New variations on the ‘pay us to fix your non-existent viruses’ scam: Windows Indexing, the Frost Virus, and scam globalization.
David Jacoby's excellent work on researching phone support scams (good to meet you at Virus Bulletin this year, David!) has been mentioned here before, and he's just put up another blog article with some useful info on one or two gambits I haven't seen before.
First of all, the scammer told him he was infected with the Frozen Trojan, but was only able to direct him to Google searches for 'frozen viruses' that turned up links relating to bird flu. (Must have been a bit of a birdbrain, if he didn't know the difference between trojans and viruses. He should have asked David, who is a researcher for Kaspersky and certainly knows the difference.) When I did a little googling of my own, I did find a reference to Warcraft III: The Frozen Throne – which apparently one of our competitors (briefly) falsely identified as a trojan backdoor some years ago – and one or two other interesting snippets that I may come back to another time, but no malware that seemed immediately relevant.
We have seen instances of scam calls relating to specific malware, most notably Win32/Quervar/Dorifel, detections of which spiked in the Netherlands, though I'd hardly call it an epidemic. I also had a scam call a while ago where the caller tried to convince me that I was infected with a virus that was epidemic in the UK, but she was unable to tell me which virus. I guess we'll just have to wait until one of our research labs manages to thaw out the Frozen Trojan to find out what it is. ;-)
Secondly, and more innovatively, the scammer tried to use the Windows Indexing service to persuade David that his security was screwed because the Software Licensing Service wasn't running. He was instructed to open the Computer Management (Local) window and use the query function to search for 'software warranty': David's blog includes a screenshot, but as it was captured on a Swedish machine, I've reproduced it on one of my own systems here.
Naturally, the utility returns a 'Service is not running' error message, since there is no such service.
Subsequently, he allowed them to download a utility to his (newly installed) virtual machine which managed to find 32,390 unprotected items and smaller numbers of other improbable problems and issues.
You may remember that we've seen large numbers like this before, as noted in a paper by Martijn Grooten, Steve Burn, Craig Johnston and myself at this years Virus Bulletin: My PC has 32,539 errors: how telephone support scams really work.
I can't help thinking that at some time someone is going to realize that when it comes to flagging dubious system errors, less is more, but for the moment, support scammers are clearly more focused on Windows Scare than Windows Care. In any case, making the numbers more believable wouldn't reduce the manifest improbability of some random cold-caller knowing more about the state of your PC than you do.
There's plenty more useful detail in David's blog, and I won't try to summarize it all. I know security bloggers aren't supposed to give free PR to bloggers from competing security companies, but I'd really like you to read his article. :)
In the meantime, let me leave you with some slightly disturbing information from a different source.
Today, my colleague Anders Nilsson of Eurosecure directed my attention to a site that offers phone numbers to which you can redirect telemarketers so that they end up being recorded in conversation with a bot. Many of the calls weren't that entertaining, but I particularly liked the recording of an increasingly exasperated caller trying to persuade a doddery Australian that his computer had a security problem. (She rang off in disgust before explaining what the problem actually was.) What I didn't like so much is that she claimed to be calling from Algeria. And in fact, her accent could indeed have been North African: however, her English was very proficient and very well-articulated.
From time to time, I see blogs and articles that assume that this type of scam always originates in India. In fact I have heard of an example of a scam call where the recipient was fairly sure that the caller was English, but that's very unusual. However, I'm pretty sure we're reaching a stage where the crude 'Indian accent = scam' heuristic becomes even less reliable. Not only because many legitimate call centre services are outsourced to India, but also because it would be a very bad idea to assume that someone who speaks good English (UK English or US English) is automatically more credible.
In the end, you need to understand the mechanics of the scam, rather than make assumptions based on ethnicity.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow