Inside a Ransomware Money Machine

tsu doh nimh writes "The FBI is warning that it's getting inundated with complaints from people taken in by ransomware scams that spoof the FBI and try to scare people into paying 'fines' in lieu of going to jail for having downloaded kiddie porn or pirated content. KrebsOnSecurity.com looks inside a few of the scams in the FBI alert, and it turns out it only takes 1-3 percent of victims to pay up to make it seriously worth the fraudsters' while."

Funny how it's not a scam when the lawyers do it

[Nyder]

It should all be considered a scam when someone says pay up or I'll take you to court/press charges/sue/threatens you.

The best defense against scams

[operagost]

The best defenses against scams are still the same:
1. Knowing your right to due process, and
2. Knowing proper spelling and grammar in your native language.

I'm continually dismayed that large numbers of people (possessing enough intelligence to use a web browser) don't realize that the FBI using email or popups to demand summary payment of "fines" without due process is implausible and illegal.

Re:The best defense against scams

[Anonymous Coward]

Give them a few years. Right now, some bureaucrat is thinking, "This would be a great revenue enhancer. How do I implement this?"

Re:I call BS, or Stupid - your choice

[vlm]

Geeze isn't it simpler to just install linux or get a mac?

Re:The best defense against scams

[dkleinsc]

There's a couple more rules of thumb that help:
1. It's much harder to cheat an honest person. For example, if you don't download kiddie porn, it's very hard to get you to pay a fine to avoid trials for doing so. The Nigerian prince scam worked only on people who were willing to help somebody commit money laundering.
2. If it seems fishy, it's a scam. Anyone saying "money for nothing" (who's not a member of Dire Straits) should be suspect.

Why some people fall for this

[JDG1980]

Several commenters have asked why anyone would fall for this – after all, US law enforcement agencies generally don't just shake people down for cash. But there are two real-world situations the average person might have dealt with that are somewhat analogous to this.

One is traffic tickets: In most cases, drivers are given the option to simply pay the fine without having to go to court. You can have a full hearing if you want, but most people just pay the fine.

The other is the legal threats against BitTorrent users, the ones where the MAFIAA sends out letters demanding that the person whose account the activity was conducted from either must pay $1000 or some similar amount immediately, or face a lawsuit for significantly more.

Now, there are definitely some legal differences there: a traffic infraction is a "summary offense" that doesn't carry the threat of jail time, and the MAFIAA lawsuits are civil cases, not criminal. But most people don't understand these subtleties: to many of them, any scary-sounding authority figure saying "Pay up" is the same thing. Heck, the Milgram experiment showed that you could have regular people deliver "fatal" electric shocks just by having a guy in a white lab coat tell them they had to.

Re:Funny how it's not a scam when the lawyers do i

[darkmeridian]

The difference between blackmail and settlement is that blackmail requires the threat of doing something ILLEGAL if the demands are not met. Whereas, a settlement offer is the forbearance of a LEGAL right if the demands are met. If someone didn't pay me for my work, for instance, I can send a demand letter asking that he pay me or I will sue him for the money, which is a legal right I have. If I demand money or I will shoot him, that's blackmail.

The boundary is close when it comes to porno cases. What if the right to sue is clear cut (the Copyright Laws clearly prohibit downloading the material) but the real damage is the damage to reputation? That becomes closer to the situation of, "Give me money or I'll release this sex tape you made" or "Give me money or I'll tell the world about our love baby."

Re:Hah!

[Opportunist]

It all depends on how well patched your browser and its plugins are...

Re:Scams

[CheshireDragon]

Exactly. If they suspect you have kiddie pr0n they are not going to take a bribe and say 'pay up to keep us quiet.' The first time you will even hear from them they will be kicking in your front door, seize you and all your electronics.

Re:Scams

[moeinvt]

"Unlike some third-world countries, the justice system in this country is not corrupt."

I don't think they would take a bribe to make an arrest, but that doesn't mean they aren't corrupt as hell. How many well-connected elites in the financial sector have been prosecuted for fraud, forgery and perjury? The FBI issued a report in 2003 warning of an "epidemic of fraud" in the home mortgage market, yet no arrests and prosecutions? How many Bush admin officials have been prosecuted for violations of the FISA law, torture, war crimes, etc.?

Selective enforcement of the law is corruption, and it is absolutely pervasive in our so-called "justice" system.

Re:Scams

[Deep Esophagus]

That's why the thought that 1 to 3 percent of the targets are falling for this makes me weep for the collective intelligence of the human race.

Re:The best defense against scams

[Zontar_Thing_From_Ve]

The best defenses against scams are still the same: 1. Knowing your right to due process, and 2. Knowing proper spelling and grammar in your native language.

I'm continually dismayed that large numbers of people (possessing enough intelligence to use a web browser) don't realize that the FBI using email or popups to demand summary payment of "fines" without due process is implausible and illegal.

As an American, I will shamefully explain why this kind of thing would work here. First of all, I have noticed a big uptick in the number of people with conservative political affiliations who have an irrational distrust and hatred for governments in general and the US government in particular. Such people do not know anything about due process and they believe every negative story they hear about "big government". They'll easily believe that the FBI would contact people this way.

Second, just from reading Slashdot it's become clear to me to that the educational system in every English speaking country, yes every one of them, has completely failed its students and nobody anywhere in the English speaking world learns spelling and grammar any more. People think that "prolly" is a real word. People now think that anytime something puzzles you, you just need to add a question mark to it (ie. "I have no idea why the soap was on sale in the store for 25 cents?"). If anything I'm actually a little encouraged that only 3% or so of "victims" are falling for this. I would probably have guessed it would be at least 10%.

Re:funny thing about that law

[Anonymous Coward]

"I wonder why some areas would ban sales of used mattresses?"

Health concerns. There was a major issue with it (or at least a heavily reported issue) in the 80/90s. Not so much with personal sales but with less reputable companies which would take the most rancid, stained, mold/parasite infested and disgusting mattresses and resell them. What idiot would buy a nasty stained mattress you say? Lots of people as the companies in question would replace/sew over the old mattress with a new cover which made it look brand new but still had the contaminated stuffing.

Re:Scams

[Anonymous Coward]

Shhhhh.... You can't tell anyone that Obama's terrorism policies are the exact same as Bush's.

Re:Scams

[ideonexus]

It's easy to laugh and feel superior that a small percentage of people fall for these scams, but what isn't funny is that the people falling for it are mostly senior citizens. Just yesterday my mother-in-law brought me the phone and told me, "It's somebody from Microsoft! They say our computer is infected with a virus!"

I answered the phone and somebody with an Indian accent told me his name was "Todd Moody" and that our computer was sending error messages to Microsoft. Curious about the scam, I let him walk me through opening the application error log and trying to delete some errors from it, to which he exlaimed, "Oh no sir! You cannot delete the errors! This is very very bad! You have a very dangerous trojan virus on your computer!"

If I hadn't been there, my mother-in-law would have handed over her credit card information no questions asked. In fact, my father-in-law had done this in the past. One day I'm going to be a senior citizen and my bullshit detector is going to stop working like it does for everyone else. The Federal Government should be putting a stop to this predatory scumbaggery with extreme prejudice.

When you see this crap, do your civic duty and report it [ic3.gov].

Re:The best defense against scams

[CastrTroy]

I've heard the Nigerian prince scam is designed to be quite unbelievable because they don't want to waste their time with people who have any kind of common sense. It's too hard to get money from people with common sense. I think the same goes for this type of scam. Target enough people and you'll eventually fall upon somebody who watches kiddie porn. And that person will be easy to get money out of, because they'd rather pay money than face the other consequences.