It so happens that I live over 5,000 miles from the ESET North America office in San Diego, and so tend not to have water cooler conversations with the people located there. Of course, researchers working for and with ESET around the world maintain contact through the wonders of electronic messaging, but there are lots of other highly capable people working at ESET that I don’t have much to do with. Like the support team at ESET North America who, like the other ESET support teams, dedicate their working days to sorting out malware problems for the company’s customers, but whom I rarely get to talk to, even on my occasional visits to California.

Strangely enough, although I’ve written an awful lot of blogs (and not a few papers and presentations) about support scams, I spend a lot less time tracking them than you might expect. Not only because I’m thoroughly bored with having the scammers themselves ring me to tell me that there is a non-existent problem with PC that they can fix for me for a few hundred pounds (dollars, yen, zlotys…), but because I don’t have that direct contact with their victims. But it turns out that while ESET support teams are mostly focused on real malware problems, they also get to talk to customers who believe that they’ve been getting support from ESET or its partners, but turn out to have been tricked by scammers.

An old friend now working with the support team at ESET recently mentioned a support call he received from a customer who believed he’d received a call from an ESET 3rd-party tech support rep who told him that his system had been corrupted and that it could be fixed for a not-so-small fee.  Sound familiar? Of course it does, though hopefully it’s not a sales technique you expect from the real ESET. Yet this is almost where I came in, back in 2010 when I first came across support scams. On that occasion the report mentioned a scammer “claiming to be from Microsoft, and informing him that notification had been received concerning a virus infection on his PC, and offering to help him to install antivirus software. When asked what antivirus software was being offered, the caller claimed that it was ESET's.” (On that occasion, we think the scammer was installing a cracked version of ESET’s software.)

There is something different here, though: while it’s common for scammers to claim to be representing (or being affiliated with) Microsoft, as well as slightly less obvious companies such as Dell, or Cisco, or even BT, it seems they may now be claiming to represent ‘your’ anti-malware vendor.

In real life, of course, the scammer is no more able to tell what security software you can use than he is to determine anything else about your system. His aim is to convince you that he knows more than he really does – for instance, by convincing you that a standard CLSID identifier which is exactly for the same for countless Windows PCs is really a unique identifier for your system – so that you’ll give him access to your system and your credit card. However, since these scams are generally only successful with people who haven’t been reading my blogs become aware that such scams exist, it may be that saying something fluffy like “I’m calling on behalf of your AV vendor” is enough to convince them. ESET’s support team believe that this approach may be expanded to a dialogue something like this:

Scammer: Hello, we are calling you because we see your computer has a lot of infections and is approaching a system crash.  If you let me remote in I can assist with removing the infections to save your computer for only $300.00

User: Well that’s odd, I typically use <Insert Antivirus Name Here> and their support for issue like this.

Scammer: We are 3rd party support for <Insert Antivirus Name Here>, so we can support you.

User: “Oh that’s great!” or “Let me call <Insert Antivirus Name Here> first.”

Well, that’s a mild example of the sort of social engineering we associate with fake psychics or the Mentalist, where seemingly miraculous insights are actually developed from cues from the victim’s body language or a throwaway remark. In the present instance, the victim may not even realize that he was the first to mention the vendor’s name.

However, being cold-called by a scammer probably isn’t the only way in which people fall into the support scam trap. Martijn Grooten, Steve Burn and I wrote on this blog some time ago about a company with a very suspicious Facebook page, stuffed with testimonials with curious similarities in tone, phrasing and even misspelling, and apparently used to bolster a cold-calling campaign. (That FB page is still there, but almost all of its content has been removed.) We wrote at the time:

This line of investigation set us off looking at other support sites still under investigation where the content may be more original, but the quality of the advice leads to the suspicion that the idea is less to provide a proven step-through process than to create difficulties that will persuade the victim to follow the copious links to “computer technical support providers” or “Dell technical support” or “Linksys support”, all of which lead to the same support site.

…What is clear is that there are a lot of companies and sites out there offering support, and even if they aren’t the same people making scam cold-calls – which in some cases seems pretty unlikely – they are basing their appeal to visitors to their web sites on bona fides that are pretty difficult to verify…

Unfortunately, it also seems likely that we’re increasingly going to find Facebook pages and blog pages with scraped or even frankly deceptive content similarly used to add credibility to web sites whose authenticity doesn’t stand up to scrutiny.

In my discussions with the ESET support team and Aryeh Goretsky, it’s become clear that the situation has indeed deteriorated. Using Google and other search engines using search terms like ‘ESET support’ the team found tens of thousands of search hits and sponsored ads of one sort or another. Not all of these are malicious, or fake ESET sites, of course: some actually are ESET resources and some that aren’t may actually offer good advice, albeit at a price. Some undoubtedly are suspicious at best.

I’m not sure, though, why customers wouldn’t seek advice from the support resources provided by the vendor whose product they’ve bought rather than risk the random links (of very variable reliability) that a search engine is likely to bring up, even if it means not getting an instant response because your query arises out of hours. (And, of course, seeing what other avenues there are for contacting ESET support.) It’s fair to say, though, that it’s easier to get support for some products than for others. A few years ago, when I contributed answers to a site that encouraged security-related questions from the public, one of the most common group of questions related to getting support for an anti-virus product distributed through a well-known chain of supermarkets, for which contact details were very hard to find. However, most mainstream AV products will have a [Contact] link on their homepage.

Here’s how to contact ESET if you’re a customer with malware-related problems:

  • If you’ve received specific information about support from your local distributor when you bought the product, that’s the first place to look.
  • Go to http://www.eset.com  and check out the resources on the Support tab. This tab will offer a number of options, including a search facility, access to the ESET Knowledgebase, a form that enables you to contact Customer Care to submit a specific case, and a link to contact pages for ESET’s offices around the world.
  • You can also get there via the help and support facility in the product itself.

Aryeh points out that you can always receive support from your local ESET distributor or office, use the support form to contact support directly, or post a message on the ESET Security Forum (to which ESET staff contribute as well as other users of ESET’s products).  If you are in North America, you can also call the North America office toll-free at +1 (866) 343-3738 for assistance, or contact a US reseller.

Perhaps I should make it clear that different vendors handle support in many different ways: for example, support packages for enterprises may be very different to consumer packages, and there may be ‘premium rate’ packages that offer an enhanced service for consumers.

At the other end of the scale, vendors who have a product version that is completely free for non-commercial use (as opposed to a time-restricted trial version) generally don’t offer one-to-one support for the free version, though they may well have a forum for discussion with other users of the product, which may also be monitored by company employees. Free versions represent a problem for companies that offer them because there is no direct income to underwrite customer support for those products, and support services are expensive to provide.

One company did, for a while, offer support for its free product through a support centre in India that was able to underwrite its own costs by offering value-added for-fee services. The arrangement fell apart when the call-centre was believed to be expanding its operations far beyond that brief, in ways that were indistinguishable from the gambits used by support scammers, and quite rightly, the security company pulled the plug.

Hat tips to Bruce, Aryeh, James, and Lesley for an interesting and productive discussion.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow