This page has now been renamed by dropping the reference to cold-calls, as cold-calling is no longer the only (or, arguably, the most effective) means of implementing tech support scams.
[20th February 2016]
My colleague Josep Albors came to a surprising conclusion in his Spanish language blog article Fake technical support is the most detected threat in Spain during January. I was so taken with the article that I generated a somewhat free translation with copious extra commentary for WeLiveSecurity: Support scams now reign in Spain.
[6th January 2016]
Article for this site: Support Scammers hit Mac users with DoS attacks. Jérôme Segura (for Malwarebytes) examines another DoS attack somewhere on the thin borderline between ransomware and tech support scams.
[15th December 2016]
Pointer blog on this site: to interesting analysis from Pieter Arntz for Malwarebytes of the VinCE screen locker, intended to persuade the victim into calling the ‘helpline’ number the malware displays. An example of malware that illustrates an almost imperceptible distinction between a tech support scam and true ransomware.
This AVIEN article also added to Tech Support Scams and Ransomware.
[3rd November 2016]
Thomas Webber brought to my attention his support scam resource page here: Tech Support Scam: More than Just Fake Calls from Microsoft. I’ve only skimmed it, but seems to provide useful information and advice.
[24th November 2016]
Entertainment rather than novel information – in fact, it’s an old-school cold call scam – but worth a minute or two of your time: Dr Solly Yanks a Support Scammer’s Chain
Every so often I get requests for help from people with a computer problem that may or may not be malware-related.
When I have to refuse help, which is more often than I’d like, I try to refer the people concerned to a more appropriate person or forum, and to suggest they do what they can to ensure that the advice is from a reputable and competent source. I’m more cautious about recommending specific resources, even well-known commercial organizations, unless I’m in a position to confirm their competence and bona fides.
Sadly, this reluctance has been reinforced by accusations against Office Depot, which is alleged to have tricked customers into paying for unnecessary repairs to their systems.
I’m not sure it’s that simple, though. As I discuss at some length in an article for ITSecurity UK: Support Scams and Diagnostic Services
[12th November 2016]
There have been suspicions before that TalkTalk customers have been targeted by tech support scammers who know more about their intended victims (and their issues with TalkTalk) than they should. I’ve alluded to them in some articles on this site.
I don’t, of course, know the facts behind those suspicions, but I note that Graham Cluley has encountered another curious incident – I won’t say coincidence…
[7th November 2016]
Hat tip to David Bisson, whose commentary for Graham Cluley’s blog called the issue to my attention.
[28th October 2016]
Posted here and to Geek Peninsula II: Support Scam that Threatens to Delete Hard Drive
Siddhesh Chandrayan, for Symantec, reports on a particularly vicious example of social engineering designed to scare a victim into ringing a fake support line: Tech support scams increasing in complexity – Tech support scammers have begun using code obfuscation to avoid detection. (Commentary by David Bisson, writing for Graham Cluley’s blog: Scare tactics! Tech support scam claims your hard drive will be deleted – Scammers tries to frighten you into phoning them up.)
The pop-up fake alert claims that the victim’s system is infected with ‘Exploit.SWF.bd’ and that the hard drive will be deleted if he or her tries to ‘close this page’. It displays a fake ‘hard drive delete timer’ complete with audio effect.
The obfuscated script also includes code to ascertain whether the system is running Windows, ‘MacOS’, UNIX or Linux, so that the alert can be tailored accordingly.
[24th October 2016]
What Hicurdismos actually does is generate a fake Blue Screen of Death (BSoD) including a ‘helpline number’: so yes, it’s essentially a malware-aided tech support scam. (Added 27th October: additional commentary by David Bisson)
[19th October 2016]
Malwarebytes CEO Marcin Kleczynski is heavily quoted by Steve Melendez in an article suggesting an ever-increasing correlation between tech support scams using malware and unequivocal ransomware: Tech Support Scams Are Getting More Sophisticated
[18th October 2016]
Interesting statistics regarding the relative proportions of tech support scam victims in various parts of the world:
- Microsoft: Youngsters more likely to be scam victims than pensioners, study reveals
- Sophos: Tech support scammers preying on young Americans, study finds
[30th August 2016]
Commentary from Help Net Security: Google Chrome users targeted by tech support scammers
[8th August 2016]
As described in an article on this site: Ransomlock.AT: ransomware meets support scams
Symantec describes ‘a new ransomware variant that pretends to originate from Microsoft and uses social engineering techniques to trick the victim into calling a toll-free number to “reactivate” Windows.’ (That is, to unlock the computer.) The article is here: New ransomware mimics Microsoft activation window. The Symantec researchers tried to contact the ‘helpline’ number 1-888-303-5121 but gave up after 90 minutes of on-hold music and messages. Interestingly, a web search for that number turns up dozens of links to sites claiming to help ‘remove’ the number, which Symantec believes to have been promoted by the ransomware operators or their affiliates.
Fortunately, they spent less time on concealing the unlock code, for the moment at any rate. Symantec tells us that ‘Victims of this threat can unlock their computer using the code: 8716098676542789’.
Today’s second look at a link between tech support scams and ransomware is a bit more tenuous. In fact, it deals with a support scammer who was caught unaware by ransomware, thanks to some quick thinking by a security researcher.
[26th July 2016]
Another of my colleagues at ESET brought to my attention an article in Computer World – Feds shut down tech support scammers, freeze assets – with more commentary about the Federal Trade Commissions instituting of legal action against ‘scammers, who bilk consumers out of an estimated $1.5 billion annually with bogus tales of infected Windows PCs and Apple Macs, high-pressure sales tactics, and grossly overpriced services and software.’
I may have further commentary on that in due course, but right now I’m a little busy. 🙂
[15th July 2016]
Press release from the Federal Trade Commission: Lead Generator Defendants in Tech-Support Scam Agree to Settlement With FTC and the State of Florida – Order Requires the Defendants to Pay $258,000 (HT to Stephen Cobb for drawing my attention to it.)
[4th July 2016]
As reported by Softpedia – One Crook [is] Running over 120 Tech Support Scam Domains on GoDaddy … and it seems there is no one to stop him from registering new domains and setting up new websites – it seems that MalwareHunterTeam is discomfited that it’s so easy to set up scam sites. Well, yes, but that’s hardly an issue that’s restricted to support scams, or even to scams in general. It doesn’t take much effort for criminals to set up web sites.
Commentary by David Bisson for Graham Cluley’s blog,
27th June 2016
Graham Cluley: SCAM VICTIM SUES TALKTALK
[23rd June 2016]
Article by me on Tech support scammers impersonating ISPs
[20th June 2016]
Article by me on this site: Beating the ‘Microsoft scam’ Actually, more a case of why it’s not so easy to beat the scam by education, responding to an article in SC Magazine.
[5th June 2016]
Another FBI alert, this time summarizing an increase in reports of tech support scams. While law-enforcement alerts are often behind the curve, there are several points well worth noting here:
- The addition of two approaches to initial contact that have been particularly noticeable recently:
- Via BSOD/locked screen
- Addition of an audio message urging the victim to report the issue to a fake support line
- An uptick in the variation where the scammer offers a ‘refund’ on ‘services’ previously paid for. This isn’t the technique much favoured by 419 scammers where the scammer takes advantage of the time it can take for a cheque to clear. Instead, the scammer persuades the victim to give the scammer remote access to the victim’s account as well as to his or her PC.
[2nd June 2016]
James Rodewald has put up an interesting article for ESET on a DNS hijacker. It’s actually the way it conceals its activity that’s of most interest: however, this will also interest followers of this blog:
Typically a computer user affected by DNS Unlocker will see advertisements with a note at the bottom saying, “Ads by DNSUnlocker” … or something similar and multiple different variations of “support scam” pop-ups …
Here’s another instance where ransomware and tech support scams overlap. Jérôme Segura, for Malwarebytes, describes how scammers have moved on from ‘bogus browser locks and fake AV alerts‘ to real screen lockers. In particular, he describes an example of malware shared by @TheWack0lian that passes itself off as a Windows update. However, during the ‘update’ it effectively locks the computer, ostensibly due to an ‘invalid licence key’, forcing the victim to call a ‘support line’.
The article – Tech Support Scammers Get Serious With Screen Lockers – includes a keyboard combination that might disable the locker, and some hardcoded ‘key’ values that might also work. However, it’s likely that there are already variants out there that use different ‘keys’, and if there aren’t, there almost certainly will be.
Commentary by David Bisson for Graham Cluley’s blog is also worth reading: New tech support scams mimic ransomware, lock users’ computers –Beware if you’re asked to pay $250 for a product key to unlock your PC.
[19th May 2016]
HT to Stephen Cobb, my colleague at ESET.
[12th May 2016]
Malwarebytes gets the jump on a group apparently responsible for impersonating legitimate security companies. Well, that’s pretty standard for tech support scammers, but in this case Malwarebytes is talking about ‘a fraudulent page which the crooks built by stealing the graphics from the Malwarebytes website and altering it to trick people into calling a toll-free number.’
And not only Malwarebytes. The article includes some screenshots of fake sites impersonating Microsoft, AVG, Kaspersky, ESET and so on.
Here’s the Malwarebytes article: The hunt for tech support scammers. Commentary by SC Magazine: Scammers impersonate legit cyber-security companies
[12th April 2016] Extract from blog article here: UK threat prevalence – Symantec
John Leyden for The Register has summarized Symantec’s latest Internet Security Threat Report, and focuses on UK-specific figures threat prevalence: Spear phishers target gullible Brits more than anyone else – survey; Ransomware, 0days, malware, scams… all are up, says Symantec.
Of particular relevance to this site are the statistics for crypto ransomware attacks (up by 35% in the UK) and for tech support scams (7m attacks in 2015). Since this is described as a survey, I guess the figures are extrapolated from the surveyed population’s responses rather than from a more neutral source, but I can’t say for sure.
[Added 2nd April 2016]
Palo Alto describes how a Unit 42 analyst dealt with a traditional cold-call support scammer. Nothing earth-shatteringly unusual as far the scamming methodology is concerned, but useful analysis nonetheless.
Robert Falcone and Simon Conant: Don’t Be an April Fool: Inside a Common Phone Scam
[Added 24th March 2016]
Jérôme Segura has blogged for Malwarebytes about a somewhat innovative tech support scam campaign: Scammers Impersonate ISPs in New Tech Support Campaign.
The scam is pushed by malvertising which
‘detects which Internet Service Provider (ISP) you are using (based on your IP address) and displays a legitimate looking page that urges you to call for immediate assistance.’
[Added 23rd February 2016]
If support scammers are using Dell customer data, as seems to be the case, Dell could certainly be more proactive in warning its customers, despite its own concerns about being seen as vulnerable to external or internal data leakage. But at least they’re now trying to gather info on the issue. See my article here: Support Scammers Targeting Dell Customers
… not everyone who is [a Dell customer] has the technical grasp that Krebs’s correspondents seem to have. So perhaps it’s time Dell at least made more effort to notify people using its products (and especially its support services) that scammers may have such data, and that possession of such data shouldn’t be taken as some sort of validation of the bona fides of a cold-caller.
[Added 17th February 2016]
My latest article for ESET’s WeLiveSecurity blog expands on an article that originally appeared in a lengthy article on support scams for ITSecurity UK, and subsequently in an article for the ESET Threat Radar Report for December 2015.
Support scams: What do I do now? covers some of the options for people who’ve allowed a support scammer to access their PC and, on discovering that they’ve been duped, have asked about the implications of that mistake and what they need to do next.
[Added 8th February 2016]
For the Register, Kat Hall revisits the allegations that the security of TalkTalk customers was compromised by data leaked to support scammers. In the BBC’s Moneybox programme it was claimed that ‘criminals appear to have accessed the details of TalkTalk engineer home visits and have gone on to use this information to trick customers’.
It’s not altogether clear that there is a direct link, but Hall points out that:
‘At the end of January, TalkTalk said it was considering cutting ties with its Indian call centre provider after three employees at the site were arrested for allegedly scamming customers.’
[Added 29th January 2016]
A slightly opaque story about TalkTalk and arrests at the Indian call centre it’s been using to lighten its support load.
- My commentary: Wipro Wipeout? Call Centres and Scams
- David Bisson for Graham Cluley’s blog: TalkTalk phone scams: arrests made at Indian call center
- Shaun Nichols for The Register: Indian call centre workers accused of harvesting data
- Geoff White for Channel 4 (UK)
[Added 25th January 2016]
For Graham Cluley’s blog, David Bisson summarizes the story of how Symantec ended its agreement with one of its partners after Jérôme Segura reported for Malwarebytes on how the partner was using tech support scam techniques to trick customers into buying Norton Antivirus and a year’s support at prices well in excess of the pricepoint set by Symantec.
Extensive commentary from me – Support Scams and the Security Industry – includes thoughts on specific scam ploys mentioned by Segura, and on reporting scammers to the industry.
[Added 22nd January 2016]
Jérôme Segura for Malwarebytes reports a case where the scammer is claimed to be ‘an official member of the Symantec Partner Program’. My commentary on this site is quite lengthy, and makes what I think is an important point about not being lured into contacting a scammer by popup alerts or by random ‘support links’ flagged by a search engine. While legitimate companies may be unaware of unethical practice by a partner occasionally, this is far less common than links associated with support sites whose adept use of SEO is not matched by expertise, integrity or ethics in the field of tech support.
[Added 21st December 2015]
iYogi tech support – sued by State of Washington – blog article on this site, commenting on Washington State’s legal action against iYogi, to whom a legitimate AV vendor used to outsource its support.
[Added 16th December 2015]
For Malwarebytes, Jérôme Segura reports on another incident where a support scam is combined with other malicious action – Comcast Customers Targeted In Elaborate Malvertising Attack. In this case, malvertising planted on Comcast’s Xfinity search page leads to an attempt to install malware via the Nuclear exploit kit. Malwarebytes weren’t able to collect the malware payload on this occasion, but think it likely to be Cryptowall or another type of ransomware. Subsequently, another site purporting to be the Xfinity portal may serve a fake alert along the lines of:
Comcast’s security plugin has detected some suspicious activity from your IP address. Some Spyware may have caused a security breach at your network location. Call Toll Free 1-866-319-7176 for technical assistance
Also reported by Help Net Security.
Adding to both the Tech Support Scam and Ransomware resource pages
[Added 4th December 2015]
Department of bizarre coincidences: yesterday I published a ransomware information page on this site, on approximately the same lines as this tech support page. Today an article by Zeljka Zorz for Help Net Security – A double whammy of tech support scam and ransomware hits US, UK users – directed me to this Symantec article by Deepak Singh: Tech support scams redirect to Nuclear EK to spread ransomware – Tech support scammers may have bolstered their arsenal by using the Nuclear exploit kit to drop ransomware onto victims’ computers.
This isn’t the first time I’ve heard of scammers who try to lure potential victims to a site from which the Nuclear exploit kit is being served as well as the support scam. Martijn Grooten wrote in some detail about such a case – Compromised site serves Nuclear exploit kit together with fake BSOD – for Virus Bulletin, back in July 2015. In this instance, though, if the exploit kit is successful in finding an exploitable vulnerability on the victim’s system, it will drop either the ugly Cryptowall ransomware or a data-stealing Trojan.
This may not be an instance of support scammers deliberately making use of an exploit kit with the intention of maximizing profit through ransomware or information stealing. But as Singh observes ‘…if this proves to be an effective combination, we are likely to see more of this in the future.’
[Added 26th November 2015]
Tech Support Scams: a Beginner’s Guide – a blog for IT Security UK. I thought maybe it was time we reconsidered what we tell end users what they need to know about support scams, as the scammers change their approach from cold-calling to pop-up fake alerts.
[Added 16th November 2015]
The FTC’s latest initiative in the war against support scams targets the use of fake system/browser/security software alerts.
Article by Shaun Nichols for the Register: FTC fells four tech-support operations in scammer crackdown
Comments by me on this site: Support Scams: FTC Targets Fake Alerts
[Added 12th November 2015]
It occurred to me, reading an article by my ESET colleague Jean-Ian Boutin – Operation Buhtrap, the trap for Russian accountants – that the Buhtrap Operation’s hijacking of Ammyy Admin might have direct consequences for some support scam victims, hence this blog: Buhtrap and Ammyy.
[Added 6th November 2015]
An interesting article by Talos with video and audio of a scammer in action, and details of this particular scamming group. Reverse Social Engineering Tech Support Scammers, by Jaime Filson and Dave Liebenberg.
And my own commentary for ITSecurity UK: Support Scams: Talos Takes Note
Plus an article from September 30th that I’ve seen before but don’t seem to have mentioned anywhere: David Finn for Microsoft – Microsoft hosts renowned ID theft expert to kick off expanded AARP partnership to stop tech scams. The expert in question was non other than Frank Abagnale, who led a discussion at the Redmond campus on the subject. The discussion and a subsequent workshop have been and gone, but the article includes some interesting content in its own right. For instance:
“Since May 2014, Microsoft has received over 175,000 customer complaints regarding fraudulent tech support scams. This year alone, an estimated 3.3 million people in the United States will pay more than $1.5 billion to scammers.”
[Added 21st October]
Article by me for ITsecurity on Support Scams: Splashes in the Phish Pool. Apple users targeted by a pop-up ‘alert’ may be directed to a site impersonating Apple’s own tech support site.
References a Malwarebytes article Tech Support Scammers Impersonate Apple Technicians by Jérôme Segura , also referenced by Ars Technica in an article by Dan Goodin: Support scams that plagued Windows users for years now target Mac customers [Added 22nd October: this article for The Register by John Leyden also refers: Support scammers target Mac fanbois]
[Added 16th October]
[Added 15th October 2015]
Support scammer phone info shared by several people on Twitter today: Support scammer phone numbers
[Added 8th October 2015]
Another article from me for ESET, on the way support scams are gradually moving away from simple-minded cold-calling to fake-AV-like pop-ups, intended to trick victims into making the initial telephone contact. The scams are aimed not only at Windows users but at users of OS X and iOS, Android, and even (rather ineptly) Linux. How many Linux users believe their system uses an NT Kernel? (And no, Wine doesn’t either: it implements the App Binary Interface in userspace, not in a kernel module.)
I also expanded on the theme of cross-platform scanning for Mac Virus.
[Added 14th September 2015]
[Added 11th September 2015]
[Added 2nd September 2015]
Blog by me for ESET on recent trends: Support scams, malware and mindgames without frontiers
[Added 18th August 2015]
Another blog by Jérôme Segura well worth a read: The Multi-language Tech Support Scam is Here
[Added 31st July 2015]
A new blog by me, Double Dipping: Nuclear exploit, fake BSOD, support scams, refers to two very interesting blogs by Martijn Grooten – Compromised site serves Nuclear exploit kit together with fake BSOD – and Jérôme Segura – TechSupportScams And The Blue Screen of Death.
[Added 28th July 2015]
Here’s a translation/summary of that blog by Josep Albors about iOS support scams.
[Added 21st July 2015]
I was quoted in Josep Albors’ blog for Ontinet regarding the iOS support scams. Sorry, it’s in Spanish, but I’ll come back to it in a little while in English.
[Added 17th July 2015]
Here’s a further Mac Virus article in the light of an F-Secure article explaining that pop-up blocking in Safari doesn’t fix the iOS Support Scams issue I added yesterday: A bit more on iOS support scams. I don’t necessarily include links here that are internal to a link that I have added here, but as this issue still seems quite ‘live’ I will this time:
I also notice that there’s a Wikipedia article on support scams here. It’s not exactly comprehensive, but it’s reasonably accurate and even links to a couple of my articles. 🙂
[Added 16th July 2015]
Here’s an extract from another Mac Virus article – iOS Support Scams – on tech support scams, this time targeting iOS users:
A new blog by Graham Cluley for Intego actually has some points in common with my most recent blog here (which also involved pop-ups misused by support scammers, particularly in the context of Safari). However, Graham’s article is about iOS, whereas mine related to questions asked regarding OS X and Safari (citing advice from Thomas Reed that also addressed other browsers).
[Added 14th July 2015]
An article for Mac Virus on tech support scam pop-ups targeting Mac users, and pointing to a useful article by Thomas Reed here, as well as a knowledge base article by Apple on dealing with ad-injection software.
[Added 26th June 2015]
An article for ESET. Not primarily about support scams, but interesting data from reports by the Consumer Sentinel Network Data Book for January-December 2014 and Pindrop Security – The State of Phone Fraud 2014-2015: a Global, Cross-Industry Threat.
I don’t recommend (see my article) that you take the statistics as gospel, but interesting trends and commentary.
[Added 4th May 2015]
I don’t know how many people are still watching this page, but I haven’t updated it in a few months, so here are two things from the WeLiveSecurity page that I should have added:
[Added 26th October]
Alleged US support scam site temporarily shut down: one of my articles for IT Security UK about the FTC securing an injunction against Pairsys Inc, which (according to The Register) is is “banned from deceptive telemarketing practices, and may not sell or rent their customer lists to any third party. The injunction requires that their websites and telephone numbers must be shut down and disconnected, and their assets be frozen.”
Tech support for telemarketers has a somewhat tenuous link to support scams, but might amuse you anyway.
[Added 18th October]
I was contacted on another blog by ‘Steve’ at Emsisoft about a blog he put up recounting an encounter with a support scammer who cold-called Bleeping Computer. There isn’t an awful lot in the account that’s really new: the Event Viewer gambit, remote access with TeamViewer, misrepresentation of Task Manager, the claim that the ‘victim’s’ anti-malware is ‘incompatible and useless’, even the misrepresentation of the ‘tree’ command, with the crude interpolation of ‘virus alerts’ typed in by the scammer. However, the detailed transcription of the conversation is interesting, and there are a few details that are probably worth discussion in another article. Watch this space.
[Added 26th September, 2014]
Jérôme Segura talks about his paper Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam, which he just presented at Virus Bulletin 2014, on the Malwarebytes blog: Tech Support Scams exposed at VB2014. The blog includes a link to a PDF version of the slide deck.
[Added 22nd September, 2014]
Support scam paper at Virus Bulletin 2014 considers the paper to be presented by Jérôme Segura at this year’s Virus Bulletin, as well as Martijn Grooten’s preview on the Virus Bulletin blog.
[Added 12th September, 2014]
Biting the Biter: considers the proposed use of a flaw in Ammyy Admin 3.5 as a means of attacking a machine used by a support scammer.
[Added 14th August 2014]
[Added 25th July 2014]
A video on How to avoid tech support scams from ESET (no, nothing to do with me).
[Added 3rd July 2014]
Another article for Graham Cluley’s blog about a site used to direct support scam victims to remote access software: Support scammers – at your service!
[Added 21st June 2014]
My article for Graham Cluley’s blog: Tech support scams and the wisdom of Solomon
Plus the six blogs referenced in that article “where Dr Solly messes with the heads of assorted grades of support scammer”:
- Technical support scam
- Technical support scam, part two
- Technical support scam part 3
- Technical support scam part 4
- Technical support scam part 5
- Technical support scam part 6
[Added 29th May, 2014]
Some of us remember with affection Dr Solomon’s Antivirus Toolkit. Alan Solomon hasn’t been very active in the AV scene in recent years, but recently he had quite a lot of fun with a support scammer: Technical support scam
[Added 22nd May, 2014]
Yet another Harley support scam article for ESET’s WeLiveSecurity blog: Support Scam Using (MS-)DOS* Attack
The never-ending Windows support scam often misrepresents obsolete MS-DOS utilities. But three simple rules will bypass most of that social engineering.
[Added 21st May, 2014]
- Rob Waugh writes for ESET’s We Live Security page on Technology giants join forces to battle tech support phone scams
- Another view of the same topic from Facecrooks: Facebook Teams Up with Google, Twitter and Others to Take Down Tech Support Scammers
- An Ars Technica article – Inside the US government’s war on tech support scammers – describes how an FTC (Federal Trade Commission) investigator gathered evidence that helped towards getting a temporary restraining order against an offending company
- Here’s a comprehensive list of misused utilities published by Malwarebytes that I may have mentioned before
- And Blaze’s Security Blog offers A word on phone scammers (actually, several words…)
[Added 2nd March 2014]
An article by me for ESET that I should have posted here ages ago: Scams: Tech Support, Accident Insurance, PPI, Oh My My.
And I just realized that I didn’t actually post a link to an excellent post by Martijn Grooten that’s briefly referenced in the same blog: Tech support scammers won’t give up.
[Added 29th January 2014]
[Added 23rd January 2014]
An interesting article by Jérôme Segura for the Malwarebytes blog: Tech support scammers target smartphone and tablet users. With particular reference to scammers advertising support for Android.
You might also find this thread, flagged by my good friend Steve Burn, also of Malwarebytes, of interest: https://www.mywot.com/en/forum/42800-microsoftsupporter-com.
[Added 9th January 2014]
[Added 22nd December 2013]
An article by Andy O’Donnell on Beware of the ‘Ammyy’ Security Patch Phone Scam: A new twist on an old scam. Rather a narrow AMMYY- and US-centric view of how tech support scams work, but has some suggestions that may be useful to all those people who ask what to do when they’ve allowed a support scammer access to their PC. HT to Patrick Nolan.
I also forgot to add a recent article by Rob Waugh for ESET: Reverse charges: How one man turned the tables on PC phone scammers. My own blog Scamming the Scammers also refers.
[Added 22nd November 2013]
Another blog by me for ESET on how support scammers sometimes convince you that they’re providing product support on behalf of the vendor.
- By social engineering in the course of a cold-call.
- By seeding the web with sites and using SEO to promote them that support their claims to provide AV tech support, though they’re unlikely to claim there that they’re directly affiliated with individual companies.
I had a lot of helpful discussion with ESET’s support team that inspired the article. And I regard this kind of fraud as an insult to the sterling work that real AV tech support teams do.
[Added 5th November 2013]
Blog by me for ESET. Update on some new gambits and reports by other researchers.
[Added 20th June 2013]
An article by me for ESET: Support Scams: we don’t really write all the viruses…
Which includes commentary on and references to this article by Eddy Willems: A curious phone call – when a help desk scammer offers you a job
[Added on 11th May 2013]
An article for (ISC)2: http://blog.isc2.org/isc2_blog/2013/05/the-evolution-of-support-scamming.html that references an article by Paul Ducklin – An unholy alliance – Fake Anti-Virus, meet Bogus Support Call! – and summarizes some of the other recent developments.
[Added 8th May 2013]
An article for ESET in which I commented on some recent developments in the support scam landscape, including a pointer to Jerome Segura’s article for the Malwarebytes blog Support Scam Cold-Calling: the Next Generation and another to Jean-Ian Boutin’s article Online PC Support scam: from cold calling to malware.
Support Scam Cold-Calling: the Next Generation
[Added 13th December 2012]
I have a load of content to add here, but I haven’t had time to sort it so far. So I’m afraid all I can do right now is add a couple of links to the ESET blog, where I have blogged on the topic once or twice since the 8th November (and they do point to other recent posts by others working in this area):
And Stephen Cobb blogged a nice collection of informational resources that you might find useful: Free cyber security resources to keep on your radar
[Added 8th November 2012]
A comment from Toronto to one of my blogs tells us that the commenter “Received a call yesterday evening and confirmed that a family member received a similar call during the same timeframe…it appears they are going through the phonebook for contact numbers. The call came from a blocked long distance number. A man with an east Indian accent was on the line and from what I could hear he was in a call centre. Managed to get the “name” of the caller aka “Sam Spancer” but no other contact info. In an attempt to gain my trust, he claimed to be working for the “Digital Network Server Department of Canada”, a supposed anti-hacking division of the Government of Canada, that my computer was being hacked and my assistance was required to stop the hackers before more damage was commited.”
[Added 6th November 2012]
A recent blog article at ESET is primarily about phishing and other scams related to Windows 8, but also includes some content relevant to this page.
And the paper by myself, Martijn Grooten, Craig Johnston and Steve Burn that I presented at the CFET Forensics conference in September is now available here: FUD and Blunder: Tracking PC Support Scams.
Also some other articles of mine:
[Added 12th October 2012]
Oops. I’ve fallen behind a bit with this. So here’s a bumper bundle of links:
- My PC has 32,539 errors: how telephone support scams really work [conference paper] By David Harley, Martijn Grooten, Steven Burn and Craig Johnston: Presented at the Virus Bulletin 2012 conference in September, this is a comprehensive consideration of the ongoing evolution of the PC telephone support scam. First published in the Virus Bulletin 2012 Conference Proceedings and available on the ESET site by kind permission of Virus Bulletin.
- My PC has 32,539 errors: how telephone support scams really work [presentation] By David Harley, Steven Burn, Martijn Grooten, and Craig Johnston: this is the slide deck to go with the paper presented at Virus Bulletin 2012 looking at the ongoing evolution of the PC tech support scam, subsequently made available on the Virus Bulletin site.
- Blog by Stephen Cobb on the FTC initiative: FTC cracks down on tech support scams and feds nail fake AV perps
[Added 11th September 2012]
Added an article including some comments to one of my ESET blogs on support scams: http://avien.net/blog/?p=874. Last week I presented on support scams at the CFET forensics conference in the UK: I’ll post a link here when the paper is up.
[Added 28th August 2012]
Report received via the ESET blog of a scam call using the ASSOC and Event Viewer ploys: scammer used the name Alex Parker, and said his company was Creative Solutions Online: creativesolutionsonline.net.
Whocallsme.com came up with a number 4034563615 used by scammers claiming to represent the same company, or for Windows Internet
Office address given as Clearwater, Fla., and phone numbers in UK, US, Australia
REGISTRANT CONTACT INFO
Sibyl Technology Solution
[Added 24th August 2012]
Blog here with more details about the way Ammy’s warning about misuse of its service: More about Dorifel as a scammer ploy, and Ammyy warns of misuse of its service
Steve Burn on Ammyy’s warning
And at ESET: Support scams and Quervar/Dorifel
[Added 21st August 2012]
More on globalpchelpline.com from ESET Threatblog reader Allan. In the case he reported, the prospective victim was given the US number on the same site I looked at, 1-800-986-4764. Oddly enough, when I looked at the site again just now, the Canadian page failed to load and the Australian page loaded, but popped up a somewhat intrusive live chat button that doesn’t show on other pages. Currently offline, echoing Righard Zwienenberg’s experience with a similar chat facility in a slightly different – but related – context: Scareware on the Piggy-Back of ACAD/Medre.A
Allan supplies some whois data for the site, registered with GoDaddy:
Domain Name: GLOBALPCHELPLINE.COM
Created on: 18-Dec-10
Expires on: 18-Dec-13
Last Updated on: 15-Jul-12
As he says, ‘The rest is useless as it pertains to DomainsByProxy.’
Another comment from Michael told us about a scammer claiming to be “David Foster from Online Tech Ph. 02 2039846662. I dialled the number while talking to him but of course it is a dead number.” Veronica was called by someone from ‘IPC Support’: I haven’t had time to check these companies out yet, unfortunately.
Steve in the UK was told by a scammer that he knew the CLSID of his motherboard. I haven’t heard that one before. 🙂 And Melissa was referred to the number 302-261-2620 and logmeinrescue.com.
[13th August 2012]
More from SANS on its tech support scam report form: ISC Feature of the Week: Report Fake Tech Support Calls.
Unfortunately, SANS hasn’t chosen to follow up on our offer to exchange information on this type of scam. Still, there are some useful additional resource links in the article:
Meanwhile, SC Magazine reports on a couple of somewhat related issues:
- While it’s not about fake support cold-calling, the SC Webcast Cleaning malware infections becomes a weekly job, as reality of helpdesk enquiries exposed does suggest that the sheer number of malware incidents reported to genuine helpdesks is an indicator of the continuing potential of this scam for illicit profit.
- LogMeIn provides a legitimate service frequently misused by support scammers. The news that LogMeIn adds anti-virus monitoring and management for remote worker control may be welcome for legitimate corporate users, but also suggests possibilities for future scams. I may come back to that.
Dorifel/Quervar: recent malware used by support scammers to support the con [11th August 2012]
The threat of the Dorifel/Quervar malware, spreading in the Netherlands, is used by telephone scammers to trick local PC users into paying for ‘protection’. Dorifel/Quervar: the support scammer’s secret weapon.
Support Scam Anna-lytics and a very dodgy phone number [9th August 2012]
Another day, another support scammer. Anna claimed to be from Global PC Helpline, and gave me a UK phone number 0800-0148910 which does indeed correspond to the Global PC Helpline page for the UK at http://globalpchelpline.com/uk/. She also told me that my PC was sending out messages about system errors, and tried to pull the CLSID gambit on me.
Much more here: Support Scammer Anna’s CLSID confusion
And reader Paul reports getting a very similar call from this number: 210 301 0307. A little googling found that this number (with a San Antonio, TX area code – maybe Anna’s real name is Rose!) is associated not only with this scam, but many others, from cruise scams to credit card interest scams.
Misrepresenting System Utility Output [6th August]
Lengthy commentary on some issues raised by Krebs and Jacoby (see below): Misusing VERIFY (and other support scam tricks)
A comprehensive article by Kaspersky’s David Jacoby describing some of the ways in which scammers misuse system utilities to mislead their victims. Interesting to see confirmation of the misuse of Task Manager (as I previously described in Support Scammer Update: Misrepresenting Task Manager), and a gambit I haven’t seen before, i.e. the misuse of VERIFY. I’ll go into detail shortly on the ESET blog, but in the meantime Jacoby’s article has a lot of detail worth checking. Trying to unmask the fake Microsoft support scammers!
[2nd August 2012]
Interesting article by Brian Krebs on what he describes as a Tech Support Phone Scams Surge including some useful info on “a company in India called NIAS E Business Solutions” apparently implicated in a couple of reports that he’s received.
[15th July 2012]
As mentioned here, Martijn Grooten, Craig Johnston, Steve Burn and I have been working on two papers on the topic to be presented at CFET and Virus Bulletin respectively. Links to both papers will be added here once they’ve been presented.
Articles (mostly) from the ESET ThreatBlog that shed additional light on the evolving PC Tech Support Cold-Calling Scam
- Support Scammer Update: Misrepresenting Task Manager looks at slightly novel twist on the misuse and misrepresentation of legitimate utilities to con victims into believing that there is something wrong with their systems. Other utilities we more commonly see misrepresented in this way include Event Viewer, ASSOC (the CLSID ploy), INF and Prefetch, none of which have much to do with security.
- Support Scam Poll looks at an information-gathering exercise by the Internet Storm Center. Unfortunately SANS hasn’t shown much interest in exchanging information with us, but if you have any direct experience of the scam, I’d encourage you to take a look at their survey anyway. The more that people pay attention to the scam, the likelier it is that someone will manage to achieve something. The SANS Ouch! newsletter for July 2012 also looks at this issue: nothing really new here, but probably a reasonable resource for people unaware of the problem.
How to recognize a PC support scam is a fairly lengthy consideration of some of the social engineering devices the scammers use when they call.
- Fake Support, And Now Fake Product Support: how a legitimate and ethical AV company outsourced its support to a company accused of perpetrating support scams.
- Support Scammers (mis)using INF and PREFETCH: the details of how two legitimate utilities are misused by scammers.
- Cybercrime and Punishment An account of the Association of Chief Police Officer’s conference where I talked at some length about this type of scam.
Facebook Likes and cold-call scams: a joint blog about the use of social media and other resources to bolster the tech support scam.
[30th November 2011]
New article on the ESET blog about additional information posted to blogs on this type of scam: Support-Scammer Tricks
[12th November 2011]
I guess you could consider this page a partial answer to a question I posed on the AVIEN blog: Support scams: what can AVIEN do about it? I plan to expand on this in the next few days, but right now it’s essentially an information resource following up and expanding on my blog at ESET on Facebook Likes and Cold-Call Scams, though of course that was just one of many. But it may well include links to material originating here, in due course. First, here’s a white paper on the topic published earlier this year: Hanging on the Telephone: it aggregates some of the information on the topic ESET had built up in the year previously. Later articles for ESET here.
And next, some relevant recent blogs.
30th November 2011: ESET blog about additional information posted to blogs on this type of scam: Support-Scammer Tricks
12th November 2011:
David Harley on how (not) to scam the BBC (expands on the Cellan-Jones story below)
11th November 2011:
- Rory Cellan-Jones on how to spot a virus scam
- Martijn Grooten on our earlier joint research with Steve Burn
- David Harley’s blog from July on the CLSID trick for conning the victim into thinking the scammer really has information specific to his PC
10th November 2011
- New blog by someone claiming to work for one of the scam companies: Exposing Indian Call Center Scam. It’s not clear which company, and some of the information doesn’t jibe with some of my experiences with some of the scammers, but seems an interesting insight anyway. I’ll probably look at it in some detail in due course.
- The above was actually flagged as a comment to this joint blog talking about some of the deceptive techniques used by PC support sites to enhance their credibility. Facebook Likes and cold-call scams. That one actually includes copious links to other informational pages.
Articles on the topic for SC Magazine’s Cybercrime Corner:
- Cold-calling scams and rehearsals for retirement*
- Support scams: Can we help you with those?
- Cold call scams: Life in the old dog
- Supporters club
David Harley CITP FBCS CISSP
ESET Senior Research Fellow