Support Scams: multi-language, fake BSODs, and the Nuclear exploit kit

Here’s another blog by Jérôme Segura well worth a read: The Multi-language Tech Support Scam is Here.

And a couple of articles I added to the tech support scam page at the end of July, but didn’t note in the blog.

A blog by me, Double Dipping: Nuclear exploit, fake BSOD, support scams, refers to two very interesting blogs by Martijn Grooten – Compromised site serves Nuclear exploit kit together with fake BSOD – and Jérôme Segura  – TechSupportScams And The Blue Screen of Death.

David Harley

Pop-up Support Scams and iOS

[My colleague Josep Albors, knowing of my interest in support scams, recently contacted me about the spate of support scam alert messages reported by some users of iOS devices, the idea being to persuade the victim to ring a scammer ‘helpline’ by making them believe that they’re talking to a legitimate helpdesk about a real problem. Here’s a summary of the Spanish-language blog he wrote following our conversation. This article will be added shortly to the tech support scam information resources on this blog.]

Telephone scams that masquerade as support services have been with us for years. In fact, our colleague at ESET, David Harley, is an expert on the subject and has spoken at length on the topic in the blog WeLiveSecurity .

Over the years, criminals have honed their techniques, trying to increase the number of victims drawn into this deception. Today we will discuss one of the most recent cases of support scams, mainly targeting users of iPhone and iPad devices.

ALERT

This time the criminals have changed their approach and are no longer cold-calling their victims passing themselves off as support service staff trying to help victims solve non-existent problems on their computers (at a price, of course). In this instance, they are looking for users to call them after seeing some troubling ‘alerts’ on their devices intended to make them think that something is wrong with their system.

In the last week or two several users (mainly in the US and UK) have reported seeing an alert window in the Safari browser on their iPhones and iPads. Our colleague David Harley addressed this specific issue in his blog about threats to Mac and IOS .

Victims see a screen popup that indicates that the system has crashed because of a third party application and advises them to call a phone number for an immediate solution.

The peculiarity of this popup is that, however much you press the OK button, the message will still appear in your browser, even if you close it and return to open.

Fortunately, it’s possible restart the browser and close the tab before it is loaded (or take a more drastic measure by deleting all browser history) so as to remove this annoying message. The purpose of the scammers is to make victims believe that there really is a problem so that they will make the phone call, whereby the scammers will ask for money in order to solve the non-existent problem.

Here’s the format of a typical message of this type:

[URL of scam site]
Due to a 3rd party application in your phone,
iOS is crashed Contact Support
for Immediate Fix.
[US toll-free number]
[OK]

Other variants claim that clicking OK will send a bug report to Apple and state explicitly that the ‘support line’ number is Apple’s.

DETECTION OF THIS THREAT

It is easy to fall into such traps where the default browser (Safari in this case) does not react to this kind of deception and does not block malicious sites as some other browsers do.

If you try to access a malicious web site with Chrome or Firefox from a desktop computer, you will see a warning that you have been targeted by a phishing attack and access to the malicious web page will be blocked.

Some security solutions will also detect this website as a potential phishing threat if you access it from your browser on a desktop system, or indeed on an Android device.

CONCLUSIONS

David Harley comments:

There are a couple of interesting aspects of this variation on the support scam: one is that it’s a further indication of a trend away from cold-calling and towards luring potential victims into calling the scammer. In the past it’s also been done by seeding social media sites with testimonials, or fake support sites using scraped content and dubious generic advice, as Martijn Grooten and I discussed in a blog some years ago.

There have also been many reports recently of tech support services advertised in the US where calling gets you into a conversation with someone using very similar, misleading sales techniques as those we associate with the classic cold callers from Indian call centres: see, for instance, http://www.welivesecurity.com/2015/06/03/confessions-support-scammer/ Tellingly, one of the ‘confessions’ I quoted there made the point that:

Basically we had “marketers” who would put pop ups on people computers saying that they may be infected with a virus and giving them a number to call.

The advantage of seeding the internet with fake pop-ups is that the technique has the potential to work across almost any platform, depending on how secure the browser technology is. (For instance, similar attacks have been reported on OS X/Safari very recently.)

The third interesting point – though it actually follows on from the second – is that when people call you to describe their problems, you don’t have to invent over-used gambits like the Windows-specific CLSID and Event Viewer tricks to convince them that they have a problem. So again, it’s platform non-specific.

It seems clear that criminals continue to incorporate new techniques to ensnare new victims. As far as telephone scams specific to fake support are concerned, the claims we see are more-or-less complete fiction, but we will watch with interest to see what further innovations they come up with.

Josep Albors

More on iOS support scams

Added to the resource page today:

Here’s a further Mac Virus article in the light of an F-Secure article explaining that pop-up blocking in Safari doesn’t fix the iOS Support Scams issue I added yesterday: A bit more on iOS support scams. I don’t necessarily include links here that are internal to a link that I have added here, but as this issue still seems quite ‘live’ I will this time:

I also notice that there’s a Wikipedia article on support scams here. It’s not exactly comprehensive, but it’s reasonably accurate and even links to a couple of my articles. :)

 

iOS support scams – added to resources page

Added to the PC ‘Tech Support’ Cold-Call Scam Resources page today….

Here’s an extract from another Mac Virus article – iOS Support Scams – on tech support scams, this time targeting iOS users:

A new blog by Graham Cluley for Intego actually has some points in common with my most recent blog here (which also involved pop-ups misused by support scammers, particularly in the context of Safari). However, Graham’s article is about iOS, whereas mine related to questions asked regarding OS X and Safari (citing advice from Thomas Reed that also addressed other browsers).

David Harley

Tech support scam pop-ups on Mac

Just added to the PC ‘Tech Support’ Cold-Call Scam Resources page.

An article for Mac Virus on tech support scam pop-ups targeting Mac users, and pointing to a useful article by Thomas Reed here, as well as a knowledge base article by Apple on dealing with ad-injection software.An article for Mac Virus on tech support scam pop-ups targeting Mac users, and pointing to a useful article by Thomas Reed here, as well as a knowledge base article by Apple on dealing with ad-injection software.

David Harley

Article on two phone scam reports

I’ve added one of my articles for ESET to the scam resources page. It’s not primarily about support scams, but looks at interesting data from reports by the Consumer Sentinel Network Data Book for January-December 2014 and Pindrop Security – The State of Phone Fraud 2014-2015: a Global, Cross-Industry Threat.

I don’t recommend (see my article) that you take the statistics as gospel, but interesting trends and commentary.

David Harley

Professor Klaus Brunnstein

Many people in the security industry have expressed their regret at the passing of Professor Dr Klaus Brunnstein, who died on 20th May 2015, just a few days before his 78th birthday, as I noted in an article for ITSecurity.

I’ve been particularly struck, though, by the fact that so many people were willing to share their thoughts: not only at ESET (where so many people expressed their regret that I felt I had to post the article at a vendor-neutral site so that it wouldn’t look like some kind of twisted PR exercise), but also by the many people who responded to requests for comments before the article was published and even after it was published. I’m only sorry I couldn’t include all the commentary I received.

I think it all indicates just what a legacy Klaus leaves behind him, not just politically, and not just to the security industry (including CARO and EICAR) and to academia (notably the Virus Test Center at the University of Hamburg), but to the entire online world. The article and the links it includes give only barest impression of how immense his contribution was, and just how much he’ll be missed personally. As Andrew Lee observed:

A thoroughly decent man. Sadly missed, he wasn’t able to make it to the CARO conference a couple of weeks ago. I only met him a few times, but it was always memorable.

David Harley
ESET Senior Research Fellow

Nepal earthquake scam: out for a duck…

(But there are plenty more where he came from…)

It was, I suppose, inevitable that the earthquake in Nepal would provide an opportunity for scammers to capitalize on the misery of others. I haven’t been tracking this particular subcategory of scamming nastiness, but a pingback on one of my articles written in 2011 for the AVIEN blog about Japanese earthquake-related scams and hoaxes – actually, a link to some of the many articles relating to those scams – drew my attention to a blog by Christopher Boyd for Malwarebytes on Nepal-related scams.

In that article, the Nepal earthquake scam he highlights is a bizarrely-expressed donations scam message claiming to be from the weirdly named ‘Coalition of Help the Displaced People’:

We write to solicits [sic] your support for the up keep [sic] of the displaced people in the recent earth quack [sic] in our Country Nepal.

He also flags an assortment of Nepal themed scam emails listed at Appriver, and a ‘dubious looking donation website’ covered in detail by Dynamoo.

Appriver’s collection includes:

  • A classic 419 claimed to be from one of the earthquake victims (daughter of a deceased politician – stop me if you’ve heard this story before…)
  • Another giving the impression it’s on behalf of the Salvation Army and World Vision: who’d have guessed that big organizations like those would use Gmail accounts? ;)
  • An exercise in guilt tripping from ‘Himalaya Assistance’ whose real purpose seemed to be to distribute a keylogger.

US-CERT also warns of ‘potential email scams’. As well as generic advice about mistrusting links and attachments and keeping security software up to date, the alert very sensibly advises the use of the Federal Trade Commission’s Charity Checklist. The FTC’s page includes sections on:

There are a number of ways of checking the bona fides of a charity, including Charity Navigator (http://www.charitynavigator.org/) and Charity Watch, formerly the American Institute of Philanthropy (http://www.charitywatch.org).

In the UK, GetSafeOnline also has a guide to protecting yourself from charity scams, including resources for checking the status of UK charities:

I’ll leave the last word to Chris Boyd, since I couldn’t agree more and couldn’t have put it any better:

Scammers riding on the coat-tails of disasters are the lowest of the low, and we need to remain vigilant in the face of their antics – every time they clean out a bank account, they’re denying possible aid to the victims of the quake and creating all new misery elsewhere. That’s quite the achievement…

David Harley 

Alleged US support scam site temporarily shut down

This is one of my articles for IT Security UK about the FTC securing an injunction against Pairsys Inc, which (according to The Register) is is “banned from deceptive telemarketing practices, and may not sell or rent their customer lists to any third party. The injunction requires that their websites and telephone numbers must be shut down and disconnected, and their assets be frozen.”

David Harley
Small Blue-Green World
ESET Senior Research Fellow