funsec mailing list archives

Re: Ransomeware


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 19 Mar 2006 08:43:31 +1200

Tom Van Vleck wrote:

> I shepherded a paper for the 1996 Oakland conference on
> "Cryptovirology: Extortion based security threats" by Adam Young and
> Moti Yung. I spent a lot of time helping them deal with objections
> from the security community that this subject should not be discussed
> at all. They have since written a book.

> See Adam Young's article from last year, "Has Ransomware Learned from
> Cryptovirology?"
> http://www.newsfactor.com/story.xhtml?story_id=011000008HCO
> I shall not discuss his claim to have "discovered" cryptovirology.

I cannot get to this URL at the moment and Google does not cache
NewsFactor articles...

I'd ask, of course, whether he ever published or otherwise described his
ideas before Popp "invented ransomware" with his "AIDS Information
Disk" scam in the late 1980s??  If not, I guess he stole his basic
idea from Popp, as surely any vaguely serious academic investigation of
these issues could not have remained _ignorant_ of the Popp case...

> There are vague claims that use of PayPal or e-Gold (as in the Cisco
> case) might allow a perp to get paid anonymously.  Digicash was much
> discussed in the 90s as a way of moving money anonymously, and govt
> resistance to this idea probably caused their downfall (they made me a
> job offer in 98 after CyberCash laid me off, glad I didn't take it).

> In order for the perp to get paid, there must be some party to
> whom the payment is transferred, unable or unwilling to cooperate with
> law enforcement, and yet trusted by both ends not to just steal the
> money. You might be able to come up with a zero knowledge transfer
> that would do this. I don't want to think about it. :-)

As I briefly described elsewhere, and as we see every day, mule chains
with Western Union as the medium of transfer fit the bill.  The
cooperation and unable/unwilling-to-help-LE issues are dealt with by
the perps "selling" the idea of the operation as a "real job":

   Work for us as a finance manager

   Earn thousands in your spare time

with a (to the well-informed) dodgy sounding premise that tends to seem 
"quite reasonable" to the slightly naive -- perhaps something like:

   People in your country like our top-class widgets but do not trust
   sending payments to our country [usually some shady Eastern European
   country] and won't make payments via Western Union.  They will,
   however, remit money with no questions asked to businesses in their
   own country, so if you agree to accept payments for our orders in
   your country and send them on by Western Union, we will gladly pay
   you 10% [or more], which is much cheaper and faster for us than
   going through [complex, expensive and time-consuming sounding
   process for "officially" transacting foreign currency deals in "some
   shady Eastern European country"].

So, the mules have no idea who they are really working for but pretty 
much genuinely believe they are enjoined in legitimate business 
transactions with their new-found Eastern European friends.  After all, 
they do receive regular payments into their bank accounts with 
annotations such as "buy 10 widgets" and they never get any complaints 
from the folk that apparently are buying the widgets so presumably 
their "partner" is delivering them as ordered.  The only slightly dodgy 
thing the mule may have an inkling of is that their partner is possibly 
evading the "proper" monitoring of funds transfer into "shady Eastern 
European country", but hey, the mules never intend going there for a 
holiday anyway (just in case the officials in "shady Eastern European 
country" ever back-track the Western Union transfers to them) and 
surely that is really only a problem for the widget maker should "shady 
Eastern European country" officials ever figure out what is happening; 
it's not illegal in the UK [etc, etc] for the mule to send money to 
"shady Eastern European country" via Western Union.

The mule is, of course, actually receiving funds transfers from ID 
theft victim bank accounts now "owned" by Eastern European organized 
crime, other mules higher up the chain (closer to the initial fraud), 
etc, etc.  The folk running the scam keep the transactions via Western 
Union under US$10,000 (??) or whatever amount triggers higher degrees 
of scrutiny and auditing in "shady Eastern European country", the UK or 
whatever countries are involved in each transaction and it's all but 
untraceable at that point...

It's one of the classic money laundering frauds that has, in various 
guises, been going on for decades (any LE folk like to jump in here 
with better details, please do!).


Regards,

Nick FitzGerald
