Another law enforcement group co-opted in extortion scheme

Variant of Citadel malware and Reveton ransomware uses Internet Crime Complaint Center name, claims victims' activity is being recorded

A cybercrime group has raised the scare tactics used in an increasingly sophisticated Trojan-ransomware combo to frighten victims into paying a bogus fine to unlock their computers.

The latest iteration of Citadel malware and Reveton ransomware uses the name of the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center,in a warning that claims victims have violated federal laws. In a new twist, the ransomware claims victims' computer activity is being recorded.

The scheme begins with luring a person to a website hosting the malware. Once Reveton is installed, it locks up the victim's computer and displays a screen saying the FBI has found that the computer's IP address has been used to access child pornography and other illicit content.

[Bill Brenner in Salted Hash: Cybercrooks make millions off ransomware, Symantec says]

The ransomware uses the IC3 name to frighten people into paying a fine using prepaid money card services, the FBI said. The malware uses the geographical location of the victim to direct to a particular payment service.

"In addition to instilling a fear of prosecution, this version of the malware also claims that the user's computer activity is being recorded using audio, video, and other devices," the FBI said in a statement

The scheme also involves installation of Citadel, which waits in the background to steal online banking credentials and credit-card numbers. 

Criminals have used the Reveton-Citadel combo before. In August, the pair was used in a scheme that co-opted the name of the FBI to frighten victims, the agency said. The FBI first learned of the malware in 2011.

Symantec recently predicted that ransomware such as Reveton would surpass fake antivirus in 2013 as the biggest online scam. Fake AV scams typically warn visitors to a malicious website that their computers are infected with viruses and then installs malware under the pretense of removing the infection.

"From here on out, we're going to see [Reveton-like] threats get much more professional looking and sophisticated as cybercriminals refine the scam and up the fear factor," said Kevin Haley, director of Symantec Security Response.

Symantec has noticed that the spread of Reveton (also known as Ransomlock.G) has increased lately in the U.S. and other countries. "It's particularly effective because the attackers behind it are quick to implement the latest exploit kits and social engineering tricks," Haley said.

More than 16 gangs are behind the spread of ransomware, he said. The majority of infections occur when people click on ads featured on adult-oriented websites.

Copyright © 2012 IDG Communications, Inc.

The 10 most powerful cybersecurity companies