Tech Support Scams: a Beginner’s Guide – a blog for IT Security UK. I thought maybe it was time we reconsidered what we tell end users they need to know about support scams, as the scammers change their approach from cold-calling to pop-up fake alerts.
Added to the resources page here.
Here’s an interesting article from The Register – FTC fells four tech-support operations in scammer crackdown – by Shaun Nichols, about the FTC’s latest move in the war against support scams.
It won’t come as news to regular readers of this blog and my other articles at ESET and elsewhere (or some excellent articles by Jérôme Segura et al for Malwarebytes, come to that) that it ‘Turns out Microsoft and Apple don’t use pop-up ads for tech support’.
It’s certainly a Good Thing, though, that the FTC (the US Federal Trade Commission) has turned its attention to ‘four companies and four individuals in its legal complaint (PDF) alleging violations of both the FTC Act and the US Telemarketing Act’.
The violations cited here are in the form of fake system alerts, fake browser alerts, or fake security software alerts of the type I’ve addressed here (and even at Mac Virus – e.g. Pop-ups and Support Scams), that advise the victim of a ‘problem’ with their device and direct them to a ‘helpline’ that purports to represent one of the major operating systems, not only for old-school computers (Windows, OS X, Linux) but for mobile devices such as smartphones.
A preliminary injunction ordered by the United States District Court for the Eastern District of Pennsylvania names eight defendants, prohibits them from fraudulent marketing and billing, and effectively freezes their assets while the FTC’s complaint is investigated.
What impact the FTC’s actions will have on the international support scam industry is hard to say, but any impact has to be better than none.
It’s common for tech support scams to be referred to as ‘the AMMYY scam’ or ‘the TechViewer scam’: not because these remote access utilities/services are not legitimate (they are), but because they are commonly misused by tech support scammers to access their victims’ systems. (Which is why some security products flag them as ‘potentially unwanted’ or ‘potentially unsafe’.) They do this for two main reasons:
- To fabricate ‘proof’ that the system is compromised by malware or otherwise at risk, so that the victim will pay for ‘assistance’ from the scammer.
- To make changes to the victim’s system (or, sometimes, to pretend to make changes) that are meant to prove that the scammer is providing a chargeable service. Sometimes the scammer will add useful utilities, but in that case they’re usually applications that the victim could get for free elsewhere. Sometimes the additions are less useful, and might even be harmful.
In addition, the scammer will sometimes make changes to the system that are downright malicious: in particular, if the victim gives the scammer access to the system but is reluctant to proceed with allowing the changes or making payment, the scammer will often deprive (or try to deprive) the victim of the ability to use the system at all.
The Buhtrap operation described in a blog by my ESET colleague Jean-Ian Boutin isn’t directly connected with tech support scams, as far as I know, but it did involve the misuse of the Ammyy Admin utility. People who downloaded the free version from the Ammyy site while it was compromised would, in Jean-Ian’s words, have been served…
…a bundle containing not only the legitimate Remote Desktop Software Ammyy Admin, but also an NSIS (Nullsoft Scriptable Installation Software) installer ultimately intended to install the tools used by the Buhtrap gang to spy on and control their victims’ computers.
It’s not clear how the site came to be compromised – Ammyy’s designers apparently never responded to ESET’s warnings – but it’s now clean: however, the malicious installation bundle was being served for about a week. Jean-Ian comments:
If you downloaded and installed Ammyy Admin recently, your computer might be compromised by one of the malware described above. Since we do not know exactly when the attack started nor if the site is still compromised, we recommend that you take precautionary measures and use or install a security product to scan and protect your computer.
Obviously, this could include tech support scam victims directed to that specific page, as if they hadn’t been victimized enough already. 🙁
The following links have been added to the tech support scam resources page:
“Since May 2014, Microsoft has received over 175,000 customer complaints regarding fraudulent tech support scams. This year alone, an estimated 3.3 million people in the United States will pay more than $1.5 billion to scammers.”