the cybercriminals block the user from accessing their own computer. This continues until the user pays the cybercriminal money in order to unlock their system. We first saw this type of threat in Russia back in 2005 to 2006.

    More recently, we’ve seen this threat spread to other countries. Using geo-location, users are presented with a notice – supposedly from local police – that they have committed some crime, and to unlock their PC they need to pay a “fine” of some sort.

    As we looked into this threat, we found that this threat was, in someways, similar to previous fake antivirus threats. Multiple gangs produce their own variants; the social engineering is very good at getting users to pay up, and new versions are appearing all the time. Affiliate programs are also used to monetize this threat.

    We found at least two groups of suspects that run separate affiliate programs. Each group targets different countries, and use locally available payment schemes. There are also differences in the Trojans themselves.

    One of these groups uses server-side scripts to serve the appropriate images and scripts, depending on the user’s country:

    A second group uses a different technique. Here, the images and scripts are embedded in base64-encoded PHP code. The images and scripts are never downloaded separately, as they might be in the first case.

    In cases where the user’s country can’t be determined (or, perhaps, not being targeted by the cybercriminals), a more “conventional” alert, similar to that used by FAKEAV attacks, is displayed.

    How do cybercriminals get their money? Instead of using credit cards, victims are asked to purchase vouchers for electronic cash. Two providers, Ukash and paysafecard, are frequently used by cybercriminals. Both of these services are legitimate; however the vouchers are like cash in that there is no record if they actually change hands.

    What happens is that cybercriminals take the vouchers they have gathered and sell them to various exchange sites, for around 40-50% of the voucher’s face value. The exchanges, in turn, sell these to other users for up to 90% of their value.

    This highlights how cybercriminals are trying out new schemes in order to replace old ones which may have become less effective. New cybercriminal groups arrive on the scene; new business models are created. It is up to the security industry to keep up to protect users.

    For further details about these attacks, you may read the following blog posts:

     



    Posts masked as the fake web app “TumViewer” and “Online Income Solutions” were seen circulating on the popular blogging site Tumblr. Both offer something to Tumblr users, but in reality, they are social engineering lures meant to hook users into another run-of-the-mill survey scams.

    TumViewer and Online Income Solution: Just Another Survey Scam

    Several Tumblr posts were seen promoting “TumViewer” web app. This free app supposedly allows users to see who viewed their pages, which posts were viewed, and how often they were viewed. “TumViewer” appeared to be a minor hit among certain users, as we also noticed some tweets circulating on Twitter that promote the same app.

    Read the rest of this entry »

     
    Posted in Social | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice