Browlock Ransomware Uses Malvertising to Direct Internauts to Malicious Site

Security researchers of security firm Symantec say that Browlock ransomware uses malvertising to draw Internauts to a malicious web site.

Earlier this year (referring to early 2013) researchers discovered an interesting strain of browser-based ransomware. The threat (Browlock) does not encrypt files and does not lock computer's screens and it merely exhibits a warning note in the browser using JavaScript (JS) to avert Internauts from shutting the window.

Experts from 'Symantec' have been observing Browlock and found many Internauts have been struck. For instance, in November 2013, Symantec obstructed over 650,000 links to the tainted web site utilized by 'Browlock'.

Essentially, these attacks were only aimed at customers of Symantec and the actual number of links is perhaps much higher.

So how do Internuts end up landing on the tainted web site?

Experts say that attackers of Browlock appear to purchase traffic which redirects many visitors to their malicious website. They are using malvertising which is an increasingly common approach involving purchase of advertising from legitimate networks. The advertisement is directed to an adult Web page which then redirects to the Browlock website.

When a victim is directed to the Browlock website, a URL specific to the victim and their country's law enforcement is generated. For instance, users from US will be provided a link which looks similar to "fbi.gov.a5695.com" and the alert seems to be arising from the Federal Bureau of Investigation or the FBI.

There are two notable elements of this URL. The first is the fbi.gov value and the second is the actual domain, a5695.com.

Judging by the number of blocked redirections by Symantec since September 2013 (1.8 million), the malvertising approach is extremely successful. Who knows how many redirections have been blocked by other security companies and how many were successful because users don't use a capable security solution.

Victims are advised to update their anti-virus technology and to never pay the miscreants behind these scams. Experts conclude that removing ransomware is normally possible with the help of a security solution but often the process becomes complicated and may require restoration of one's operating system resulting the loss of documents or applications.

» SPAMfighter News - 12/26/2013