
Web hijack gangs hold businesses to ransom

Lisa Davies and Ben Grubb

Thousands of Australians have been held to ransom by eastern European hackers, who "lock up" computers by encrypting data, only to then demand a fee to decrypt it.

Senior NSW police have revealed there have been "hundreds of victims" each month since the scam began targeting businesses and home PC users around the country earlier this year.

Fairfax Media understands one of the most high-profile victims of a separate, similar ransom demand was bookmaker Tom Waterhouse, whose online betting agency was hit in the lead-up to the running of the Cox Plate on October 26.

Hacked. Photo: Kate Simon

Sources revealed tomwaterhouse.com was forced offline for up to two hours, but a spokesman for the company declined to comment.

It's unclear whether tomwaterhouse.com paid the ransom sought, but police say many victims have, believing it is the only way to regain control of their systems.

Northern Territory business TDC Refrigeration and Electrical is another that paid a ransom of $3000. Its data was accessed and encrypted by hackers who demanded money to decrypt. Another that paid was a NSW bus company.

NSW fraud squad police have told Fairfax Media many companies have handed over the amounts, usually between $1000 and $5000, rather than lose days or weeks of trade.

One of the companies that refused to pay a ransom was Miami Family Medical Centre on the Gold Coast. In December it had thousands of patient medical records hijacked by hackers who demanded $4000 for the files to be decrypted. It had to use a year-old back-up to recover its files.

Byron Bay Community School in NSW was another victim that didn't pay the ransom. It is yet to recover its data after handing over its hard drives to police.

Detective Inspector Bruce van der Graaf from the computer crime investigation unit of the NSW fraud squad said he wouldn't be surprised if victims of the encryption scam now numbered in the "tens of thousands". There was no way of knowing exactly how many were affected, as many people did not report incidents to police.

Queensland Police Detective Superintendent Brian Hay said some 30 Queensland businesses had been targeted since September, among them three medical centres.

But it's not just businesses being targeted. So too are everyday Australians. Victims are told "police" have discovered crimes ranging from copyright infringement to viewing child abuse material on their computers, and are generally asked to pay a "fine" of about $100.

Scamwatch, run by the Australian Competition and Consumer Commission, said it received 190 complaints about the “police” scam in October and November.

Detective Inspector van der Graaf said Russian and eastern European syndicates were the best in the business when it came to such online fraud scams.

The encryption scam is deployed "en masse in two different ways, one is a virus that arrives by email, infecting the systems", van der Graaf said. "The other is brute-forcing the remote desktop protocol."

The latter, he explained, lets hackers take control of a computer remotely by guessing its login password over and over until one works, ending up with the same kind of access a help desk operator gets when a user grants them remote access.

"They then demand payment of the money to [decrypt] the data," he said.

They find their victims by scanning the internet for open remote access ports, Superintendent Hay said.

Once the hackers found one, they would often try default passwords and eventually get in that way.

“They've got ... the software to scan for remote access ports. They've [then] developed a piece of software that will test known default passwords on the equipment they're looking at,” he said.
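The two-stage pattern the detectives describe above (scan the internet for open remote-access ports, then run a list of default passwords against RDP) leaves a characteristic trace in the target's own Windows Security log: a burst of failed logons of logon type 10 (RemoteInteractive, which is RDP) from one source address, spread across several account names, sometimes followed by a success from the same address. What follows is an added example written for this page, not code from the article or from the police. It runs that detection over a constructed sample of events; the failure threshold, the time window and the list of commonly guessed account names are assumptions to tune for a real environment.

```python
"""Detect RDP password guessing from Windows Security log events.

Added example, not from the article. Assumes a flat export of Security
events as (timestamp, event_id, logon_type, account, source_ip) tuples:
4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one scanner working through default accounts in
# seconds and finally getting in, plus one legitimate user mistyping once.
SAMPLE_EVENTS = [
    ("2012-12-20T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2012-12-20T02:00:03", 4625, 10, "administrator", "203.0.113.7"),
    ("2012-12-20T02:00:05", 4625, 10, "admin", "203.0.113.7"),
    ("2012-12-20T02:00:07", 4625, 10, "admin", "203.0.113.7"),
    ("2012-12-20T02:00:09", 4625, 10, "backup", "203.0.113.7"),
    ("2012-12-20T02:00:11", 4625, 10, "backup", "203.0.113.7"),
    ("2012-12-20T02:00:13", 4625, 10, "scan", "203.0.113.7"),
    ("2012-12-20T02:00:20", 4624, 10, "backup", "203.0.113.7"),
    ("2012-12-20T09:15:00", 4625, 10, "jsmith", "192.0.2.10"),  # one typo
    ("2012-12-20T09:15:10", 4624, 10, "jsmith", "192.0.2.10"),
    ("2012-12-20T09:20:00", 4625, 2, "jsmith", "-"),  # local logon, not RDP
]

# Assumed tuning values and a small list of account names that password
# lists routinely try; adjust both for the environment being monitored.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)
DEFAULT_ACCOUNTS = {"administrator", "admin", "guest", "test", "backup"}


def _parse_ts(ts):
    return datetime.fromisoformat(ts)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: finding} for every source with at least `threshold`
    failed RDP logons inside any `window`-long span. Each finding records the
    largest such burst, the distinct accounts tried in it, which of them are
    common default names, and the first account that succeeded afterwards."""
    failures = defaultdict(list)   # ip -> [(time, account)]
    successes = defaultdict(list)  # ip -> [(time, account)]
    for ts, event_id, logon_type, account, ip in events:
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) logons matter here
        bucket = failures if event_id == 4625 else successes
        bucket[ip].append((_parse_ts(ts), account))

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        start, best = 0, None
        # Sliding window over the sorted failure times; keep the densest burst.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        burst_end = fails[end][0]
        accounts = sorted({account for _, account in fails[start:end + 1]})
        later = [account for t, account in sorted(successes.get(ip, []))
                 if t >= burst_end]
        findings[ip] = {
            "failures": count,
            "accounts": accounts,
            "default_accounts_tried": sorted(set(accounts) & DEFAULT_ACCOUNTS),
            "success_after_burst": later[0] if later else None,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

A success from the same address after a burst of failures is the case to act on first: it means the guessing worked, and the next thing on a compromised machine is usually the encryption. The same logic applies to any service exposed for remote administration, not only RDP; only the logon type filter and event IDs change.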

Detective Inspector van der Graaf said the ransom notification - seen on the screen after data has been successfully encrypted - is often written in both Russian and English, giving police clues as to the identity of the fraudsters.

Victims are often asked to pay through Western Union, Liberty Reserve or Ukash, an anonymous cash-for-voucher system, generating transactions that are hard to trace.

"We haven't had a successful prosecution yet but we haven't given up, there's lots of work being done in this area," he said.

"What we just say to people is don't pay - but some people are, because the reports we are receiving are that it's the only way to get control of your systems back."

Victoria Police Detective Sergeant Gavin Carroll agreed with this advice.

"There is no guarantee that this will lead to your files being unlocked and payment of an initial amount could encourage the scammers to continue their demands,” he said. “Also, even if they were to unlock your computer, scammers could still retain access to your data and passwords which could lead to identity theft and manipulation of your bank accounts.”

But Queensland Police's Hay said many businesses would have to end up paying.

“The reality is businesses have to make decisions that will continually make them commercially viable. The ideal scenario is you don't pay the ransom, but if you've got no choice and the success or the life of your business ebbs and flows on the basis of your data you've got to.”

“What we do know is that people are not encrypting their data, they are not applying appropriate security measures to their data and to their file servers and they are not backing up appropriately,” he added.

When businesses are targeted, Detective Inspector van der Graaf said, it was important to contact the federal government's CERT Australia, the official national computer emergency response team. Visiting scamwatch.gov.au could help too, and of course reporting to police.

NSW fraud squad head Detective Superintendent Col Dyson said the encryption scam was just one of many that target unsuspecting citizens and businesses.

"What are actually pretty traditional frauds are now moving into online businesses, and targeting them in the same way they might have done before computers," Detective Superintendent Dyson said.

While the majority of Australians believe they know enough about online security to protect themselves, significant numbers of internet users have experienced an online security breach. In the 12 months to May 2012, Australia's communications regulator, the ACMA, estimated that 3.2 million internet users in Australia had their computers infected with malware.

Figures released in July revealed that one in 10 Australian internet users have lost money to online fraud over the previous year, with losses totalling $1.286 billion.

The VeriSign Online Fraud Barometer figures showed a significant increase on figures previously reported by the Australian Bureau of Statistics, which surveyed Australians in 2007 and found that just over 800,000 had been victims of personal fraud.

Back then, combined losses were $977 million.

Detective Superintendent Brian Hay said the truth was that many cyber crime incidents went unreported. “So when you see that volume of reporting in such a short period of time what alarms me is how much is not being reported because traditionally the majority is not,” he said.

“So to me this is just an indicator of what is occurring.”
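Superintendent Hay's point that victims "are not backing up appropriately", and the comment thread below about a daily backup drive that stayed attached to the server and was encrypted along with it, come down to one check: is there a copy the attacker could not reach, and does what comes back from it match what was backed up? The following is an added example, not code from the article or from any of the businesses named in it. It records a manifest of file hashes when the backup is taken (the manifest has to live off the server, with the backup, or it is encrypted too) and later verifies a restored or surviving tree against that manifest. The directory, file names and the simulated encryption are constructed for illustration.

```python
"""Backup manifest and restore verification.

Added example, not from the article. The manifest is a map of relative
path -> SHA-256 taken at backup time; it must be stored somewhere the
server cannot overwrite, otherwise an attacker who encrypts the server
encrypts the manifest as well.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Hash every regular file under root, keyed by path relative to root."""
    root = Path(root)
    return {
        str(path.relative_to(root)): hashlib.sha256(path.read_bytes()).hexdigest()
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored (or surviving) tree against the backup-time manifest.

    Returns (missing, modified, extra): files that did not come back, files
    whose content no longer matches, and files that were never backed up
    (a ransom note, for instance)."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return missing, modified, extra


def demo():
    """Constructed scenario: back up two records, then simulate the attack
    described in the article (files overwritten with ciphertext, one lost,
    a ransom note dropped) and check the tree against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "records")
        live.mkdir()
        (live / "patient_001.txt").write_text("constructed record 1")
        (live / "patient_002.txt").write_text("constructed record 2")
        manifest = build_manifest(live)  # keep this copy off the server

        for f in live.glob("patient_*.txt"):
            f.write_bytes(os.urandom(64))  # stands in for encrypted content
        (live / "patient_002.txt").unlink()
        (live / "HOW_TO_DECRYPT.txt").write_text("pay")

        return verify_restore(manifest, live)


if __name__ == "__main__":
    missing, modified, extra = demo()
    print("missing:", missing)
    print("modified:", modified)
    print("extra:", extra)
```

Running the same check against the attached backup drive in the Miami case would have reported every file as modified, which is the point: a backup that fails this test is not a backup. Running it against a restore from an offline or off-site copy, before it is needed, is the "test your restores" step the commenters are asking for.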

46 comments

  • Miami Family Medical Center had to use a year-old back-up to recover files? What the? That's one irresponsible business right there. Stop going to them NOW, as they obviously don't think your medical records are worthy of a daily backup. That's just insane.

    Commenter
    Paul
    Date and time
    December 23, 2012, 12:40PM
    • Miami Family Medical Centre's daily back-up was connected to the server targeted by the hackers, which they also encrypted.

      Commenter
      Ben Grubb, deputy technology editor
      Date and time
      December 23, 2012, 3:53PM
    • Miami Family Medical Centre should be regularly archiving to tape, these are important records.

      Commenter
      TedF
      Date and time
      December 23, 2012, 8:16PM
    • That's just as bad Tech Ed. Backups should be off server at least, and off site when ever possible. To lose your backups simply because your server was compromised is unacceptable.

      Commenter
      Bob
      Date and time
      December 23, 2012, 8:44PM
    • They still had a flawed back up strategy. If the backups are connected to their server and someone breaks in they are going to pick up all the hard drives connected to their server.

      Data is gone.

      That's pretty irresponsible for important records.

      They should have offsite storage.

      Server Admin 101

      I'll bet cash money the last time they tested their backups with a restore was more than a few months ago too.

      Your backup is not any good if your restores don't work

      Commenter
      FFS
      Date and time
      December 23, 2012, 10:31PM
    • Ben Grubb: So you've added that comment in bold, but nowhere in the news story does it state the word "daily" at all. So I was right to assume that no daily backups existed as it wasn't mentioned in the original article.

      Commenter
      Paul
      Date and time
      December 25, 2012, 12:07PM
      As I said above, Miami Family Medical Centre's daily back-up was connected to the server (it was an external hard drive) targeted by the hackers. The daily back-up was encrypted by the hackers. Many experts say that back-ups should be taken offsite. They didn't do this.

      Commenter
      Ben Grubb, deputy technology editor
      Date and time
      December 26, 2012, 11:06AM
  • I haven't used anti-viral software for years... & I'm careful about opening emails. Haven't had any major problems, ever.

    Can't believe these people don't run backup systems. It's not hard to unplug - reformat - reinstall Windows - restore backup.

    &/or ::

    Run 'services.msc' and disable 'Remote Registry'.

    Hit 'Start+Pause'... Click on 'Remote Settings' (left) and deselect 'Allow Remote Assistance connections to this computer'. Below that, ensure 'Don't allow connections to this computer' is selected.

    Keep your firewall maintained too.

    Commenter
    Kel
    Date and time
    December 23, 2012, 12:47PM
      Kel, December 23, 2012, 12:47PM, you are just incredibly lucky so far rather than by good management. The greater number of websites you visit the more likely you are to pick up a Trojan, especially if you pull down data, photos etc even from well respected websites. Tens of thousands use AVG Free anti-virus for example. Recently when you updated to their latest free version they removed the automatic link scanner that works on your google page. For it to work now you have to use their AVG search page and not google. I found out the hard way. After uploading photos on Ebay to make my first sale it confirmed those photos back with a Trojan embedded in the photos I sent up. I sent up clean ones and they confirmed back infected ones with a Trojan that my link scanner did not pick up because AVG had deleted the link scanner unless you used the paid for anti virus version. Result? 5 different programs had to be used to eradicate the Trojan that was all through my computer. One antivirus cleaner would not do it. Then blow away my PC to factory start and spend 5 days reloading all the software and backups of data. It will happen to you eventually no matter how much protection you have and how smart you think you are. You can count on it. It's just a matter of time.

      Commenter
      Jode
      Location
      Melbourne
      Date and time
      December 23, 2012, 11:17PM
    • Oh well Jode... Maybe don't "pull down" other people's data from other people's websites !!

      & it's not luck at all... It's utilizing 'smart' management. Have you heard of spyware scanners? Emptying your 'temp' file folder? Cleaning your registry ??

      & if you ask me... The Anti-virus co's are the culprits.

      Commenter
      Kel
      Date and time
      December 24, 2012, 12:51PM

Comments are now closed