LIMASSOL, CYPRUS–The scareware and rogue anti-virus epidemic that has been earning attackers millions of dollars for the last few years has spawned a devious new offspring: SMS blockers. This class of malware, which demands that users send SMS text messages to premium numbers, has recently taken off in huge numbers in Russia and parts of Asia, experts say.
SMS blockers, or simply blockers, as they’re known, are a clever evolution of the old ransomware or scareware tactic of demanding a payment in exchange for either removing some malware on a PC or decrypting the user’s hard drive, which the ransomware encrypted in the first place. These tactics have been extremely profitable for scammers in the last four or five years, earning some gangs millions of dollars per year.
In recent months there has been a major uptick in the volume of SMS blockers hitting users in Eastern Europe–particularly Russia–and parts of Asia. The scam is as simple as it is effective: A victim visits a malicious site, or perhaps a legitimate site that has been compromised and loaded with attack code, and her machine is infected with a piece of malware. The victim will then start seeing dialog boxes with a message demanding payment in order to disinfect the machine.
But, in order to disinfect the PC, the victim must send an SMS message from her mobile phone to a premium number controlled by the attacker, typically at a cost of about $10, said Boris Yampolsky, a malware researcher at Kaspersky Lab, in a talk at the company’s Security Analyst Summit here Wednesday.
In some variations of the scam, victims see a pornographic picture in a pop-up window, which is impossible to remove until the SMS message is sent. Some of the scams also require victims to send two separate messages, totaling $20. Other variations tell the victim that her Windows license is invalid and she must send an SMS to re-activate it. In all cases, the machine essentially becomes unusable until the payment is made.
The new scam relies on an ecosystem of entities behind the scenes in order to work. In a typical set-up, the scammer buys a short SMS number from an aggregator, who in turn has purchased the number from a mobile operator. Once a victim is infected, the SMS that she is instructed to send will typically contain a code that essentially identifies the scammer who infected her. The mobile operator pays the aggregator his fee, half of which is then forwarded to the scammer.
Yampolsky, who has been tracking these scams in Russia, estimates that there are as many as 500,000 SMS blocker infections each day.
“The code is sophisticated. They use obfuscation and anti-emulation techniques to make it hard for us to analyze it,” he said.
SMS blockers haven’t made much of a dent in the United States and other Western countries as yet, Yampolsky said, because it’s more difficult for scammers to get the SMS numbers required for the attack. But that may change in the future as they figure out ways around the restrictions in the U.S.