Fake Online 'Ransomware' Targets Porn Viewers, Hijacks Browsers
Don't let this website fool you! It's not the FBI; it's just a rather clever ransomware-like online scam.
No, the FBI isn't going to give people who illegally download porn the opportunity to get away by paying $300 — that's just what a new type of online scam wants you to think.
Technically, this scam is fairly straightforward. It "locks" computer screens by sending users to a website designed to look like an official FBI website. Conventional methods of leaving the page or closing the browser will not work unless users agree to pay $300, a fee that the website claims will go to the FBI but really gets rerouted to cybercriminals.
But Jerome Segura, a security researcher at Malwarebytes who discovered the scam, said the ransomware is unique in a few more ways — namely, this fake FBI scam works on several major browsers and all computer platforms, including Macs, which many people think are immune to cyberattacks. However, the scam doesn't work on mobile devices, Segura said.
You'll probably come across it while searching for porn or illegal downloads in a search engine (though Segura also found this malicious link by searching for "Taylor Swift" in Bing, so presumably, it's intended to turn up in a number of popular searches).
The website is designed to look like an official FBI page, but the URL, "fbi.gov.id" — followed by a string of numbers and ending in ".com" — should be a giveaway that it isn't the official government site.
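One way to catch that kind of lookalike address automatically, as an added example that is not code from the article or from Malwarebytes: the check below parses a URL, works out which domain it is actually registered under, and flags hosts that merely begin with an official name (the "fbi.gov.id<numbers>.com" shape described above). The list of imitated domains, the exact regex shape and the sample addresses are assumptions constructed for illustration.

```javascript
// Added example (not from the article): flag hostnames that imitate an
// official domain by placing it at the front of an unrelated hostname.

const OFFICIAL_DOMAINS = ["fbi.gov"]; // assumption: the brand being imitated

// Shape of the host the article describes: "fbi.gov.id", digits, ".com".
// Assumed to be literally that; adjust if the real addresses differ.
const DESCRIBED_SCAM_HOST = /^fbi\.gov\.id\d+\.com$/i;

// Registrable domain approximated as the last two labels. Good enough for
// ".com"/".gov"; a real deployment should consult the Public Suffix List.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Classifies a URL's host as "official" (registered under the real domain),
// "lookalike" (the official name appears inside the host, but the host is
// registered elsewhere), "unrelated", or "invalid" (unparseable URL).
function classifyHost(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { verdict: "invalid", host: null, registrable: null };
  }
  const host = url.hostname.toLowerCase();
  const registrable = registrableDomain(host);
  const result = {
    verdict: "unrelated",
    host,
    registrable,
    matchesDescribedPattern: DESCRIBED_SCAM_HOST.test(host),
  };
  for (const official of OFFICIAL_DOMAINS) {
    if (registrable === official) {
      result.verdict = "official";
      break;
    }
    // "fbi.gov.id1234567.com" contains "fbi.gov" but is registered under
    // "id1234567.com": only the leading labels imitate the real site.
    if (host.includes(official)) {
      result.verdict = "lookalike";
    }
  }
  return result;
}

// Constructed sample addresses for a quick demonstration.
const SAMPLES = ["https://www.fbi.gov/", "http://fbi.gov.id1234567.com/", "https://example.com/"];
for (const s of SAMPLES) console.log(s, "->", classifyHost(s).verdict);
```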
Text on the website claims that "your browser has been blocked due to at least one of the reasons specified below," which include downloading or distributing pornography, or illegally downloading copyrighted content — a wise scare tactic, considering many users have engaged in such activities at least once. What's more, Segura found that this website turns up more frequently when users are searching for illegal material, which makes this apparent "warning" seem more official.
But the malicious website also has a plan for users who are particularly virtuous and haven't engaged in these behaviors: It claims that the computer might be infected with malware. Having a malware infection isn't a crime, of course, but scammers often try to use this as a scare tactic.
The website demands that "to unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300." Attempting to close the page merely brings up a pop-up box claiming, in all caps, that "all PC data will be detained and criminal procedures will be initiated against you if the fine will not be paid." If you try to close this pop-up box, another one will appear, thus preventing you from closing the browser.
Segura calls this "social engineering." Nonetheless, this "lock" is easy to break, as it lacks technical complexity.
Force-quitting the browser will end the lock, but if your browser has a "restore tabs" feature for recovering web pages in the event of an unexpected shutdown, the next time you start up the browser, the fake FBI website will reload, and the lock will resume.
The best way to get rid of it without paying the $300 is to reset the browser by going into your browser's settings and selecting 'reset.' There are also two other methods for killing the ransomware: You can click the Leave Page button on the pop-up box 150 times, at which point the code runs out of loops to perform and simply ends, or you can enter a fake "voucher code" without having actually paid the $300. The website doesn't perform any kind of verification on that code and will let you leave the page.
However, this scam doesn't need to download anything in order to work, because it isn't malware, meaning it isn't malicious software that gets installed on your computer.
"[Malware] is much more difficult to eradicate because the computer itself is infected, so this [scam] is an easy approach to defeat," said Segura. "But because it's based on social engineering and tracking you and what your browser was doing prior [to arriving on this site], the chances of [it] working are pretty high."
Malwarebytes calls the scam "ransomware" even though it isn't technically ransomware, because it isn't a type of malware. Segura said he decided to use the term since, from an end user's perspective, the scam operates much in the same way ransomware does.