Cybercriminals are becoming increasingly adept at schemes to trick people into giving them money or financial information, an expert said in a Cyber-Extortion Webinar hosted by ASIS International’s Information Asset Protection and Pre-Employment Screening Council (IAPPES) and the Intangible Asset Finance Society (IAFS) Friday morning.
“Particularly in Eastern Europe you see a large number of increasingly sophisticated organizations that are building sophisticated malware…to steal passwords and financial data,” said David Glockner, managing director of Stroz Friedberg, a firm specializing in investigations, intelligence, and risk management.
Some of these organizations, or individuals, use malware that blocks or freezes the victim’s computer; the malware then might display or convey a message that demands money in exchange for the computer being freed.
Another tactic is a virtual version of what Glockner called “street crime extortion,” much like what he saw during his 25 years as a prosecutor at the U.S. Attorney’s Office in Chicago. In the cybercrime context, someone threatens to steal or damage data unless paid a certain amount of money.
At other times, the malware masquerades as something scary but ostensibly helpful, such as an ad or warning offering antivirus protection.
The FBI, which sometimes collectively refers to these types of malware as scareware and ransomware, described example incidents in the 2012 Internet Crime Report, published by the FBI’s Internet Crime Complaint Center (IC3) in partnership with the National White Collar Crime Center.
The report noted that individuals received pop-up messages on their computers alerting them to “purported infections that can only be fixed by purchasing particular antivirus software.” The notice typically displayed icons of reputable antivirus vendors.
In this scheme, called pop-up scareware, the pop-ups couldn’t be easily closed by clicking “close” or the “X” icon. Instead, “the scareware baited users into purchasing software that would allegedly remove viruses from their computers. If the users clicked on the pop-ups to purchase the software, forms to collect payment information appeared and the users were charged for the bogus products.”
Instead of getting antivirus software, users were more likely downloading malware. Even if the user didn’t click on the pop-up, the scareware might have installed malicious code onto the computer, and the “aggressive tactics of the scareware have caused significant losses to users,” the report said.
Also described in the report is Citadel malware, sometimes referred to as the FBI Ransomware because it sometimes uses the FBI’s name and refers to its programs, such as InfraGard and IC3, according to a press release issued by IC3 in July of 2012. The Citadel malware delivers ransomware named Reveton, and once that ransomware is installed, “the user’s computer freezes, and a warning of a violation of U.S. federal law displays on the screen,” the report explained. “To intimidate the user further, the message declares the user’s IP address was identified as visiting child pornography and other illegal content.”
The user is then instructed to pay a fine of $300 to the U.S. Department of Justice using a prepaid money card service to unlock the computer. Once a payment has been made, the Citadel malware “continued to operate on the compromised computer and could be used to commit online banking and credit card fraud,” the report says.
These types of crime were the most common complaints that the FBI received in 2012, with 289,874 complaints total for the year, averaging more than 24,000 complaints per month, according to an FBI press release announcing the 2012 Internet Crime Report issued in May 2013.
For companies, these types of schemes can result in breaches of sensitive information and reputation damage resulting in the loss of customers. Michael Greenberg, a senior research analyst with the RAND Center for Corporate Ethics and Governance who also participated in the webinar, said that when people hear that their personal information, such as credit card data, has been exposed, it’s “a serious reputational event for the company that’s been targeted....” But it’s also a reminder to those not yet victimized “that we’re increasingly locked into this digital world where our own information is out there in the ether somewhere.”
Because of this, companies need to take extra care to protect their information from being compromised, said Glockner. And when an incident does occur, they need to be open about it, which he noted companies are getting better at, as states have enacted regulation calling for disclosures and as society continues to embrace technology. “As companies see themselves as no longer alone in addressing cybersecurity issues, I think they become more comfortable talking about it…and realizing that if it’s going to come out…maybe you’re better off getting ahead of the problem.”
To report an instance of cyber-extortion and find out more about scareware and ransomware, visit the IC3 website at http://www.ic3.gov.