The FBI is warning consumers about a new scam that uses the Citadel malware to redirect users to a malicious site that installs a screen-locking program on their machines and demands a $100 payment to unlock them. The twist in this scam is that it uses the threat of prosecution by the Department of Justice as the prompt to get victims to pay.

The malware is delivered by a drive-by download attack that installs the lock-screen program on users' machines. The attack is not much different from many others that have been in use for the last few years: the first stage sends users to a malicious site, and the site then serves an exploit for a vulnerability in the user's browser, whose payload installs the program.

Typical scareware tells the user that her computer is infected with some piece of malware and offers to remove it, for a fee, of course. In this case the program instead locks the victim's machine and tells her that she has violated U.S. law and faces potential prosecution, which is why the FBI's warning classes it as ransomware rather than a fake antivirus product.

“The message further declares the user’s IP address was identified by the Computer Crime & Intellectual Property Section as visiting child pornography and other illegal content,” the FBI warning says.

“To unlock their computer the user is instructed to pay a $100 fine to the US Department of Justice, using prepaid money card services. The geographic location of the user’s IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud.”

Scareware is one of the more common monetization schemes on the Web these days, and it has been surprisingly effective for several years now. Adding the threat of prosecution by the federal government only makes the lure more convincing.

Categories: Malware, Social Engineering

Comments (3)

  1. Shelley

    OK, so I got this FBI warning, which looks incredibly real. Except my name wasn't on it, and there was a little window saying "video recording", like they were recording my reactions, even though there's no camera on my PC. Anyway, by opening in safe mode I could get into my virus scanning programs and was able to get it "unlocked". How do I get this Citadel thing off my computer?

  2. Anonymous

    Don't do a clean install. As long as the ctfmon.exe or "Reveton" is deleted it should be fine. Make sure to turn off Windows trying to start the ctfmon.exe in msconfig.
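An added triage example, not part of the article and not any commenter's advice, prompted by the ctfmon.exe/msconfig point in the comment above: before deleting an autostart entry it helps to know which ones actually look out of place. The script parses the text that `reg query` prints for a Run key and flags entries that run from user-writable directories or that borrow the name of a Windows binary without living in System32. The sample output is constructed: it contains a legitimate ctfmon.exe entry pointing into System32 beside a hypothetical lookalike of the same name running from AppData, plus a hypothetical rundll32 loader for a DLL in Temp. The user name and the values substituted for environment variables are assumptions made so the example runs offline.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample of what `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# prints. The "ctfmon" and "Updater" entries are hypothetical and stand in for the kind of
# autostart a lock-screen infection leaves behind; the other two are what a clean host shows.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    ctfmon    REG_SZ    C:\Users\shelley\AppData\Roaming\ctfmon.exe
    Updater    REG_SZ    rundll32.exe C:\Users\shelley\AppData\Local\Temp\upd.dll,Start
"""

# Assumed environment-variable values; on a live host you would read them from the system.
ASSUMED_ENV = {
    "%windir%": r"C:\WINDOWS",
    "%systemroot%": r"C:\WINDOWS",
    "%appdata%": r"C:\Users\shelley\AppData\Roaming",
    "%temp%": r"C:\Users\shelley\AppData\Local\Temp",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Names malware commonly borrows; any copy outside System32/SysWOW64 deserves a look.
SYSTEM_BINARIES = {"ctfmon.exe", "explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}
# Launchers whose first argument, not the launcher itself, is the real payload.
LOADERS = {"rundll32.exe", "regsvr32.exe"}

REG_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


@dataclass
class AutorunEntry:
    name: str
    value_type: str
    command: str
    image_path: str


def expand_env(s: str) -> str:
    """Expand %VAR% references using the assumed table (case-insensitive)."""
    return re.sub(r"%[^%]+%", lambda m: ASSUMED_ENV.get(m.group(0).lower(), m.group(0)), s)


def extract_image_path(command: str) -> str:
    """Return the file that actually gets loaded: the executable, or the DLL behind a loader."""
    cmd = expand_env(command.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd[1:], "")
    else:
        exe, _, rest = cmd.partition(" ")
    if ntpath.basename(exe).lower() in LOADERS:
        payload = rest.partition(" ")[0].strip('"')
        return payload.split(",")[0]  # rundll32 syntax is "path\to.dll,EntryPoint"
    return exe


def parse_reg_query(text: str) -> list:
    """Parse the value lines of `reg query` output into AutorunEntry objects."""
    entries = []
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            name, vtype, data = m.groups()
            entries.append(AutorunEntry(name, vtype, data, extract_image_path(data)))
    return entries


def assess(entry: AutorunEntry) -> list:
    """Heuristic reasons an entry looks suspicious; an empty list means nothing stood out."""
    p = entry.image_path.lower()
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable directory")
    base = ntpath.basename(p)
    if base in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIRS):
        reasons.append(f"{base} outside System32 (lookalike of a Windows binary)")
    return reasons


def triage(text: str) -> list:
    """Return (entry, reasons) pairs for every entry that triggered at least one heuristic."""
    return [(e, assess(e)) for e in parse_reg_query(text) if assess(e)]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_REG_QUERY):
        print(f"{entry.name}: {entry.image_path}")
        for r in reasons:
            print(f"    - {r}")
```

The heuristics only rank entries for a human to look at; a legitimate program can live under AppData, and a lookalike can sit in System32 if the attacker had administrative rights, so treat a clean result as "nothing obvious", not as proof the host is clean.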

  3. Anonymous

    It is best to do a clean install of Windows, to be 100% sure no more malware or other viruses are present.

Comments are closed.