My friend and former colleague Craig Johnston has just had an article published in the January 2011 edition of Virus Bulletin in which he describes conversations he's had recently with "support technicians" who cold-called him at home, offering him "help" with virus problems.
While this is ground we've been covering in this blog since around the middle of 2010 (which doesn't mean we're no longer tracking this kind of scam…), it's a good article and adds to our increasing store of knowledge about the mindset of some of the people concerned. Unfortunately, you won't be able to read it at the moment unless you're a subscriber to Virus Bulletin, though if you have a professional interest in malware-related cybercrime, you probably are.
Without going into detail, I found it particularly interesting that one of Craig's conversations dovetails with other reports I've received recently (not to mention some personal experience) that suggests that the misuse of legitimate brands to support scams and generate profits from "support services" may be widening. I won't compromise ongoing investigations by citing specific cases, but I will stress that just because a caller suggests a link with a recognized, legitimate product, it doesn't mean that the service is legitimate. In fact, I have reason to think that some of the callers concerned probably don't realize that they're paddling in legally dubious waters.
In fact, while the season for the traditional end of year crystal ball-gazing is pretty much over, I'll venture a few extra predictions based on recent observations:
- This kind of cold-calling will be used more frequently by more-or-less legitimate service providers in ways uncomfortably close to the legal limit.
- It will also originate from places much more widespread than the immediate neighbourhood of Kolkata
- There will be more interest in other regions – the main focus at the moment seems to be the UK and Australia.
- There'll be more use and misuse of legitimate brand names: not necessarily antivirus, and not necessarily legal or genuine copies.
So, I hear you mutter, what about some advice to users and potential victims?
- Don't trust anyone who cold-calls. If you live in a jurisdiction with a "don't call me" opt-out registry of some sort, consider subscribing to it. Then, if someone calls you offering any sort of service, you have a means of assessing their honesty by their reaction to you asking them why they're cold-calling you.
- If someone says you have a virus problem, ask them how they know. There are circumstances under which a service provider may have the ability to identify the owner of an infected machine, but most people -and companies – won't generally be able to do that.
- We've mentioned the walled-garden issue here before. One of the reasons Australia is a current target may well be the "icode", intended to offer best practices for ISPs so that they and their customers can take responsibility for "minimising the risks inherent in using the internet." This includes the implementation of "a notification/management system for compromised computers", which means (among things) that a consumer might receive a legitimate and unsolicited call from or on behalf of his ISP regarding a malware infection. So be proactive: see what the terms of your contract are and find out what means are available for verifying the authenticity of a phone call under those circumstances. (That might be worth doing for non-Australians, and not only as regards ISPs: think banking services, for example.)
- Further to point 3, be alert to the use of the icode as a vehicle for sales pitches. In the case of the icode, ISPs should be referring users to a website that offers guidance on remedial action, including lists of reputable solutions. If, instead, the call seems to be directed towards a single solution, that's a danger signal. (While you're at it, be alert for spoofed web sites!)
David Harley CITP FBCS CISSP
Author David Harley, We Live Security