Criminals impersonate UK police to spread ransom Trojan
Demands payment for accessing extremist websites and porn
By John E Dunn
12 September 2011
The recent spate of ransom malware has taken a strange turn with the news that criminals are impersonating the UK’s Metropolitan Police Service in an attempt to persuade victims to pay a fine for being caught accessing extremist or porn websites.
After apparently being alerted by members of the public and an unamed security company, the Met’s Police Central eCrime Unit (PCeU) has put out a warning about the scam in which unnamed malware locks up infected PCs before demanding a “substantial fee” be sent to the police organisation.
“The message advises the user that they have been caught accessing extreme pornography or terrorism related websites,” said a note put out by the PCeU. “It states that to unlock their computers they are required to forward a substantial fee to the MPS, by way of an online payment service.”
The PCeU was not able to confirm which malware was involved nor to elaborate on the infection mechanism beyond stating that infection could happen after visiting “certain websites,”a vagueness that compromises the usefulness of the warning to some extent.
Given the adoption of the MPS as the method of threat, however, the attack will be aimed at UK users who have no connection to either porn or extremism.
The attack is similar to Ransom.an, a Trojan reported only days ago which demands in German language text that claims to be from Microsoft that victims pay $126 for a Windows license within 48 hours or be locked out of their PCs.
This type of ransom social engineering attack has flared up every now and again at relatively low levels ever since first being tried in 2006, with one of the most persistent culprits being Gpcode. Usually the locking mechanism is either non-existent or can be reversed easily by security researchers; occasionally the attack has used encryption but that approach has fallen out of favour because it adds complexity.
Ransom attacks are nowadays mostly extreme variations on fake antivirus scam theme, where attackers seek to gain payment for non-existent PC infections. It is probably the success of this type of attack as much as anything else that has kept ransom malware on the fringes.