Browser ransomware still active on porn sites; 50 countries affected

A global malvertising campaign is targeting porn site visitors from some 50 countries with demands for ransom to unblock their browser, Bitdefender research shows.

Web visitors from the US, Denmark, Australia, Romania, Germany, Spain, France, Finland, the Netherlands and some 40 other countries are being redirected to a fake web page that requests money to restore access to browser functionalities.

The campaign, despite being first documented in August 2015, remains active. The ad server is still up even though the ad network was allegedly notified. Users browsing adult sites like xHamster are redirected to the malicious website after accessing an ad for the Sex Messenger dating app, served by online advertising company TrafficHaus.

Attackers are using an IE vulnerability to detect that traffic is coming from real users and not from a security sandbox or honeypot environment. After the presence of Internet Explorer is detected, users are redirected to this page.

Fig. 1 Fake page in Romanian

Fig. 2 Fake page in French

An alarming message claims the browser is locked and all the user’s files are “arrested” and encrypted. The scammers are requesting the equivalent of 100 euros or 500 dollars to be paid in less than one week, otherwise files remain inaccessible and legal action will be taken against the user.

“No malware is really executed on the machine, so encryption does not take place,” says Alexandru Rusu, malware researcher at Bitdefender. “Technically, this is not ransomware, it is a type of scareware that urges inexperienced users to pay up simply because their browser window is blocked.”

The browser page does not close, even if the user pays the requested amount. To close the IE process, users simply need to open Task Manager through Ctrl+Shift+Esc. On Windows 8, right-click IE and select End Task.

Users are advised to use an ad blocker tool to remove potentially malicious advertising and an efficient security solution to block malicious URLs and cyber-threats.

This article is based on the technical information provided courtesy of Bitdefender malware researcher Alexandru RUSU.
