A ransomware campaign tied to a network of malicious porn sites has hit at least 2,000 Android users in the U.S. and users in 30 countries, attempting to extort a fee to unlock their devices.
The attack campaign redirects visitors from a network of porn sites to an attack webpage containing an Android package that must be installed by the user. Once the victim installs the package, the victim's screen is locked by the Koler malware, which displays a phony message from law enforcement demanding up to a $300 fine to unlock the device, according to Kaspersky Lab, which issued a report Monday analyzing the campaign.
The distribution network of malicious porn sites and the number of different payloads used to target both mobile device owners and PC users demonstrate the growing sophistication and organization behind financially motivated attack campaigns, Kaspersky Lab said. The browser-based ransomware connected to the campaign appears to be tied to a popular exploit kit driven by a distribution network believed to be based in Russia, Kaspersky Lab said.
"We believe this kind of infrastructure is a perfect example of how well prepared and dangerous these campaigns are. They are now targeting, but are not limited to, Android users," Kaspersky Lab said. "The attackers can quickly create a similar infrastructure thanks to its intricate automation, changing the payload or targeting different users. The attackers have also created many different ways of monetizing their campaign in a true multi-device schema."
The attack campaign was very active in April, the security vendor found. Nearly 200,000 people visited the ransomware distribution landing page after being redirected from nearly 50 different porn websites controlled by the criminals. Kaspersky Lab said the attack campaign is an interesting example of using malware-as-a-service as part of an automated infrastructure. The cleverly written code that uses the exploit kit to retrieve the attack site landing page for each victim is being shared on Russian underground forums, Kaspersky Lab said.
The mobile campaign was disrupted on July 23 and the command-and-control server sent uninstall requests to victim devices. However, the attack campaign also has a desktop component, which is still actively infecting users, the Russia-based security vendor said. The company also warned that attackers are likely to design copycat attacks to distribute malware to both mobile and desktop users.
"Attackers could expand their campaign in the near future," Kaspersky Lab said. "With regards to the malicious mobile application, we have found different APKs with the same behavior. Some of them (not yet distributed through this malicious network) have interesting names such as PronHub.com.Apk, whatsapp.apk or updateflash.apk."
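The APK names Kaspersky lists above are the kind of indicator a network defender can act on before an employee ever taps "install". The following is an added example, not code from the article or from Kaspersky Lab: a small Python scanner that reads web proxy log lines, picks out APK downloads by Android clients, and rates them by whether the filename matches one reported for the Koler family, whether the download followed a referral from a different host (the redirect pattern the campaign used), or whether it is simply a sideloaded APK. The log format, the hostnames and every sample line are constructed for this example, and the severity heuristic is this example's own assumption, not Kaspersky's detection logic.

```python
import re
from urllib.parse import urlparse

# APK filenames Kaspersky associated with the Koler family in the article.
KOLER_APK_NAMES = {"pronhub.com.apk", "whatsapp.apk", "updateflash.apk"}

# Constructed sample lines in a hypothetical proxy log format (not a real product's format):
# <timestamp> <client ip> <method> <url> <status> "<referer>" "<user agent>"
SAMPLE_LOG = """\
2014-04-12T10:01:03Z 10.0.0.15 GET http://landing.example.test/index.php 200 "http://adult-site.example.test/" "Mozilla/5.0 (Linux; Android 4.2.2; GT-I9505) AppleWebKit/537.36 Mobile Safari/537.36"
2014-04-12T10:01:09Z 10.0.0.15 GET http://landing.example.test/download/PronHub.com.Apk 200 "http://adult-site.example.test/" "Mozilla/5.0 (Linux; Android 4.2.2; GT-I9505) AppleWebKit/537.36 Mobile Safari/537.36"
2014-04-12T10:15:41Z 10.0.0.22 GET http://cdn.example.test/app/updateflash.apk 200 "" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5) AppleWebKit/537.36 Mobile Safari/537.36"
2014-04-12T11:02:17Z 10.0.0.31 GET http://files.example.test/game/puzzle.apk 200 "http://adult-site.example.test/video/" "Mozilla/5.0 (Linux; Android 4.1.2; GT-N7100) AppleWebKit/534.30 Mobile Safari/534.30"
2014-04-12T11:20:05Z 10.0.0.40 GET http://files.example.test/tools/viewer.apk 200 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/34.0 Safari/537.36"
2014-04-12T12:05:55Z 10.0.0.15 GET http://intranet.corp.test/apps/mdm-agent.apk 200 "http://intranet.corp.test/apps/" "Mozilla/5.0 (Linux; Android 4.2.2; GT-I9505) AppleWebKit/537.36 Mobile Safari/537.36"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one proxy log line into a dict of fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return (severity, reason) for an APK download by an Android client, else None.

    Heuristic (an assumption of this example, not Kaspersky's detection logic):
      high   - filename matches one reported for the Koler family
      medium - APK served after a referral from a different host (off-site redirect)
      low    - any other sideloaded APK download
    """
    if "Android" not in event["ua"]:
        return None
    parsed = urlparse(event["url"])
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if not filename.endswith(".apk"):
        return None
    if filename in KOLER_APK_NAMES:
        return ("high", "filename matches a reported Koler APK name: " + filename)
    referer_host = urlparse(event["referer"]).hostname if event["referer"] else None
    if referer_host and referer_host != parsed.hostname:
        return ("medium", "APK fetched via off-site referral from " + referer_host)
    return ("low", "sideloaded APK download")


def scan(log_text):
    """Return (client ip, url, severity, reason) for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # skip lines that do not match the expected format
        verdict = classify(event)
        if verdict is not None:
            hits.append((event["src"], event["url"], verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for src, url, severity, reason in scan(SAMPLE_LOG):
        print(f"{severity:6} {src:10} {url}  ({reason})")
```

Run against the constructed log, the scanner flags the two downloads whose names match the article's list as high, the APK fetched after a referral from the porn site as medium, and the intranet MDM agent download as low, while ignoring the landing page visit and the desktop client. Matching only on the three listed names is brittle, since the article itself notes other APKs with the same behaviour exist; the cross-host referral check is what catches the redirect pattern regardless of filename.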
Google Android devices are increasingly targeted by cybercriminals, eager to monetize attacks using simple SMS message spam or phony gaming apps that steal contacts and other device data. The percentage of threats targeting Android exceeded 99 percent of all mobile malware in the first quarter of 2014, according to Kaspersky Lab statistics. The company said it has also logged more than 2,500 mobile banking Trojans. While mobile banking malware attacks have been limited to Asia and Russia, the security vendor said it is increasingly detecting mobile threats in Europe and the U.S.
Many businesses have established BYOD policies to address employee use of personally owned devices, but mobile security enforcement measures are still incomplete at many organizations, say solution providers. It should come as no surprise that organized criminals would add mobile attacks to traditional campaigns targeting desktops and laptops if they can make a business case for it, said Nick Giampietro, director of sales at G-Net Solutions. Businesses have been mainly focused on providing access and availability to information on employee mobile devices, said Giampietro, who predicts security will become a central component once mobile attacks become more prominent.
"In a couple of clicks an attacker might be able to download my database of 3,000 contacts," Giampietro said. "People want immediate gratification, but once someone gets hacked business owners will eventually realize that they need to add more security to it and begin budgeting it in."
PUBLISHED JULY 28, 2014