NEWS FROM THE LAB - Wednesday, July 17, 2013

On "FBI" "Ransomware" and Macs

Posted by Sean @ 15:34 GMT

On Monday, Malwarebytes researcher Jerome Segura posted a nice write-up (and video) about FBI-themed ransom scams targeting users of Apple Mac OS X.

The basics are as such:

  •  Segura discovered the scam via a Bing Images search for Taylor Swift.
  •  A compromised site hosting the image linked to a webpage mimicking police ransomware.
  •  Only it isn't really "ware" in the normal sense of a ransomware trojan; it is a webpage.
  •  The scam uses clever, persistent JavaScript in its attempt to trick visitors into paying a supposed fine.

And now we'd like to contribute some additional notes.

Located in Canada, Segura was directed to an FBI-themed webpage. This is probably due to his North American IP address, or else he was using a US-based proxy.

In Europe, the result is Europol-themed:

[Image: Europol_Ransom_Scam_Mac]

And the scam uses a Europol-themed URL:

[Image: Europol_Ransom_Scam_Mac_Locked]

Also, such scams are not just targeting Macs, as this comment from The Safe Mac explains.

[Image: TheSafeMac_FBI_Ransomware]

Crimeware kits target everything, all the time: Windows, Macs, every OS.

But most of the time… there isn't a good exploit vector for delivering malware to Macs, so Mac visitors are redirected to something "spammy" instead. For example, now that the ransom scam has been exposed, this is what the FBI and Europol URLs are currently redirecting to:

[Image: Find Your Adult Friend]

Find Your Adult Friend: a site which uses scraped images. (Avoid.)