Kenzero

Kenzero is a Japanese Trojan that collects and publishes users' porn surfing habits, and then blackmails them to remove the information.

EDITED TO ADD: There's a paper at the upcoming ACM CCS conference examining similar Japanese scams.

Posted on September 13, 2010 at 6:46 AM • 32 Comments

Comments

Clive Robinson • September 13, 2010 7:29 AM

Now that is going to prove interesting...

You may not have any questionable browsing habits but once someone posts your details (plus fake history) how do you prove it's not true...

I can also see such a system being used for secondary blackmail in other ways. After all you don't have to have viewed the questionable content, you only have to appear as though you have...

Oh and when they have your CC details what are you going to do when they decide to take a second or third payment down the line. You've made one payment which could easily be seen as an admission of guilt...

Nob0dy • September 13, 2010 8:33 AM

Blackmails me to who? My fiancée knows I do it...

As far as anyone else goes, I don't care...

Curt Sampson • September 13, 2010 9:03 AM

I can't imagine that it would be so hard to track down the criminals. If they're taking credit card payments, there's an audit trail. If there's a shell company, it has bank accounts (not to mention directors and an address, though of course the address could be fake).

So how do they hide?

Ian • September 13, 2010 10:05 AM

@Curt

This is speculation, since I only read the BBC article, but they might not even actually run the charge - they just want the credit card info, which they can then sell. Ten pounds is probably less than they'd get for the card info, and then they don't run into the problem you're describing.

Not sure if that's actually the case, just thinking. :)

Ian • September 13, 2010 10:10 AM

@nob0dy

I don't care if people know what kind of porn I actually look at, but as Clive points out, how do I prove that they didn't just make it up? I bet your boss/the local police would be very interested in knowing that you're active on known child-pornography sites... even though you're really not.

Ivan • September 13, 2010 10:37 AM

@ Curt: This scam works by creating fear about their reputation in the victim -- they pay to keep information hidden that they deem a threat to their reputation.
Reporting them to the authorities would necessarily involve disclosure of the information the victim paid before to keep hidden, thus actively and by themselves causing the consequence they fear. Maybe this reduces the amount of reports down to a level "manageable" by other means.

Also, you just gave them your credit card details; they are not limited to charging your credit card "like reputable merchants" but can basically proceed with any other scheme popular for exploiting phished CC information.

Peter Maxwell • September 13, 2010 11:11 AM

@Clive Robinson at September 13, 2010 7:29 AM

Exactly what I was thinking. As soon as people believe the data published is accurate then it is open for third-parties to arbitrarily spoof other peoples' browser histories.

If this type of attack becomes more commonplace, it is conceivably possible to set up a site in the guise of having retrieved the victim's browsing habits but actually being entirely made up; same effect but no infection necessary. Names+addresses, etc, can be obtained from another database (e.g. a marketing list).

Or the converse: similar setup is arranged to the example in the articles but the malware visits certain dubious sites on the behalf of the victim before erasing itself from the system. Next day when the Police turn up to the victim's house, serious questions are asked. The corollary is that the tighter access control your system has, the harder it is to prove that it was not the victim browsing those sites.

Nobody In Particular • September 13, 2010 11:57 AM

"You may not have any questionable browsing habbits[sic] but once someone posts your details (plus fake history) how do you prove it's not true..."

That eventually becomes a self-solving problem. The fake history is only as trustworthy as the site that posts it and/or the idea behind it. Once word (or even a widespread suspicion) gets out that bogus histories are being created, most people will stop caring. It's like 419 scams - in the beginning you could draw people in, but now you've got to be living under a wi-fi shielded rock to not know someone is trying to scam you.

It will suck for the first people to be caught up in it, but eventually, it will stop being taken seriously.

Cornerstone • September 13, 2010 12:07 PM

Yes, the scariest version of this is malware that could actually download "illegal material", store it on your system, even if in deleted form, and then blackmail you into paying. A digital age version of the shop owner protection racket. And what about at a corporate espionage level?

Clive Robinson • September 13, 2010 12:44 PM

@ Nobody In Particular,

"It will suck for the first people to be caught up in it, but eventually, it will stop being taken seriously."

The history of operation Ore in the UK suggests otherwise. The man in charge Jim Gamble is guilty of making at the very least false representations to courts and to the UK's House of Lords (which at the time was the senior court in the land).

Many complaints about his and the officers under his command were made to the Independent Police Complaints Commission, some by the relatives of those driven to take their own lives by Mr Gamble's officers' behaviour. Sadly although the IPCC has effectively upheld the complaints they have failed to carry out their statutory duty to investigate them.

http://ore-exposed.obu-investigators.com/...

Mr Gamble has a shady past and was intimately associated with Ronnie Flanagen, both of whom had to leave their positions in N.I.

Further many investigations that Jim Gamble was involved with are now considered not just tainted but toxic and are being re-investigated.

He is thankfully no longer a police officer; many say he jumped before he was drop-kicked out the door.

Sadly though he is still peddling his old nonsense, only currently as CEO of the UK's new Child Exploitation and Online Protection Centre (CEOP).

From what Mr Gamble has been saying it appears Microsoft have "got into bed" with CEOP. I wonder if they did due diligence on its CEO or not, or, as is more likely, Mr Gamble is at best stretching the truth yet again.

BF Skinner • September 13, 2010 12:55 PM

Shouldn't work.

The central threat of blackmail is to create the belief in the victim that only if coercion doesn't work will the discreditable secret be revealed. The payment is to prevent the disclosure, not to reward it. An innocent person has nothing to lose by making a police complaint at the first threat.

Hitoshi and Niko Piranha began what they called the "operation" and select a victim and then threaten to beat him up if he paid the so-called protection money. I suggest they review their goals, methods, core competencies, and skip right to the other, other operation.

Seems that for this to work it depends on public shaming. Hard to feel publicly shamed on a website. We have county tax delinquents in a database that publishes to the web by query. I have even been on it a time or two myself. Didn't even know it was there and now that I do? Not so much shame. That requires a sense of people before you feel shame, that people know who you are, a community _not_ the internets.


good paper if dated by an Economist from the late 50s -

"The Theory and practice of Blackmail", Elsberg, D., 1959, RAND http://www.rand.org/pubs/papers/2005/P3883.pdf, Accessed 9/13/10

Get me a service where I can pay to have information expunged from Equifax and my birth certificate and _then_ we'll talk.

AppSec • September 13, 2010 1:29 PM

@BF Skinner:

Theory meets practice. Depends on at whom you are directing the blackmail and their impression of the Internet, as well as those to whom the information is disclosed and their perception of the reliability of the data.

Some people firmly believe everything they read is true.

BF Skinner • September 13, 2010 1:59 PM

@Appsec

Given that.

It still shouldn't work. Because the embarrassing disclosure has still already been made.

The Tams are no longer a threat. Damage done.

AppSec • September 13, 2010 2:43 PM

@BF Skinner (almost said @AppSec, and I know I tend to talk to myself sometimes, but that would have been embarrassing?? Ironic?)..

Anyway.. I guess I'm thinking more of specific attacks than attacks at the community level. It isn't necessarily about embarrassment. It's more about personal risk assessment.

Similar to how some lawsuits are settled not because the defendant is "guilty" but because of other reasons -- fighting costs more than the settlement, public exposure (is that a bad word to use in this scope) isn't necessarily in and of itself embarrassing -- but cumulative exposure could be, etc..

I don't know.. it was just a thought... You could be right..

poldergeist • September 13, 2010 5:16 PM

I just wrote to the BBC: The virus does not infect PCs, it infects Windows. I think explaining why porn surfers should switch to Linux would make an impact. More readily grasped than the merits of OO or Gimp, for instance.
Regards, poldergeist

debianUser • September 13, 2010 6:04 PM

@poldergeist
It's primarily social engineering. What part of it do you think would not work on Linux?

Davi Ottenheimer • September 13, 2010 8:07 PM

This just reminds me of the parking ticket/wheel lock scam in the UK that I mentioned here.

http://www.flyingpenguin.com/?p=6971

People there said they'd rather just pay a ticket than figure out if it's real or enforceable.

Good social engineering preys on a particular behavior or bias. In Japan there must be a shame trigger for the porn or similar whereas in England it has become a respect for authority reaction. People will pay without thought if you touch the right nerve.

This is the foundation of my social engineering research and presentation (I'll be giving it again next week at the HTCIA). So I could have a biased lens but the delivery mechanism is mostly irrelevant.

It also reminds me of the unlock code trojan in Russia.

http://www.flyingpenguin.com/?p=6807

Why would people pay so much when it is easy to unlock themselves? It's not a tech failure -- it's a social and probably cultural facet of risk management.

Nobody In Particular • September 13, 2010 10:41 PM

@ Clive Robinson

So your contention is that since this "Jim Gamble" fellow hasn't been arrested/publicly discredited/whatever, that people will believe what they see on any random website of unknown provenance, even once it's been demonstrated that the information on such websites is suspect at best and a complete fabrication at worst?

And I thought that I had a low opinion of people.

Clive Robinson • September 13, 2010 10:49 PM

@ Davi,

"People there said they'd rather just pay a ticket than figure out if it's real or enforceable"

In the UK most "fine systems" have a nasty little "pay without question" bias. Put simply, if you pay up within 14 days of issue (not receipt) you pay X; if you do not pay within that time it goes up to 2X. All have rules about contesting that take you into 2X or more.

The monetary value of X appears to be based on a "normalised pain" threshold such that 2X is above the threshold and X below it.

Interestingly for most of the "official scams" of this sort, of those that "contest" the fine something like 85% of them are successful. Of those that are not, those that go through an appeals process appear to have a better than even success rate.

So only about 5-8% of these fines are found to be valid when those receiving them challenge them.

My own experience was with a rail operator of very low repute in London called South West Trains. Due to the failure of their automatic ticketing machine system I could not get a ticket. On using their "platform help system" I was told to seek a member of SWT staff either at the station or at some point during my journey. I did this and was told I had to pay a fine of 20GBP. I contested it and was told "sorry you have failed". I wrote to the "company secretary" of SWT Head Office (which also just happened to be the same as the supposedly "fully independent" appeals organisation) and was brushed off. I was then sent a "getting heavy" letter of "pay the fine or go to court" with the threat of "get a criminal record" and "pay court costs of several hundred GBP".

In all my letters I very clearly stated what had happened, including being assaulted by a member of the Metropolitan Police, being illegally detained, and the fraudulent paperwork from SWT staff. SWT's "Company Secretary" again failed to investigate what the SWT staff were up to. When the court summons arrived it was incorrectly filled out. I was told by SWT staff that if I paid the costs within seven days I could stop the court case. I refused and "put them to proof" and asked for copies of the CCTV footage, names etc of those involved so they could be summoned to court. SWT sent back a letter saying I was out of time and that they were not obliged to give me the evidence I had requested until 14 days before the court date. No evidence turned up and just days before the court date the person who was representing me was told verbally by SWT that they had withdrawn the case. On contacting the court however I found that SWT had not informed them they had withdrawn the case. Being a naturally suspicious person I actually went to the court on the day and SWT had sent down a legal representative, who only on being told that I was present and that evidence had not been supplied etc admitted that he had not been given instructions by SWT to withdraw. He phoned SWT and then said he would speak to the magistrate about withdrawing the case...

I saw red and told the court clerk I wanted compensation for time etc. The magistrates decided to hear my side. I presented the letters etc and they were visibly shocked, as was the Court Clerk. I was told that unfortunately, as SWT had withdrawn the case, the court could not make them pay me my costs. However the Court Clerk told the magistrates that due to the fact that I had attended court it was within the court's discretion to pay me a sum of money directly from the court; the magistrates agreed and I was awarded an appropriate sum for lost earnings etc.

I then went and did some digging around and found out that there were a number of cases where SWT had said they were withdrawing a case to a defendant or their representative but actually not doing it and getting judgment against the defendant simply because they did not show. Apparently on the defendant going through the process of "reclaiming their rights" SWT blamed "clerical / paperwork errors" in their defence.

Further investigation showed that most magistrates' courts hated dealing with SWT for a whole host of reasons. I was told by one member of a court's staff it was obvious that SWT were bringing cases before the courts they had no hope of winning so often that even SWT could not be that incompetent. When I suggested that SWT were using the courts to leverage fine payments they said it was a "not unreasonable interpretation of the facts"...

So you could say that many UK GOs/NGOs with fine raising powers are "socially engineering" money out of innocent people. Personally I prefer that good old word "extortion" as defined in many dictionaries.

Oh one thing, in the vast majority of these "fine systems" those at the bottom of the system that "hand out the fines" are on "minimum wages". BUT they get a significant percentage of the "fines they issue" which can easily quadruple this as an incentive... So I'll leave it to you to decide just how impartial they are, and if they are likely to "issue fraudulent" fines as South West Trains Revenue Protection Officers did with me. Further, just how complicit the entire organisational chain above them to director level is, as they must know and turn a blind eye as long as "The revenue is protected".

Clive Robinson • September 13, 2010 11:19 PM

@ BF Skinner,

"Get me a service where I can pay to have information expunged from Equifax and my birth certificate and _then_ we'll talk"

I'm curious... why would you want to "have information expunged from... ...my birth certificate"?

Are you an immortal or an American who is thinking about becoming President but unfortunately was born outside the US?

I don't know about US birth certificates but the UK ones have very little information on them and we have a system called "Deed Poll" whereby you can change your name to get rid of quaint, curious or embarrassing names your parents or guardians might have foisted on you.

Hopefully you are not like "Frank" in "Seven Brides for Seven Brothers" where "Frank" is short for "Frankincense" because his mother could not find a boys' name beginning with F in the Bible for her sixth son...

Clive Robinson • September 14, 2010 12:11 AM

@ Nobody In Particular,

"So your contention is that since... ..., that people will believe what they see on any random website of unknown provenance even once it's been demonstrated that the information on such websites is suspect at best and a complete fabrication at worst"

Yes, I guess you did not follow the link I provided.

Operation Ore was a witch hunt for downloaders of "child pornography" based on the use of the US website "Landslide" which was a payment gateway to many forms of adult entertainment on other illegal sites.

The US Government sent a list of names and CC details they had from investigating Landslide to the UK Gov and Operation Ore was setup to investigate the list...

Well Mr Gamble and his subordinates assumed that everyone on the list (except for close friends of prominent UK politicians) were all guilty of downloading "Kiddie Porn".

Only that was very far from the case; even before LandSlide was closed down it was well known that it was being scammed by Internet Fraudsters with stolen CC details (it would appear in the UK case that they were stolen from a well known high street grocery chain).

Amongst other things Mr Gamble presented false evidence in court (a doctored image of Landslide's front page making the "child porn" references considerably more prominent than they really were).

The interrogation techniques used by the officers involved telling suspects that they would tell all and sundry that they were paedophiles. And it appears they did just that, with many suspects losing their jobs, homes, families, friends and freedom, even when there was overwhelmingly clear evidence that it was stolen CC details that had been used by Internet Scammers.

Some of the suspects who were not sufficiently familiar with technology took their own lives; others are still fighting to have their names cleared and those responsible for the mess to be brought to book.

One of the reasons the sham that was the Operation Ore investigation came to light was the US FOI act that allowed one suspect to show that stolen CC details had been used.

Some estimates say that Operation Ore was not only unsuccessful and harmful to many innocent people, it also has set back nearly all otherrrrrrr

Clive Robinson • September 14, 2010 12:32 AM

@ Nobody In Particular,

Sorry, my LG Android "smart phone" did its occasional party piece (keyboard driver does strange things and the phone has to be hard booted).

So just to finish what I was saying... the last paragraph should read,

Some estimates say that Operation Ore was not only unsuccessful and harmful to many innocent people, it also has set back nearly all other child exploitation / protection investigations several years and has thus been a very real disaster that has done nothing but cause far reaching harm.

BF Skinner • September 14, 2010 7:04 AM

@Clive Robinson
Let's be Frank! Aldis wasn't it?

A shame the courts paid out your damages instead of it coming from SWT coffers. Bad incentive and gives them no cause to change.

@Nobody In Particular, "...that people will believe what they see on any random website of unknown provenance even once it's been demonstrated that the information on such websites is suspect at best and a complete fabrication at worst"

What's your point? Of course they will.

1 in 5 people in the U.S. say they believe that the President is a Muslim even though the evidence of decades says otherwise. The fact that this correlates to their opposition to him politically, socially and racially is telling.
The fact that it's written down in the amplifying echo chamber that is the internet is contributory but secondary.

There are people who will say any shite and people who will believe it because they want to. These people will seek support from the 'written' word. "They wouldn't let them say it if it weren't true."

Sad to say in the U.S. even lies are protected speech if they are about public figures (the libel and slander laws still apply) or, even better, groups of the unrighteous. But anyone can get on their cable 'newsiness' show and make unfounded allegations and be accepted as fact by them that want to believe.

1 in 5. I'd feel worse but half the people in this country have IQs of less than 100 and their education usually stops at high school. Reading, 'righting and 'rythmatic...don't ask us about critical reasoning.

As many have pointed out here the goal of the social engineer is to engage emotional responses (anger, fear, hate, hope, sympathy) to bypass reasoning. As soon as they do we get stupid people. People who are feeling aren't thinking and people that aren't thinking are more easily led.

Hat • September 14, 2010 11:37 AM

You always have to be careful about what information you put online. Singular lesson.

Confidence criminals always try and pressure you to make snap decisions to give out personal information. Sometimes that is just like when you are at Taco Bell and taking too long to order and the clerk gets angry and forces you to go ahead.

Complain instead or walk out.

Nick P • September 15, 2010 1:21 AM

@ Late

Clive, you should really stop one upping yourself with fake aliases. At least this time you posted a 1 line compliment: the last one's 20 paragraphs kind of gave you away. It seems you've learned your lesson.

:P

Clive Robinson • September 15, 2010 3:14 AM

@ Nick P,

Sorry, bad call, it's not me.

I'm sure Bruce will be able to confirm the difference in IP addresses (and the one I'm posting from now is the Royal Brompton Hospital in London where I'm awaiting some holes to be put in me).

I thought @ Late might have been you as you often say that you're late to the party.

Nick P • September 16, 2010 12:19 AM

@ Clive Robinson

"Sorry bad call it's not me."

Dude, I was kidding. The IP stuff was totally unnecessary. And yes, I'm often late to the party, but at least I'm always *fashionably* late. Unlike the other guy... ;)

pdf23ds • September 17, 2010 3:49 PM

Nobody In Particular said to Clive,

"So your contention is that since... ..., that people will believe what they see on any random website of unknown provenance even once it's been demonstrated that the information on such websites is suspect at best and a complete fabrication at worst"

Clive said:

"Yes, I guess you did not follow the link I provided."

Actually, I think he was just being stupid, but your exposition on Operation Ore was a good read.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..