Tag Archives: Jerome Segura

Support Scammers hit Mac users with DoS attacks

Jérôme Segura, for Malwarebytes, examines another attack somewhere on the thin borderline between ransomware and tech support scams: Tech support scam page triggers denial-of-service attack on Macs. This is another instance of scammers encouraging victims to call a fake helpline by hitting them with some sort of Denial of Service (DoS) attack: in this case, by causing Mail to keep opening email drafts until the machine freezes, or by using iTunes, apparently to put up a fake alert.

Commentary by David Bisson for Tripwire: Tech Support Scam Creates Series of Email Drafts to Crash Macs.

David Harley


Tech support scammers impersonating ISPs

Jérôme Segura, for Malwarebytes, adds to our knowledge of current support scam tricks by describing how Scammers Impersonate ISPs in New Tech Support Campaign. Scammers have, in fact, impersonated ISPs before, though not as often as they’ve pretended to be Microsoft (or to be working on behalf of Microsoft), and not as often as I expected when I wrote about this possibility back in 2010.

The difference here is that they’re not simply ringing up and saying ‘I’m from your ISP’ or even ‘I’m from Verizon’ (which rings a slight alarm bell if you know your service provider is a completely different company). They’re using a nifty little wrinkle to determine the victim’s ISP from his or her IP address. I remember with some regret the days when a support scammer couldn’t even lie convincingly about knowing your IP address, but the scams have been based on increasingly sophisticated tricks, and on a barrage of pop-ups aimed at getting you to ring them rather than vice versa. Clearly, such a pop-up message is more effective if it’s actually customized to correspond to a potential victim’s real ISP, and may even take the form of a customized audio message.

Once they do get you on the phone, though, it seems they still lean heavily on old favourite ploys, for example the INF ploy noted in the Malwarebytes article. Here’s a description of how it works from another of my articles.

INF and PREFETCH are legitimate system utilities: The “Prefetch” command shows the contents of C:\Windows\Prefetch, containing files used in loading programs. The “INF” command actually shows the contents of a folder normally named C:\Windows\Inf: it contains files used in installing the system. So how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then asking them to type in something like “prefetch hidden virus” or “inf trojan malware”. When a folder listing appears, the victim believes that the system is listing malicious files. In fact, neither of these commands accepts parameters in the Run box. You could type “inf elvish fantasy” or “prefetch me a gin and tonic” and you’d get exactly the same directory listing, showing legitimate files.

And, of course, I still see innumerable reports of scammers using the tired old CLSID gambit. Evidently these things still work. Perhaps they’re more convincing when they come from a ‘support desk’ that you’ve been misdirected into ringing, rather than from a random cold-caller, but they’re still the same old drivel.

David Harley

Fake Support, Real Screen Locker Malware

Here’s another instance where ransomware and tech support scams overlap. Jérôme Segura, for Malwarebytes, describes how scammers have moved on from ‘bogus browser locks and fake AV alerts‘ to real screen lockers. In particular, he describes an example of malware shared by @TheWack0lian that passes itself off as a Windows update. However, during the ‘update’ it effectively locks the computer, ostensibly due to an ‘invalid licence key’, forcing the victim to call a ‘support line’.

The article – Tech Support Scammers Get Serious With Screen Lockers – includes a keyboard combination that might disable the locker, and some hardcoded ‘key’ values that might also work. However, it’s likely that there are already variants out there that use different ‘keys’, and if there aren’t, there almost certainly will be.

Commentary by David Bisson for Graham Cluley’s blog is also worth reading: New tech support scams mimic ransomware, lock users’ computers – Beware if you’re asked to pay $250 for a product key to unlock your PC.

David Harley

Tech Support Scam that Spoofs ISPs

Jérôme Segura has blogged for Malwarebytes about a somewhat innovative tech support scam campaign: Scammers Impersonate ISPs in New Tech Support Campaign.

The scam is pushed by malvertising which

‘detects which Internet Service Provider (ISP) you are using (based on your IP address) and displays a legitimate looking page that urges you to call for immediate assistance.’

Added to the tech support scam resource page.

David Harley

Pre-KeRanger Mac Ransomware

While working on an internal project at ESET, I came across an article I wrote for Information Security Magazine back in 2013: Mac Ransomware Deviating from the (java)script.

With the recent kerfuffle about KeRanger, it’s interesting to recall one of its (rare) precursors on the OS X platform. In this case, there wasn’t actually a malicious executable as such, and the whole system wasn’t really locked, even though a pop-up told the victim that his or her browser was locked and that ‘ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.’ However, the pop-up did make it very difficult to quit Safari, which was probably scarier than it sounds for the victims.

The story was based on an article by Jérôme Segura for Malwarebytes. Irritatingly, there doesn’t seem to be a link in my article, but this looks like Jérôme’s article: FBI Ransomware Now Targeting Apple’s Mac OS X Users.

The present article was also published on Mac Virus.

David Harley

Support Scams and the Security Industry

For Graham Cluley’s blog, David Bisson summarizes the story of how Symantec ended its agreement with one of its partners after Jérôme Segura reported for Malwarebytes on how the partner was using tech support scam techniques to trick customers into buying Norton Antivirus and a year’s support at prices well in excess of the price point set by Symantec.

You may recall that I also commented here on the story last week, though I focused on slightly different issues.

Among the classic scam ploys used by the scammer Jérôme talked to were the notorious CLSID misrepresentation and the misrepresentation of the legitimate Windows utility csrss.exe (Client/Server Runtime SubSystem). While this is an essential component of modern Windows versions, malware does sometimes use the same filename in the hope of making it harder to detect, and purveyors of support scams sometimes use the Task Manager (as in this case) or another utility such as Tasklist.

In fact, if you run one of these utilities, you’ll find that you have lots of legitimate processes running with names that are sometimes associated with malicious software (for example, lsass.exe and svchost.exe) but the processes are legitimate and often essential. The scammer doesn’t care about this, of course: he just wants to ‘prove’ to you that there are ‘malicious’ processes on your system, so that you’ll let him have remote access to it and charge you accordingly. The value to the scammer of using a filename that is also used by malware is that they can direct you to Google searches that will lead you to alarming references to the ‘csrss.exe virus’ or Trojan. Some of these links are malicious, some are well-meant but misleading, and some are genuinely informative. However, the scammer is not going to encourage you to read anything that is really informative.
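The practical counter to the ‘csrss.exe virus’ ploy is not the process name but where the image was loaded from and who signed it. The following PowerShell is an added example, not code from the original post or from Malwarebytes: it takes the process names mentioned above (csrss, lsass, svchost), and for each running instance reports the image path, whether that path sits under %SystemRoot%\System32, and the Authenticode signature status. The function name Test-SystemProcessImage is my own. Run it from an elevated prompt, since Windows withholds the image path of protected processes such as csrss and lsass from a non-elevated session; the code reports that case rather than guessing.

```powershell
# Added example (not from the original post): check that processes with
# names scammers like to misrepresent are the genuine Windows components.
# A legitimate instance runs from %SystemRoot%\System32 and carries a valid
# Microsoft signature; anything else deserves a closer look.

function Test-SystemProcessImage {
    param(
        # Names taken from the post above; extend the list as you see fit.
        [string[]]$Names = @('csrss', 'lsass', 'svchost')
    )

    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($proc in Get-Process -Name $Names -ErrorAction SilentlyContinue) {
        $imagePath = $proc.Path

        if (-not $imagePath) {
            # Without elevation, protected processes do not expose their
            # image path. Say so explicitly instead of treating it as a finding.
            [pscustomobject]@{
                Name       = $proc.ProcessName
                PID        = $proc.Id
                Path       = '<access denied: run elevated>'
                InSystem32 = $null
                Signature  = '<unknown>'
                Publisher  = '<unknown>'
            }
            continue
        }

        # Get-AuthenticodeSignature also consults the Windows catalog, which is
        # how most in-box binaries are signed on current Windows versions.
        $sig = Get-AuthenticodeSignature -FilePath $imagePath

        [pscustomobject]@{
            Name       = $proc.ProcessName
            PID        = $proc.Id
            Path       = $imagePath
            InSystem32 = $imagePath.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
            Signature  = $sig.Status
            Publisher  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        }
    }
}

# Show every instance; then narrow to the ones worth investigating.
$report = Test-SystemProcessImage
$report | Format-Table -AutoSize

$report |
    Where-Object { $_.InSystem32 -eq $false -or ($_.Signature -ne 'Valid' -and $_.Signature -ne '<unknown>') } |
    Format-Table -AutoSize
```

On a healthy machine the second table is empty: every csrss, lsass and svchost instance lives in System32 with a Valid signature from Microsoft. A row with a path under a user profile or temp directory, or with a NotSigned or HashMismatch status, is the kind of thing that actually warrants concern, which is precisely the check a scammer reading names off Task Manager will never walk you through.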

I particularly like David’s suggestion that:

If you come across a fake anti-virus alert, collect screenshots, audio, and whatever other data you can document about the messages, and then post those files on the affected anti-virus firm’s forum. Those companies will take no greater pleasure than in shutting down someone exploiting their potential customers.

While no-one in this business likes to see scammers getting away with anything, it’s particularly satisfying when we’re able to take direct action against those whose actions are responsible for blackening the reputations of an industry which, by and large, tries harder than most to behave honourably and ethically. Of course, I wouldn’t want to discourage you from reporting scammers to law enforcement, either. No doubt they make good use of the information even if they tend not to talk about it.

It’s worth mentioning that forums aren’t the only way to contact a security company. If you have a support agreement with a vendor, you can certainly talk to its support desk. Most companies have an address to which you can send malicious samples and links. And some of us who write about this stuff get lots of comments to our blogs. That CLSID blog I mentioned above has attracted many hundreds of comments. I can’t reply to them all, but I do read them, and sometimes they provide material for further research and writing. One I really liked recently observed:

“This scammer called today and I played along. When he read my CLSID I googled “CLSID” and found this page. I told him that I had googled it and found that everyone has that CLSID. He told me that my google was broken. Best laugh of the day!”

Fortunately, people aren’t generally as dumb as scammers believe they are. There’s a difference between not knowing much about technology and being stupid. Though in these days of elaborate online scams, it really is smart to go out of your way to learn more about the technology you use than the bare bones of logging in and typing in text.

David Harley

The Lure of the Support Scam

We’re all too familiar with tech support scammers claiming to represent Microsoft or other impressive names like Cisco or Apple. And sometimes we find them claiming to represent security companies in some way.

To cite some instances mentioned in a paper presented at Virus Bulletin in 2012 by myself, Martijn Grooten (Virus Bulletin), Steve Burn (Malwarebytes) and Craig Johnston (an independent researcher and former colleague at ESET):

  • We know of a number of instances where fake or cracked security software has been sold to victims by scammers claiming to represent legitimate security vendors in some way.
  • A scammer who talked to Craig claimed that his company was installing legitimate copies of a commercial product called Registry Mechanic. We were unable to verify that claim, but we do know for sure that it’s common for scammers to install free (or free versions of) various utilities as part of their service. (Which is, of course, not free.)
  • Microsoft terminated its relationship with Gold partner Comantra because of all the complaints about Comantra’s practices.

We also cited the case of iYogi – recently accused by the state of Washington of engaging in support scam practices – to which Avast! was actually outsourcing the provision of legitimate support to users of Avast!’s free products, until similar allegations were made about iYogi.

A common current ploy is to lure victims into calling a helpline passing itself off as being hosted by a legitimate security-oriented company, by using some kind of popup fake alert. For obvious reasons, companies like Symantec and McAfee are frequently targeted for this kind of attack. However, Jérôme Segura for Malwarebytes reports a case where the scammer is claimed to be ‘an official member of the Symantec Partner Program’. Segura explains:

We immediately reported all of our evidence to Symantec who took this case very seriously and confirmed that this company was indeed a member of the program. Symantec also let us know that they were going to take immediate action to resolve this issue.

Reassuringly, he also reports that the alleged scam site was subsequently taken down.

The article also indicates that the Malwarebytes brand has been misused by scammers charging ridiculous prices for its product.

There are clear advantages to a support scammer in cosying up to a legitimate, ethical company, and scammers are apparently not averse to ‘inflicting brand and reputation damage’ on their partners.

However, I suspect that there are still plenty of scammers claiming to support products with which they have no genuine connection. Or interest, come to that, except as a means of promoting their own dubious products and services. It’s amazing how eager many ‘support lines’ are to point out the (usually mythical) limitations of the product they claim to support, in order to promote their own service or product.

If you follow this blog, you are almost certainly aware of the sort of popup alert I’m referring to above. But that’s not the only lure used by support scammers. A little time spent with your favourite search engine using terms like ‘[your chosen security product] + tech support’ is likely to turn up lots of links to sites that have no connection to the product or vendor, but claim to offer tech support for it.

I can only recommend that if you think you have a problem with your security product of choice, that you make your first port of call a web site that you know is maintained by the company that makes the software. After all, if it’s a product that you actually paid for, the chances are that you can get (at least some) support from the vendor without extra cost. This is unlikely to be the case with a free product – one of the reasons I’m lukewarm about recommending free security software, though a genuine free security product is better than no security at all. Nevertheless, a responsible vendor will always offer some indication of somewhere where you can get support, even if it means upgrading to a for-fee version. And while there are instances of a vendor being unaware of the unethical behaviour of one of its partners, these are very much the exception rather than the rule. It’s much more common for a scammer to claim a non-existent relationship with the vendor.

However, if you trust your support to a helpline you found via a search engine, there’s a good chance that you’ll stumble upon a company that knows more about SEO (search engine optimization) than it does about reliable support. Or ethics, or honesty.

It’s not that there aren’t honest support sites out there: the difficulty is in identifying which are honest, and which are scammers. A security vendor might not always know when it’s partnered with a scammer, but it does know which companies are genuine partners.

David Harley

Another support scam and ransomware double whammy?

For Malwarebytes, Jérôme Segura reports on another incident where a support scam is combined with other malicious action – Comcast Customers Targeted In Elaborate Malvertising Attack. In this case, malvertising planted on Comcast’s Xfinity search page leads to an attempt to install malware via the Nuclear exploit kit. Malwarebytes weren’t able to collect the malware payload on this occasion, but think it likely to be Cryptowall or another type of ransomware. Subsequently, another site purporting to be the Xfinity portal may serve a fake alert along the lines of:

Comcast’s security plugin has detected some suspicious activity from your IP address. Some Spyware may have caused a security breach at your network location. Call Toll Free 1-866-319-7176 for technical assistance

Also reported by Help Net Security.

Adding to both the Tech Support Scam and Ransomware resource pages.

David Harley

Support Scams: FTC Targets Fake Alerts

Here’s an interesting article from The Register – FTC fells four tech-support operations in scammer crackdown – by Shaun Nichols, about the FTC’s latest move in the war against support scams.

It won’t come as news to regular readers of this blog and my other articles at ESET and elsewhere (or some excellent articles by Jérôme Segura et al for Malwarebytes, come to that) that it ‘Turns out Microsoft and Apple don’t use pop-up ads for tech support‘.

It’s certainly a Good Thing, though, that the FTC (the US Federal Trade Commission) has turned its attention to ‘four companies and four individuals in its legal complaint (PDF) alleging violations of both the FTC Act and the US Telemarketing Act’.

The violations cited here are in the form of fake system alerts, fake browser alerts, or fake security software alerts of the type I’ve addressed here (and even at Mac Virus – e.g. Pop-ups and Support Scams), that advise the victim of a ‘problem’ with their device and direct them to a ‘helpline’ that purports to represent one of the major operating systems, not only for old-school computers (Windows, OS X, Linux) but for mobile devices such as smartphones.

A preliminary injunction ordered by the United States District Court for the Eastern District of Pennsylvania names eight defendants, prohibits them from fraudulent marketing and billing, and effectively freezes their assets while the FTC’s complaint is investigated.

What impact the FTC’s actions will have on the international support scam industry is hard to say, but any impact has to be better than none.

David Harley