Category Archives: support scams

Should TalkTalk block TeamViewer?

It’s hardly a secret that TalkTalk has had problems with tech support scams. Or at any rate its customers have, leading to suspicions that some of the scammers “… know more about their intended victims (and their issues with TalkTalk) than they should.” I don’t suppose for a moment that TalkTalk is actively cooperating with known scammers, of course, but it was widely reported last year that three call-centre workers at Wipro, to which TalkTalk outsourced some support services in 2011, had been arrested on suspicion of – according to the BBC – selling TalkTalk customer data.

The BBC’s recent report also asserts that TalkTalk customers are targeted by “an industrial-scale fraud network in India”. Commentary from Sophos hints that the issue is ‘related not to TalkTalk but to one of its subcontractors’.

TalkTalk has set up a site in cooperation with Get Safe Online called Beat The Scammers, which it describes as “an education and awareness campaign … designed to help you protect yourself from the growing threat of scams”. The site does seem to offer some reasonable advice and a certain amount of insight into how these particular scammers appear to be operating, though it seems focused on old-school cold-calling rather than on pop-ups directing victims to ‘helplines’. Still, most of the old tricks are still used by ‘next-generation’ scammers. And in fact, I quite like the idea of ‘The Nevers’, a short list of things that a TalkTalk representative ‘will never do’. For instance:

  • Ask for a customer’s full password (apparently they may ask for two digits)
  • Ask for bank details to process a refund (details the company should already have)
  • Ask the customer to send money through services like MoneyGram or Western Union (two services very commonly used by scammers)

However, the company has also upset some of its customers, according to Kat Hall (writing for The Register), by blocking TeamViewer, a remote access/desktop management tool: “TalkTalk blocks TeamViewer – Wants to protect customers from phishing and scamming”.

It’s perfectly true that TeamViewer, like AMMYY and several similar tools/sites, is widely used by support scammers. But it’s a legitimate service also widely used for entirely legitimate desktop management purposes. A blanket ban on its use is rather like an anti-malware application deciding to make it impossible for a customer to run ‘Possibly Unwanted’ or ‘Possibly Unsafe’ applications. We don’t do that – well, most of us don’t – because although it might make some customers safer, some people would be seriously inconvenienced by it. Apart from the fact that those people would have to take their business elsewhere, it hardly seems appropriate for a security company to deny its customers access to legitimate services. There is a classic tripod model of security, said to consist of Confidentiality, Integrity, and Availability. Take away availability, and what you have is no longer security.

David Harley

Technet: Elementary, my dear scammer

An article for Microsoft’s Technet describes a somewhat innovative tech support scam. It uses a script associated with the JS/Techbrolo family, known for its habit of generating fake alerts involving dialogue loops and audio messages. So far so average. But in this case, the pop-up isn’t a dialogue loop, but a website element of the scam page. If the victim clicks anywhere on the ‘dialogue box’ or anywhere else on the page, he or she is presented with what looks like a full-screen browser page open at something looking very much like a Microsoft support URL: however, it’s actually just another website element.

Microsoft: Breaking down a notably sophisticated tech support scam M.O.

HT to David Bisson, whose Tripwire blog drew this to my attention: Tech Support Scam Uses Website Elements to Spoof Microsoft Support Page

Tech Support Scams in Spain

My colleague Josep Albors came to a surprising conclusion in his Spanish language blog article Fake technical support is the most detected threat in Spain during January. I was so taken with the article that I generated a somewhat free translation with copious extra commentary for WeLiveSecurity: Support scams now reign in Spain.

David Harley

Jolly Roger scuppers scammers

I’m not very good at engaging with tech support scammers directly on the phone. Back in the heyday of cold-calling scammers, I would try to string them along for a while just to see if they had any new wrinkles and gambits I ought to know about. But to be honest, I tended to get too angry, too quickly, and often blew it by telling them exactly what I thought of them. Or, in one or two cases, by dissolving into uncontrollable laughter at some of their more outrageous claims. But for me, it hasn’t really been about entertainment.

Certainly we’ve learned a lot over the years from people who’ve pretended to let a scammer onto their precious systems, but in reality have simply enticed him onto a disposable virtual machine and refreshed the image when they’d had their fun. My only reservation is that if you let a scammer within a hundred miles of accessing your system remotely, you’d better be sure you know what you’re doing.

There are, of course, people who are at least in part driven by the desire for amusement and to waste a scammer’s time and energy. And while I think this is more a matter of diversion than of having a real impact on the problem, I certainly don’t object in principle to eating into a scammer’s profit margins.

David Bisson describes for Tripwire an interesting way to waste a scammer’s time: One Researcher’s Plan to Broadside Known Windows Tech Support Scammers. He says:

Jolly Roger Telephone Company … specializes in creating bots that blend artificial intelligence and pre-recorded phrases together all for the sake of “talking” with inbound telemarketer scammers. In most cases, the bots waste several minutes of the scammers’ time before the fraudsters catch on and disconnect.

Jolly Roger itself says:

…now there is a way to fight back. The Jolly Roger Telephone Co. provides a friendly, agreeable, patient robot that talks to these rude telemarketers for you. It is happy to chat, and will typically keep an unwary salesperson engaged for several minutes.

I’m certainly not saying you should use its services, and I’m not even sure I’ll add it to the resources page here. But you might at least get some amusement by wandering around its site for a few minutes. Personally, I’d rather make a few scammers walk the plank.

David Harley

Support Scammers hit Mac users with DoS attacks

examines another attack somewhere on the thin borderline between ransomware and tech support scams: Tech support scam page triggers denial-of-service attack on Macs. This is another instance of scammers encouraging victims to call a fake helpline by hitting them with some sort of Denial of Service (DoS) attack: in this case, by causing Mail to keep opening email drafts until the machine freezes, or using iTunes, apparently to put up a fake alert.

Commentary by David Bisson for Tripwire: Tech Support Scam Creates Series of Email Drafts to Crash Macs.

David Harley

Malwarebytes makes VinCEmeat of screen locker

Interesting analysis from Pieter Arntz for Malwarebytes of the VinCE screen locker, intended to persuade the victim into calling the ‘helpline’ number the malware displays. An example of malware that illustrates an almost imperceptible distinction between a tech support scam and true ransomware.

A closer look at a tech support screen locker

This AVIEN article has also been added to Tech Support Scams and Ransomware, to Specific Ransomware Families and Types, and to PC ‘Tech Support’ Scam Resources. The latter has now been renamed by dropping the reference to cold-calls, as cold-calling is no longer the only (or, arguably, the most effective) means of implementing tech support scams.

David Harley

Support Scams and Diagnostic Services

Every so often I get requests for help from people with a computer problem that may or may not be malware-related.

When I have to refuse help, which is more often than I’d like, I try to refer the people concerned to a more appropriate person or forum, and to suggest they do what they can to ensure that the advice is from a reputable and competent source. I’m more cautious about recommending specific resources, even well-known commercial organizations, unless I’m in a position to confirm their competence and bona fides.

Sadly, this reluctance has been reinforced by accusations against Office Depot, which is alleged to have tricked customers into paying for unnecessary repairs to their systems.

I’m not sure it’s that simple, though, as I discuss at some length in an article for ITSecurity UK: Support Scams and Diagnostic Services.

David Harley

Dr Solly Yanks a Support Scammer’s Chain

Dr Alan Solomon, one of the pioneers of the anti-virus/anti-malware industry (though not one of its biggest fans these days), describes a game of ‘upstairs downstairs’ played with a hapless scammer who made the terrible mistake of ringing him to tell him about his malware ‘problem’.

Another tech support scam

It might not tell you anything you didn’t already know about the classic cold-call scam, but it’s very likely to afford you a minute or two of entertainment.

David Harley

Support scammer targeting TalkTalk customer (again)

There have been suspicions before that TalkTalk customers have been targeted by tech support scammers who know more about their intended victims (and their issues with TalkTalk) than they should. I’ve alluded to them in some articles on this site.

I don’t, of course, know the facts behind those suspicions, but I note that Graham Cluley has encountered another curious incident – I won’t say coincidence…

Brand new TalkTalk customer is targeted by phone scammer – A problem at TalkTalk? Say it ain’t so.

David Harley

HTML5 bug misused by support scammers

An article by Jérôme Segura for Malwarebytes – Tech support scammers abuse bug in HTML5 to freeze computers – describes a variation on the tech support ploy of using JavaScript loops to simulate a persistent pop-up ‘alert’. In this case, the attack abuses a bug involving the history.pushState() method introduced with HTML5. According to Segura, ‘the computer that visited this site is essentially stuck with the CPU and memory maxed out while the page is not responding’, though it may be possible to kill the browser process with Task Manager.

Hat tip to David Bisson, whose commentary for Graham Cluley’s blog called the issue to my attention.

David Harley