Large fee demanded to remove pop-up, only IE users affected

May 8, 2015 07:50 GMT  ·  By

Cybercriminals running one-click frauds started to expand their business to Hong Kong, deploying thousands of attacks against users in this area in the past month.

The scam is similar to ransomware: a persistent pop-up window appears and demands payment to sign up for an adult website.

Crooks could have made millions with the scam

Although this type of scam has been making victims for well over 10 years, it was somewhat geographically limited, as users in Japan were the main target.

However, new findings from security vendor Symantec show that cybercriminals are also aiming at the Chinese market and have adapted their scam, writing its messages in the Traditional Chinese characters used in Hong Kong.

“It seems that one-click fraudsters have decided to become multilingual in an effort to expand their horizons and explore new market opportunities,” Himanshu Anand writes in a blog post published on Thursday.

Anand says that Symantec products stopped over 8,000 attacks during the past month, which could have defrauded users out of the equivalent of more than $5 million / €4.46 million in Hong Kong dollars.

In this particular campaign, the potential victim is required to download an HTML application (HTA) which, if granted permission to run, executes the malicious script it contains.

IE users are the target, pop-up is removed for a large payment

The file seems benign and is served when the user navigates to an adult content website and opens a video player window or an age gate. The nefarious activity is masked by the player playing the video.

Anand says that the subscription pop-up survives computer reboots, a persistence meant to pressure the victim into paying up (5,000HKD / $650 / €575) in order to have it removed from the screen.

The attacks affect only Internet Explorer users because HTA files rely on the mshta.exe engine to run code, which is present only in Microsoft’s web browser.

Since HTAs are launched as fully trusted applications and are not isolated in the browser sandbox, the cybercriminals could compromise the computer far more seriously than this and funnel in malware for other purposes, from stealing private information to enrolling the system into a botnet for spewing spam or executing DDoS attacks.