PC ‘Tech Support’ Cold-Call Scam Resources

[Added on 11th May 2013]

An article for (ISC)2: http://blog.isc2.org/isc2_blog/2013/05/the-evolution-of-support-scamming.html that references an article by Paul Ducklin - An unholy alliance – Fake Anti-Virus, meet Bogus Support Call! - and summarizes some of the other recent developments.

[Added 8th May 2013]

An article for ESET in which I commented on some recent developments in the support scam landscape, including a pointer to Jerome Segura’s article for the Malwarebytes blog Support Scam Cold-Calling: the Next Generation and another to Jean-Ian Boutin’s article Online PC Support scam: from cold calling to malware.

Support Scam Cold-Calling: the Next Generation

[Added 13th December 2012]

I have a load of content to add here, but I haven’t had time to sort it so far. So I’m afraid all I can do right now is add a couple of links to the ESET blog, where I have blogged on the topic once or twice since the 8th November (and they do point to other recent posts by others working in this area):

And Stephen Cobb blogged a nice collection of informational resources that you might find useful: Free cyber security resources to keep on your radar

[Added 8th November 2012]

A comment from Toronto to one of my blogs tells us that the commenter “Received a call yesterday evening and confirmed that a family member received a similar call during the same timeframe…it appears they are going through the phonebook for contact numbers.  The call came from a blocked long distance number.  A man with an east Indian accent was on the line and from what I could hear he was in a call centre.  Managed to get the “name” of the caller aka “Sam Spancer” but no other contact info.  In an attempt to gain my trust, he claimed to be working for the “Digital Network Server Department of Canada”, a supposed anti-hacking division of the Government of Canada, that my computer was being hacked and my assistance was required to stop the hackers before more damage was commited.”

[Added 6th November 2012]

A recent blog article at ESET is primarily about phishing and other scams related to Windows 8, but also includes some content relevant to this page.

I’m reminded to remind you that SANS is looking for information from people who’ve received support scam calls. They’ve shared a little of that information here.

And the paper by myself, Martijn Grooten, Craig Johnston and Steve Burn that I presented at the CFET Forensics conference in September is now available here: FUD and Blunder: Tracking PC Support Scams.

Also some other articles of mine:

[Added 12th October 2012]

Oops. I’ve fallen behind a bit with this. So here’s a bumper bundle of links:

[Added 11th September 2012]

Added an article including some comments to one of my ESET blogs on support scams: http://avien.net/blog/?p=874. Last week I presented on support scams at the CFET forensics conference in the UK: I’ll post a link here when the paper is up.

[Added 28th August 2012]

Report received via the ESET blog of a scam call using the ASSOC and Event Viewer ploys: scammer used the name Alex Parker, and said his company was Creative Solutions Online: creativesolutionsonline.net.

Whocallsme.com came up with a number 4034563615 used by scammers claiming to represent the same company, or for Windows Internet

Office address given as Clearwater, Fla., and phone numbers in UK, US, Australia

REGISTRANT CONTACT INFO
Sibyl Technology Solution
Rubel Debnath
339, purbasinthi
kolkata
west bengal
700030
IN
Phone: +91.9230062065
Email Address:

[Added 24th August 2012]

Blog here with more details about the way Ammy’s warning about misuse of its service: More about Dorifel as a scammer ploy, and Ammyy warns of misuse of its service

Steve Burn on Ammyy’s warning

And at ESET: Support scams and Quervar/Dorifel

[Added 21st August 2012]

More on globalpchelpline.com from ESET Threatblog reader Allan. In the case he reported, the prospective victim was given the US number on the same site I looked at, 1-800-986-4764. Oddly enough, when I looked at the site again just now, the Canadian page failed to load and the Australian page loaded, but popped up a somewhat intrusive live chat button that doesn’t show on other pages. Currently offline, echoing Righard Zwienenberg’s experience with a similar chat facility in a slightly different – but related – context: Scareware on the Piggy-Back of ACAD/Medre.A

Allan supplies some whois data for the site, registered with GoDaddy:

 Domain Name: GLOBALPCHELPLINE.COM
Created on: 18-Dec-10
Expires on: 18-Dec-13
Last Updated on: 15-Jul-12

As he says, ‘The rest is useless as it pertains to DomainsByProxy.’

Another comment from Michael told us about a scammer claiming to be “David Foster from Online Tech  Ph. 02 2039846662. I dialled the number while  talking to him but of course it is a dead number.” Veronica was called by someone from ‘IPC Support’: I haven’t had time to check these companies out yet, unfortunately.

Steve in the UK was told by a scammer that he knew the CLSID of his motherboard. I haven’t heard that one before. :) And Melissa was referred to the number 302-261-2620 and logmeinrescue.com.

[13th August 2012]

More from SANS on its tech support scam report form: ISC Feature of the Week: Report Fake Tech Support Calls.

Unfortunately, SANS hasn’t chosen to follow up on our offer to exchange information on this type of scam. Still, there are some useful additional resource links in the article:

  • An article by Johannes Ullrich
  • Two podcasts
  • And a relevant Threat Update Webcast

Meanwhile, SC Magazine reports on a couple of somewhat related issues:

Dorifel/Quervar: recent malware used by support scammers to support the con [11th August 2012]

The threat of the Dorifel/Quervar malware, spreading in the Netherlands, is used by telephone scammers to trick local PC users into paying for ‘protection’. Dorifel/Quervar: the support scammer’s secret weapon.

Support Scam Anna-lytics and a very dodgy phone number [9th August 2012]

Another day, another support scammer. Anna claimed to be from Global PC Helpline, and gave me a UK phone number 0800-0148910 which does indeed correspond to the Global PC Helpline page for the UK at http://globalpchelpline.com/uk/. She also told me that my PC was sending out messages about system errors, and tried to pull the CLSID gambit on me.

Much more here: Support Scammer Anna’s CLSID confusion

And reader Paul reports getting a very similar call from this number: 210 301 0307. A little googling found that this number (with a San Antonio, TX area code - maybe Anna’s real name is Rose!)  is associated not only with this scam, but many others, from cruise scams to credit card interest scams.

Misrepresenting System Utility Output [6th August]

Lengthy commentary on some issues raised by Krebs and Jacoby (see below): Misusing VERIFY (and other support scam tricks)

[5th August]

A comprehensive article by Kaspersky’s David Jacoby describing some of the ways in which scammers misuse system utilities to mislead their victims. Interesting to see confirmation of the misuse of Task Manager (as I previously described in Support Scammer Update: Misrepresenting Task Manager), and a gambit I haven’t seen before, i.e. the misuse of VERIFY. I’ll go into detail shortly on the ESET blog, but in the meantime Jacoby’s article has a lot of detail worth checking. Trying to unmask the fake Microsoft support scammers!

[2nd August 2012]

Interesting article by Brian Krebs on what he describes as a Tech Support Phone Scams Surge including some useful info on “a company in India called NIAS E Business Solutions” apparently implicated in a couple of reports that he’s received.

[15th July 2012]

As mentioned here, Martijn Grooten, Craig Johnston, Steve Burn and I have been working on two papers on the topic to be presented at CFET and Virus Bulletin respectively. Links to both papers will be added here once they’ve been presented.

Articles (mostly) from the ESET ThreatBlog that shed additional light on the evolving PC Tech Support Cold-Calling Scam

  1. Support scams: social engineering update looks at some of the other aspects of scam calls that have been reported to us at ESET.
  2. Support Scammer Update: Misrepresenting Task Manager looks at slightly novel twist on the misuse and misrepresentation of legitimate utilities to con victims into believing that there is something wrong with their systems. Other utilities we more commonly see misrepresented in this way include Event Viewer, ASSOC (the CLSID ploy), INF and Prefetch, none of which have much to do with security.
  3. Support Scam Poll looks at an information-gathering exercise by the Internet Storm Center. Unfortunately SANS hasn’t shown much interest in exchanging information with us, but if you have any direct experience of the scam, I’d encourage you to take a look at their survey anyway. The more that people pay attention to the scam, the likelier it is that someone will manage to achieve something. The SANS Ouch! newsletter for July 2012 also looks at this issue: nothing really new here, but probably a reasonable resource for people unaware of the problem.
  4. How to recognize a PC support scam is a fairly lengthy consideration of some of the social engineering devices the scammers use when they call.
  5. Fake Support, And Now Fake Product Support: how a legitimate and ethical AV company outsourced its support to a company accused of perpetrating support scams.
  6. Support Scammers (mis)using INF and PREFETCH: the details of how two legitimate utilities are misused by scammers.
  7. Cybercrime and Punishment An account of the Association of Chief Police Officer’s conference where I talked at some length about this type of scam.
  8. Facebook Likes and cold-call scams: a joint blog about the use of social media and other resources to bolster the tech support scam.

[30th November 2011]

New article on the ESET blog about additional information posted to blogs on this type of scam: Support-Scammer Tricks

[12th November 2011]

I guess you could consider this page a partial answer to a question I posed on the AVIEN blog: Support scams: what can AVIEN do about it? I plan to expand on this in the next few days, but right now it’s essentially an information resource following up and expanding on my blog at ESET on Facebook Likes and Cold-Call Scams, though of course that was just one of many. But it may well include links to material originating here, in due course. First, here’s a white paper on the topic published earlier this year: Hanging on the Telephone: it aggregates some of the information on the topic ESET had built up in the year previously. Later articles for ESET here.

And next, some relevant recent blogs.

30th November 2011: ESET blog about additional information posted to blogs on this type of scam: Support-Scammer Tricks

12th November 2011:

David Harley on how (not) to scam the BBC (expands on the Cellan-Jones story below)

11th November 2011:

10th November 2011

  • New blog by someone claiming to work for one of the scam companies: Exposing Indian Call Center Scam. It’s not clear which company, and some of the information doesn’t jibe with some of my experiences with some of the scammers, but seems an interesting insight anyway. I’ll probably look at it in some detail in due course.
  • The above was actually flagged as a comment to this joint blog talking about some of the deceptive techniques used by PC support sites to enhance their credibility. Facebook Likes and cold-call scams. That one actually includes copious links to other informational pages.

Articles on the topic for SC Magazine’s Cybercrime Corner:

Articles for chainmailcheck.

More soon…

David Harley CITP FBCS CISSP
AVIEN Dogsbody
ESET Senior Research Fellow