Ransomware, the practice of providing fake notifications that “you’re infected” and then selling a fake solution that removes the fake malware they just installed, has been a boon for scammers. Now, they’re taking it a step further, throwing in a law enforcement scare. In this latest scam, an official-looking banner appears on infected machines, purporting to be from one of a number of law enforcement agencies, localized by region. At the same time, the malware locks down the computer and informs the user that they have to pay a fine to unlock it (paying the "fine" does not actually unlock the computer).
The malware seems to be highly localized, targeting specific language groups and matching that against localized law enforcement body names. So if you’re in Germany, you get a pop-up purporting to come from the “German Federal Police”, but in the UK you’d get a notice from the “Metropolitan Police.”
This is the sort of localized threat Sebastian wrote about recently as a prediction for 2012. By localizing attacks, they can seem more real and have a higher “success” rate, because they seem more relevant to users in a given region.
The scam says that the user has been engaged in illegal activity, and has been caught by the localized law enforcement agency. Since they were “caught”, they must now pay a fine, or have their data deleted by the fake law enforcement agency. Of course, paying a fine only guarantees more of the same a few weeks or months down the road. In the meantime, the payments provide a nice haul of cash for the scammers.
It’s really frightening to see the lengths to which scammers will go to frighten users who may not be familiar with such scares. After all, if a scary real-looking notification pops up on many users’ computers saying that the feds might come to get you, there is a moment of shock. And the alarm factor is what the scam is all about. The notifications allege criminal activity ranging from terrorism to other equally unsavory activities – whatever might catch the attention of the user. They even include your IP, adding to the perceived credibility.
And then there’s the fact that the user might have been engaged in something less than totally honorable, adding to the scare factor. A user thinks, “maybe they found my illegal .mp3/software/traffic/whatever”, and may act irrationally, potentially playing into the scam in an effort to just “make the legal problem go away.” Of course, we know how that story ends. Add this to the fact that various users secretly suspect law enforcement of spying using "grey area" tactics, partly because of the perceived opaqueness of the organizations’ methods. Again, this plays into the hands of the scammers.
Microsoft has some nice screenshots and a breakdown, so thanks for that. Hopefully we can help widen the awareness of this scary scam, and help to keep users safe.
Author Cameron Camp, ESET