Spanish police bust alleged “ransomware” ring that took in $1.34M annually

Spanish authorities announced Wednesday that they had arrested 10 people who were allegedly involved in a massive “ransomware” ring. The European Cybercrime Centre estimated that the criminal operation "affected tens of thousands of computers worldwide, bringing in profits in excess of €1 million ($1.34 million) per year."

The Spanish Ministry of the Interior described (Google Translate) the lead suspect as a “a 27-year-old citizen of Russian origin who was arrested in December in the United Arab Emirates,” and now awaits extradition to Spain. The newly arrested 10 were linked to the financial cell of the ransomware operation and include six Russians, two Ukrainians, and two Georgians. The Ministry added that the operation remains “open,” suggesting that more arrests could be forthcoming. (Spanish authorities posted a video (RAR) of the new arrests and raid.)

Madrid dubbed the ransomware used by the ring a “police virus” because it throws up a notice that appears to come from law enforcement. The malware requires the user to pay €100 ($134) as a “fine” from a false accusation of accessing child pornography or file-sharing websites. When the victims submit their payment details, European authorities added, the “criminals then go on to steal data and information from the victim’s computer.”

Read 7 remaining paragraphs | Comments

Man Arrested in Relation to the “Remote Control Virus”

Back in October 2012, we published a couple of blogs about Backdoor.Rabasheeta, a back door Trojan that was used to make numerous death threats from compromised computers, resulting in four wrongful arrests. The saga may have come to an end for the malware author who had been taunting the Japanese authorities for months. On February 10, the Tokyo Metropolitan Police arrested Yusuke Katayama, a 30-year-old Tokyo resident who works for an IT company, on suspicion of forcible obstruction of business by posting anonymous online threats, although the accused has denied any wrongdoing. Katayama was also arrested and convicted in 2006 for making similar online threats to a record company for a copyright issue regarding Noma-Neko, a popular cat character on a Japanese forum. Since October, the series of incidents has made national headlines in Japan, and the sordid story may now be reaching its climax.

Let me describe the sequence of events so that you can get a better understanding of what transpired.

Summer, 2012

The author of the malware fooled innocent people on message boards into installing software that turned out to be a back door Trojan. After the malware was executed, the attacker took control of the compromised computers and made various death threats, either through emails or by posting comments on message boards. The attacker also exploited a cross-site request forgery vulnerability to write a death threat on a message board from a compromised computer. The attacker used Tor, software used to stay anonymous on the Internet, to cover his or her tracks. The attacker’s criminal acts led to four wrongful arrests by the police.

October, 2012

After it was publicized that malware was used to remotely perform the crime, someone purporting to be the malware author came forward, sending an email to a lawyer who specializes in Internet legal issues. The author also sent emails to a few others, claiming to be the culprit who made death threats on 13 different occasions. He, or she, also provided other details as well as a “How-to” manual to prove that they were the perpetrator of the crimes.

November, 2012

The same person then sent the same lawyer, as well as some journalists, an email stating that they had made a mistake that would enable the authorities to track him or her down. The email contained an attachment of an image hinting that he or she was going to commit suicide. The image contained false exchangeable image file format (Exif) details in an attempt to fool the police. Searches by the police ended with no one suspicious being found anywhere near the location listed in the Exif data.

Figure 1. Email image attachment with false Exif data

December, 2012

The National Police Agency, Japan's central law enforcement body, offered a reward of three million yen for information leading to the arrest of the culprit.

January 1, 2013

As soon as the New Year began, the perpetrator again sent an email inviting the media to participate in a series of puzzles, with the winner’s prize being the source code of the malware, along with a message that included the motive and an FAQ. Solving the puzzles led to a location in the mountains where a memory card was supposedly buried, but even when the puzzle was solved, the card was not there.

Figure 2. Images displayed after solving puzzle

January 5, 2013

The perpetrator started another round of puzzles and this time they led to a memory card that was placed on a cat’s leash; apparently the cat is popular amongst tourists on Enoshima, a small island near Tokyo. The police actually found an SD card on the cat and confiscated it. According to media reports it contained the malware source code, as well as other unconfirmed files.

Figure 3. Images displayed after solving puzzle

The perpetrator, by leaving the virtual world and entering the real world, may have been the cause of their own undoing, as surveillance cameras on the island allowed the police to track the suspect down. The Internet has tools like Tor to help people stay anonymous or at least close to it, however, staying hidden in the real world is difficult to do. According to media reports, the police are investigating one incident where Tor may not have been used to perpetrate one of the crimes.

This may be the end of the saga for the culprit if he is found guilty, but it is just the beginning for the police and the prosecutors as they must gather as much evidence as they can to prove that he committed the crime and punish him accordingly. 

Man allegedly used identity theft to stick AT&T, T-Mobile with $8M bill

A man has been arrested for allegedly stealing identities to ring up at least $8 million in fraudulent cell phone service charges, according to a press release from the office of the US Attorney for the Southern District of New York on Wednesday. The US Attorney, Preet Bharara, asserts that the arrested man, Amadou Dia, executed the scheme for 12 years with a number of co-conspirators.

To achieve the service theft, Dia allegedly stole the identities of over 1,000 people, 450 of who were active-duty or retired US military personnel. Dia collected names, social security numbers, and dates of birth, and then used that information to activate cell service accounts with AT&T and T-Mobile.

Dia and his partners would then “create SIM cards and put them in mobile handsets,” and use the phones to call premium international telephone numbers sometimes costing $1 a minute to connect. When AT&T or T-Mobile went to bill for the calls, they couldn’t hold those with their names in the accounts responsible, as they were identity theft victims. Hence, the US carriers would have to pay out to the international carriers, who would then pay out to the holders of the telephone numbers, who were allegedly in on the scam with Dia.

Read 1 remaining paragraphs | Comments

Adobe Releases Security Update for Adobe Flash Player

Adobe has released a security update for Adobe Flash Player to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition or take control of the affected systems.

Adobe has released updates for the following versions:

  • Adobe Flash Player 11.5.502.149 and earlier versions for Windows and Macintosh
  • Adobe Flash player and earlier versions for Linux
  • Adobe Flash player and earlier versions for Android 4.x devices
  • Adobe Flash player and earlier versions for Android 3.x devices
  • Adobe AIR and earlier versions
  • Adobe AIR SDK (including AIR for iOS) and earlier versions

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB13-05 and apply any necessary updates to help mitigate the risk.

This product is provided subject to this Notification and this Privacy & Use policy.