This story was originally published on Oct. 23, 2012, and is brought to you today as part of our Best of ECT News series.
Many people know it’s a bad idea to open attachments in email received from strangers, but relatively few know they need to take the same precautions when clicking links on social media sites and even VoIP (Voice Over IP) service Skype. Cybercriminals have been targeting individuals through Skype, and the criminals have been picking up their game and increasingly utilizing so-called ransomware or scareware.
This type of malware allows criminals to lock a computer from a remote location, rendering the machine essentially useless to the actual owner. The criminals then present a pop-up warning that the computer is locked and access won’t be returned until a payment is made.
What makes this particular threat very disturbing is that the criminals often present the warning as if it were coming from law enforcement — notably the FBI — with the claim that the individual being targeted broke some law. This, in essence, is designed to scare the user into paying the “fine.”
“This kind of scam is not necessarily new,” said Shelly Palmer, host of the syndicated radio program Shelly Palmer Digital Living Daily. “The Dorgbot variation is new, and I’ve seen it where the criminals are asking for (US)$100 to $200 to unlock the computer.”
Kaspersky Lab discovered the Dorgbot malware on Oct. 6.
Although ransomware isn’t new, it hasn’t really evolved in terms of how it works since the first known example was discovered in 1989. Written by Joseph Popp, the “PC Cyborg” Trojan worked by claiming that certain pieces of software on a user’s computer had expired, and it then locked the machine. The software was easy to break, unlike many of the modern ransomware attacks; it worked through social engineering and by playing off users’ fears.
“The malware exploits a social engineering flaw in people. It exploits, for example, trust and honesty — some also exploit fear,” said David Jacoby, senior security researcher at Kaspersky Lab.
“Scareware can come in many different shapes. Some malware tries to pretend it is coming from various law enforcement agencies,” Jacoby told TechNewsWorld. “Another type of malware is threatening the victims to pay or else something bad will happen.”
A recent variation on this theme involves criminals telling people they have a virus on their computer and offering to clean it — but in this twist, there is nothing wrong. Recently, the FTC worked to shut down such a scam operating from India.
Cat and Mouse
While antivirus companies look to stay ahead of criminals, many times they fall behind — or the criminals find some new method of attack. What has made staying ahead so much harder is that users today don’t need to open an attachment or download anything. They really just need to click on the wrong link.
Having software that can determine whether a site is safe to visit is thus highly recommended, even if it means users might feel like the software is becoming a virtual nanny.
“We’re past that point,” said Digital Living Daily’s Palmer. “It is an arms race.”
It is the virus makers against the antivirus developers, and this arms race is less a cold-war standoff than full-on hostilities.
“What happens now is that we’re seeing much shorter times of the malware releases which makes antivirus companies react faster,” said Jindřich Kubec, virus lab director at Avast Software. “That’s why we needed to adopt cloud approaches, behavior analysis, sandboxing/process isolation, etc. But the principle still stays the same.”
Moreover, what makes this worse is that the criminals can target legitimate websites, thus turning what should be a safe zone into a very dangerous place to visit.
“One very common way to spread scareware and rogue security software is to infect websites with code that will redirect the visitors to another website,” said Jacoby. “That website looks exactly like common security software and antivirus software. It will simulate a local scan of your computer, where it finds several pieces of malware, and you are offered a file to download to fix all the security issues.”
No effort is required to become a victim either.
“You do not have to click on anything, or open any attachment — you just have to be active on the Internet to become a victim for these attacks,” he stressed.
New Kind of Hacker
In the past, some hackers took on a kind of folk hero status. Kevin Mitnick, for example, was considered the most-wanted computer criminal in the United States at the time of his arrest, but he now works as a “security consultant.”
Today, though, the hacker is hardly as romanticized.
“It is a criminal enterprise. They know exactly what they are doing and what they are trying to accomplish,” said Alan Webber, industry analyst and managing partner at the Altimeter Group. “As a friend called it, ransomware is a virtual mugging.”
On the surface, it would seem that new laws might help matters, but this is far from the case. In fact, the problem isn’t the need to make new laws or even enforce existing laws, but rather simply to keep up with the criminals.
“This argument is made in Congress that we need stricter laws, but the laws are already on the books,” said Fred H. Cate, Ph.D., of the Center for Applied Cybersecurity Research at Indiana University. “As my students are surprised to hear, you can beat your wife and get a year in jail. If you send your wife a virus, you can get 20 years in jail.”
That doesn’t mean that the laws are actually enforced, but until there is loss of life, this is an issue that will persist, Cate added.
“We haven’t reached that 9/11 moment yet,” Cate told TechNewsWorld. “When that happens, Congress will overreact and we’ll move to a system of more backups. It is going to escalate, but I see that eventually we have to focus more and more on recovery.”
Some efforts to stop ransomware have worked. For one, most major credit card issuers have been able to successfully block payments to the hackers, who have since moved to requesting payments via gift cards from retailers.
Combating this type of threat is really just a return to the basics — not trusting anything on any site. Computer users are advised not to open links in social media just as they shouldn’t in email.
“Stay away from sites that are going to pop up things,” added Altimeter’s Webber. “Keep the firewall up, and make sure you’re doing regular scans to make sure that stuff isn’t downloaded. But also stay away from spam email. It is sometimes OK to miss some email so the bad stuff doesn’t get through.”
The other thing to do is not to panic. This is called “scareware” for a reason, as it plays on fears. Ransomware, or scareware, can be difficult to remove — so again, recovery of important data is what is crucial, meaning there is never too much in the way of backups.
“Current ransomware uses strong encryption methods that make decryption nearly impossible,” said Avast’s Kubec. “Generally, the problem is still the same — people don’t update, they don’t backup, some of them don’t run antivirus, they have risky behavior, and when something happens, they panic and can lose more money and data than needed.”