UK journalist Kevin Townsend has blogged today on what sounds like two support scam phone-calls of a type I’ve mentioned here a few times since a colleague at another company drew my attention to it last month.
UK journalist Kevin Townsend has blogged today on what sounds like two support scam phone-calls of a type I've mentioned here a few times since a colleague at another company drew my attention to it last month.
Interestingly, while one story sounds like a classic "you have a virus" call, the other is a "your computer is running slow" call. Now that sounds bizarre to me. There are circumstances under which a third party might conceivably get a notification that a PC at a given IP address (say) is behaving suspiciously like a zombie (for example), though those circumstances are far likelier to arise in a corporate context than at home, because of the use of dynamic addressing and shared gateways. To believe that your PC is broadcasting the fact that it's running slow to a third party requires a greater leap of faith (that's a polite way of saying gullibility) on the part of the customer.
Here's a thought that's been troubling me since I saw that blog, though. So far, all the instances I've heard of have claimed some form of affiliation with Microsoft or Cisco, or at least to have support technicians with appropriate certifications approved by Microsoft or Cisco.
However, one of the ideas around at the moment is that ISPs might (or even should) regulate customers whose systems are compromised by malware such as bots by not allowing them to connect until those systems are cleaned. That's a logical extension of standard practice for corporate network administrators (yes, I used to do it too). But for every good idea there's a way to misuse it for malicious purposes.
I have a horrible feeling that we might start to see support scammers claiming to be working for or affiliated with ISPs: the threat of disconnection would be an effective way of putting pressure on victims. Social-engineering malware carrying malicious links or attachments have used the same technique for many years.
ESET's ThreatSense Report for July, due out tomorrow, includes an article on the same topic by Urban Schrott, of ESET Ireland. It should be obtainable from the ESET Threat Center page soon after. There's also a white paper by Urban, Jan Zeleznak and myself going through the publishing process at the moment: I'll put up a pointer here when it's available on ESET's White Papers page.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow