Some attackers are reported to use PRISM to scare unsophisticated users into installing ransomware. Zscaler researchers report to identify 20 affected websites that are used to spread fakeAV.
Zscaler reports-‘These websites seem to have been hijacked. They are all hosting the malicious content over port 972 and use similar URL patterns. Here are a couple examples:
Not only this but they reported that the files seem to be changing from FakeAV to fake PRISM warning. But the common thing is that in both the cases it is used to frighten the target and ask them for money to ‘fix’ the computer. Thus making a lot of money.
Fake AV were mostly used to lock the desktop of the user and asked for money to unlock it or it used to run a fake computer scan in the browser and the victim had to pay to remove the threats.
Well PRISM was used to fool the user and said that the victim’s computer has been blocked because it contained some illegal pornographic content. The victim has to pay $300 through MoneyPak, a prepaid card service.
It has been reported that:-“Both malware connect to the same couple of IP addresses over ports 80 and 443 that include:
The attackers are clever and shrewd and can use any trick to fool you for their benefit, so beware the next time.