Trojan Malware Demands Ransom over Phone
Sunbelt Software's Alex Eckelberry detected a malicious Trojan that would hold PC hijacked unless a ransom is paid. Securitypronews published this on January 2, 2008.
The software vendor announced the Trojan-Backdoor.Win32.Delf.ctk on December 31, 2007. First a warning is signaled to the user, but the user should check for spellings, as hackers don't perform spell check, said Sunbelt Software.
Once the Trojan infects the user's system, a message is displayed that poses as a Windows-generated error. The message, displayed by the Trojan that fully locks the computer, reads "Browser Security and Antiadware Software component license expired! (sic)".
The fake Window update also instructs the user to click to obtain a button that activates a license. But this leads to another Window screen telling users in the US to dial 900 on the telephone and provide a PIN or Personal Identification Number. But if the number fails to work, then users are instructed to dial other numbers - one connecting to Cameroon in West Africa, and another connecting to a satellite.
By displaying screens, Eckelberry showed the manner in which the Trojan provides numbers for French and British computers. He said that the company offering the phone numbers is apparently processing a payment linked to malware.
The bogus scheme doesn't try to steal personal information like credit card number, it just tells the victim to dial 900 in order to stay clear of the Delf.ctk Trojan horse. The number has been found to link to a fee payment processor called "passwordtwoenter.com" that porn sites also use to charge visitors to access their content.
In that sense, the risk for criminals installing the Trojan is reduced, for if the payment processor entails them quick money, the criminals needn't take the risk for selling stolen information such as of credit cards.
In Google search, the three digit 900 number generates results relating to passwordtwoenter.com, a website for Global Voice SA, an organization located in the Republic of Seychelles in the waters of Indian Ocean. The site's IP address is also for other domains such as "chargemyphonebill.com" and "pintoenter.com" that too belong to Global Voice.
Related article: Trojans to Target VoIP in 2006
» SPAMfighter News - 14-01-2008