Tag Archives: Martijn Grooten

Tech Support Scams meet Ransomware

Department of bizarre coincidences: yesterday I published a ransomware information page on this site, on approximately the same lines as the tech support information page. Today an article by Zeljka Zorz for Help Net Security – A double whammy of tech support scam and ransomware hits US, UK users – directed me to this Symantec article by Deepak Singh: Tech support scams redirect to Nuclear EK to spread ransomware – Tech support scammers may have bolstered their arsenal by using the Nuclear exploit kit to drop ransomware onto victims’ computers. Which seems to belong on both pages.

This isn’t the first time I’ve heard of scammers who try to lure potential victims to a site from which the Nuclear exploit kit is being served as well as the support scam.  Martijn Grooten wrote in some detail about such a case – Compromised site serves Nuclear exploit kit together with fake BSOD – for Virus Bulletin, back in July 2015. In this instance, though, if the exploit kit is successful in finding an exploitable vulnerability on the victim’s system, it will drop either the ugly Cryptowall ransomware or a data-stealing Trojan.

Perhaps this is not an instance of support scammers deliberately making use of an exploit kit with the intention of maximizing profit through ransomware or information stealing. But as Singh observes ‘…if this proves to be an effective combination, we are likely to see more of this in the future.’ And we’ve already seen a similarity in the way that non-encrypting ransomware and some support scams both make use of fake alerts and BSODs as a lure. While there may still be some inept but well-meaning support scam operators out there, there are many more who – inept or otherwise – are perfectly happy to trash a victim’s system. If they can use encrypting ransomware to monetize that ruthlessness, it would be naive to believe they won’t take that route instead.

David Harley

Tech Support Scams Latest

I’ve just added a link on the resource page to another article from Malwarebytes on support scams using a fake Blue Screen of Death, this time by Chris Boyd: Avoid this BSoD Tech Support Scam. Also some comment by John Leyden for The Register.

I also noticed today a comment to one of my ESET articles of some possible interest to support scam watchers. Actually, I think I approved the comment some time ago, but never got around to flagging it elsewhere.

I know these are scams, and I work in IT, but I had only heard these stories from my mom about them calling her. I wondered if this was a scam targeting older people, since I had never been called. Now they have started calling. 

While these scammers certainly seem more than happy to defraud older people, probably because they expect them to be less conversant with technology and therefore likelier to fall for the pitch, I doubt if the cold calls are, in general, actually targeting my generation. (I’m happy to note that – in the UK, at any rate – my generation is less gullible than you might think.)

The first time they call, about 3 weeks ago, the guy tells me my computer is infected. When I asked which computer he says my windows computer. I tell him I have, which computer is the problem. He tells my I am lying, that I don’t have 7 windows computers. He them hangs up on me for wasting his time. 

Today they called again. I played along, though I did say I had multiple computers, this guy said they were all likely infected. I asked him to verify the IP of the infected machine and he tells me he can’t but he can verify the CL SID. He rattles of the CLSID listed here and asks me to run the assoc command.

So far, so typical of many of the hundreds of reports I’ve seen.

By this time I already have this site open.

(The comment is one of nearly 500 attached to this article: Support desk scams: CLSID not unique.)

I string him along for a little bit when I finally tell him, politely, that I know this is BS. At first he denies it, then he actually acknowledges it, acknowledges that he is in Calcutta. Tells me a little about his family, and that he is in school. Tells me that work is hard to find, and asks if it’s as hard here as it is there. He tells me that the scam jobs make 14,000 a year, but the legit ones that he can find only make 7,500 a year. At the end of the call, he thanked me for not yelling and screaming profanities at him. Overall I was on the phone for 40 minutes and 20 of that was after I told him I knew.
Weirdest call ever. 

Well, it’s not quite the first time that a conversation somewhat like this has taken place. My friend and former colleague Craig Johnston recounted a similar encounter in Virus Bulletin back in 2011, which he also talked about in our joint presentation at Virus Bulletin with Steve Burn and Martijn Grooten. The guy Craig talked to was a little more self-deluded: as Craig said, ‘While the caller admitted that the methods used to convince the ‘customer’ were dodgy, he was keen to assure me that the product being sold was legitimate and that it would benefit the customer.’

In this case, the scammer didn’t try to offer such self-justification, but may give us some insight into the economics of scam versus legitimate call-centre jobs (though we believe that some call-centres use both scam and legit approaches to support). I’ve talked before about scammer motivation, but it does at least seem that not all support scammers are bullies and worse (like the unspeakable monsters who try to block their victim’s access to their own systems if they allow the scammer access and then decide not to purchase his ‘services’) and may even have the grace to be less than proud of the way they make their living.

David Harley
ESET Senior Research Fellow

 

Support Scams: multi-language, fake BSODs, and the Nuclear exploit kit

Here’s another blog by Jérôme Segura well worth a read: The Multi-language Tech Support Scam is Here.

And a couple of articles I added to the tech support scam page at the end of July, but didn’t note in the blog.

A blog by me, Double Dipping: Nuclear exploit, fake BSOD, support scams, refers to two very interesting blogs by Martijn Grooten – Compromised site serves Nuclear exploit kit together with fake BSOD – and Jérôme Segura  – TechSupportScams And The Blue Screen of Death.

David Harley

Support scam paper at Virus Bulletin 2014

If you keep an eye on the support scam resources page on this site, you’ll have noticed that Malwarebytes’ Jérôme Segura has written quite a few pieces on the topic (more than I have recently), demonstrating that the game is still afoot, even if the rules have changed.

At Virus Bulletin, later this week, Jérôme presents his paper ‘Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam‘: it’s scheduled for 16.00 on Thursday 26th. I’m sure it will be well worth hearing, and I’m only sorry I can’t be there to hear it. (Though I do have a paper being presented there by my co-authors Aleksandr Matrosov and Eugene Rodionov:

You may also recall that back in 2012 I wrote a paper with Martijn Grooten of Virus Bulletin, Steve Burn of Malwarebytes, and independent researcher Craig Johnston (a former colleague at ESET): My PC has 32,539 errors: how telephone support scams really work. (The same team also wrote a related paper for CFET: FUD and Blunder: Tracking PC Support Scams. As part of the run-up to Virus Bulletin 2014, Martijn gives a preview on the Virus Bulletin blog of what to expect from the presentation: VB2014 preview: Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam.

David Harley
ESET Senior Research Fellow

Support scams update

Just added to the tech support scam page here: a link to a lengthy blog I recently put up on the ESET site.

Here’s a direct link to that blog article: Tech Support Scam Update: Still Flourishing, Still Evolving.

It includes some information on gambits gleaned from people who’ve commented on ESET articles on the topic, from blogs by Martijn Grooten and Jerome Segura, and from some conversations I had at this year’s Virus Bulletin conference a few weeks ago. The misuse of ping for convincing Mac users they have a problem is particularly interesting, though they’ll need to find another approach now. (All is explained in the article.)

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Support scammers & repeat business

For Virus Bulletin, Martijn Grooten recounts in Phone support scammers attempt repeat business how – a year after the encounter with ‘Clinton’ that he talked about in our joint presentation (with Craig Johnston and Steve Burn) at the 2012 Virus Bulletin Conference in Dallas (My PC has 32,539 errors: how telephone support scams really work) – the scammers came back for a second bite of the cherry.

He summarizes:

Phone support scammers have found a new way to make easy money: by calling back people whom they have previously tricked into paying for their services, and tricking the same innocent users into paying for a ‘renewal’ of the service.

While I got a certain amount of amusement from the continuing ineptitude of the scammer he talked to this time, it’s not so amusing for victims of the scam, as Martijn points out:

While it is easy to laugh at the scammers’ lack of professionalism, they have taken advantage of many victims in the past: people who have become worried after hearing the many stories about malware infections, or people for whom the call just ‘made sense’.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

‘Tech Support’ Scam Resources Page updated

I haven’t updated the scam resources page on the AVIEN blog site since November 2011. Mea Culpa. However, that doesn’t mean I haven’t been beavering aways at raising awareness of this scam among readers of my blog, the security industry, and (not least) law enforcement. So I’ve finally got around to updating the page.

Firstly, I’ve changed the name to something more unwieldy (less wieldy?), but a bit more explicit as to exactly what it’s about.

Secondly, I’ve added quite a few links to resources. Depressingly, most of them are my own blogs – I can’t believe how hard it is to get people to take notice of this scam! – but I shouldn’t forget to mention my friends and colleagues Steve Burn (MalwareBytes), Craig Johnston (independent researcher) and Martijn Grooten (Virus Bulletin), with whose help I’ve put together a couple of somewhat massive papers to be presented at CFET and Virus Bulletin later this year.

David Harley CITP FBCS CISSP
AVIEN & Small Blue-Green World Dogsbody
ESET Senior Research Fellow

Support scams: what can AVIEN do about it?

In the wake of a blog I posted today at ESET, on my perennial warhorse of support scams and cold-calling, I’ve been talking to Martijn Grooten of Virus Bulletin and Steve Burn, both of whom contributed to that article. While we and other people in the industry hack away from time to time at this unpleasant but undramatic variety of fraud, the telephonic equivalent of fake AV, it doesn’t seem to have much impact on the hydra-headed scammer networks of Kolkata and New Delhi. How, we wondered, can we make more headway?

It would be nice to think that people who read those occasional articles from security bloggers get some educational value out of them, that’s a tiny number compared to the potentially exploitable Facebook users, for example, who might be tricked into endorsing a scammer’s FB page. In fact, it’s even worse than that, in that readers of security blogs are generally aware enough not to fall so easily for scams: many people comment on my ESET blogs on the topic, but most of them aren’t themselves victims.

While there’s occasionally a little more movement when the media like the Guardian, or the Register, or SC Magazine picks up the theme (as they all have), they’ll only do that now and again, and only when there’s a particularly dramatic or emotional story to hang it on.

Law enforcement doesn’t seem to be making much of an impact either. And that’s understandable: like the 419 gangs, the scammers are a volatile and scattered target, individual victims tend to lose fairly small sums even compared to some of the big 419 scores, and that lessens the interest from law enforcement in general, even assuming that cooperation betweenthe countries targeted by the scammers (US, UK, Australia, New Zealand, and to a lesser extent parts of Europe and limited regions in the Far East) and the regions of India that seem to be spawning this type of activity. Agencies might, I suspect, be more interested if the security people who work with them directly on other issues such as botnets and phishing were themselves more interested. But while there are quite a few security-oriented individuals who’d like to see more action, I’m not sure how much of a concentrated effort we can get out of the security industry, because the PR value doesn’t really translate directly into product sales.

Again like 419 scams, people are interested in reporting incidents close to home, but as the Met’s own fraudalert page suggests (http://www.met.police.uk/fraudalert/reporting_fraud.htm) there’s no clear single mechanism and precious little feedback. I’m wondering whether it might be worth trying to establish a central information resource and building on that in some or all these directions, with an initial focus on education. If so, perhaps AVIEN would be a suitable venue, since it has a lot of people with security expertise but is essentially vendor neutral, even though many AV companies still participate, or at least subscribe to our mailing lists.

I’d kind of like to put more of a focused effort into fighting this, but it isn’t something I can do all by myself. What do the AVIEN members out there think?

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow