Cyber Crime category
News | Threats

Browser Ransomware hides behind CloudFlare, smartens payment system

Posted: December 19, 2013 by Jérôme Segura

We’ve covered the browser-based ransomware several times before on this blog, ever since it appeared back in July and again each time it evolved.

A tip from security researcher Malekal today got us to look at it again. The main novelty with this one is that instead of using the typical algorithmically generated domain names (i.e.  http://fbi.gov.id396126511-5382106440[dot]r0172.comhttp://fbi.gov.id517256300-7218768350.z6629.com), it is now hiding behind the anonymous CloudFlare service.

This is not the first time cyber-criminals abuse CloudFlare. The free service not only offers better loading times for websites but also masks their actual IP address, thus making them harder to block.

alert.police-agent-secure[dot]com

cloud_flare

Screenshot courtesy of Robtex.com

Another interesting thing about it is the payment process. Contrary to its old cousin where you could enter the same voucher number multiple times, this version actually logs them into a database.

Before submitting the voucher’s number, a quick validation is done locally with some JavaScript and regular expressions:

validation

The previous version of the brower-based ransomware had a much more simplistic check. For example, it only made sure that the voucher’s number was 14 digit long.

If everything looks good, a POST request with the user’s voucher ID, IP address and the type of payment (MoneyPack or MoneyGram) is sent to the server:

post_request

The server validates the voucher and sends back the response to the browser.

Case #1: bad voucher

bad
wrong

Case #2: good voucher

good
processing

Most browsers are capable of exiting the fake “lock-down” but yet the bad guys are still using all sorts of tricks to annoy the end-user such as an extra-long alert window:

police

We’ll keep an eye on this developing story.

Hat tip to Steven Burn for passing on the information.

Update: we’re pleased to see that CloudFlare has taken prompt action and is flagging this domain as a phishing site:

cl
forbidden

Jerome Segura (@jeromesegura) is a senior security researcher at Malwarebytes.

RELATED ARTICLES

leaking bucket in the cloud
News | Privacy

4.8 million healthcare records left freely accessible

December 13, 2024 - Care1, a Canadian healthcare solutions provider left a cloud storage instance freely accessible and unencrypted for anyone to find.

CONTINUE READING 0 Comments
patched Apple
Apple | News

Update now! Apple releases new security patches for vulnerabilities in iPhones, Macs, and more

December 12, 2024 - Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

CONTINUE READING 0 Comments
data brokers have lots of location data
News | Privacy

Data brokers should stop trading health and location data, new bill proposes

December 12, 2024 - Senators introduced a bill to stop data brokers from trading in health and location data and enable the FTC to enforce the new rules

CONTINUE READING 0 Comments
TikTok logo
News | Privacy

TikTok ban in US: Company seeks emergency injunction to prevent it

December 10, 2024 - TikTok has requested an emergency injunction to stop or postpone the planned ban on the platform in the US.

CONTINUE READING 0 Comments
Matrix encrypted messaging service seized
News | Privacy

Encrypted messaging service intercepted, 2.3 million messages read by law enforcement

December 9, 2024 - Authorities were able to intercept the Matrix messaging service’s traffic and monitor criminal activity for three months.

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Jérôme Segura

Jérôme Segura

Sr Director, Research

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams