Support Scams and Diagnostic Services

Every so often I get requests for help from people with a computer problem that may or may not be malware-related.

When I have to refuse help, which is more often than I’d like, I try to refer the people concerned to a more appropriate person or forum, and to suggest they do what they can to ensure that the advice is from a reputable and competent source. I’m more cautious about recommending specific resources, even well-known commercial organizations, unless I’m in a position to confirm their competence and bona fides.

Sadly, this reluctance has been reinforced by accusations against Office Depot, which is alleged to have tricked customers into paying for unnecessary repairs to their systems.

I’m not sure it’s that simple, though. As I discuss at some length in an article for ITSecurity UK: Support Scams and Diagnostic Services

David Harley


Dr Solly Yanks a Support Scammer’s Chain

Dr Alan Solomon, one of the pioneers of the anti-virus/anti-malware industry (though not one of its biggest fans these days), describes a game of ‘upstairs downstairs’ played with a hapless scammer who made the terrible mistake of ringing him to tell him about his malware ‘problem’.

Another tech support scam

It might not tell you anything you didn’t already know about the classic cold-call scam, but it’s very likely to afford you a minute or two of entertainment.

David Harley

Support scammer targeting TalkTalk customer (again)

There have been suspicions before that TalkTalk customers have been targeted by tech support scammers who know more about their intended victims (and their issues with TalkTalk) than they should. I’ve alluded to them in some articles on this site.

I don’t, of course, know the facts behind those suspicions, but I note that Graham Cluley has encountered another curious incident – I won’t say coincidence…

Brand new TalkTalk customer is targeted by phone scammer – A problem at TalkTalk? Say it ain’t so.

David Harley

HTML5 bug misused by support scammers

An article by Jérôme Segura for Malwarebytes – Tech support scammers abuse bug in HTML5 to freeze computers – describes a variation on the tech support ploy of using JavaScript loops to simulate a persistent pop-up ‘alert’. In this case, the attack abuses the history.pushState() method introduced with HTML5, calling it repeatedly in a loop until the browser locks up. According to Segura, ‘the computer that visited this site is essentially stuck with the CPU and memory maxed out while the page is not responding’, though it may be possible to kill the browser process with Task Manager.

Hat tip to David Bisson, whose commentary for Graham Cluley’s blog called the issue to my attention.

David Harley

To pay the ransom doesn’t always pay off

Further to the discussion as to whether people or organizations should pay up when hit by ransomware…

  • The hardline security maven view is usually that they shouldn’t because it encourages the proliferation of ransomware attacks.
  • A softer view (more or less mine) is that you can’t blame people – especially individuals – for not sacrificing their treasured photos, documents etc for a principle. But we hear of organizations assuming that it’s cheaper to pay the ransom than it is to protect data properly. If so, not only are they adding to the problem, but they’re making an unsafe assumption. That is, that paying the ransom will get their data back.

Sometimes, we’re told that ransomware operators will ‘return’ the data because not to do so may damage their ‘business model.’ And there’s something in that. However, the operators don’t always return the data. Sometimes they just can’t, through some technical issue or incompetence. Sometimes they just don’t bother.

Judging from a survey report from Kaspersky, it seems the number of times that payment doesn’t result in the release of the data may be higher than we think. The report states that:

17% of people online have faced a ransomware threat, with 6% becoming infected as a result. One in five users that pay a ransom don’t get their files back

David Harley


Support Scam Threatens to Delete Hard Drive

Siddhesh Chandrayan, for Symantec, reports on a particularly vicious example of social engineering designed to scare a victim into ringing a fake support line:

Tech support scams increasing in complexity – Tech support scammers have begun using code obfuscation to avoid detection.

The pop-up fake alert claims that the victim’s system is infected with ‘Exploit.SWF.bd’ and that the hard drive will be deleted if he or she tries to ‘close this page’. It displays a fake ‘hard drive delete timer’, complete with audio effect.

Don’t panic! Script running in a web page can’t do any such thing: the browser sandbox gives JavaScript no direct access to the local file system. (There are, of course, other ways of accessing and changing the contents of a client-side disk, but there’s no suggestion that any of those mechanisms are at play here.)

The obfuscated script also includes code to ascertain whether the system is running Windows, ‘MacOS’, UNIX or Linux, so that the alert can be tailored accordingly.

Commentary by David Bisson, writing for Graham Cluley’s blog: Scare tactics! Tech support scam claims your hard drive will be deleted – Scammers tries to frighten you into phoning them up.
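The two browser-side tricks described in this post and in the HTML5 pushState post above (a loop that floods history.pushState() or re-raises alert(), a beforeunload nag, OS sniffing, scare text and a ‘helpline’ number) are easy to recognise in a page’s script once you know the pattern. The following JavaScript is an added example written for this page, not code from the posts or from the Malwarebytes/Symantec write-ups: a small heuristic scorer that flags scripts carrying those indicators. The indicator names, regular expressions, weights, threshold and the three sample scripts (including the fictional 555 phone number) are all constructed assumptions.

```javascript
// Added example (editor's own, not code from the posts or from the
// Malwarebytes/Symantec write-ups): a heuristic scorer for page scripts that
// use the browser-locking tricks described above -- history.pushState()
// flooding, alert()/beforeunload loops, OS sniffing, scare text and a
// "helpline" number. Indicator names, regexes, weights, the threshold and the
// sample scripts are all assumptions chosen for illustration.

const INDICATORS = [
  {
    name: "pushState_flood", weight: 4,
    // pushState() called from inside a loop or timer body
    test: (s) => /\b(for|while|setInterval|setTimeout)\b[\s\S]{0,120}history\.pushState\s*\(/.test(s),
  },
  {
    name: "unload_trap", weight: 3,
    // beforeunload handler used to nag the user who tries to close the tab
    test: (s) => /onbeforeunload|addEventListener\s*\(\s*['"]beforeunload['"]/.test(s),
  },
  {
    name: "alert_loop", weight: 3,
    // alert() re-raised from a loop or timer: the classic "persistent pop-up"
    test: (s) => /\b(for|while|setInterval|setTimeout)\b[\s\S]{0,120}\balert\s*\(/.test(s),
  },
  {
    name: "os_fingerprint", weight: 1,
    // platform sniffing used to tailor the fake alert (Windows vs Mac etc.)
    test: (s) => /navigator\.(platform|userAgent|appVersion)\b/.test(s),
  },
  {
    name: "scare_text", weight: 2,
    // vocabulary of fake security alerts; low weight because "delete" and
    // "virus" also occur in perfectly legitimate code
    test: (s) => /\b(infected|virus|hard ?drive|delete|security alert)\b/i.test(s),
  },
  {
    name: "phone_number", weight: 2,
    // a North-American-style number the page wants the victim to call
    test: (s) => /\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/.test(s),
  },
];

// Returns the matched indicator names, a weighted score and a verdict.
// The threshold is set so that a single pushState() or a lone phone number
// does not trip it on its own.
function scoreScamIndicators(source, threshold = 6) {
  const matched = INDICATORS.filter((ind) => ind.test(source));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  return { hits: matched.map((ind) => ind.name), score, suspicious: score >= threshold };
}

// Constructed sample in the style the Malwarebytes article describes:
// a pushState() flood plus a beforeunload nag.
const PUSHSTATE_SAMPLE = `
  for (var i = 0; i < 100000; i++) { history.pushState(0, 0, '#' + i); }
  window.onbeforeunload = function () { return "Security alert"; };
`;

// Constructed sample in the style of the Symantec report: OS sniffing, a
// looping alert with scare text and a (fictional) number to call.
const TIMER_SAMPLE = `
  var os = navigator.platform.indexOf('Win') > -1 ? 'Windows' : 'Mac';
  setInterval(function () {
    alert(os + ' is infected. Your hard drive will be deleted. Call 1-800-555-0199');
  }, 500);
`;

// Constructed benign sample: an ordinary single pushState() on a click.
const BENIGN_SAMPLE = `
  document.getElementById('tab').addEventListener('click', function () {
    history.pushState({ tab: 2 }, '', '?tab=2');
  });
`;

for (const [label, src] of Object.entries({
  pushState: PUSHSTATE_SAMPLE, timer: TIMER_SAMPLE, benign: BENIGN_SAMPLE,
})) {
  console.log(label, scoreScamIndicators(src));
}
```

Run it with node; the two scam-style samples score 9 and 8 against a threshold of 6, the benign one scores 0. This is a triage aid rather than a detection engine: the regexes are deliberately loose, so treat a ‘suspicious’ verdict as a prompt to look at the page, not as proof.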

David Harley

Support Scams: the supply chain

Support scammers tend to be seen by people with a reasonable understanding of technology as being pretty low-grade, as scammers go.

‘Support desk’ scammers are sometimes subjected to humiliating telephone exchanges by people who take an understandable pleasure in wasting their time by pretending to be even dumber victims. These scam-baiters capitalize on the fact that scammers at this level are often easily confused if the victim doesn’t follow the script, and that they don’t have the technical knowledge to respond appropriately to reverse social engineering. Yet some of the tricks scammers deploy to convince victims that their systems are compromised, so that they seek help from a fake helpline, have become surprisingly sophisticated. As have the scammer organizations themselves.

For Malwarebytes, William Tsing offers an explanation as to how support scammers ‘can be sophisticated enough to set up infrastructure handling and network tracking, SEO cloaking, and payment processing.’ His suggestion is that behind the scam companies is a ‘criminal underclass’ offering prefabricated scam packages ‘that only require a credit card and ill intent to set up.’ And since most cybercrime works on a similar model, that comes as no surprise. In his article, he dissects a specific example of a Scam in a Box: Scamming as a service – seriously.

David Harley

Security Essentials or Support Scam?

Microsoft describes a malicious program that masquerades as an installer for Microsoft’s own Security Essentials program. What Hicurdismos actually does is generate a fake Blue Screen of Death (BSoD) including a ‘helpline number’: so yes, it’s essentially a malware-aided tech support scam. It is spread by drive-by-download, and takes a number of steps to make itself look like a serious system issue, such as hiding the mouse cursor and disabling Task Manager.

Security Essentials is still available from Microsoft’s own support site for Windows 7 and earlier. Windows 8.x and 10 users should note that it can’t be used on their systems. However, they don’t need it, since the version of Windows Defender that comes with 8.x and 10 has equivalent functionality (unlike the Defender shipped with earlier Windows versions). Nevertheless, apart from the pointer to the ‘helpline’, the fake BSoD closely resembles an error message that may be seen on 8.x and 10. Would that convince 8.x and 10 users that they also need the fake Essentials? Microsoft seems to think so.

Fortunately, it’s widely detected.

SHA1: e1e78701049a5e883a722a98cdab6198f7bd53a1

SHA256: 7dcbd6a63cb9f56063d2e8c5b17b3870bb2cbaeaafff98ce205d742cce38ba96

VirusTotal report: at 24th October 2016, 42 out of 56 vendors were shown as detecting it.

Commentary from The Register: Microsoft: Watch out millennials for evil Security Essentials

David Harley

Interest rates down, bitcoin stockpiles up

The Guardian and the International Business Times offer a sidebar to the ‘Do/should businesses/organizations pay up?’ discussion, by revealing that financial institutions are amassing bitcoin in case of extortion. However, both articles are focused on DDoS attacks and related extortion demands rather than ransomware. The IBT article doesn’t really go into the question of whether paying up is a Good Thing, except to quote Dr. Simon Moores: ‘The police will concede that they don’t have the resources available to deal with this because of the significant growth in the number of attacks.’ The article in the Guardian (from which the IBT seems to have drawn most of its content) does explore that issue in more depth, but doesn’t discuss ransomware at all.

However, IBT does quote Marcin Kleczynski of Malwarebytes as saying a couple of months ago that he knew of UK banks that have substantial quantities of bitcoin ready to deploy in the event of a ransomware attack. Well, that’s going to discourage the bad guys, isn’t it? 🙁

International Business Times: UK banks allegedly stockpiling Bitcoin to pay off cybercrime extortion threats – Police ‘don’t have the resources’ to combat cyber extortion attempts, expert claims.

David Harley

APWG statistics

According to the Anti-Phishing Working Group’s report for the second quarter of 2016, phishing attacks (as measured by the number of phish sites) reached an all-time high in that period (61% higher than the previous recorded high in 2015 Q4). It also cites PandaLabs as reporting detection of 18 million ransomware programs over that period, amounting to roughly 200,000 per day.

Phishing Activity Trends Report 2nd Quarter 2016

David Harley