Archive for the ‘Scams’ Category

gpcode.ak: New-gen Ransomware

June 10, 2008

This isn’t new, but worrying. A ransomware virus from over a year ago, called ‘gpcode’ has resurfaced. The new version is called ‘gpcode.ak’.

What’s interesting about this virus is that, when infection occurs, it encrypts a victim’s documents (.doc, .pdf, etc.) and leaves a ransom note on the computer demanding money in return for the decryption key. The original version of this particular virus used a 660-bit asymmetric key, which was eventually cracked, but this new version uses a 1024-bit key. The internet security company Kaspersky has stated:

“Along with antivirus companies around the world, we’re faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key.”

Obviously this is very bad news for anyone infected by gpcode.ak, but it does provide some evidence as to the strength of good cryptography. For example, in the OpenVPN guide I’m putting together, I recommend using a 2048-bit key for certificate generation. That’s 2^1024 harder to crack than a 1024-bit key and, going on Kaspersky’s calculation, it would take 15 million modern computers 2^1024 years to crack. While computers are always becoming more powerful, this sort of key strength will surely remain safe for some time to come.

There’s a good page explaining all the details of gpcode.ak here.

Phishermen with Better Bait

April 8, 2008

Most of the phishing emails I see are obviously fakes. Many don’t bother to spoof the sender address, clearly link to third-party sites (e.g. http://www.yourbank.com.46dyu.ru/verify/) and/or use terrible grammar and spelling. While it’s always a give-away when I’m not actually a customer of the purported bank, a few emails certainly make me look twice before I work out their trick.

Here’s one allegedly from St. George bank in Australia.

Have a look at their official website: http://www.stgeorge.com.au/

Then this email:

While some of the grammar is slightly amiss, this email is a step above the bulk of what I’ve seen. Their trick, while not new, is that the visible link text, http://ibank.stgeorge.com.au/verify, is HTML-linked to a phishing site at http://www.stgcorge.com/verify, in the same way that I could make http://ibank.stgeorge.com.au/verify link to Google or anywhere else. Only in the case of this email, on a cursory glance, “stgcorge” could easily be read as “stgeorge”.