Thousands of Australians have been held to ransom by eastern European hackers, who "lock up" computers by encrypting data, only to then demand a fee to decrypt it.
Senior NSW police have revealed there have been "hundreds of victims" each month since the sting began targeting businesses and home PC users around the country earlier this year.
Fairfax Media understands one of the most high-profile victims of another, similar ransom attack has been bookmaker Tom Waterhouse, whose online betting agency was hit in the lead-up to the running of the Cox Plate on October 26.
Hacked. Photo: Kate Simon
Sources revealed tomwaterhouse.com was forced offline for up to two hours, but a spokesman for the company declined to comment.
It's unclear whether tomwaterhouse.com paid the ransom sought, but police say many victims have, believing it is the only way to regain control of their systems.
Northern Territory business TDC Refrigeration and Electrical is another that paid a ransom, of $3000. Its data was accessed and encrypted by hackers who demanded money to decrypt it. Another that paid was a NSW bus company.
NSW fraud squad police have told Fairfax Media many companies have handed over the amounts, usually between $1000 and $5000, rather than lose days or weeks of trade.
One of the companies that refused to pay a ransom was Miami Family Medical Centre on the Gold Coast. It had thousands of patient medical records hijacked by hackers who demanded payment of $4000 for the files to be decrypted in December. It had to use a year-old back-up to recover its files.
Byron Bay Community School in NSW was another victim that didn't pay the ransom. It is yet to recover its data after handing over its hard drives to police.
Detective Inspector Bruce van der Graaf from the computer crime investigation unit of the NSW fraud squad said he wouldn't be surprised if victims of the encryption scam now numbered in the "tens of thousands". There was no way of knowing exactly how many were affected, as many people did not report incidents to police.
Queensland Police Detective Superintendent Brian Hay said some 30 Queensland businesses had been targeted since September, among them three medical centres.
But it's not just businesses being targeted. So too are everyday Australians. They are told "police" have discovered crimes ranging from copyright infringement to viewing child abuse material on their computers. Victims are generally asked to pay a fine of about $100.
Scamwatch, run by the Australian Competition and Consumer Commission, said it received 190 complaints about the “police” scam in October and November.
Detective Inspector van der Graaf said Russian and eastern European syndicates were the best in the business when it came to such online fraud scams.
The encryption scam is deployed "en masse in two different ways: one is a virus that arrives by email, infecting the systems," van der Graaf said. "The other is brute-forcing the remote desktop protocol."
The latter, he explained, let hackers gain control of a computer remotely, by force, in the same way a help desk operator might access a computer with a user's permission.
"They then demand payment of the money to [decrypt] the data," he said.
They find their victims by scanning the internet for open remote access ports, Superintendent Hay said.
Once the hackers found one, they would often try default passwords and eventually get in that way.
“They've got ... the software to scan for remote access ports. They've [then] developed a piece of software that will test known default passwords on the equipment they're looking at,” he said.
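The brute-force route the two officers describe leaves a distinctive trace on the targeted machine: a burst of failed remote-desktop logons from one source address, followed, if a default or weak password is found, by a successful one. The script below is an added example written for this article, not code from the police or from Fairfax Media. It reads a constructed, simplified log format (timestamp|event_id|logon_type|user|source_ip) standing in for Windows Security events; Event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values, but the sample lines and the pipe-delimited layout are invented for the demonstration. It flags any source that fails more than a threshold of RDP logons inside a time window and reports a later RDP success from a flagged source as a probable compromise.

```python
"""Flag RDP password-guessing and probable compromise from logon events.

Added example: the log lines are constructed sample data in a simplified
pipe-delimited form, not real Windows Security exports.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp|event_id|logon_type|user|source_ip
SAMPLE_EVENTS = """\
2012-12-03T02:14:01|4625|10|administrator|203.0.113.45
2012-12-03T02:14:03|4625|10|administrator|203.0.113.45
2012-12-03T02:14:05|4625|10|admin|203.0.113.45
2012-12-03T02:14:07|4625|10|admin|203.0.113.45
2012-12-03T02:14:09|4625|10|backup|203.0.113.45
2012-12-03T02:14:11|4625|10|backup|203.0.113.45
2012-12-03T02:14:40|4624|10|backup|203.0.113.45
2012-12-03T08:02:15|4625|10|jsmith|198.51.100.7
2012-12-03T08:02:30|4624|10|jsmith|198.51.100.7
2012-12-03T09:10:00|4625|3|svc-print|192.0.2.9
2012-12-03T09:10:01|4625|3|svc-print|192.0.2.9
2012-12-03T09:10:02|4625|3|svc-print|192.0.2.9
2012-12-03T09:10:03|4625|3|svc-print|192.0.2.9
2012-12-03T09:10:04|4625|3|svc-print|192.0.2.9
2012-12-03T09:10:05|4625|3|svc-print|192.0.2.9
"""

FAILED_LOGON = "4625"      # Windows Security: an account failed to log on
SUCCESS_LOGON = "4624"     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = "10"      # RemoteInteractive: Terminal Services / Remote Desktop


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, event_id, logon_type, user, src = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": event_id,
        "logon_type": logon_type,
        "user": user,
        "src": src,
    }


def detect_rdp_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return sources that exceeded `threshold` RDP failures inside `window`,
    and any RDP success from such a source after it was flagged.

    Only logon type 10 is considered, so failures on other logon types
    (e.g. type 3, network) do not count towards the RDP threshold.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of recent RDP failures
    flagged = {}                  # source_ip -> peak failure count inside the window
    compromised = []              # (source_ip, user, iso timestamp) of success after flag

    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        src = ev["src"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[src]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(q))
        elif ev["event_id"] == SUCCESS_LOGON and src in flagged:
            # A guessed password finally worked: treat as probable compromise.
            compromised.append((src, ev["user"], ev["ts"].isoformat()))

    return {"brute_force": flagged, "compromised": compromised}


if __name__ == "__main__":
    report = detect_rdp_brute_force(SAMPLE_EVENTS.splitlines())
    for src, count in report["brute_force"].items():
        print(f"RDP brute force from {src}: {count} failures in window")
    for src, user, when in report["compromised"]:
        print(f"Probable compromise: {src} logged on as {user} at {when}")
```

On the sample data only 203.0.113.45 is flagged (six RDP failures across three account names in ten seconds, then a success as "backup"); the single typo from 198.51.100.7 and the network-type failures from 192.0.2.9 are ignored. A real deployment would read the events from the Security log or a SIEM rather than a string, and the alert is most useful on hosts where, as Hay notes, remote access is reachable from the internet and default credentials may still be in place.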
Detective Inspector van der Graaf said the ransom notification - seen on the screen after data has been successfully encrypted - is often written in both Russian and English, giving police clues as to the identity of the fraudsters.
Victims are often asked to pay through Western Union, Liberty Reserve and Ukash, an anonymous cash-for-voucher system, generating hard-to-track transactions.
"We haven't had a successful prosecution yet but we haven't given up, there's lots of work being done in this area," he said.
"What we just say to people is don't pay - but some people are, because reports we are receiving is that it's the only way to get control of your systems back."
Victoria Police Detective Sergeant Gavin Carroll agreed with this advice.
"There is no guarantee that this will lead to your files being unlocked and payment of an initial amount could encourage the scammers to continue their demands,” he said. “Also, even if they were to unlock your computer, scammers could still retain access to your data and passwords which could lead to identity theft and manipulation of your bank accounts.”
But Queensland Police's Hay said many businesses would have to end up paying.
“The reality is businesses have to make decisions that will continually make them commercially viable. The ideal scenario is you don't pay the ransom, but if you've got no choice and the success or the life of your business ebbs and flows on the basis of your data you've got to.”
“What we do know is that people are not encrypting their data, they are not applying appropriate security measures to their data and to their file servers and they are not backing up appropriately,” he added.
When businesses are targeted, Detective Inspector van der Graaf said it was important to contact the federal government's CERT Australia, the official national computer emergency response team. Visiting scamwatch.gov.au could help too - and of course police.
NSW fraud squad head Detective Superintendent Col Dyson said the encryption scam was just one of many that target unsuspecting citizens and businesses.
"What are actually pretty traditional frauds are now moving into online businesses, and targeting them in the same way that might have done before computers," Detective Superintendent Dyson said.
While the majority of Australians believe they know enough about online security to protect themselves, significant numbers of internet users have experienced an online security breach. In the 12 months to May 2012, Australia's communications regulator, the ACMA, estimated that 3.2 million internet users in Australia had their computers infected with malware.
Figures released in July revealed that one in 10 Australian internet users had lost money to online fraud over the previous year, with losses totalling $1.286 billion.
The VeriSign Online Fraud Barometer figures showed a significant increase on figures previously reported by the Australian Bureau of Statistics, which surveyed Australians in 2007 and found that just over 800,000 had been victims of personal fraud.
Back then, combined losses were $977 million.
Detective Superintendent Brian Hay said the truth was that many cyber crime incidents went unreported. “So when you see that volume of reporting in such a short period of time what alarms me is how much is not being reported because traditionally the majority is not,” he said.
“So to me this is just an indicator of what is occurring.”