Japanese Porn Extortion

UPDATE: Due to a little confusion in the BBC article about this blog entry, I am mistakenly attributed in many stories as saying that this malware is linked with the name Shoen Overns which in turn is linked to ZeuS and Koobface campaigns. This is not the case. When talking to the BBC I was pointing out the parallels in the modus operandi of this threat and a separate recent extortion threat in Europe detailed by Dancho Danchev here. The two are not at all linked to the best of my knowledge.
 

A colleague of mine, Noriaki Hayashi, brought my attention to an interesting Trojan that has begun circulating in Japan. The malware is aimed at extorting money from its embarrassed victims and here’s how it works.
 
The victims are initially hooked when they download what they believe to be illegal copies of games from file-sharing networks. In most cases the malware masquerades as illegal copies of “over 18” hentai-themed games such as the one below.
 

Example of legitimate Japanese game from Abel Software


 
 

Once the installer is launched it brings up a form requiring the user to enter personal information including their full name, date of birth, game password, email address, postal address, gender, annual income, company name and telephone number along with a few other things for good measure.
 
While all this is going on, the malware is also automatically collecting details about the victim’s computer, including user account, domain and computer name, OS version information, clipboard content, file use history and Internet Explorer favourites. It also grabs a few screenshots just in case they don’t already have enough dirt.
 

Trojanised installer collecting information


 
All of this information is then published on a publicly available website, and it’s not long before the victim receives a “helpful” email.
 
The email comes from a company calling themselves “Romancing Inc” (who coincidentally also own the domain where the stolen information has been published), and they alert the unfortunate mark to the predicament, offering to resolve the “copyright infringement” and get the information removed… For a fee.
 
It may well be that the attackers have a second trap up their kimono as well: the installer also plants a few mp3 files, called Buck Duck, Chukar and Quail, onto the victim machine. These mp3 files are up for sale at a very high price on a separate website (58 million Yen is about 402 thousand pounds).
 

Music for sale…

 
Could it be that once a victim has shown themselves to be extortion-friendly they will get hit with yet another “copyright infringement” notice from Romancing Inc? Japanese copyright law was strengthened this year, largely in an attempt to address the problem of illegal downloading.
 
This is certainly another illustration of why, in the long run, you may well be better off paying up front for your downloads and steering clear of file-sharing networks.

16 thoughts on “Japanese Porn Extortion”

  8. Netaji

    ‘you may well be better off paying up front for your downloads and steering clear of file-sharing networks.’

    OR

    You could switch to a mac OS.
