Tech Support Scams and Ransomware

Some forms of ransomware don’t necessarily (directly) involve encryption, but are nevertheless intended to block the victim’s access to their device or data, or at least to persuade the victim that access is blocked. Sometimes, the blocking is easily bypassed. Sometimes it isn’t there at all, but involves a fake pop-up along the same lines as those used by some tech support scammers. We don’t normally include tech support scams in the ransomware category, but both types of attack involve getting money from victims for fixing (sometimes) issues that were caused or fabricated by the criminal. Sometimes, however, tech support scams and ransomware are more or less directly related.

[20th February 2017]

My colleague Josep Albors came to a surprising conclusion in his Spanish language blog article Fake technical support is the most detected threat in Spain during January. I was so taken with the article that I generated a somewhat free translation with copious extra commentary for WeLiveSecurity: Support scams now reign in Spain. Not primarily about ransomware, but does include a little info.

[15th December 2016]

For this site: Malwarebytes makes VinCEmeat of screen locker

Pointer to interesting analysis from Pieter Arntz for Malwarebytes of the VinCE screen locker, intended to persuade the victim into calling the ‘helpline’ number the malware displays. An example of malware that illustrates an almost imperceptible distinction between a tech support scam and true ransomware, which is why it’s included here.

A closer look at a tech support screen locker

[20th May 2016]

Fake Support, Real Screen Locker Malware

Here’s another instance where ransomware and tech support scams overlap. Jérôme Segura, for Malwarebytes, describes how scammers have moved on from ‘bogus browser locks and fake AV alerts‘ to real screen lockers. In particular, he describes an example of malware shared by @TheWack0lian that passes itself off as a Windows update. However, during the ‘update’ it effectively locks the computer, ostensibly due to an ‘invalid licence key’, forcing the victim to call a ‘support line’.

The article – Tech Support Scammers Get Serious With Screen Lockers – includes a keyboard combination that might disable the locker, and some hardcoded ‘key’ values that might also work. However, it’s likely that there are already variants out there that use different ‘keys’, and if there aren’t, there almost certainly will be.

Commentary by David Bisson for Graham Cluley’s blog is also worth reading: New tech support scams mimic ransomware, lock users’ computers –Beware if you’re asked to pay $250 for a product key to unlock your PC.

[4th December 2015]

Department of bizarre coincidences: yesterday I published this ransomware information page, on approximately the same lines as the tech support information page. Today an article by Zeljka Zorz for Help Net Security – A double whammy of tech support scam and ransomware hits US, UK users – directed me to this Symantec article by Deepak Singh: Tech support scams redirect to Nuclear EK to spread ransomware – Tech support scammers may have bolstered their arsenal by using the Nuclear exploit kit to drop ransomware onto victims’ computers. Which seems to belong on both pages.

This isn’t the first time I’ve heard of scammers who try to lure potential victims to a site from which the Nuclear exploit kit is being served as well as the support scam.  Martijn Grooten wrote in some detail about such a case – Compromised site serves Nuclear exploit kit together with fake BSOD – for Virus Bulletin, back in July 2015. In this instance, though, if the exploit kit is successful in finding an exploitable vulnerability on the victim’s system, it will drop either the ugly Cryptowall ransomware or a data-stealing Trojan.

Perhaps this is not an instance of support scammers deliberately making use of an exploit kit with the intention of maximizing profit through ransomware or information stealing. But as Singh observes ‘…if this proves to be an effective combination, we are likely to see more of this in the future.’

Added 16th December 2015.

For Malwarebytes, Jérôme Segura reports on another incident where a support scam is combined with other malicious action – Comcast Customers Targeted In Elaborate Malvertising Attack. In this case, malvertising planted on Comcast’s Xfinity search page leads to an attempt to install malware via the Nuclear exploit kit. Malwarebytes weren’t able to collect the malware payload on this occasion, but think it likely to be Cryptowall or another type of ransomware. Subsequently, another site purporting to be the Xfinity portal may serve a fake alert along the lines of:

Comcast’s security plugin has detected some suspicious activity from your IP address.  Some Spyware may have caused a security breach at your network location.  Call Toll Free 1-866-319-7176 for technical assistance

Also reported by Help Net Security.

David Harley