I suppose we all saw this coming: ransomware authors are now posing as the NSA, claiming to be using the PRISM system to identify users performing illegal activities and demanding payment for their system to be unlocked.
This new variant was documented by security researcher Kafeine on his blog, in an article titled “Prism themed ransomware – Kovter evolution.”
The ransomware appears after a user has either executed the malware (via trickery no doubt) or by being hit by a drive-by exploit. After some time, the malware covers the screen and makes it impossible for the user to get around the ransom notice by disabling the Task Manager and forcing the notice to the front of the screen; typical ransomware stuff.
Screenshot courtesy of Kafeine @ Malware Don’t Need Coffee
The success of a malicious attack is determined by several factors including how well it is crafted and what its distribution channel is.
Over the years, we have seen different methods used by the bad guys to deliver their nasty payloads. Social engineering, the art of tricking people into doing certain things, always yields a pretty good return.
Of course, drive-by downloads, where simply browsing to a site results in your computer getting infected, are also a very popular technique.
To add to these two methods, there’s a third one that we could call extortion, where the end user has no other choice but to comply with the bad guys’ demands.
Did you ever wonder what it looks like when all these techniques are combined? Look no further:
Fake YouTube showing pornographic videos.
We discovered this legitimate website that had been compromised. It pretends to be YouTube, although you will (or should) never see such content on there since it is very explicit material.
Scammers are at it again with their attempts to get users to download unnecessary software, visit pointless (and potentially dangerous) sites and fill out surveys for their own profit.
This time, however, their tactic hit a little close to home.
Earlier this week, we got a tip-off from one of our followers and friends on Twitter, @bartblaze, about a Twitter account pretending to speak for Malwarebytes.
The Twitter account, @malwarebytesx, has posted heavily over the last couple of days about Malwarebytes Anti-Malware being available (both legitimately and as a cracked version) at a posted link. They even created a variation of our logo and got 51 people to follow them!
UPDATE (08/22/13): Apple revoked the fake Flash Player’s certificate which effectively removes it from Safari.
UPDATE (08/21/13): The bad guys are serving the fake Flash Player from Google Docs:
I used Fiddler to decrypt the HTTPS communication and reveal the malicious file being downloaded from Google Docs.
UPDATE (08/16/13): The rogue Flash Player extension for Apple’s Safari was signed with a valid Safari developer ID. (Hat tip to Braden Thomas for spotting it).
It belongs to “firstname.lastname@example.org” with Safari developer ID: E728F995AB.
Spammers are beating YouTube’s filters to upload pornographic images and tricking people into following a hyperlink to view more. We are not talking about slightly provocative or revealing images (and we know how many of those there are) but rather about highly offensive material normally only seen on porn websites.
Due to the sensitive and NSFW nature of the topic, I have blurred the pictures and foul language.
But there is a catch, and it comes as a premium-rate SMS: it asks for age confirmation when it is really about charging you an expensive fee to view the material.
Those SMS numbers have been reported already for fraud, but they keep on going nonetheless. Typically, one text message can cost you several dollars, while regular text messages are normally free or only a few cents.