A Japanese cyber extortion gang is running a new “name to shame” scam by duping users who pirate adult games into installing malware, then demanding that they pay up to keep their names from being publicly posted on the Web, a researcher said today.
The scheme is a new one in the world of “ransomware,” the practice of mucking with users’ files then extorting money to release them back to their rightful owners, said Rik Ferguson, a senior security researcher with Trend Micro’s U.K. office.
According to Trend Micro, whose researchers in both Japan and the U.K. have analyzed the attack, extortionists seeded a Trojan horse onto a popular Japanese file-sharing service called Winny, which has an estimated 200 million users. The malware posed as installers for adult games in the Hentai genre, a pornographic form of anime.
“The installer asks a whole series of personal questions, including name, date of birth, phone number, mailing address, company name and game passwords,” said Ferguson. “It also collects information from the PC, including screenshots of Internet Explorer’s Favorites.” The latter is IE’s term for its bookmarks.
That information, as well as the IE screenshots, were posted to a Web site that is currently offline. Before it went dark, it was used by criminals to extort 1,500 yen, or approximately $16, from victims by promising to remove the information.
“Victims receive e-mail from a company called Romancing Inc., which claims they were in breach of copyright infringement,” said Ferguson. “For a fee, [the criminals] would remove that information and resolve the copyright infringement.”
Although copyright infringement scams have been used by cyber criminals — a recent attack hit European users who were accused of illegally downloading music — the pornographic angle is new. “This ‘name to shame’ tactic hasn’t been used before,” Ferguson said.If the victims had regularly surfed to Hentai sites, the IE activity screenshots and extortion demand would have been very effective in embarrassing users into paying up, he added.
According to reports in the Japanese media, 5,500 people in the Nagasaki area alone have admitted they downloaded the malicious file. One was reportedly a school principal. “The name to shame would be especially effective against victims like that,” Ferguson said.
The hackers also built in a second extortion attempt by adding three MP3 files to victims’ PCs. Those files were offered for sale on another site for what Ferguson called “extremely high” prices, as much as 58 million yen, or $630,000. “You can’t listen to those files,” he said. “The second extortion attempt would claim, ‘Look, you downloaded these files too, and look how expensive they are.'”
The criminals were planning to pitch a second extortion demand to those who fell for the first, Ferguson said.
Payment claims for fake software, often bogus or almost-worthless security software — dubbed “scareware” — are not only nothing new, but also very lucrative, according to a 2008 report. The latest attacks, however, are a troubling trend.
“We’re beginning to see new combinations where scareware is merging with ransomware,” Ferguson said. “This is certainly unlike anything I’ve come across before. The old modus operandi has changed to use bait actually on the victims’ PCs.”
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg’s RSS feed. His e-mail address is [email protected].