The World of the Technical Support Scam

Image

According to new research published by Microsoft last month, one in three users fell victim to a tech support scam in the last year. One in five followed up on a suspicious interaction by downloading software or visiting a fraudulent website, while nearly one in ten lost money.

The classic scam

The traditional form of a tech support scam has been around for some time. An amalgamation of social engineering and confidence trickery, the fraudsters' classic modus operandi follows a very basic pattern. Interactions are generally initiated through cold calling. Indeed, organized groups ring up people under the guise of being "from Windows Technical Support" or "from Microsoft." After establishing a sense of trust, they convince the unsuspecting victim that their computer has been "taken over by dangerous malware" and that this has been confirmed by Microsoft's security team. A succinct explanation of the risks posed by the (non-existent) threat often accompanies the opening ploy. At this point, the habitual fraudster may employ one of several confidence tricks to assert proof of the threat and further proceed with the scam. These are as follows:

• The scammer prompts the victim to open the Windows Event Viewer, review the Application Logs, and look for any "Warning" or "Error" items. While almost all of these are harmless false-positives, the scammer maintains that each error is evidence of malware activity that must be rectified immediately.
• The fraudster asks the victim to open the Windows Registry and identify keys or values with a certain name or value. Despite being completely harmless, the scammer classifies these as malicious and explains that the malware has "corrupted" system space.
• Several researchers have witnessed scammers prompting victims to visit Temporary Files and cache directories. Despite being completely benign files, the scammers claim that the unusual file names and formats are indicators of harmful activity.
• The scammer misuses the output of Command Prompt tools (such as "tree" or "dir") to frighten the victim, even going so far as to manually change the output color to red or green and type threatening messages into the window. The exact nature of a Command Prompt maneuver depends on if remote access has been attained beforehand.
• The victim is prompted to locate and read out their Product ID or GUID (globally unique identifier). The fraudster pretends to "check their system" before confirming the "virus protection warranty" has expired and that they are at immediate risk of further virus attacks.

Each of these con tricks shares a subtle commonality: to cement the idea that their computer has actually been infected, the scammer always gets the victim to complete the steps and discuss the results. Even with Command Prompt, the fraudster sometimes compounds this technique with the Event Viewer beforehand. We can also see how the scammers rely on the use of textbook social engineering techniques throughout this portion of the call. Contextual manipulation and urgency put pressure on the victim to proceed with the next stage of the interaction. Next, the scammer introduces their universal remedy—a comprehensive protection package or tool to remediate the threat. The victim is instructed to download and run a piece of legitimate remote access software, so the infection can be fixed. Popular examples include TeamViewer and AMMYY. The scammer then initiates the session from their end or asks the victim to provide the necessary details. Unsophisticated scammers pop up a Notepad dialog and type the order form manually. More nefarious outlets have websites primed and ready to steal users' card details. In extreme cases, scammers leave adware on a victim's computer or use utilities like SysKey to deny future access. Common SysKey passwords include "1234" and various expletives.

Modern case studies

While scammers haven't given up on the classic technique, last month's Microsoft research indicates a "startling number of millennials" are now falling victim to tech support fraud. Fifty percent of all respondents who proceeded with a "fraudulent interaction" were part of the 18 to 34 age bracket. A clear and present threat is now emerging—the scammers' tactics have started to evolve. We'll be taking a look at some real-world examples of modern technical support scams shortly. Instead of flipping through the telephone directory en masse, contemporary scammers leverage spam email, fake AdWords listings, pop-ups and even their own adware to mislead and defraud innocent consumers. As researcher Courtney Gregoire surmises, it is important to maintain that the scammers' M.O. remains the same regardless of the manner of insertion. The scammers use urgency and misrepresentation to present a fake threat, gain remote access and obtain payment details. Mac attacks Early iterations of the technical support scam were solely focused on Windows. Mentioning that you own a Mac was a quick way to get a scammer to hang up. As this analysis from Malwarebytes shows, however, scammers have now started using AdWords and Bing Ads keywords focused around potential Mac issues to defraud victims. The scammer described the threat and initiated remote access before using the "ping" command to demonstrate a "threat." Impersonating ISPs and Netflix Modern scams have also started to enter the realm of phishing. This 2014 example incorporates a mix of classic and contemporary elements. Interestingly, these scammers requested that the victim hold their ID and credit card up to the webcam (with the TeamViewer video feed turned on). It wasn't long before copycat fraudsters began adapting the scam for other streaming sites, as well as North American ISPs, such as Comcast and AT&T. Zeltser notes that several unscrupulous outlets have gone so far as to detect the victim's ISP and present a targeted warning page. Mobile ads and Android tricks Scammers have also started using AdWords and Bing Ads injection to target Android users. In these examples (first detected in 2014), the scammer follows a highly familiar routine, with the exception of having the victim plug their phone into their PC (before proceeding to examine the user's Windows Prefetch folder). Screen lockers and mock ransomware An unfortunate evolution of the technical support scam has its roots in ransomware. Degenerate scammers have adapted the bog-standard fake anti-virus alert and engineered screen lockers that deny consumers access to their PC until a "license fee" is paid. Many of these scams have been exposed by Malwarebytes' lead analyst Jérôme Segura. I'll finish with a reflection from Jérôme:

"People can no longer simply rely on common sense or avoid the typical cold calls [...] scammers have already started manufacturing malware tailored for what is essentially plain and simple extortion."

Tips for staying safe

• Stay informed about the latest techniques that scammers are leveraging to trick users.
• If the scammers gain remote access, restart your PC to kick them out.
• Scan your computer for malware and persistent tools that the scammers might have left behind.
• Look for logs left behind by the remote access software to help track the scammers down.
• Change your passwords and online credentials. Thieves might have stolen these during the scam.
• If the scammers obtain card details, get in touch with your bank to block the card.
• Report the fraud to the relevant authority (e.g. US/UK/Australia).
• Get in touch with friends and family to share your experience and help others stay safe.

The Microsoft survey was conducted in summer 2016 and included respondents from Australia, Brazil, Canada, China, Denmark, France, Germany, India, Singapore, South Africa, the United Kingdom, and the United States.  

Image

About the Author: Yasin Soliman lives and breathes information security. In addition to working as an independent research analyst, Yasin writes for the award-winning site Graham Cluley Security News. You can find him on Twitter at @SecurityYasin. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.