Poisoned Bing Search Result on ‘Katie Matysik’ Leads to Ransomware that Locks Browser

Posted: July 4, 2014

Threat delivery vehicles can take many forms, and one of the latest spotted by malware researchers is something as innocuous as a search result. Web surfers who use Microsoft's Bing engine to find search results could be subjecting themselves to new attacks – provided that they're searching for 'Katie Matysik.' This attack campaign is a possible spinoff of a similar attack planted to target searchers of the American, Arizona-based gymnast Katie Matusik. Similar attacks using typo-riddled Web domain addresses for popular websites recur routinely.

Regardless of the original intent of poisoning this search, Bing results for Katie Matysik will display a threatening domain link on the first page. Clicking this link will redirect the victim to an unsafe domain that malware experts verified as a host for threatening JavaScript exploits. Instead of installing threats directly onto your PC, this attack locks your Web browser and displays a pop-up ransom demand.

Current ransom demands for the Katie Matysik/Bing attack campaign disguise themselves as law enforcement warnings punishing illegal erotica-related activities, such as trafficking in child pornography, and preventing IP-related infringements. The highly embarrassing and illegal nature of this hoax makes it likely that any victims caught will be highly tempted to pay the demanded ransom without asking questions. However, there are no advantages to doing so, and submitting to the payment request will not unlock your Web browser.

The fraudulent warning message comes in different variants for targeting different nationalities, such as American or French-based messages, with appropriate references to regional law enforcement agencies. On the other hand, the people responsible for this attack have not bothered to change the actual ransom quantity appropriately; regardless of the currency referenced, this attack always requests 300 of the specified denomination. The ransom demand is, as usual for such operations, easily identifiable as fraudulent by the unofficial cash transfer methods requested: MoneyPak, Ukash and PaySafeCard, for example.

This attack also constrains your Web browser in ways that are typical of other fake police Trojan and ransomware-styled attacks. Your browser will be unable to open new tabs, close, interact with other sites that are already open or respond to attempts to leave the website.

Unlike Trojans that accomplish similar attacks, you aren't prevented from closing the pop-up via Task Manager and similar memory-managing utilities. For their part, malware researchers would recommend that you do so, and then scan your PC to protect against the possibility of threat installation through the domain.

Although this campaign is an international threat, it's a threat that primarily requires its victims to be ignorant of its true intentions and limitations. Educated PC users and PC users who disable scripts in their Web browsers will be less at risk of suffering from this attempted ransom hoax. However, it also displays a certain level of social engineering in the course of its attack, indicative of how some persons are more than happy to blackmail Web surfers with potentially embarrassing hobbies. The moral of the story? Adult entertainment is best kept to reputable websites.