Thanks to Benjamin Humphrey of SophosLabs for the
behind-the-scenes effort he put into this article.
Recently, we came across an intriguing phishing campaign that combines two feared products of the information age.
Gatsos (speed cameras) and ransomware, rolled into one attack!
It all started with a phishing email claiming to be from the Office of State Revenue in New South Wales, Australia.
The subject matter is a speeding fine you are alleged to have clocked up:
Details are scant: the location is identified only by a code number, and your registration number (a.k.a. licence plate or tag) is not given at all.
But the time of the alleged offence is stated as 11.21pm, presumably a time at which most people wouldn’t be driving, giving a glimmer of hope that some sort of mistake was made.
(Or someone else was driving your car. Wouldn’t you love to see if the speed camera could tell you who it was?)
You ought to smell a rat, of course, not least because the word “offence” is spelled in two different ways in the email, and the penalty notice number is inconsistent:
But, as we said, Gatsos get many people’s knees a-knocking, so you might be inclined to click on ACT NOW anyway.
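The two tell-tales called out above (the same word spelled two different ways, and a penalty notice number that does not agree with itself) are the sort of inconsistency a mail filter can check for mechanically. The following is an added example, not code from the article or from Sophos. The sample message is constructed: the subject line "Penalty notice number: 891571934" is the one quoted in the comments below, the second number is an invented transposition, and the rest of the wording is made up to exhibit the inconsistencies the article describes.

```python
import re

# Words a single legitimate sender would not spell two ways in one message.
# British/Australian vs US spellings are the classic case; the article notes
# "offence" spelled two different ways in the phish.
SPELLING_GROUPS = [
    {"offence", "offense"},
    {"licence", "license"},
]

# A label that introduces a reference number. A genuine notice quotes one
# number consistently; the phish did not.
NOTICE_NUMBER_RE = re.compile(
    r"(?:penalty\s+)?notice\s+(?:number|no\.?)\s*:?\s*#?\s*(\d{6,})",
    re.IGNORECASE,
)

# Constructed sample message (not the real phish text). The first notice
# number is the subject line quoted in the comments; the second is an
# invented transposition of it.
SAMPLE_EMAIL = """\
Subject: Penalty notice number: 891571934

Office of State Revenue
Penalty notice number: 891571943
Offence: Exceed speed limit
Location: Camera 0312
Time of offense: 11:21 PM

To view and pay your penalty notice, ACT NOW.
"""


def mixed_spellings(text):
    """Return each spelling group of which two or more variants appear."""
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", text)}
    hits = []
    for group in SPELLING_GROUPS:
        present = sorted(group & words)
        if len(present) > 1:
            hits.append(present)
    return hits


def notice_numbers(text):
    """Return the distinct reference numbers quoted after a notice label."""
    return sorted(set(NOTICE_NUMBER_RE.findall(text)))


def triage(text):
    """Return human-readable findings; an empty list means nothing tripped."""
    findings = []
    for variants in mixed_spellings(text):
        findings.append("mixed spelling: " + "/".join(variants))
    numbers = notice_numbers(text)
    if len(numbers) > 1:
        findings.append("inconsistent notice number: " + ", ".join(numbers))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding)
```

As the article says, a clean run proves nothing; the point of a check like this is that egregious inconsistencies are cheap to spot and worth surfacing to the reader before the ACT NOW button gets clicked.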
→ Did you know that the name Gatso comes from a Dutch rally driver called Maurice Gatsonides, who ironically came up with the idea of a speed camera so he could learn to drive faster?
The next step in the phish takes you to what looks like a download portal page belonging to the State Debt Recovery Office (SDRO).
To add a touch of realism, the crooks have made it harder, not easier, to access your penalty notice by making you solve a CAPTCHA first:
The real SDRO portal looks vaguely similar, but has one important difference:
There’s a warning entitled SCAM ALERT posted across the top of the real page, advising you about just this sort of scam.
Interestingly, we regularly see scams that try to add a veneer of legitimacy by incorporating real warnings and anti-phishing advice from the very sites they are impersonating – advice you would be well-advised to take!
The ransomware download
Once you solve the CAPTCHA shown above, you are redirected to a download site that serves up a file called offence_id_37984264.zip.
Again, you ought to smell a rat, especially if you unzip the file and notice it contains an undisguised program called offence_id_37984264.exe.
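An archive whose only member is a Windows executable is exactly what a mail gateway can refuse before a user ever gets to unzip it. Below is an added example of such an attachment check; it is not code from the article or from Sophos. The archive it inspects is constructed in memory to mirror the shape the article describes (offence_id_37984264.zip holding offence_id_37984264.exe); the member's contents are a placeholder "MZ" header plus padding, not a program. It goes one step beyond the article by also catching a PE image hidden behind a harmless-looking extension.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will run when the user double-clicks the extracted file.
# A penalty notice has no business arriving as any of these.
EXECUTABLE_SUFFIXES = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi",
}

# First two bytes of every Windows PE image, whatever the filename claims.
PE_MAGIC = b"MZ"


def build_sample_zip(members):
    """Build an in-memory archive from {name: bytes}. Used here only to
    construct test input; any 'program' inside is a placeholder MZ header
    plus padding, not a real executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def inspect_archive(data):
    """Return findings for an archive delivered as an attachment: members
    with an executable extension, and members whose first bytes are a PE
    header even though the extension says otherwise."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffix = PurePosixPath(info.filename).suffix.lower()
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if suffix in EXECUTABLE_SUFFIXES:
                findings.append(f"executable member: {info.filename}")
            elif head == PE_MAGIC:
                findings.append(
                    f"PE header behind non-executable extension: {info.filename}"
                )
    return findings


def should_quarantine(data):
    """Gateway decision: hold the message if the archive yields any finding."""
    return bool(inspect_archive(data))


# Constructed archive shaped like the one described in the article.
SAMPLE_ZIP = build_sample_zip({
    "offence_id_37984264.exe": PE_MAGIC + b"\x00" * 62,
})

if __name__ == "__main__":
    for finding in inspect_archive(SAMPLE_ZIP):
        print(finding)
    print("quarantine:", should_quarantine(SAMPLE_ZIP))
```

Checking the member's first bytes as well as its extension matters because the extension is under the sender's control; the magic bytes are what the operating system actually acts on.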
Sophos Anti-Virus will block this file with the name Troj/Ransom-ANH, and with good reason: it’s ransomware, that dastardly brand of malware that scrambles your data and offers to sell it back to you.
This one calls itself CryptoLocker, borrowing the “brand name” of one of the best known ransomware variants ever distributed:
The original CryptoLocker reached its peak of notoriety towards the end of 2013, giving you three days to come up with $300 if you wanted to see your data again.
By March 2014 it was estimated that in the UK alone, about 1 in 30 users had their system hit by CryptoLocker, and 40% of those paid up.
The original CryptoLocker was neutralised after a US-led takedown operation managed to confiscate the servers it used to generate and store the decryption keys.
→ CryptoLocker took care never to have a copy of the decryption key on your computer (not even in memory), where you might be able to intercept it without paying the ransom. That meant generating a public-private key pair on its own servers, and then releasing only the public key, used for encryption. In other words, if the malware couldn’t call home, it couldn’t get an encryption key, so it didn’t scramble your data. Taking the servers offline therefore had the handy side-effect of preventing further ransoms from being demanded.
The Troj/Ransom-ANH ransomware even has a handy Frequently Asked Questions page:
This explains that the only way to get your data back is to pay up, and refers you to a website accessible via the anonymising service Tor:
The fee is the BitCoin equivalent of US$500 if you pay up within five days (120 hours), or US$1000 if you wait.
A common “feature” of recent ransomware, shown above, is the option to decrypt a single file for free – a crooked version of “try before you buy” aimed at convincing you that the crooks really do have your decryption key, but without giving you so much as a hint what that key might be.
The bottom line
Fortunately, in this case:
- The phishing email contains some rather obvious errors. (Although the absence of mistakes doesn’t prove that an email is legitimate, egregious errors should persuade you that it is fake.)
- The links via which the ACT NOW button takes you to the fake SDRO page would be blocked by Sophos’s web filtering products.
- The downloaded ransomware would be blocked by Sophos Anti-Virus as Troj/Ransom-ANH.
- The ransomware’s “call home” would be detected by the Sophos UTM as a malware command-and-control operation.
- The fake CAPTCHA site and the malware download site have been taken down anyway, making detection a moot point now.
This reminds us of two things: that defence in depth really works, and that a little caution goes a long way.
Image of speed camera available under CC BY-SA 2.0 licence.
Excellent!
Seen this scam last month; my suspicion was aroused by the fact that so many spelling mistakes had been noted that my first call was to inform the ticket-issuing office.
One of my users got the first of these a few weeks ago. The link for ACT NOW looked wrong, and I knew from painful experience that speeding fines all arrive via snail mail.
Anyone have the typical Subject field info and is the body content in text format or image format?
Sorry…I didn’t make that clear – I cropped the image a bit tightly to save space.
The text at the top, “Penalty notice number: 891571934”, was the subject line.
The body was HTML, no images, with a text-only alternative.
Great, thanks for the update Paul. Not seen anything here on our systems in WA yet, but wouldn’t be surprised if this one morphed a little to other Aus states.
Samples I saw asked for $1200 worth of bitcoin, not half that. Are you guys sure that’s from the right sample?
Well, that’s the thing with download links…the crooks can change the payload at will.
FWIW, this one didn’t ask for half of what you saw (which would be $600). The screenshot is as you see in the article: $500 now or $1000 later.
Same thing, really: you didn’t even *think* of paying up, did you 🙂
Thanks. They got me. I didn’t pay up but I have wasted most of the day trying to get my PC fixed. Of course, files are still encrypted – anyone know where/how to get the right key?
If the crooks’ servers have been taken down then there is no way to retrieve the key. Just restore your data from your latest backup. You do backup your data, don’t you?
When I uploaded this file to VIRUSTOTAL, SOPHOS was shown as “clean”???
Hmmm. Difficult to comment on the what/how/why given only that you uploaded a file (perhaps it was different?) to VirusTotal.
I’d suggest submitting the sample directly to SophosLabs, which makes sure we get exactly what you are sending in, and means you can add a note to explain the circumstances:
https://secure2.sophos.com/en-us/support/contact-support/sample-submission.aspx
I had to deal with a case of ransomware here in FL that came through the USPS Mail software. The best prevention and cure, and maybe the only one, is to make sure you have a strong backup system in place. If you fall for this scam, and I hope you don’t, getting out is not a problem; the loss of data is what hurts you. My client lost years of work!… So make sure your backup is a backup, not a daily data copy you work from, because even if it is in a cloud it’s going to be affected or lost.