A rogue anti-virus product that blackmails people by secretly taking their picture with their webcam is on the rise.
Security firm Webroot warns that the malware family, which includes the fake 'Antivirus Security Pro' software, disables the computer, then claims to have detected viruses and demands around £100 from the user to 'buy the full version of product' and remove the threats.
If the user doesn't respond within a few minutes, the malware takes a picture of whatever is in front of their webcam, shows them the image, and warns them that the 'infection' is trying to send the photo to unidentified users. It also threatens that the virus may attempt to steal their personal data, such as credit card information, photos and emails.
Webroot threat researcher Roy Tobin told SCMagazineUK.com that the virus family, which first appeared around two years ago, has recently resurfaced and been discovered on thousands of computers in the last few weeks.
He said that because hackers who use the malware can customise it, the appearance can vary, along with the fake name of the software involved and the price demanded for fixing it. Tobin said the software typically demands around £100, but ransoms have ranged from £75 to about £200.
He told us: “The human element to this infection really helps the malware creators generate revenue. When users see their face on the computer screen, they are far more likely to hand over credit card information.”
Webroot researcher Tyler Moffitt said in a blog post that the webcam photo scam "is a really impressive step in social engineering to scare people and I'm sure has increased the percentage of people who pay out". Webroot reassures users that the malware does not actually distribute their image if they refuse to pay up. And unlike ransomware such as CryptoLocker, it does not encrypt the victim's files, so the infection can be cleaned up manually after the event.
But Tobin pointed out: “Once you pay the money, it depends on the particular variant - it may remove itself or it may not.”
He said the rogue is typically delivered as a drive-by download: an exploit kit, often one targeting Java, installs it while the victim is browsing the web. Occasionally it arrives via email, but it does not originate from people looking for AV software and downloading it deliberately.
Tobin explained: “It's not initiated by the user and they're not aware of what they're getting. For instance a user will be on a website and they probably won't even know they get this download. They might see a little Java icon spinning and that's the file being downloaded. By the next time they restart their machine, they get the pop-up with this infection.”
Tobin advises on how people can safeguard themselves: "As well as anti-virus protection there are other things the user can do – making sure they've got the latest in secure browsers. The latest version of Internet Explorer, Chrome, Firefox will block a lot of malicious downloads before you've even got to them. Make sure you have the latest Flash updates, Java and Adobe Reader because a lot of these infections come down to using security vulnerabilities in out-of-date software."
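A quick way to act on that advice is to inventory exactly the software Tobin names before comparing it against the vendors' current releases. The script below is an added example written for this page, not code from Webroot or the researchers quoted; it assumes a Windows host with the standard Uninstall registry hives, and the product-name patterns and the "multiple Java installs" warning are our own choices rather than anything the article specifies.

```powershell
# Added example (not from the Webroot article or its researchers): inventory the
# software Tobin names (Java, Flash, Adobe Reader) plus the Internet Explorer
# build, so the versions can be compared against the vendors' current releases.
# Assumes a Windows host with the standard Uninstall registry hives; the list of
# name patterns below is our own choice, not a list from the article.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Product names to report on; -match is a case-insensitive regex by default.
$watch = 'Java|Adobe Flash|Adobe Reader|Adobe Acrobat Reader'

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $watch } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName -Unique

# Internet Explorer records its version in the registry: svcVersion holds the
# real build on IE 10/11, older releases only populate Version.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }

"Internet Explorer: $ieVersion"
$installed | Format-Table -AutoSize

# Flag multiple Java entries: older JRE releases are frequently left installed
# side by side with newer ones, and an exploit kit only needs the old one present.
$javaEntries = @($installed | Where-Object { $_.DisplayName -match 'Java' })
if ($javaEntries.Count -gt 1) {
    Write-Warning "Multiple Java installs found; uninstall the older releases."
}
```

Run it from an elevated PowerShell prompt on the workstation being checked; the output is only an inventory, so the version numbers still have to be compared by hand against the current releases from Oracle, Adobe and Microsoft.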
White-hat hackers are alert to the danger too. Michael Belton, head of Rapid7's assessment team, was recently seen by SC staff on a hacking course supplementing anti-virus with an effective but low-tech pre-emptive measure: black tape permanently over his webcam, "just in case".
More details on how to recover from the malware are provided in Tyler Moffitt's blog at http://www.webroot.com/blog/2013/11/27/new-rogue-now-takes-screenshots/