Last week we blogged about how Apple’s Mac OS X users are vulnerable to the FBI Ransomware attacks. These social engineering scams come in the form of a stern warning from the FBI stating you have been caught doing something illegal. The user’s machine is then locked and a ransom of $300 must be paid to restore normal access to the computer.
The ransom pages came with two designs based on the victim’s geolocation: FBI or Europol.
Today, I discovered further customizations showing that the bad guys are busy updating their templates for each country’s police force.
The Royal Canadian Mounted Police is featured here, with a custom URL: rcmp.gc.ca.id657546456-3999456674.i5843.com/?flow_id=2019&&453640=45513/case_id=39994
We see a new domain name (i5843.com) showing the same pattern we discussed before. Its IP address is still located in Russia but slightly different (91.220.131.192).
French victims are also getting their own design (Gendarmerie Nationale):
A couple things to note:
- Google has updated their Google Chrome on Mac and can now defeat the ransom page. You can close it despite the JavaScript loop that attempts to prompt you 150 times.
- Safari users are still stuck and must employ one of the two methods described here to get rid of the page.
Not all countries currently have their own ‘theme’ but it is only a matter of time before the bad guys roll them out.
Last week the Internet Crime Complaint Center (IC3) issued a warning that the FBI would never use such methods to apprehend criminals. It is a reminder that user awareness is the best protection against these attacks.
Jerome Segura (@jeromesegura) is a senior security researcher at Malwarebytes.