An alarming "new form" of cyber-extortion uncovered by security vendor Websense in recent days now looks as if it could be nothing more than an elaborate practical joke.
An alert put out by the company on Dec. 11 described a new type of cyber extortion attack whereby a webmail account could be compromised in such a way that the affected user would have to pay to have their inbox contents returned to them. Composed in bad Spanish, the attackers left an unwanted message, translated by Websense:
"If you want to know where your contacts and your emails are then pay us or if you prefer to lose everything then don't write soon!"
If true, the attack would have been the first of its kind, a disturbing extension of previous cyber-extortion attacks from 2006 which focused on encrypting files and demanding a ransom to have them unlocked.
To quote the description of the attack from the Websense Security Labs website:
"Unlike previously documented cases (where end-users were infected with malicious code, certain file types were encoded or encrypted, and a ransom message was left on the machine), this attack compromises users' online web mail accounts. When end-users logged into their web mail accounts (in this case Hotmail), they noticed that all their 'sent' and 'received' emails were deleted along with all their online contacts."
It now looks as if only a single user was affected by the scam, and that the attack happened after they had visited an Internet cafe. "This is not a widespread attack," admitted a source on behalf of Websense.
The technical details of such an attack are critical to judging its seriousness. By what means was the attack launched? How did the attackers gain access to the user's webmail account? Given that the affected user is now said by Websense not to be responding to requests for information, it is possible that the criminals gained access to his or her account simply because the victim forgot to log out of a cyber-cafe-owned PC.
That ranks the threat as little more than an elaborate practical joke and hardly a "new form" of cyber-extortion. The only interest here for security researchers would be that it demonstrates the hypothetical potential of webmail to be abused using extortion-based malware, if such malevolent software existed.
A Websense source was able to confirm some further details. "There was no encryption involved here. The data was removed rather than encrypted. The channel used was email. The customer did not respond to the email so we do not know what the drop request was but our guess would be eGold."
Previous Websense cyber-extortion reports have been altogether more serious -- and significant. In May, came news of a sophisticated cryptographic attack, while more recently came the predictable follow-up. Both were originally uncovered by Kaspersky Labs. Encryption extortion is being touted as one of the malware trends of 2007.