Online Extortions Uncovered

SignOnSanDiego.com: San Diego Union-Tribune, 05/25/2005

By Kathryn Balint

In the latest Internet threat, hackers encrypt the files on a computer and demand money to unlock them.

The extortion scheme was documented this month by San Diego-based Websense and made public this week.

"We have not seen anything like it before," said Dan Hubbard, senior director of security and research for Websense, which makes software that keeps employees from certain Web sites at work, including sites that are computer security threats.

Hacking schemes to extort money from computer owners have been around for years, but they have become more common in the last year.

One of the most common extortion plots involves hackers stealing information from a computer, then threatening to release it to the public unless the victim pays money. Another extortion plot involves a Web site infecting a computer with spyware that directs the victim to a Web site to buy a program that will remove the spyware.

But the new extortion scheme is the first to scramble the files on a computer so a user can't read them.

Websense became aware of the new extortion scheme from an individual whose computer files were garbled. Websense, whose clients include government agencies and large corporations, wouldn't identify the individual.

Upon inspection, Websense security researchers discovered the computer was infected with a malicious computer program known as a Trojan horse. The program encrypted files on the computer, including spreadsheets, text and photos, so they were unreadable.

Websense found that the Trojan horse included a file with instructions on where to send an e-mail for information about unlocking the computer's contents. The computer owner wrote to the e-mail address and received a response saying it would cost $200 for the tool to decode the encrypted files. The e-mail directed the victim to deposit the money in an online account.

The computer owner did not pay the ransom. Instead, Websense researchers cracked the code and unlocked the files with the help of Joe Stewart, a computer security researcher at Chicago-based Lurhq Corp.

Hubbard said that the attack exploits a vulnerability in Microsoft Internet Explorer to install the Trojan horse. The infected computer was running an outdated version of Internet Explorer when it was used to visit a Web site set up to deliver the malicious code, Hubbard said.

Computer security experts have already coined a new term for this type of attack, which essentially holds computer files hostage: ransomware.

The particular Trojan horse used has been named pgpcoder, after the name in the header of the file placed on the victim's computer.

The attack itself was not particularly sophisticated. Hubbard said the encryption was "fairly easy to crack."

Those in the computer security industry believe it was a "proof of concept" attack.

The hackers "might have been seeing if it would work," said Bruce Hughes, senior anti-virus researcher for Trend Micro, maker of anti-virus software. "They might have been testing the waters with this one."

Jim Stickley, a San Diego computer security expert and chief technology officer for Trace Security, said the extortion scheme may give other hackers new ideas for attacks. He questioned whether a hacker could ever make money on such a scheme without getting caught.

"The hardest part I see is how they would actually collect the money," Stickley said. "In most of the extortion cases that have come to light, someone ends up getting caught."

He said an individual computer user probably wouldn't pay a hacker to unlock the files. And a corporation, he said, would likely have backup copies of the files or would have the ability to crack the encryption.

Kathryn Balint: (619) 293-2848; kathryn.balint@uniontrib.com

http://www.signonsandiego.com/news/business/20050525-9999-1b25webs.html