
We don’t seem to have talked here about tech support scams lately, but that doesn’t mean they’ve gone away, as the continuing flow of comments to our previous articles on the topic bears witness. (Indeed, I still get the occasional call of this type, along with PPI scams and offers to help me with my claim for a road accident I haven’t actually had.)
Since this is going to be quite a wide-ranging article, here’s a brief reminder of how the basic scam works, extracted from the paper presented by myself, Martijn Grooten, Craig Johnston and Steve Burn at Virus Bulletin in 2012.
The basic scam is very simple. The victim is cold-called and persuaded that he needs to pay the company the caller represents to fix a problem with his computer remotely. The scammer claims to call on behalf of an authoritative entity, usually some kind of service provider and more often than not Microsoft.
[…]
When (or even before) the victim is persuaded that the call is genuine, the scam caller either claims that they have been notified of problems with the victim’s system, or offers to check that system for problems. More often than not, the pitch involves the misuse of system utilities … to ‘prove’ the existence of problems. It also usually involves persuading the victim to allow the scammer remote access to the system in order to check its condition and, in many cases, to install software that will ‘fix’ the problem.
Many of those comments are from people who’ve been contacted by scammers and have come across our articles while searching for more information. Clearly, despite the amount of attention we (and, more recently, other people in the security industry) have given to this type of scam, there are many people who’ve not previously experienced it, or did not immediately realize that it’s a scam.
Other comments come from people who are well aware of the scam, but have taken advantage of being cold-called to waste the scammer’s time and be generally infuriating (from the scammer’s point of view).
My colleague Aryeh Goretsky recently called my attention to an article by journalist Steve Ragan centred on a recording of a conversation he had with a scammer. I’ve heard many such recordings in recent years, but this one includes an interesting gambit for persuading the victim that his system was under attack. I’ve seen and written about many such gambits, of course, but this one was new to me. The scammer asked him to run the System Configuration utility msconfig. When he did so, the scammer told him to click on the Services tab and told him that the services showing a ‘Stopped’ status were a symptom of the ‘problem’ with his computer.
Actually, it’s perfectly normal for some services to be stopped because they aren’t needed under the configuration of Windows that you choose to run, or because it isn’t necessary for them to run all the time. Unsurprisingly, Ragan was quite aware of this, but took the opportunity to indulge in a little scammer-baiting.
When the scammer realized that she’d been led up (or down) the garden path by someone who was well aware of the fraudulent nature of the call, she tried to tell him that she was able to hack his system because she knew its CLSID. A waste of an empty threat, since she could hardly expect a security journalist not to know what a CLSID really is (even if it is misspelt in the article), and that it can’t be used to identify a specific system, let alone expose it to attack. Still, it appears he got off lightly: a Canadian who declined to avail himself of a scammer’s services was threatened with assassination, and there have been other reports of threats of rape and violence. In fact, a less aggressive scammer advised me several years ago to take a holiday right now, as I would soon be dead, so this particular anti-sales tactic isn’t all that new.
Here’s a related link:
http://www.geek.com/news/listen-to-a-microsoft-tech-support-scammer-threaten-to-kill-a-man-1617055/
The sort of damage that we tend to see reports of ranges from direct financial loss due to payment for unnecessary and sometimes damaging installations, through the installation of intentionally malicious software and theft of sensitive data, to the intentional trashing of the system, or rendering it inaccessible using some form of encryption in the manner of classic ransomware. One way in which support scammers often do serious harm is when a victim is incautious enough to allow access to their PC, then decides not to pay for the scammer’s help. I’ve seen frequent reports where this scenario has arisen and the scammer takes advantage of the remote connection to trash the system. A tech-savvy scammer – and they do exist, unfortunately – can render the victim’s system unusable. The scammer may even booby-trap the system as soon as he gains access, either in order to trash it if the victim doesn’t play ball, or so that he can get access to the PC (and the victim’s credit card) again in the future.
We get many comments from people who actually let the scammer have access to their PCs, wanting to know what to do now. Unfortunately, this isn’t like a single malicious program (or variant) where we usually have a good idea of what the program will do as long as we’ve seen and analysed the same variant. While the underlying scam is fairly standardized, the actual ‘payload’ is not. The scam is carried out by many different organizations and individuals, using different scripts, and if victims do let them get access to their PCs, we can’t say what they did in a particular instance.
This being so, we can’t tell you what has been done in a particular case: there is no one-size-fits-all step-through solution we can offer to all those people whose PCs have been exposed, and we can’t offer one-to-one support through the blog. ESET customers can of course get advice by contacting ESET Customer Care from another computer or mobile device, via the web during business hours, or at any time by email using this form. If you’re not a customer, you might want to consider ESET Support Services.
If you use a product from another vendor, of course, you might well want to contact that vendor’s support services. Free products don’t usually come with free support – except through user forums, where the quality of advice given may range from excellent to – well, not-so-excellent – but you may be able to pay for one-to-one help. If you don’t have a security product at all, your options are very limited. You might, of course, use one of the free online scanners around – ESET’s is here – but the range of actions the scammer might have taken is pretty wide. Even top-flight for-fee security software can’t be guaranteed to diagnose any and all problems a scammer might have introduced. Consider finding a reputable local tech service to come and take a look at it (preferably in person).
However, the best way of avoiding problems like these is to avoid giving access to your PC to anyone you can’t – or at least shouldn’t – trust. And the problem will be easier to deal with if you already have the means to boot from external media. It’s also worth considering using a third-party registry backup tool to supplement System Restore. And, of course, make a point of backing up files and data regularly: Aryeh Goretsky’s paper Options for backing up your computer is a good starting point for understanding how to set about this.
While it’s always interesting to read of the experiences our readers have had with support scammers, we’re not in a position to investigate specific incidents in depth. There are other organizations interested in your experiences, though, as a means of gathering background information, although not necessarily with a view to investigating a single incident.
One commenter on one of my earlier blogs on the subject pointed out that tech support scams can be reported to Microsoft’s report/survey page here. As Ken W. points out, apart from the direct financial impact on their victims, the scammers more often than not claim to represent Microsoft (or a company somehow allied with Microsoft), which is bad for the real Microsoft’s reputation, so it’s not surprising that the company is seeking further information about known scammers.
Quite rightly, the report form discourages anyone filling it in from including ‘sensitive or personal information – such as your credit card number….’ but does ask in question 1 for information including the name of the company and individual making the phone call, and the company’s URL, phone number and street address. In fact, it’s common for support scammers – indeed, scammers in general – to be evasive about these details or simply to lie about them, but even if some of the information is false, it may be of forensic value.
The second question asks when the ‘communication with the company’ took place, which I suppose may also be of use if any of the identifying information is of value.
The third question asks whether the contact was unsolicited – a cold call, as is most often the case with reports that reach me – or whether the victim (or intended victim) initially made contact with the company carrying out the scam. This is an interesting attempt to broaden the scope of investigations into support scamming. My own research into this area has mostly been confined to cold-call scamming, since that’s the kind of support scam that’s mostly reported to me, and I have only limited time to spend on scouring the Internet for web sites and Facebook pages that act as additional lures for the unwary, though Virus Bulletin’s Martijn Grooten, Malwarebytes’ Steve Burn and I did look in some detail at some such sites for a blog published in 2011 and a couple of subsequent conference papers (of which Craig Johnston was also a co-author) for Virus Bulletin* and CFET**.
Unfortunately, such lures continue to flourish. In an article by Greg Keizer for Computer World, North Carolina computer consultant Nat Garrison Jr. was quoted as saying that three of his customers who fell for the scam had initiated it.
Two of them were trying to get technical support for Microsoft Outlook and the third was trying to add another license to his Office 365. All three of them used Google to find the phone number for Microsoft’s technical support. They all got connected to someone with a strong Indian accent who wanted to remotely connect to their computers.
And the scope of the attack continues to broaden. Johannes Ullrich described for the SANS Internet Storm Center an example of typosquatting where mistyping http://login.microsoftlonine.com instead of http://login.microsoftonline.com redirected the potential victim to a site that popped up a warning along the lines of ‘WARNING Time Warner Cable Customer: your Internet Explorer browser and computer may be compromised by security threats’ and gave a number to call. (Ullrich assumes that the scam site identifies the victim’s ISP by looking up his or her IP address with whois.)
Perhaps it’s worth quoting a passage from that article with Martijn and Steve, though its scope is narrower:
What is clear is that there are a lot of companies and sites out there offering support, and even if they aren’t the same people making scam cold-calls – which in some cases seems pretty unlikely – they are basing their appeal to visitors to their web sites on bona fides that are pretty difficult to verify. It’s not that difficult to set up one or more new Facebook accounts and pages: unfortunately, there’s no simple and foolproof way of telling which accounts might be “dummies” set up purely to promote a product or service. Even where an account looks genuine and well-used, it’s perfectly possible that the victim of a rogue service has been persuaded to “Like” it as part of the scam, and anyone could fake a testimonial using stock photos and made-up names. Unfortunately, it also seems likely that we’re increasingly going to find Facebook pages and blog pages with scraped or even frankly deceptive content similarly used to add credibility to web sites whose authenticity doesn’t stand up to scrutiny. But it’s harder to trace and verify the accounts behind social media sites than it is a registered domain, and even those have their challenges.
The next question asks (more or less) whether ‘the person you spoke with’ claimed to be representing Microsoft. Clearly, this is a concern for Microsoft in terms of bad PR, but it also gives them some leverage when it comes to identifying rogue partners and affiliates as well as companies claiming falsely to be affiliated. As long, that is, as the information given in answer to question 1 is reliable.
Question five asks whether the scammer accessed the possible victim’s PC remotely. While the scammer can sometimes persuade the victim that he knows enough about that victim’s PC – for example by quoting the so-called ‘unique’ CLSID ZFSendToTarget=CLSID{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} – to convince him there’s something wrong with the system, remote access is more or less essential in terms of performing the ‘service’ for which the scammer will charge. It’s also pretty essential when it comes to answering the 6th question: “Did the person you spoke with remove, stop, disable or cause any malfunctions on your computer?” You can, of course, persuade someone from a distance to cause damage or compromise to their systems, but the opportunities for profiting directly from a compromise on a PC to which you have no access are somewhat limited. By contrast, having remote access offers the ability to fix a problem (or, more likely, put up a pretence of fixing a problem) by editing or removing files, installing programs which may or may not be useful, and generally giving the impression that you’re doing something worth paying for. And, of course, for deliberately causing damage.
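Both of the scammers’ ‘proofs’ mentioned in this article – the ‘Stopped’ services in msconfig that Ragan was shown, and the supposedly unique CLSID – can be checked on your own machine in a couple of minutes. The PowerShell script below is an added example written for this article, not code from the original post or from any of the sources it cites. It assumes Windows PowerShell 5.1 or later (for the StartType property that Get-Service exposes) and that the .zfsendtotarget file association exists, as it does on every Windows version that ships Compressed (zipped) Folders; the well-known GUID is the one quoted above.

```powershell
# Added example (not from the original article): check the two "proof" gambits locally.
# Assumptions: Windows PowerShell 5.1+ (Get-Service output has a StartType property);
# the .zfsendtotarget association exists (it does wherever Compressed Folders ships).

# 1. Stopped services are normal. msconfig's Services tab shows Status only;
#    Get-Service also exposes StartType, which explains why a service is stopped.
$all     = Get-Service
$stopped = $all | Where-Object { $_.Status -eq 'Stopped' }
Write-Host ("{0} of {1} services are currently stopped" -f $stopped.Count, $all.Count)

# Most stopped services are Manual (started on demand) or Disabled (never started).
$stopped | Group-Object -Property StartType | Sort-Object Count -Descending |
    Format-Table -AutoSize Name, Count

# Only Automatic services that are stopped are worth a second look, and even those
# are usually delayed- or trigger-start services that exit when they have nothing to do.
Write-Host "Automatic-start services that are stopped right now:"
$stopped | Where-Object { $_.StartType -eq 'Automatic' } |
    Select-Object Name, DisplayName | Format-Table -AutoSize

# 2. The "unique" CLSID. 'assoc .zfsendtotarget' at a cmd prompt prints the same GUID
#    on every Windows install: it is the COM class of the Compressed (zipped) Folder
#    SendTo target, registered under HKEY_CLASSES_ROOT, not an identifier for your PC.
$wellKnown = '{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}'
$assoc = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.zfsendtotarget' `
            -ErrorAction SilentlyContinue).'(default)'

if ($assoc -and $assoc -ieq "CLSID\$wellKnown") {
    # Read the human-readable class name from the CLSID key to show what it really is.
    $desc = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$wellKnown" `
               -ErrorAction SilentlyContinue).'(default)'
    Write-Host "'.zfsendtotarget' maps to $assoc ($desc)."
    Write-Host "That value is identical on every Windows PC; it identifies a shell component, not your machine."
} else {
    Write-Host "'.zfsendtotarget' association is absent or differs from the well-known value: '$assoc'"
}
```

Run it in any PowerShell window; no elevation is needed, since it only reads service status and HKEY_CLASSES_ROOT. On a healthy machine the first table is dominated by Manual and Disabled entries, and the CLSID check prints the same class name a scammer would have you believe is your computer’s fingerprint.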
Actually, the wording may sound rather eccentric here: if the scammer removes, stops or disables malfunctions (as opposed to causing them), maybe they deserve your money. However, question seven asks ‘Since your interaction, does your computer function better, worse, or the same?’, apparently considering the possibility of a justifiable charge, and the next question asks whether the respondent paid for the service, whether or not they tried to get a refund. The final question asks whether you’re willing to be contacted for further information.
This isn’t the only attempt that has been made to get information about such scams, of course. SANS has had a report form up for some time – https://isc.sans.edu/reportfakecall.html – and it’s quite interesting that the questions posed there are significantly different, though they aren’t always clearly expressed:
While there has been little direct information shared from the data entered there, SANS has published quite a lot about the scam in general recently.
Back in 2012, Lenny Zeltser edited an issue of SANS’s security awareness newsletter that provides a reasonable overview of the problem. Sometimes it’s too easy to get caught up in the minutiae of scammer techniques and tricks when quite simple advice is enough to enable people to protect themselves in most situations. (I’ll get back to that at the end of this article.)
Much more recently, Zeltser was one of the many people to have recorded or summarized his interaction with a scammer, and it’s a pretty useful article. For a start he refers to the increasingly common practice of finding ways to persuade the potential victim to call the scamming call centre, rather than cold-calling. This makes a lot of sense from the scammer’s point of view, since the pool of potential victims has been so over-phished by cold-callers in the past few years that many people now automatically assume that an unsolicited phone-call from someone with an Asian accent is suspicious. While we reported some time ago on the beginnings of this trend towards getting the victim to make the initial contact, this and some of Zeltser’s other articles suggest that the scam has progressed in sophistication. Among the decoy approaches he mentions are:
This conversation is particularly interesting in a number of respects.
So, I hear you ask, what about some more advice to potential victims? Here are some thoughts, some of them abstracted from previous blogs on the topic, on things that should ring alarm bells.
Think. Why would you give access to your system to anyone who rings you out of the blue? Probably because you have one of these fraudsters on the other end of the phone trying to panic you into giving them access to your system and to your credit card. Because pressure through panic is one of the scammer’s favourite weapons. We sometimes see it said that Microsoft will never call you about a malware problem with your computer, but that isn’t strictly true, though the circumstances under which this might happen are very limited.
We do hear of ISPs contacting customers (directly or indirectly) telling them they have such a problem, and telling them that service will be withdrawn if they don’t correct it. Even under these circumstances, you shouldn’t let anyone frighten you into granting access to someone whose bona fides you haven’t been able to verify. After all, we have also heard of support scammers claiming to be an ISP or some other entity, making similar threats of service withdrawal.
What if it was you that made the initial contact? Well, how and where did you find the company you made contact with? If it was through some sort of pop-up message informing you that you have a virus and giving you a phone number to ring, there’s a good chance that you’ve been conned by the sort of web site described above by Zeltser or Ullrich. Unfortunately, a guide to finding dependable local PC repair and maintenance services is way beyond the scope of this article. But certainly, it’s a job that calls for far more careful research than picking the first name that crops up on a Google search.
If you feel the urge to indulge in a little scammer-baiting, I strongly suggest that you don’t go as far as allowing them remote access to your machine. Some very IT-proficient people have allowed a scammer access to a virtual machine so that they’ve been able to recover the system even after he tried to trash it, but even then you need to know exactly what you’re doing.
All photographs by permission of David Harley and Small Blue-Green World