Business & Finance
News
1/2/2008
06:08 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

New Malware Demands Pay-By-Phone 'Activation Fee'

A Web search of the 900 number shown to U.S.-based victims is associated with a porn site registered to Global Voice S.A.

Microsoft may have decided to drop the "kill switch" it developed to penalize Windows Vista users who failed to activate their operating system software, but criminal hackers are taking up the slack.

A new Trojan called Backdoor.Win32.Delf.ctk is capable of locking users out of vulnerable systems and demanding a pay-by-phone activation fee.

Victims are presented with the option of sending a text message to an SMS number, billed at a rate of about $10 to $20, or of calling a phone number, billed at about $3 per minute, to obtain a "license code" that will ostensibly unlock their compromised computers.

While system hijacking has been around for years, as the existence of the term "ransomware" proves, Adam Thomas, a malware researcher with Sunbelt Software, said the use of the telephone system for payment is new. "It's the first time I've seen this type of scam being used," said Thomas.

Alex Eckelberry, CEO of Sunbelt Software, in a blog post notes that a Web search of the 900 number shown to U.S.-based victims is associated with a porn site registered to Global Voice S.A., a company that appears to be based in the Republic of Seychelles, an archipelago nation in the Indian Ocean. "Apparently, this is a payment processor that's now being used for malware, whether they know it or not," he said.

Global Voice S.A. lists an e-mail address at global-voice.com in its domain registration contact information. That domain is for sale, according to the Web page at that address.

A company with a confusingly similar name, Global Voice Group, S.A., says that it is a telecommunications company based in Port-au-Prince, Haiti. It does not list a Seychelles branch office.

The domain registrar associated with Web page shown in the Sunbelt blog (backdoor-guard dot com) is ESTDOMAINS, Inc., a Web hosting company based in Wilmington, Delaware with a reputation for hosting malware sites. The backdoor-guard.com malware Web site is registered in Tirana, Albania.

Recently, the government has shown some interest in going after payment processing companies that enable the malware economy. In December, the Federal Trade Commission and seven state attorneys general charged Your Money Access, LLC., a payment processor, with making unauthorized to debit from consumers' bank accounts on behalf of phone-based and Internet-based merchants. It announced a similar lawsuit in January, 2007, when it sued InterBill Ltd., another payment processor.

No doubt there will be more such suits.

Editor's Note: This story was modified Jan. 15 to include the correct links to ESTDOMAINS and the backdoor-guard.com Web site.

Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government Tech Digest Oct. 27, 2014
To meet obligations -- and avoid accusations of cover-up and incompetence -- federal agencies must get serious about digitizing records.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and community news at InformationWeek.com.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.