Anti-Malware , Fraud , Phishing

Ransomware Gets a New Twist?

Symantec Describes Dual Attack Now Targeting Consumers
Ransomware Gets a New Twist?

Security firm Symantec has issued new warnings about a malware strain known as Poweliks, noting that this year-old Trojan is now being used in conjunction with ransomware to target consumers.

See Also: Detecting Insider Threats Through Machine Learning

Yet, there is some disagreement between fraud/security experts over the severity of the Poweliks threat.

Financial fraud expert Avivah Litan, an analyst for consultancy Gartner, says this new, dual attack is concerning. "Criminals are having to resort to attacking consumers directly, as banks get much better at protecting customer accounts," she says.

But Jon Miller, vice president of strategy for security firm Cylance, says the ransomware connection to Poweliks does not appear to be intentional, and therefore the overall threat posed by Poweliks remains relatively low.

"Poweliks is not a prevalent infector on the Internet," Miller says. "It is easily defeated by keeping systems up-to-date and/or deploying next-generation antivirus [software]."

About Poweliks

Poweliks, first discovered in August 2014, is an emerging adware click-fraud attack that is distributed via phishing. It targets Windows-based operating systems by installing itself into the Windows registry, where it hijacks existing entries. When essential Windows functions are performed, Poweliks launches itself, according to Symantec.

The Poweliks Trojan also stores its own code within registry entries, which allows it to remain persistent on a computer but not have any of its files stored directly on the computer file system, making it very difficult to detect, Symantec notes.

"Once installed, Trojan.Poweliks may contact its command and control servers to download further instructions," Symantec writes in a June 11 summary about Poweliks. "The primary goal of Trojan.Poweliks is to perform click-fraud operations, which involves covertly downloading large numbers of online advertisements onto the compromised computer and then automatically clicking or interacting with them with a view to earning fraudulent advertising revenue for the attacker."

But now Poweliks' link to recent ransomware attacks, specifically Cryptowall, waged against consumers raises new concerns, the firm finds.

In a blog posted June 9, Symantec researcher Kevin Gossett points out that this connection between click-fraud and ransomware is likely proving profitable for attackers.

"It requests ads based on keywords, pretends the victim legitimately searched for the selected keywords, browses to the URL returned by the ad network, and then allows the attacker to receive money," he writes. "The selected ads are not shown to the victim, so they remain unware of Poweliks' presence on their computer."

Add in the ransomware, and it's a two-fold, profit-generating attack for the hacker, Gossett adds.

"Poweliks can request as many as 3,000 advertisements per day on a computer," he writes. "As it requests so many ads, and doesn't really care where they come from, it could eventually download malicious adverts onto the compromised computer. This can cause other malware to be installed on the computer, and we have observed that Trojan.Cryptowall, or one of its variants, was installed on computers already compromised by Poweliks. So, while a victim may be initially unaware that Poweliks was displaying ads on their computer, they could eventually end up locked out of their computer while being prompted to pay a ransom."

But Cylance's Miller says ransomware's connection to Poweliks is purely coincidental, and doesn't really reflect an evolution in how Poweliks is being used.

Poweliks attempts to drive revenue through ad clicks with the user being aware that the malware is present, Miller says. Cryptolocker, on the other hand, is an obvious and transparent infection that freezes the user's computer or mobile device to demand a payment, he says.

"Halting the use of the computer in demand for payment essentially disrupts the revenue stream that Poweliks is exploiting," Miller explains. "It's not that they are being used together, as much as one infection, Poweliks, is inadvertently infecting the system with another piece of malware, Cryptolocker."

Ransomware Worries

While Symantec still rates the overall risk level of Poweliks as "very low," the tethering of a ransomware attack to Poweliks infections does heighten concerns, the firm says.

Security experts and law enforcement have for months been issuing warnings about new-and-improved ransomware attacks that are increasingly fooling unwitting consumers into paying extortion fees to hackers after their computers have been infected.

Ransomware attacks are typically waged in two parts. First, a device is infected with malware, such as Cryptowall, that locks the user out of devices or encrypts files so that the user can longer access them. Then a ransom is demanded through an automated message that appears on the user's device screen. The user is told he or she has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased. In some instances, the attacks also involved convincing users that they have broken a law that will result in arrest if they don't pay the fee.

In May 2014, researchers warned that a new form of ransomware attack aimed at employees and customers of banking institutions in Europe had infected mobile phones with a Trojan known as Svpeng (see New Ransomware Targets Mobile).

Then, in July 2014, emerging ransomware attacks aimed at businesses, rather than individual consumers, got researchers' attention (see Ransomware Attacks' New Focus: Businesses).

"Ransomware is flourishing as the criminal community appreciates its viability and the ease by which ransomware can be shared," says Tom Kellermann, chief cybersecurity officer at security firm Trend Micro.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network