Note: This blog article expands on some of the content that originally appeared in a lengthy article on support scams for ITSecurity UK, and subsequently in an article for the ESET Threat Report for December 2015.
I’m returning to the theme of what to do if a scammer actually gets a foothold on your system, because I still see a number of blog comments from people worried about the implications of such an intrusion and wondering what action they need to take. In fact, there is no single clear-cut answer to that question.
That’s because there is no single ‘support scam’, though I often see articles that describe a single type of scam as if they all worked the same way.
They don’t all involve being cold-called by a scammer claiming to be from Microsoft, Cisco, BT, anti-virus companies and so on. Many of the reports I see nowadays come from people who’ve been lured by fake alert pop-ups into ringing a deceptive support desk number. There’s an accelerating trend among support scammers towards luring victims using pop-up ‘security alerts’ and fake system crashes. These invariably incorporate a phone number which is supposed to be for an ‘appropriate’ help line, thus trying to trick victims into making the initial telephone contact. For the scammer, this approach has an additional advantage: the scams can easily be changed to target users of OS X and iOS, Android and even Linux.
Furthermore, as long as people aren’t aware of this variation on the scam theme, it can be implemented without the complicated social engineering sometimes involved in misrepresenting system utilities, or messing about with the command line after tricking the victim into allowing remote access. As far as the scammer is concerned, it’s better to get the individual to ring their helpline than for them to waste time cold-calling individuals who in many cases have been hearing the same rubbish for years, and will either ring off or try to waste their time. (I certainly don’t have a particular objection to wasting a scammer’s time, but I don’t particularly advocate it, either, unless you know exactly what you’re doing.)
They do, however, still often include the use of ploys such as the deceptive use of Event Viewer and ASSOC, as described in a paper that Martijn Grooten, Craig Johnston, Steve Burn and I wrote for Virus Bulletin: these are used in order to convince the victim that the scammer really knows something about his (the victim’s!) PC. Utilities like Event Viewer do have their uses, of course, for a tech looking for real problems. The trouble is, it’s easy for a scammer to misrepresent their output when talking to someone who isn’t knowledgeable about Windows internals.
They don’t all originate in India, though many clearly still do. Some of the reports I see are from people who’ve used a search engine in order to track down support for a specific product and have come across a fake site rather than the product’s real support team, and some of those reports concern companies in the US or Europe.
The same call centers that are peddling support scams are often peddling other scams such as dubious home improvement schemes, accident compensation schemes and PPI reimbursement fraud. (These sound very strange when the scammer clearly knows very little about the legislation that applies in the country where the victim lives.) But some of the social engineering techniques used are common to most of these schemes: not least, pretending to represent a legitimate company or government department and to ‘solve’ an issue that doesn’t exist. Some scammers even claim to be offering recompense for money obtained fraudulently by support scammers, in the same way that 419 scammers sometimes claim to be offering repayment to 419 victims.
They may also be providing genuine support to the customers of legitimate companies – Symantec, Avast! and Microsoft are among the companies who’ve found their trust in an external contractor betrayed by the use of fraudulent sales techniques.
Blog comments come up time and time again from people who’ve been sucked at least part way into the scam, asking ‘What should I do now?’ I’m not comfortable making some sort of blanket recommendation: it’s a question best answered on a case-by-case basis, though I’m afraid I can’t generally offer one-to-one support. For example, a commenter on one of my articles on support scams was concerned that the (limited) access he apparently gave the scammer might have put him at risk of identity theft.
I can’t make any guarantees (reassuring or otherwise), of course, but this kind of scam isn’t usually reported as being directly associated with ID theft: they usually just want payment for their ‘services’. However, a recent Moneybox broadcast on leaks of TalkTalk customer information to scammers suggests that a customer was told ‘to download TeamViewer software, which was used to try to make a number of money transfers using third-parties’ credit card information’. And you may consider that to go beyond simply demanding money for deceptive services, though not necessarily any less fraudulent.
American readers can, however, check the FTC advice page for people who think their ID might be at risk.
I often get requests for help from people who ran ASSOC, Event Viewer or Netstat, and wonder if that could have allowed the scammer to hack their systems.
I can’t give authoritative advice regarding a system I’ve never seen, but the answer is generally no. A scammer at the far end of a phone can’t do anything directly to a system if he doesn’t have remote access to that system. That doesn’t mean you shouldn’t give a real support tech access to your PC when you have a real system problem, if the nature of the problem allows. And utilities like Event Viewer do have their uses for looking for (some) real problems. Unfortunately, however, it’s easy for a scammer to misrepresent their output.
Still, ‘what should I do?’ is perhaps a question most easily answered when the victim has actually given away pretty much everything the scammer has asked for.
The best way to counter the problem, though, is to forestall it by thinking ahead.
You can’t trust unsolicited phone calls: anyone can ring you up and say they’re calling from or on behalf of Microsoft (or anyone else).
The circumstances under which some random caller can really know anything about your computer(s) are very rare. In general, if someone rings and says your PC is infected, it’s a scam. If he or she asks you for money to fix it, it’s always a scam. Or, at best, aggressive marketing, which is sometimes barely distinguishable from fraud.
If you (or your employer) have some sort of support contract that might just possibly involve someone calling you out of the blue about a security issue, make sure you have a way to verify their bona fides. If you see some sort of pop-up message or even a Blue Screen of Death including a ‘helpdesk’ telephone number, expect the worst. If it turns out you really do have a problem, find a more reliable source for a helpdesk number.
If you really think it might just be a genuine call, ring back to a known genuine number, and make sure the initial caller is really disconnected. (Here’s an extract from an earlier blog on another scam to explain why that’s important.)
When you put your phone down, it doesn’t mean the line is immediately cleared. This may be changed at some point because of the ways in which this feature can be misused, but the system does have legitimate advantages: for instance, if the phone is put down on a 999 call, it allows the operator to trace the call (for instance, where the caller has disconnected under duress). I can’t say if the same is true with 911 calls.
[There have even been reports of scammers using a recorded dialing tone so that the victim doesn’t realize the scammer is still on the line.]
If you need to look up a suitable support service, bear in mind that a search engine is likely to find links to scam pages as well as to companies offering genuine support services, including sites that have deceptive names suggesting links with Microsoft or Windows or Apple or Android. By sites, I mean not only company sites, but secondary sites such as Facebook pages and blog pages, where a great deal of unpleasant content of all sorts can be found lurking.
Many of the ‘what do I do now?’ questions I see seem to come from people who don’t have a regular security product installed, not even a free one. Given what I do for a living, you won’t be surprised that I strongly recommend using security software, even a free product, though a good for-fee product usually has the advantage of more reliable support. Don’t forget, though, that there is plenty of software passed off as a security product that ranges from useless to downright malicious. If you’re not sure which product to get (I could make a suggestion, but I’m not in marketing!), check out the mainstream security product testing organizations. I don’t always agree with the testing industry’s methodologies and claims, but reputable testers are not usually fooled into recommending fake products.
A good starting point would be the testers who are represented in AMTSO. (That’s the Anti-Malware Testing Standard Organization.) Testers and vendors that join AMTSO are usually trying to improve the accuracy of testing rather than just trying to manipulate it: participating testers do look at genuine products, and they do tend to conform to ethical guidelines.
Author David Harley, ESET