New Malware Demands Pay-By-Phone 'Activation Fee'
A Web search of the 900 number shown to U.S.-based victims is associated with a porn site registered to Global Voice S.A.
Microsoft may have decided to drop the "kill switch" it developed to penalize Windows Vista users who failed to activate their operating system software, but criminal hackers are taking up the slack.
A new Trojan called Backdoor.Win32.Delf.ctk is capable of locking users out of vulnerable systems and demanding a pay-by-phone activation fee.
Victims are presented with the option of sending a text message to an SMS number, billed at a rate of about $10 to $20, or of calling a phone number, billed at about $3 per minute, to obtain a "license code" that will ostensibly unlock their compromised computers.
While system hijacking has been around for years, as the existence of the term "ransomware" proves, Adam Thomas, a malware researcher with Sunbelt Software, said the use of the telephone system for payment is new. "It's the first time I've seen this type of scam being used," said Thomas.
Alex Eckelberry, CEO of Sunbelt Software, in a blog post notes that a Web search of the 900 number shown to U.S.-based victims is associated with a porn site registered to Global Voice S.A., a company that appears to be based in the Republic of Seychelles, an archipelago nation in the Indian Ocean. "Apparently, this is a payment processor that's now being used for malware, whether they know it or not," he said.
Global Voice S.A. lists an e-mail address at global-voice.com in its domain registration contact information. That domain is for sale, according to the Web page at that address.
A company with a confusingly similar name, Global Voice Group, S.A., says that it is a telecommunications company based in Port-au-Prince, Haiti. It does not list a Seychelles branch office.
The domain registrar associated with Web page shown in the Sunbelt blog (backdoor-guard dot com) is ESTDOMAINS, Inc., a Web hosting company based in Wilmington, Delaware with a reputation for hosting malware sites. The backdoor-guard.com malware Web site is registered in Tirana, Albania.
Recently, the government has shown some interest in going after payment processing companies that enable the malware economy. In December, the Federal Trade Commission and seven state attorneys general charged Your Money Access, LLC., a payment processor, with making unauthorized to debit from consumers' bank accounts on behalf of phone-based and Internet-based merchants. It announced a similar lawsuit in January, 2007, when it sued InterBill Ltd., another payment processor.
No doubt there will be more such suits.
Editor's Note: This story was modified Jan. 15 to include the correct links to ESTDOMAINS and the backdoor-guard.com Web site.
About the Author
You May Also Like