Leon Erlanger is a freelance writer, consultant, and former PC Magazine Executive Editor who has spent the past eight ...
The past month has seen two interesting developments related to scareware and ransomware. The first was a $163 million judgment, obtained at the request of the FTC, against the final defendant in a massive scareware scheme that used Web ads and phony virus scans to trick users into buying phony antivirus software. The second was a warning from Skype about a ransomware attack that spams users’ contact lists with a message saying “lol, this is your new profile pic.” Users who click the included Web link are tricked into downloading a worm that, among other things, installs ransomware that locks them out of their systems and informs them that their files have been encrypted and will be deleted in 48 hours unless they hand over $200.
Scareware and ransomware are similar in that both rely on fear to trick users into paying money to the perpetrators. The difference is that scareware typically gives the user the illusion of a severely compromised system, whereas with ransomware the compromise is all too real. These threats have been proliferating through social media sites such as Facebook and Twitter, and some have scared users by displaying child pornography on their screens. Some victims have also received notices from a phony government agency claiming that such material has been found on their system and demanding payment of a fine.
Not only do users often pay the perpetrators to avoid embarrassment or prosecution, but the personal information they disclose in the process can then lead to identity theft or worse. When you consider that one judgment alone involved $163 million in alleged profits, this is a very lucrative scheme.
The latest McAfee Threats Report: Second Quarter 2012 found a large jump in new ransomware, up about 25 percent from the previous quarter and fourfold from the year before.
The effects for the user are shocking and immediate. As the report points out, it is frightening enough to lose all of your family photos and videos; imagine the effect if the malware spreads from one user’s system across an enterprise network.
Scareware and ransomware should be part of any enterprise security education program. Users should know how these scams work and should understand that, rather than hiding an attack or paying the perpetrator out of fear of prosecution for child pornography, they should report the attack to IT right away. Users should also be kept informed about specific new threats and should know that a security notice that appears to come from McAfee or another reputable security vendor may still be phony.
Users can protect themselves by observing a few key best practices:
Advice for enterprises can be found in my last blog, Security Education Should Get an F.