Computer users around the world are increasingly accustomed to managing their bank accounts, paying their bills and performing other activities online. The use of technology to manage finances has long been a target of attackers, and malware authors continue to create scams that try to persuade potential victims to provide access to their valuable personal information, including logon credentials for online accounts. Trojan:Win32/Reveton.A is a recent example of malware that attempts to phish these details from victims using the great motivator - fear.
Trojan:Win32/Reveton.A displays a warning that alleges that the affected computer has accessed "pornographic content, elements of violence and child pornography." The message also suggests that the computer has been "locked" and that the user is "obliged to pay a fine to unlock", as shown below:
This phishing and ransom message is also detected by MMPC as Trojan:HTML/Ransom.A. The scam in this attack attempts to phish user accounts for the electronic payment services Ukash and Paysafecard. We wrote about this type of ransom attack in a previous blog post.
Account information provided by the user is stolen and sent to a remote server at “22.214.171.124”. Indications are that this allocated server IP address may be physically located in Russia:
inetnum: 126.96.36.199 - 188.8.131.52
description: ZAO GeoSystem Navigation
If you have been a victim of this scam, or a similar one, review these steps to minimize your financial loss and/or damage to your identity.
As always, we advise you to be cautious when providing sensitive personal information, such as electronic account details, as it could lead to identity or financial theft.
Patrick Estavillo, MMPC