My latest article for ESET’s WeLiveSecurity blog expands on material that originally appeared in a lengthy article on support scams for ITSecurity UK, and subsequently in an article for the ESET Threat Radar Report for December 2015.
Support scams: What do I do now? covers some of the options for people who’ve allowed a support scammer to access their PC and, on discovering that they’ve been duped, have asked about the implications of that mistake and what they need to do next.
By social engineering in the course of a cold-call.
By seeding the web with sites that support their claims to provide AV tech support, and using SEO to promote them, though they’re unlikely to claim there that they’re directly affiliated with individual companies.
I had a lot of helpful discussion with ESET’s support team that inspired the article. And I regard this kind of fraud as an insult to the sterling work that real AV tech support teams do.
Added a link to the AVIEN support-scam resources page: to be precise, an article for ESET in which I commented on some recent developments in the support scam landscape, including a pointer to Jerome Segura’s article for the Malwarebytes blog: Support Scam Cold-Calling: the Next Generation.
Well, not new resources, unfortunately. Just a couple of blogs I haven’t previously got around to flagging here: PC ‘Tech Support’ Cold-Call Scam Resources. I have lots of other material to add, but no time to edit it down to be readable at the moment, unfortunately.
Still, you might find the additions (and the resources elsewhere that they point to) of some use and interest.
David Harley CITP FBCS CISSP ESET Senior Research Fellow
Here are some recent (unedited) comments to one of my ESET articles on support scamming.
The latest comments to How to recognize a PC support scam include three particularly interesting comments. The first includes a couple of phone numbers that might be worth investigating. The second indicates an oddity as regards the scammer’s caller ID, and the third (by my colleague Aryeh Goretsky, who has experience in the telephone industry) explains its significance:
We recieved several phone calls today from this same identity, he proclaims himself to be from the national computer security. I felt scam from the beginning but I wanted to know his ploy, he had already tried to extract info from my teenage son(15) but very computer savey(too many gaming hackers for friends). The caller called w/o giving name but caller id showed (4-905-512-3123) however when told he was being traced, he gave a number (510-314-4990)(person not available). They try to convince you that any caution or failed service history notices are dangerous hackers. Don’t delete but talk w/ their tech reps and they will tell you what to do. My oppinion, bad idea. My neighbor is w/ cyber crimes for our city, I’ll ask his help and have my compuiter checked out by a local reputable source
I got several calls from this weird NODID caller ID wich isn’t what my phone usually displays when I get an anonymous caller id. And today I was home and answered to this guy who sounds like he is from india, telling me he works for PC support and that my computer is sending them online error reports. It seemed obvious it was a scam so I told him to stop calling me because I am not interested in whatever he had to offer. He then asked if I thought it was a sale call, I replied that I think it’s a scam. And he hung up immediately. I looked up pc support on the internet and found this page. They do still try to fish with this scam. My phone number is in east coast Canada
Hello Jonathan, I wonder if your Caller ID might have displayed “NO DID”? D.I.D. is an abbreviation for “direct inbound (or inward) dialing” and is a term used in telecommunications to refer to phone line assigned to a specific device. In this case, I have to wonder if the scammer who called was had hacked into some company’s VoIP phone system to steal phone service for their calls, and this was displayed as a result of that action.
Report received via the ESET blog of a scam call using the ASSOC and Event Viewer ploys: scammer used the name Alex Parker, and said his company was Creative Solutions Online: creativesolutionsonline.net.
Whocallsme.com came up with a number 4034563615 used by scammers claiming to represent the same company, or for Windows Internet
Office address given as Clearwater, Fla., and phone numbers in UK, US, Australia
REGISTRANT CONTACT INFO
Sibyl Technology Solution
I haven’t updated the scam resources page on the AVIEN blog site since November 2011. Mea Culpa. However, that doesn’t mean I haven’t been beavering away at raising awareness of this scam among readers of my blog, the security industry, and (not least) law enforcement. So I’ve finally got around to updating the page.
Firstly, I’ve changed the name to something more unwieldy (less wieldy?), but a bit more explicit as to exactly what it’s about.
Secondly, I’ve added quite a few links to resources. Depressingly, most of them are my own blogs – I can’t believe how hard it is to get people to take notice of this scam! – but I shouldn’t forget to mention my friends and colleagues Steve Burn (Malwarebytes), Craig Johnston (independent researcher) and Martijn Grooten (Virus Bulletin), with whose help I’ve put together a couple of somewhat massive papers to be presented at CFET and Virus Bulletin later this year.
David Harley CITP FBCS CISSP AVIEN & Small Blue-Green World Dogsbody ESET Senior Research Fellow