Support scams: social engineering update

In my previous blog, I promised you that I'd look at the implications of some of the other reports we've received as comments to blogs on this topic.

In fact, we have seen reports of quite a few  snippets of social engineering that are worth noting.

• One person reported getting a repeat call from a scammer wanting to refund his money. However, that was clearly just intended as a way of getting more exploitable information, and when the scammer realized he wasn't getting there, he resorted to swearing. There seems to be a lot more of this aggressive and sometimes downright threatening behaviour: hopefully, this is due to the frustrations of trying to scam an increasingly sceptical population. It probably doesn't help that the same potential victims are called time and time again.
• Another person was 'reassured' by the scammer that 'IF WE WANT TO WE COULD HACK INTO YOUR PC AT ANYTIME'. Fraud and extortion: nice…
• Someone else was told that all four of her PCs would crash in the next hour. Would anyone be naive enough to fall for that one? Aren't there laws about pretending to foretell the future?
• Yet another commenter was asked to back up his files to their Live Support web page: hopefully no-one will be that naive, either. It has been asserted recently that support scams might be used against businesses to exfiltrate sensitive data, but that seems to be based on one individual's speculation, not a verifiable incident. Still, if a scammer was trying to steal data, offering a 'backup service' would certainly be one way of doing it.
• A correspondent in the US was told that her computer was being used to make illegal downloads. Well, that might be a consequence of bot infection, but it doesn't explain how the scammer 'knows' that your system is being used in that way (or any other).
• A UK correspondent was told that he needed the scammer's help because antivirus software only detects viruses, not other forms of malware. Yeah, right… The scammer also misrepresented the CLSID as a Computer Licence Secret Identifier, When the recipient of the phone call kept asking awkward questions, he was told that he would be blacklisted from the Windows server so that he wouldn't be able to use Microsoft products ever again, even his Xbox! (Another correspondent was also told that he needed to let them help him, as otherwise they would have to blacklist him to protect the Windows server.)
• Another scammer claimed to be calling about a problem with the Windows firewall. That's the only one I've seen so far, and I don't have detailed information.

There are other aspects to the problem that have been highlighted in comments to our blogs that are worth mentioning.

We have seen indications recently of scammers wanting to receive payment via PayPal: unfortunately, we rarely have enough direct information to pass on usefully, even if those who report incidents gave us permission to share their data.

We're also getting more and more reports from countries where most people's first language is not likely to be English, including Scandinavia, the Netherlands, France, Switzerland and Portugal. I guess you could include South Africa in that category, too. Recipients of the call in these countries who have asked why they were calling in English rather than the native language of the region were told that the were not allowed to use other languages. Well, that's convincing…

Many of the comments I see ask are concerned about what damage the scammer might have been able to do while he or she had access to their system. My usual response is that while I can't comment on the state of their individual system – Microsoft isn't calling me to tell me that anybody's machine is infected ;-) – I haven't been seeing reports of scammers deliberately planting malware onto a system, though I did receive a report earlier this year of a known scam site linking back to fake AV.  A TV channel in the US is in contact with a computer expert who claims that malware planting is happening and that he tricked a scammer into infecting a virtual machine. However, I'm not able to verify that claim from the article or the accompanying video, or to determine what malware might have been involved. We do have documented evidence of scammers uploading free versions of legitimate but largely irrelevant utilities as part of their 'service' – indeed, Martijn Grooten will be talking about this in our Virus Bulletin presentation – and it may be that this is what happened here. I've asked for more information, and will pass it on accordingly if I receive it. Certainly we'd be interested to hear if anyone knows of a confirmed instance of such an infection.

However, interesting though all these stories are, the takeaway message for most people must be that if someone calls you out of the blue about computer problems you weren't aware you had, it's almost certainly a scam. If you care to pass on information about such calls as a comment to this blog, we're always interested in seeing what the latest ploys are, but we don't recommend that you give them any access to your machine unless you know exactly what you – and they – are doing. For most people, the safest course of action is to refuse to get into any discussion with them.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow