Funny story: security researcher sends ransomware back to online scammers

Ivan Kwiatkowski is a security researcher. A little while ago his parents called to say that their computer was infected with the "Zeus" virus, because a website had told them so. It turned out to be nothing but a scam, and Kwiatkowski turned the tables on the scammers by luring them into running ransomware that encrypted files on their own computer. Read the entertaining story below; it is also a reminder to be careful with the virus warnings that pop up while browsing the web.

I. What is ransomware?

Ransomware is a type of malware (malicious software) that prevents or restricts users from using their device or data. Some variants encrypt files so that you can no longer open important documents, while others use a lock screen to keep you out of the system entirely. As security firm Trend Micro explains, the malware then forces victims to pay in order to regain the right to use their system, hence the name: "ransom". The amount demanded ranges from a few dollars to several tens or hundreds of dollars (some cases have demanded around $600). Some attackers demand payment in Bitcoin because it is harder to trace and reduces their chance of being caught. It should be stressed that even if you pay, there is no guarantee the attackers will restore your access, and they may do something worse.

II. The story begins

A few days ago I received a call from my parents saying that somehow they had landed on the website xxx, and that this page said their computer was infected with the Zeus virus. The site had autoplaying sounds, JavaScript warning dialogs that kept popping up, a blue background styled to look like a Blue Screen of Death, and a random IP address displayed instead of the visitor's real address.

So I decided to call the "technical support" number printed on the site. Before that, I started a Windows XP virtual machine so that, if needed, the "technician" could remote into it. When I called, I was greeted by a fairly professional recording, similar to what you hear when calling a large company. Then a woman named Patricia picked up.

(Screenshot)

III. First call

Right away I raised the hopes of the woman on the other end by saying I was an entrepreneur working on an important contract worth a lot of money, and that time was very short. I speak French; Patricia also speaks French, but very badly, so I suggested we find another way, since I could not manage over the phone. She instructed me to install a remote control program from the website remote.join360.net, and then connected to my computer.

The fun begins here. The first thing Patricia did was open a Command Prompt and type dir /s to list the files on the machine. She did this to earn my trust in her expertise. She said that the dates on these files matched the date of my visit. Meanwhile, I quietly kept pressing Control-C to copy everything.

Surprisingly, she then started TYPING "1452 virus found" and "ip hacked" into the Command Prompt! Yes, typed by hand. She asked whether I used antivirus software; I said no, because it was too expensive and because that @taviso guy kept breaking it. Then something strange happened. She said my 15 minutes of free support had run out and that she would call me back so I would not have to pay for the call.

I believe 115.115.67.53 is the scam's real IP address

A few minutes later I received a call from a number in Pennsylvania, USA (+1-267-460-7257). Patricia said my computer was infected with a virus and now needed to be cleaned. She said I should buy either the ANTI SPY or the ANTI TROJAN software, for a total of about $189.90. Before I gave her my credit card number, she went back to the Command Prompt window from earlier, typed the command "netstat" (which shows network connections) and said that someone was connected to my computer right now.

I asked: isn't that you? She said that someone from Delhi was on my computer. There was a silence, and then she told me that she was actually "localhost", because localhost means a secure connection (which of course is not true). I retorted: "Are you sure? I think localhost means my own computer." She hesitated for a moment and then said that the command she had just run showed someone from Delhi, in the same place as her but a completely different person: a hacker trying to steal information.
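The localhost argument above is the whole point of the netstat trick: a connection whose foreign address is 127.0.0.1 (or ::1) terminates on the same machine and cannot be a hacker in Delhi. The following Python script is an added example, not part of Kwiatkowski's post and not the scammers' tooling. It parses constructed Windows netstat -n output and classifies each peer as loopback, LAN or remote, which is the check a victim would actually want to run. The sample lines, addresses and port numbers in it are invented, and the function names are my own.

```python
import ipaddress

# Constructed sample of Windows `netstat -n` output (not taken from the post).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:49157        127.0.0.1:49158        ESTABLISHED
  TCP    192.168.1.10:49200     192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.10:49201     203.0.113.8:5938       ESTABLISHED
  TCP    [::1]:49300            [::1]:49301            ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

# RFC 1918 / RFC 4193 ranges: peers here are on the local network, not the Internet.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6host]:port' into (host, port); port is None for '*'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def classify_peer(host):
    """Where the far end of a connection lives: loopback, lan, remote or unbound."""
    if host in ("*", ""):
        return "unbound"          # UDP sockets with no peer show up as '*:*'
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"         # 127.0.0.0/8 or ::1: the same machine, by definition
    if any(addr in net for net in LAN_NETS):
        return "lan"
    return "remote"


def parse_netstat(text):
    """Parse netstat -n lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""
        host, port = split_endpoint(foreign)
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "peer": classify_peer(host), "peer_port": port})
    return rows


def remote_peers(text):
    """Only connections that actually leave the local network deserve a second look."""
    return [r for r in parse_netstat(text) if r["peer"] == "remote"]


if __name__ == "__main__":
    for row in parse_netstat(SAMPLE_NETSTAT):
        print(f"{row['proto']:4} {row['foreign']:24} -> {row['peer']}")
```

On the constructed sample only one line leaves the local network, and that is the one worth asking about; with a remote support tool connected, the support agent's own session is exactly what such a line would be.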

Then we went back to the matter of the software. I said: "Okay, I'll buy it. Where can I buy it in Paris?" "I'm not sure you can find it in Paris. This software is distributed exclusively through Microsoft gold partners and Microsoft security channels." Then I asked her: "So I just need to go to Microsoft.com?" She said "That's right", then "Do you have any other questions? No? Goodbye."

IV. Second call

I don't think that is how she usually scams people. Maybe she was still in training or something. I also realized that the screenshots I had taken were not very good, so I waited about half an hour before calling again. I hoped to reach Patricia again and tell her that I could not find anything on the Microsoft website. This time, however, it was another guy, named Dileep, and he walked me through the process once more.

Dileep seemed more familiar with what he was doing, and added that my computer had far too many stopped services, which was not normal at all. He said my computer was infected with a virus, that he would remove it for free, but that he recommended I buy the "Tech Protection" software for the future. This software cost €299.99, more than the package Patricia had quoted earlier.

I agreed to buy the software Dileep suggested and gave him a fake credit card number as fast as I could. Naturally the payment tool rejected the transaction, and we tried again 4 or 5 times. Finally I suggested using a second credit card and gave him another random sequence of digits (this time one that was valid according to the Luhn algorithm). Dileep had me read the card number more than 10 times and even asked his "supervisor" why the transaction was not being approved. I could also hear someone reading my card number out loud in the background.
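The difference between the two numbers above is the Luhn check digit: a payment form rejects a random string of digits immediately because the checksum fails, while a number that passes Luhn is forwarded to the bank and only then declined, which is why the second attempt kept the scammers busy. The Python below is an added example, not code from Kwiatkowski's post; it validates a number, computes the check digit, and builds a syntactically valid (but not issued) number from a prefix. The function names and the seeded random body are my own choices.

```python
import random


def luhn_sum(digits):
    """Luhn sum of a digit string: every second digit from the right is doubled,
    doubled values above 9 have 9 subtracted, then everything is added up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number):
    """True when the number (spaces allowed) has a correct Luhn check digit."""
    digits = number.replace(" ", "")
    return digits.isdigit() and len(digits) >= 2 and luhn_sum(digits) % 10 == 0


def luhn_check_digit(partial):
    """The digit that makes partial + digit pass luhn_valid."""
    # With a 0 appended, the new last digit sits in an undoubled position, so the
    # digit we need is whatever lifts the sum to the next multiple of 10.
    return str((10 - luhn_sum(partial + "0") % 10) % 10)


def make_luhn_valid(prefix, length=16, seed=0):
    """Random digits after prefix plus a Luhn check digit: passes the form's check,
    but is not an issued card, so the bank will still decline it. Seeded for
    reproducibility."""
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10))
                            for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    for n in ("4111 1111 1111 1111", "4111 1111 1111 1112", make_luhn_valid("4")):
        print(n, "passes Luhn" if luhn_valid(n) else "fails Luhn")
```

Roughly nine out of ten random digit strings fail the check, so the first card number was rejected before it went anywhere; the Luhn-valid one was, in effect, a well-formed lie.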

(Screenshot)

At this point I had a good idea. I opened my spam folder, which contained many samples of the malware known as Locky. These are ZIP files containing JavaScript code that downloads the ransomware. I took one and dragged it into my virtual machine. The remote support tool I had installed earlier has a feature for sending files to the support agent. I uploaded the ZIP file and said: "I have taken a photo of my credit card, please try entering it yourself. Maybe that will work."
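The Locky lure described above is a ZIP wrapping a .js downloader, and the practical check for such an attachment is to list the archive members and flag anything that Windows would execute on a double-click, without extracting or opening it. The Python below is an added example, not from Kwiatkowski's post and not a Locky sample; the archive it builds is constructed in memory, the member names are invented, and the .js member is a one-line comment rather than a downloader.

```python
import io
import os
import zipfile

# Extensions the Windows shell or Windows Script Host will run when double-clicked;
# any of these inside a mail attachment is a downloader until proven otherwise.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".cmd", ".bat", ".ps1", ".scr", ".exe", ".lnk"}


def build_sample_zip():
    """Constructed stand-in for a mail attachment; the .js member is a harmless
    comment, not a real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016-09.pdf.js", "// constructed placeholder\n")
        zf.writestr("notes/readme.txt", "nothing to see\n")
    return buf.getvalue()


def suspicious_members(zip_bytes):
    """Return (member name, reason) for every member that would run as a script.
    Only the central directory is read; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = os.path.basename(info.filename)
            root, ext = os.path.splitext(base)
            if ext.lower() in SCRIPT_EXTS:
                reason = "script extension"
                if os.path.splitext(root)[1]:      # e.g. invoice.pdf.js
                    reason = "double extension hiding a script"
                findings.append((info.filename, reason))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(f"{name}: {reason}")
```

The double-extension case matters because Windows hides known extensions by default, so "invoice_2016-09.pdf.js" is shown to the user as "invoice_2016-09.pdf".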

At first Dileep ignored me and made me enter the card details a few more times. This guy was quite patient. Then I said: "Dileep, listen, I am old and my eyes are not good. I am getting tired of reading these tiny numbers over and over. Besides, I think you already know I am not good with computers. So why don't you help me?"

(Screenshot)

Dileep paused for a moment and replied: "I tried to open your picture but nothing happened." At this point I was doing my best not to laugh. "Are you sure? Sometimes my photos cannot be opened on Mac OS. Are you using Windows?" Dileep said: "Yes. Your photo could not be opened because your computer is infected with the virus. That is why we need to fix this problem."

And while he was chatting with me, the ransomware was busy encrypting his files. We tried a few more times and he eventually gave up. He told me to contact my bank and said he would call me back the following Monday.

This shows how easily people are fooled by those who set out to trick them. Their model rests on the assumption that only the easily fooled will contact them, so when they are tricked themselves, they are stuck. If you have time and speak French, call them on +339 75 18 77 63 and have some fun with them.

Writer: Trojan

ITZone via Kipalog
