The past month has seen two interesting developments related to scare- and ransomware. The first was a judgment of $163 million, at the request of the FTC, on the final defendant perpetrator of a massive scareware scheme that used Web ads and phony virus scans to trick users into purchasing phony antivirus software. The second was a warning to users from Skype about a ransomware attack that spams user contact lists with a message saying “lol, this is your new profile pic.” When users click on the included Web link, they’re tricked into downloading a worm that, among other things, installs ransomware that locks users out of their systems and informs them that their files have been encrypted and will be deleted in 48 hours unless they hand over $200.
Scareware and ransomware are similar in that they rely on fear tactics to trick users into paying some amount of money to the perpetrators. The difference is that scareware typically gives the user the illusion of a severely compromised system, whereas with ransomware the compromise is all too real. These threats have been proliferating through social media sites such as Facebook and Twitter and have also scared users by displaying child pornography on their screens. Some victims have received notices from a phony government agency that such pornography has been found on their system and requires them to pay a fine.
Not only do users often pay the perpetrators to avoid embarrassment or prosecution, but disclosing personal information to the perpetrator can then result in identity theft or worse. When you consider that one judgment involved $163 million in alleged profits, this is a pretty lucrative exploit.
The latest McAfee Threats Report: Second Quarter 2012 found a large jump in new ransomware exploits, up about 25 percent from the previous quarter and fourfold from the year before.
The effects for the user are shocking and immediate. As the report points out, it can be frightening enough to lose all your family photos and videos, but imagine the effect if the malware spreads from the user’s system across an enterprise network.
Scareware and ransomware should be part of any enterprise security education program. Users should know how these scams work and should understand that, rather than hiding an attack or paying the perpetrator out of fear of prosecution for child pornography, they should report the attack to IT right away. Users should also be educated about new specific threats and know that even if a security notice appears to come from McAfee or some other reputable security vendor, it may still be phony.
Users can protect themselves by observing a few key best practices:
- Keep their systems up to date with security software, and with application and operating system patches.
- Exercise caution regarding software downloads and Web sites they visit.
- Make sure all desktop and laptop files are backed up consistently.
- Do not pay under any circumstances.
- Understand that a scareware threat may not be real, but it does indicate that the system has been compromised with malware that may be doing other nefarious things besides spreading scareware, such as adding the system to a botnet.
- Disconnect the infected system from the network and inform IT immediately in the event of an attack.
- Take advantage of available scareware removal tools from reputable security vendors, or rely on IT to do so.
- Enable popup blockers.
- Avoid clicking on links in emails and instant messages unless they are positive the links are legitimate.
- Inform owners of the site that appears to be the immediate source of the attack.
Advice for enterprises can be found in my last blog, Security Education Should Get an F.