Support scams, malware and mindgames without frontiers


It might not have escaped your notice that I write quite a lot about support scams, an issue in which most commentators in the security industry take only sporadic interest (typically when a scammer is damaging their brand or product in some way, for instance by claiming to represent them, or by claiming that the victim needs his help because their product is inadequate or worse) and which they tend to regard as of only niche interest.

Certainly if it were still all about scammers calling victims out of the blue to tell them they have a virus infection and wanting remote access to their PCs so that they can ‘fix it’, I wouldn’t have much to say about it all at this point. But it isn’t. And I’m not just talking about minor variations on the CLSID, Event Viewer or Task Manager gambits, in which various legitimate utilities are misrepresented as ‘proving’ that your PC has a problem with malware. (Although we still see plenty of reports of such gambits in action: if you aren’t familiar with them, quite a few of them are described in articles and papers like this one: My PC has 32,539 errors: how telephone support scams really work.) Is it really three years since we presented that paper? Apparently it is, and much longer since I first started writing about the topic.

Postcard from Scamdinavia

Still, you might think that there can’t be much more mileage in such a well-worn scam: is there anyone in the English-speaking world who hasn’t been cold-called several times by these fraudsters and parasites? I have a few observations to make on that, and there have been a wide range of interesting and relevant articles looking at recent support-scam-related trends in Scamdinavia.

Lingua Franca (et Anglica)

I refer to the English language in the introduction for a very particular reason. Classic cold-call tech support scams are very much associated with India, and are almost entirely executed in English (at least according to the reports I see), which is, to the best of my knowledge, the only European language still to be an official language in some parts of India. Sorry, but I’m going to quote myself.

I would speculate that the real issue behind this emphasis on English is this: poorly-paid operators may well be fluent in a number of local languages, but not necessarily in non-Indian languages. English is something of an exception, for historical reasons: quite a high percentage of residents of India speak it. … Given the still widespread ‘official’ use of English, then, it’s not surprising that support centre operators generally seem to prefer to cold-call in countries where English is the first language (US, UK, Australasia, Republic of South Africa, and so on) and to stick to English even where it isn’t the first language.

Plus ça change

…or ‘the more things change, the more they stay the same’.

In an excellent recent blog, Jérôme Segura points out that The Multi-language Tech Support Scam is Here. However, the approach is a little different. While the traditional cold-call scammer would struggle to explain why a site claiming to be Microsoft or one of its affiliates was insisting on speaking English to people in France or Scandinavia (for instance), there were sporadic attempts to engage with speakers of other languages: Spanish, for instance. In an article cited by the Malwarebytes article, I remarked:

…my colleague Josep Albors subsequently mailed me to let me know that the support department at ESET España has been contacted by a number of customers who’ve received scam calls from operators who initiated the conversation in English, but when this wasn’t going well, they ‘started to try in Spanish (sort of).’ This isn’t, of course, quite the same scenario, and there aren’t too many reported cases so far, but it does indeed show a somewhat novel willingness to use European languages other than English to give instructions.

However, the Malwarebytes article isn’t really about cold-calling, though one or two of the news stories based on it have focused on that aspect of the problem. It’s based on the more recent trend for web pages to be seeded with pop-up messages like the French-language screenshots described here. Jérôme’s article includes screenshots of Japanese, Spanish and German pop-ups. (And lots more information – I recommend that you give it a look.) He says:

These fraudulent pages typically show up via malvertising campaigns or as part of a bundle within Potentially Unwanted Programs.

The point is to persuade the victim to call the number included in the pop-up, which puts him in touch with a call centre where the operator will talk to him in his native language, with varying degrees of fluency.

We called one of the numbers for the French campaign and talked with an agent that spoke fluent French. He turned out to be working from Québec, Canada, something that was given away in the scam page URL:

He doesn’t go into detail about his conversations with the scammers, but it seems from the French blog that once the victim is suckered into contacting the operator, the scam continues along similar lines to the classic Windows support scam, with the scammer wanting remote access so that he can ‘fix’ the non-existent problems. But the scam has moved on from Windows PCs.

Crossing the Platform

There have been attempts to execute the scam along the lines of the classic cold call but targeting Mac users, and also recent indications of the use of deceptive pop-ups in Safari on OS X to get the victim to initiate the telephone contact. As Josep Albors pointed out in a Spanish-language blog for which I published a translation here, there has been a rash of similar pop-ups targeting users of iOS devices, though, as our friends at F-Secure pointed out, at least some of the deceptive messages aren’t exactly pop-ups: at any rate, using Safari’s own pop-up blocking won’t necessarily stop them. A useful article by Thomas Reed on Tech support scam pop-ups offers quite a lot of useful information, including ‘Getting rid of the message’ in Safari, Chrome and Firefox.

I hope Josep won’t mind my re-using some comments I made that he quoted in his original article, as I think they bear repeating. (Your mileage may vary…)

There are a couple of interesting aspects of this variation on the support scam: one is that it’s a further indication of a trend away from cold-calling and towards luring potential victims into calling the scammer. In the past it’s also been done by seeding social media sites with testimonials, or fake support sites using scraped content and dubious generic advice, as Martijn Grooten and I discussed in a blog some years ago.

There have also been many reports recently of tech support services advertised in the US where calling gets you into a conversation with someone using very similar, misleading sales techniques to those we associate with the classic cold callers from Indian call centres: see, for instance, Tellingly, one of the ‘confessions’ I quoted there made the point that:

‘Basically we had “marketers” who would put pop ups on people’s computers saying that they may be infected with a virus and giving them a number to call.’

The advantage of seeding the Internet with fake pop-ups is that the technique has the potential to work across almost any platform […] (For instance, similar attacks have been reported on OS X/Safari very recently.)

The third interesting point – though it actually follows on from the second – is that when people call you to describe their problems, you don’t have to invent over-used gambits like the Windows-specific CLSID and Event Viewer tricks to convince them that they have a problem [the pop-up already did that]. So again, it’s platform non-specific.

However, there is a further, supplementary trend to which I’d like to bring your attention.


Virus Bulletin’s Martijn Grooten, with whom I’ve frequently traded scammer information in the past as well as collaborating on articles and presentations, recently reported on an interesting case he came across while developing VB’s comparative web filter tests. Obfuscated JavaScript had been added to a compromised site. That’s not so unusual, but in this case it opened two URLs. One served the Nuclear exploit kit, which delivered Glupteba via a Flash Player exploit; the assumption is that Glupteba would then be used to download further malware.

The other, however, was a bit more unusual. We are, of course, accustomed to the use of some sort of pop-up as a way of serving fake AV, ransomware and so on. In this case, it’s another instance of a pop-up that tries to trick the victim into ringing a toll-free number in the US. Well, yes, that’s much the same technique that we’ve seen above targeting users on other platforms. The interesting feature, however, is that in this case the pop-up is a fake Blue Screen of Death (BSOD). Martijn observes:

It is unclear why both pages were served. It might be that the malware authors were just being greedy and trying to maximise their chances of success. It might also be a bug on their site. In any case, for once, support scammers wouldn’t have been lying about there being malware present on the victim’s machine.

It turns out, though, that this type of attack, while new to me, was previously reported by Jérôme Segura – who has done lots of interesting research in this area recently – in an article on TechSupportScams And The Blue Screen of Death.

The purpose of this approach is to create a more persistent way of nagging users by using malware-like techniques, which are described in some detail in the article. This simple but effective scareware requires a hard boot to recover: if you follow the ‘advice’ in the blue screen, you get to talk to a call centre in Delhi, where the operator uses a snazzy – well, unpretentious but effective – batch file masquerading as a ‘Microsoft Internet Safety and Security Center’ to prove that he’s earning your money.


In his conclusion, Josep said:

It seems clear that criminals continue to incorporate new techniques to ensnare new victims. As far as telephone scams specific to fake support are concerned, the claims we see are more-or-less complete fiction, but we will watch with interest to see what further innovations they come up with.

Sadly, we seem to be seeing a continuation of the trend away from pure social engineering and the fraudulent misrepresentation of legitimate utilities towards the creation of something the wrong side of the dividing line between adware and PUAs, and between Possibly Unwanted and unequivocal malware – the SenseIUpdater executable that generates the fake BSOD is detected by ESET as MSIL/FakeAlert.E. However, the degree and type of programming required for this generation of attacks is in a sense irrelevant. Scareware, fraud, even the deliberate trashing of a victim’s system, it all has a long and dishonourable history inside and outside malicious software. A few years ago I used to hear people dismissing support scamming as over-enthusiastic marketing and a somewhat liberal ethical mindset. I think we’re long past that, don’t you?

For some years I have maintained a support scam information page on the AVIEN blog here. Malwarebytes have a resource page here. ESET resources include a couple of conference papers by myself, Martijn Grooten, Steve Burn and Craig Johnston, including this one for Virus Bulletin: My PC has 32,539 errors: how telephone support scams really work.

Author David Harley, ESET


Copyright © 2016 ESET, All Rights Reserved.