Skip the navigation

'Ransomware' extorts payment with phone call

Pay $35 by dialing a 900 number, or forget using the PC, says researcher

January 2, 2008 12:00 PM ET

Computerworld - New "ransomware" that locks up a person's PC and demands $35 to return control to its user is on the prowl, a security researcher said this week.

The extortionists tell victims of the Delf.ctk Trojan horse to dial a 900 number, said Alex Eckelberry, CEO of Sunbelt Software Distribution Inc., a Clearwater, Fla.-based security developer. That number can be traced to "passwordtwoenter.com," a payment processor also used by hardcore pornography Web sites to charge for access to their content, added Eckelberry.

Users infected with the Trojan horse see a full-screen message posing as an error generated by Windows, according to screenshots posted by Eckelberry on the Sunbelt company blog on Monday. "ERROR: Browser Security and Antiadware [sic] Software component license exprited [sic]," the message reads. "Surfing PORN, ADULT and some other kind of sites you like without this software is dangerows (sic) and threatens with infection of your computer by harmful viruses, adware, spyware, etc."

The bogus update window includes a "Click to activate new license" button that in turn brings up another screen, this one telling U.S. users to dial a 900 telephone number and enter a personal identification number (PIN). If the 900 number doesn't work, the page instructs users to dial alternate numbers -- one in the West African nation of Cameroon, the other a satellite telephone number.

"You're completely locked out of the system" after the Delf.ctk Trojan horse installs and runs, said Eckelberry. The only way to regain control is to pay up by dialing.

A search on Google for the 900 number returns results pointing to passwordtwoenter.com, a Web site registered to Global Voice SA, a company based in the Republic of Seychelles, an island nation in the Indian Ocean. The IP address used by passwordtwoenter.com is shared with similar domains, including "pintoenter.com" and "chargemyphonebill.com," which are also registered to Global Voice.

Global Voice did not respond to e-mail sent to the address listed in the domain registration information for passwordtwoenter.com.

Ransomware, a term used to describe malware that tries to extort money from users after an infection -- usually to return access to suddenly-encrypted files -- is rare, but not unknown. The last outbreak of any note was in July 2007, when another Trojan horse, dubbed "GpCode," demanded $300 to unlocked frozen files.

Read more about Security in Computerworld's Security Topic Center.



Our Commenting Policies