Blogger turns tables on cyber-scammer by infecting them with ransomware

BBC News reports:

A French security researcher says he managed to turn the tables on a cyber-scammer by sending him malware.

Technical support scams try to convince people to buy expensive software to fix imaginary problems.

But Ivan Kwiatkowski played along with the scheme until he was asked to send credit card details. He instead sent an attachment containing ransomware.

On one level I feel like just about everyone else reading the story. The scammers deserved everything they got, and isn't it hilarious that a "victim" turned the tables and managed to infect the criminals' computer with a copy of the Locky ransomware?

But another part of me feels uncomfortable.

I don't think the existence of online crime gives any of us a green light to break the law ourselves, tricking others into running malware and making changes to their computer systems without their permission.

Yes, waste scammers' time if you want to. But I would not recommend breaking the law.

Nonetheless, I'm sure some of you will be tickled by the story. You can read it in full on Kwiatkowski's blog.

28 Responses

  1. john smith

    August 15, 2016 at 8:27 pm #

    Is this a joke? You don't think these people deserve it? They are scumbags. "We shouldn't break the law ourselves?" You probably are against piracy too, aren't you? What a joke you are.

    • Graham Cluley in reply to john smith.

      August 15, 2016 at 11:19 pm #

      I don't think that someone breaking the law is a good reason for you to break the law in response. Especially when you could do something which was lawful like hang up the phone, or waste the scammers' time etc etc…

  2. Rich

    August 15, 2016 at 8:28 pm #

    Laws against attacking hostile agents are like gun control laws; they leave the public essentially helpless and vulnerable in the face of escalating crime. I've about had it with phony credit protection phone calls and cybercrime perpetrators!

    • Graham Cluley in reply to Rich.

      August 15, 2016 at 11:24 pm #

      I understand the frustration. I really do. I just do not believe that it's wise for everyone to become a vigilante and take the law into their own hands.

  3. Resa

    August 15, 2016 at 9:18 pm #

    So he sent them an infected file. How does he know they opened it? Did they pay his ransom?

    • Graham Cluley in reply to Resa.

      August 15, 2016 at 11:17 pm #

      The researcher was in an online chat with the scammers. The scammers kept asking for his credit card details. The researcher claimed his eyesight wasn’t good enough, and so sent a “photograph” (in actuality a copy of the Locky ransomware) to the scammer. The scammer said he had tried opening the file but “nothing had happened”.

      Seems plausible that the scammer opened the file.

      The researcher wouldn’t know if they paid the ransom or not, because that would be heading towards an entirely different cybercrime gang. :(

  4. Zaphod

    August 15, 2016 at 9:58 pm #

    "But another part of me feels uncomfortable.

    I don't think the existence of online crime gives any of us a green light to break the law ourselves, tricking others into running malware and making changes to their computer systems without their permission.

    Yes, waste scammers' time if you want to. But I would not recommend breaking the law."

    I'm going to steal Graham Cluley's wallet because he's a giant pussy. Then when he gets a new one I'm going to steal it again. How many wallets before you stop being a giant pussy, Graham?

    • Graham Cluley in reply to Zaphod.

      August 15, 2016 at 11:21 pm #

      Allow me to put on my peril-sensitive glasses before replying to you…

      In this case you're not only breaking the law (by infecting the scammer with malware), but you're also potentially putting more money into the hands of whoever was behind the ransomware campaign and /potentially/ damaging evidence that could be later used by law enforcement to bring the scammers to justice.

  5. Chris L

    August 15, 2016 at 10:14 pm #

    Exactly what law did the Blogger violate?

    A scammer was attempting to access his system, and he protected it.

    It's no different than a burglar trying to break into your house, and you use a baseball bat to protect it.

    • Graham Cluley in reply to Chris L.

      August 15, 2016 at 11:23 pm #

      To protect the user's "home" they only needed to hang up the phone. They didn't need to go round to the burglar's house and pour gasoline through his letterbox.

      What laws? Infecting other people's computers with malware without authorisation is a crime in most countries – law enforcement use such legislation all the time to collar online crooks.

      • Chris L in reply to Graham Cluley.

        August 15, 2016 at 11:29 pm #

        If the scammer feels laws have been violated, they're free to contact the police themselves.

        But since their own activity is illegal, I doubt law enforcement will help them.

        It's similar to a drug dealer calling the cops if someone steals their drugs. They will receive no help since having the drugs is illegal in the first place.

      • Joseph in reply to Graham Cluley.

        August 16, 2016 at 2:25 pm #

        Mr Cluley sounds absolutely clueless. He must be one of the more fortunate victims, who can clearly afford to lose tons of cash to the likes of the scammer being discussed here. Most of us have to work for weeks, if not months, to acquire the funds we are being scammed out of. Those funds would ordinarily be applied to such mundane things like food for the kids, cancer medications, and rent payments. Mr Cluley seems to summarily dismiss the need for kids to eat, for cancer patients to have their medications and the right for us to not be cast out on the street as homeless. He seems to be comfortable with the role of sheep being willingly led to the slaughter by the predatory scammer. His attitude flies in the face of reality, which is that the scammers act pretty freely, with very little fear of the authorities. Thankfully, there are people among us like Ivan, who offer the hope that sometimes justice can prevail.

        • Graham Cluley in reply to Joseph.

          August 16, 2016 at 2:35 pm #

          "He seems to be comfortable with the role of sheep being willingly led to the slaughter by the predatory scammer."

          Not at all. I've spent the last 25 years helping people protect themselves from scammers and online crooks.

          I believe that education is key to helping people defend themselves from the scumbags and internet low lives who attempt to defraud us out of our savings.

          What I don't believe, however, is that it is sensible for the average Joe in the street to hack other people's computers, to spread malware, to launch denial-of-service attacks or whatever next is dreamt up by the internet vigilantes.

          Chaos and madness lies down that path.

          It's bad enough that law enforcement agencies seem to be comfortable spying and hacking into people's computers without due legal process (see other articles on this site for details of that) without the public being given carte blanche to use similar hacking tactics themselves.

          • Alex in reply to Graham Cluley.

            September 12, 2016 at 12:22 pm #

            On the contrary, the public needs carte blanche to use any tactics available to protect themselves from online scammers AND unruly, invasive governments.

            Most folks simply want to get on with their business and will leave others alone if left alone. But nobody should be asked to take a punch in the nose without recourse to self defense.

            I agree that education is key, so long as that education not only teaches you how to recognize an attack but fend it off and riposte as well.

  6. Philip Le Riche

    August 15, 2016 at 10:57 pm #

    I agree that it would be tempting to follow the example of this security researcher, however, assuming the scammer was infected and paid the ransom it'd be enriching one criminal by punishing another – not something that'd give me great satisfaction. Better to leave Law Enforcement to do this sort of thing – we may not see it and may rarely see the results, but that doesn't mean they aren't applying more sophisticated tools and techniques than any disgruntled target of the scammers could, and without the risk of being hacked back.

    • Josh in reply to Philip Le Riche.

      August 16, 2016 at 12:23 am #

      Well, if it was a decent security researcher, he could have just built his own version of the ransomware and instead of being a "Ransom" to pay it would have been null and all data encrypted and put an end to these people. The authorities are not doing anything about it. There is no way for the people to know if things are being done on the back-end. If these scammers are any good "Technical" people they would be protected, but again the security researcher may not be the best in the world. There are far too many easy ways to put this type of malware to bed and that's really going to be Software Restriction Run policies being implemented on the system accordingly. I doubt this "Security Expert" really thought through the entire process of whether it "Really" infected them or not. Again, he should have written their own program/variation to ensure it really did do it. With that, it's worth a shot to put them down if you can. I've seen far too many people fall victim to these bologna pop-ups that their system is infected and to call them. It's fraudulent activity of them to do it and sure you can hang out, but what about the 65-year-old for the next call that's told their system is infected with a virus and for this person to pay them $500.00 USD to remove it and receive some extra services. I see no issue with attacking back. These people won't be coming for him or anyone else who fights them back… They'll eventually stop.

  7. TBRACKETT

    August 16, 2016 at 12:01 am #

    TWICE THIS YEAR SOMEONE HACKED INTO MY BANK ACCTS FOR A TOTAL OF OVER 10k. EVEN THOUGH I DID GET IT BACK, I JUST WISHED SOMEONE WOULD HAVE SHOT AND KILLED THE BASTARD FOR IT. SO HEARING ABOUT THIS WAS GOOD FOR ME EVEN THOUGH I WOULD HAVE LOVED TO SEEN THE GUY REALLY GET HURT, AT LEAST HE IS GOING TO HAVE TO GET A NEW COMPUTER OR PAY SOMEONE TO FIX THE ONE HE HAS OR BOTH.

    • Graham Cluley in reply to TBRACKETT.

      August 16, 2016 at 2:35 pm #

      Sorry to hear about your experience. At least the thief seems to have left your CAPS-LOCK behind.

  8. douglas

    August 16, 2016 at 12:37 am #

    YES!!! i hope you take down there HOLE network!!!!

    • daemonchild in reply to douglas.

      August 16, 2016 at 2:58 pm #

      *their *whole. *I

  9. coyote

    August 16, 2016 at 1:10 am #

    It's amusing how many people failed here in reading comprehension.

    No one feels sympathy for the scammers; they're asking for it, it is exactly what they're doing to others without any remorse. But it would be irresponsible of him to encourage others to break the law; it would also be stupid as someone could turn it against him and try to blame him when they are in trouble because they were reckless. And yes some would try it whether you admit it or not (if you don't admit it then you're actually more vulnerable than you know).

    But there are other implications; it isn't as simple as you get treated the way you treat others. Those who don't understand this (and I do not refer to legalities) should instead educate themselves a bit. Or you could instead down vote my message; I don't mind – it will only prove my point and there are much worse things than someone disapproving of me (and sometimes it can be good!).

    • Alex in reply to coyote.

      September 12, 2016 at 12:27 pm #

      Thank you mister. pompous. Was wondering when you'd lend your big mouth to weigh in.

  10. Ivan Kwiatkowski

    August 16, 2016 at 1:57 am #

    There is a distinction between law and ethics. Being no lawyer, I'll only discuss the latter and dismiss "it was wrong because it might have been illegal" as slightly off-topic.

    There is no question that vigilantism will always be controversial. I would argue that it's an imperfect response to an imperfect society. What moral right did I have to right this particular wrong myself? None, I have to concede this. But the scammers also put me in a catch-21 situation: I can decide not to act and let them keep doing what they do, or I can pick up the phone, make their lives harder and maybe prevent a couple of people from being taken advantage of. Either way, some moral rule gets broken.
    So what's the right thing to do when there's no right thing to do? I think most people would reply "the least wrong".

    It is my personal belief that in this case, where there was no risk of collateral damage, trying to stop the scammers was the best possible option. If I had had the opportunity to rm their machine, I would have, because that would have stopped them longer. Barring this, I did the best I could think of in the spur of the moment, because I care less about their welfare (I think most people agreed that they kind of deserved it) than I care about their victims'.
    So this is my argument in favor of hacking back: the instant they enter my life, I have to make a decision which will end up being somewhat unethical, and walking away seems worse. I will not dispute that it wouldn't have felt as good either, but that's beyond the point (as far as ethics are concerned).

    I'll finish by addressing a few points from random comments:
    – It's highly unlikely that the ransomware infection caused the scammers to pay other criminals to get their data back. In all likelihood, they had to spend a few hours of their time reinstalling a clean machine.
    – Retooling ransomware is no simple task, and doing so during a phone call in less than an hour is simply unrealistic. Even for a "decent security researcher".

    Regards,
    Ivan

    • Joseph in reply to Ivan Kwiatkowski.

      August 16, 2016 at 2:33 pm #

      Mr Cluley is obviously preoccupied with observing the law versus obtaining justice. His position can only be justified if there is good evidence that there are effective countermeasures being applied by law enforcement against the scammers, a VERY misguided position, given the reality we all face today in connection with these scammers.

  11. Rod

    August 16, 2016 at 3:07 am #

    All they have to do is recover to an earlier saved backup and ransomware is gone.

    • Rich in reply to Rod.

      August 23, 2016 at 1:48 pm #

      Exactly. Back up your stuff and the ransomware scammers can't hurt you. It's that simple.

  12. user12345x

    August 16, 2016 at 4:30 am #

    That's fine if you don't agree with it. Just like Chris Hanson and To Catch a Predator. I'm sure you argued against that. It's just not "right" for police to misrepresent themselves either!

  13. Carl

    August 16, 2016 at 12:50 pm #

    The problem is this; if no one will defend you, then you have to defend yourself. The Scammers seem to be running rings around the Police (and other authorities). Our company was scammed recently; I reported it and got absolutely nowhere - just a standard "don't call us we'll call you" auto response from the police - no one is interested. The Scammers' Business Model is working and no one seems to be able to stop them. They create a huge amount of damage, and suffer no consequences. So well done to the blogger for sending them their own crap; I would have done it myself if I knew how.
