Another law enforcement group co-opted in extortion scheme

A cybercrime group has escalated the scare tactics in an increasingly sophisticated Trojan-ransomware combination to frighten victims into paying a bogus fine to unlock their computers.

The latest iteration of Citadel malware and Reveton ransomware uses the name of the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center, in a warning that claims victims have violated federal laws. In a new twist, the ransomware claims victims' computer activity is being recorded.

The scheme begins with luring a person to a website hosting the malware. Once Reveton is installed, it locks up the victim's computer and displays a screen saying the FBI has found that the computer's IP address has been used to access child pornography and other illicit content.


The ransomware uses the IC3 name to frighten people into paying a fine through prepaid money card services, the FBI said. The malware uses the victim's geographical location to direct them to a particular payment service.

"In addition to instilling a fear of prosecution, this version of the malware also claims that the user's computer activity is being recorded using audio, video, and other devices," the FBI said in a statement.

The scheme also involves installation of Citadel, which waits in the background to steal online banking credentials and credit-card numbers.

Criminals have used the Reveton-Citadel combo before. In August, the pair was used in a scheme that co-opted the name of the FBI to frighten victims, the agency said. The FBI first learned of the malware in 2011.

Symantec recently predicted that ransomware such as Reveton would surpass fake antivirus in 2013 as the biggest online scam. Fake AV scams typically warn visitors to a malicious website that their computers are infected with viruses and then install malware under the pretense of removing the infection.

"From here on out, we're going to see [Reveton-like] threats get much more professional looking and sophisticated as cybercriminals refine the scam and up the fear factor," said Kevin Haley, director of Symantec Security Response.

Symantec has noticed that the spread of Reveton (also known as Ransomlock.G) has increased lately in the U.S. and other countries. "It's particularly effective because the attackers behind it are quick to implement the latest exploit kits and social engineering tricks," Haley said.

More than 16 gangs are behind the spread of ransomware, he said. The majority of infections occur when people click on ads featured on adult-oriented websites.
