Massive Malvertising Campaign Leads to Browser-Locking Ransomware

The Browlock ransomware (Trojan.Ransomlock.AG) is probably the simplest version of ransomware that is currently active. It does not download child abuse material, such as Ransomlock.AE, or encrypt files on your computer, like Trojan.Cryptolocker. It does not even run as a program on the compromised computer. This ransomware is instead a plain old Web page, with JavaScript tricks that prevent users from closing a browser tab. It determines the user’s local country and makes the usual threats, claiming that the user has broken the law by accessing pornography websites and demands that they pay a fine to the local police.

Browlock 1 edit.png

Figure 1. Browlock ransomware demands a fine for surfing pornography illegally

What is substantial is the number of users getting redirected to the Browlock website. In November, Symantec blocked more than 650,000 connections to the Browlock website. The same trend continues in December. More than 220,000 connections were blocked just 11 days into December. Overall, about 1.8 million connections have been blocked since tracking began in September.

These numbers may not seem particularly large for those familiar with exploit kits and traffic redirection systems, but they solely represent users of Symantec products. The 650,000 connections detected in November is merely a piece of the pie, but the real number is likely to be much larger.

Browlock 2.png

Figure 2. Browlock ransomware’s activity in November and December this year

The previous figures show the amount of activity detected per day. The attacks occur in waves, with two particularly noticeable peaks on November 3 and November 16. On November 16, more than 130,000 computers were blocked from being directed to the Browlock website.

Getting the hits

The Browlock attackers appear to be purchasing traffic that redirects many different visitors to their malicious website. They are using malvertising, an increasingly common approach which involves purchasing advertising from legitimate networks. The advertisement is directed to what appears to be an adult Web page, which then redirects to the Browlock website.

The traffic that the Browlock attackers purchased comes from several sources, but primarily from adult advertising networks. Several security researchers have been tracking this activity for the past few months, notably Malekal and Dynamoo.

In a recent example, the attackers created several different accounts with an advertising network, deposited payment, and began buying traffic to redirect users to a website with a name that resembles an online chat forum. When the user visits the page, they are then redirected to the Browlock site. In fact, the attacker hosts the legitimate-looking domain name on the same infrastructure as the ransomware site itself.  

The Browlock infrastructure

When a victim is directed to the Browlock website, a URL specific to the victim and their country’s law enforcement is generated. For example, visitors from the US are directed to a URL which looks similar to the following:

fbi.gov.id693505003-4810598945.a5695.com

There are two notable elements of this URL. The first is the fbi.gov value and the second is the actual domain, a5695.com. The fbi.gov value is clearly meant to represent the local law enforcement agency. Symantec has identified 29 different law enforcement values, representing approximately 25 regions. The following graph shows the percentage of connections for the top ten law enforcement agencies identified. We found that traffic from the US was the most common. This is followed by Germany, then Europol, which covers European countries when no specific image template has been created.

Browlock 3.png

Figure 3. Top ten regions targeted by Browlock

The second relevant value is the domain. We have seen 196 domains since tracking began. The domains adhere to the format of a single letter followed by four digits and then .com. The actual domains have been hosted on a number of different IP addresses over the past four months.

The most active Autonomous System (AS) has been AS48031 - PE Ivanov Vitaliy Sergeevich, which was used in each of the past four months. The attackers rotated through seven different IP addresses in this AS.

Summary

The Browlock ransomware tactic is simple but effective. Attackers save money by not using a malicious executable or accessing an exploit kit. As the victim simply needs to close their browser to escape from the Web page, one might think that no one will pay up. However, the Browlock attackers are clearly spending money to purchase traffic and so they must be making a return on that investment. The usual ransomware tactic of targeting users of pornographic websites continues to capitalize on a victim’s embarrassment and may account for the success rate.

Symantec protects its customers from Browlock with IPS and AV signatures.

Malicious infrastructures used

AS24940 HETZNER-AS Hetzner Online AG

  • IP address: 144.76.136.174 Number of redirected users: 2,387

 AS48031 – PE Ivanov Vitaliy Sergeevich

  • IP address: 176.103.48.11 Number of redirected users: 37,521
  • IP address: 193.169.86.15 Number of redirected users: 346
  • IP address: 193.169.86.247 Number of redirected users: 662,712
  • IP address: 193.169.86.250 Number of redirected users: 475,914
  • IP address: 193.169.87.14 Number of redirected users: 164,587
  • IP address: 193.169.87.15 Number of redirected users: 3,945
  • IP address: 193.169.87.247 Number of redirected users: 132,398

AS3255 –UARNET

  • IP address: 194.44.49.150 Number of redirected users: 28,533
  • IP address: 194.44.49.152 Number of redirected users: 134,206

AS59577 SIGMA-AS Sigma ltd

  • IP address: 195.20.141.61 Number of redirected users: 22,960

Nigeria Ifaki Federal University Oye-ekiti

  • IP address: 196.47.100.2 Number of redirected users: 47,527

AS44050 - Petersburg Internet Network LLC

  • IP address: 91.220.131.106 Number of redirected users: 81,343
  • IP address: 91.220.131.108 Number of redirected users: 75,381
  • IP address: 91.220.131.56 Number of redirected users: 293

AS31266 INSTOLL-AS Instoll ltd.

  • IP address: 91.239.238.21 Number of redirected users: 8,063

Instagram Hoax: Over 100,000 Users Repost Bogus Account Deletion Message

Over the weekend, a hoax about mass account deletion made its rounds on photo-sharing app Instagram. A bogus account @activeaccountsafe, posted a photo which claimed to be a privacy policy update from Instagram. The photo reads:

“On December 20, 2013 we will be randomly deleting a huge mass of Instagram accounts. Many users create multiple accounts and don’t use them all. This cost us $1.1 million to run inactive accounts. These accounts become inactive and then create spams. In order for us to keep al spam off of Instagram we will be randomly deleting accounts. To keep your account active REPOST this picture with @ActiveAccountSafe & #ActiveAccountSafe . We’re doing this to keep active users online.”

Instagram Hoax 1 edit 2.png

Figure 1. The hoax Instagram account @ActiveAccountSafe

The account amassed close to 100,000 followers, while the hashtag #ActiveAccountSafe has racked up nearly 150,000 posts.

Instagram Hoax 2 edit 2.png

Figure 2. Nearly 150,000 posts using the hashtag #ActiveAccountSafe

We recently discovered a scam which duped 100,000 Instagram users into giving up their login credentials. Unlike the previous scam, this one did not ask users to login with their Instagram login credentials. It merely asked them to re-post a photo. However, the message is clear: social network users are constantly targeted by scams, spam and hoaxes and these campaigns succeed, which is why those responsible for them keep pursuing them..

Instagram users need not worry about plans to delete a large number of accounts on December 20, as it was all part of the hoax. Instagram has disabled the account and the hashtag is no longer searchable.

Symantec Security Response advises users to follow the official Instagram account and check the Instagram blog for updates to confirm any changes to privacy policy.

How hackers made minced meat of Department of Energy networks

A Department of Energy network breach earlier this year that allowed hackers to download sensitive personal information for 104,000 people was the result of a decade-old patchwork of systems, some that hadn't installed critical security updates in years, according to a federal watchdog.

July's successful hack on the department's Employee Data Repository database was at least the third one to occur since 2011, DOE Inspector General Gregory H. Friedman wrote in a recently published review of the breach. The hack resulted in the exfiltration of more than 104,000 individuals' personally identifiable information (PII), including their social security numbers, bank account data, dates and places of birth, user names, and answers to security questions. The department expects to incur costs of $3.7 million setting up credit monitoring and in lost productivity. That figure doesn't include the costs of fixing the vulnerable systems.

The inspector general review recited a litany of failures that allowed hackers to penetrate system defenses. Chief among them is the fact that none of the 354 database tables containing social security numbers were encrypted. Using strong cryptography to protect such "at rest" PII has long been considered a best practice in government and corporate data security. The department's management information system (MIS) that allowed access to the DOEInfo databases also failed to require common security enhancements, such as two-factor authentication or a department-issued virtual private network.

Read 3 remaining paragraphs | Comments

Botnet forces infected Firefox users to hack the sites they visit (updated)

Sites browsed by hacked PCs (left) and SQL injection flaws found by the botnet (masked, right).

Investigative journalist Brian Krebs has uncovered an unusual botnet that forces infected PCs to scour websites for security vulnerabilities that can cough up proprietary data or be exploited in drive-by malware attacks.

The botnet, dubbed "Advanced Power" by its operators, has discovered at least 1,800 webpages vulnerable to SQL injection attacks since May, Krebs reported in a post published Monday. SQL injection vulnerabilities exploit weaknesses in Web applications that allow attackers to send powerful commands to a website's backend databases. From there, attackers can download login credentials or other database contents or cause sites to post links that silently redirect visitors to malicious websites.

Advanced Power masquerades as a legitimate add-on for Mozilla's Firefox browser. Once installed, it looks for vulnerabilities on sites visited by the infected machine. Krebs wrote:

Read 3 remaining paragraphs | Comments