Tech support scams persist with increasingly crafty techniques

[Brink]

Millions of users continue to encounter technical support scams. Data from Windows Defender SmartScreen (which is used by both Microsoft Edge and Internet Explorer to block malicious sites) and Windows Defender Antivirus show that some three million users are subjected to these threats every month.

In addition to being rampant, technical support scams continue to evolve, employing more and more complex social engineering tactics that can increase panic and create a false sense of legitimacy or urgency in an effort to get more victims.

Given the sheer volume of tech support scams and the pace at which they evolve, here at Microsoft we take a holistic approach to this problem. We monitor the threat landscape for patterns and variations in threat behavior. Using intelligence from sensors, we employ machine learning models to deliver cloud-based protection against the latest tech support scams, whether they take the form of web pages with malicious scripts or Trojans that run on computers.

In 2016, the threat of support scam was most felt in the United States, which saw 58% of encounters. United Kingdom, Canada, and Australia follow, with 13%, 11%, and 8% of encounters, respectively. Notably, significant encounters were also registered in France and Spain, where we saw localized technical support scam attacks.

Figure 1. Top counties that saw the most number of tech support scam encounters in 2016

(Note: This blog post is the third in the 2016 threat landscape review series. It follows the review of exploit kits and ransomware. The series looks at how major areas in the threat landscape transformed over the past year.)

The evolution of technical support scam malware

Technical support scams are built on the deception that your computer is somehow broken, and you need to contact technical support to fix it. You may then be asked to pay for support. In some cases, the tech support agent may ask you to install other software or malware disguised as support tools on your computer, bringing in more threats that can cause even more damage.

You may come across these threats while browsing dubious websites, most notably those that host illegal copies of media and software, crack applications, or malware. Links or ads on these sites may lead you to tech support scam websites, which display pages that are designed to look like error messages and serve pop-up messages indicating fictitious errors. Some tech support scam threats take the form of executable programs like other malware.

Although tech support scams have been around for many years, in 2016 we saw the threat evolve by integrating more scare tactics. At the beginning of the year, the landscape was dominated by threat families with simple techniques and social engineering lures. However, more evolved threat families have since taken over.

Figure 2. Top support scam families based on encounters in 2016

FakeCall and FakeBSOD: The early types that used one pop-up window and simple messages

Tech support scams are known for their use of pop-up windows to advance their pretense. While most of the scams today abuse pop-up windows to the point of locking the browser, the earlier types relied on just pop-up windows and effective social engineering lures.

FakeCall is a family of malicious scripts hosted in tech support scam sites. It may use messages about virus infection or suspicious activities on your computer. The first sign you have been led to a FakeCall tech support scam site is a pop-up message that tries to create an impression that it’s a system pop-up and usually describes a fake problem and contains instruction to contact fake technical support.

Figure 3. A sample pop-up message from FakeCall

If you click OK, the website loads a page giving more details about the supposed problem, and more instructions to call the technical support number. It may spoof security products and list malware that have purportedly been found on your computer. The goal is to convince you to call the support number.

Figure 4. Sample FakeCall support scam website, which asks potential victims to call 855–400–3930

On the other hand, FakeBSOD is a very similar threat but instead pretends to be a system error, like Blue Screen of Death (BSOD), where it got its name.

Figure 5. Sample FakeBSOD site that pretends to look like system errors, such as BSOD, and asks to call 1–844–330–7888

FakeBSOD sites usually force the browser to go on full-screen mode to simulate the BSOD experience. Just like FakeCall, it also has a pop-up message detailing the fake problem and a number to call fake technical support.

Both FakeCall and FakeBSOD heavily rely on social engineering lures to get you to take action, and don’t have much in terms of technical complexity. Simply closing the browser will work in most cases.

TechBrolo: Support scam malware on steroids

TechBrolo takes on characteristics of both FakeCall and FakeBSOD, but integrates technical enhancements that not only makes the pretense more believable but can also adversely affect your overall computing experience.

For instance, TechBrolo employs the dialogue loop technique. When you visit the TechBrolo site, you get a pop-up message that won’t go away, no matter how many times you click OK. This method effectively locks your browser; you must manually terminate the process via Task Manager in order to close your browser.

Figure 6. Sample TechBrolo site with dialogue loop and fake support number 1–866–219–0211

Most variants of TechBrolo also play an audio describing the problem, adding a sense of urgency. For example, one recent variant mimics Windows Defender Antivirus, and when the website loads, it plays an audio with the following message:

“Critical alert from Microsoft. Your computer has alerted us that it is infected with a virus and spyware. This virus is sending your credit card details, Facebook login, and personal emails to hackers remotely. Please call us immediately at the toll-free number listed, so that our support engineers can walk you through the removal process over the phone. If you close this page before calling us, we will be forced to disable your computer to prevent further damage to our network. Error #268D3.” It is important to note that Windows Defender Antivirus does not act this way.

Figure 7. Sample TechBrolo site that spoofs Windows Defender Antivirus, plays an audio message, and uses fake support number 07–5405–9588

Recently, we also spotted a TechBrolo variant that uses website elements to spoof the Microsoft support site and fake the pop-up dialogue box. It does this by loading a page that looks like a browser and then going to full screen. If you are not too paying attention, you might think Microsoft is giving you a warning. Microsoft does not deliver warning messages like this via the browser.

Figure 8. One TechBrolo site uses website elements to achieve a browser in a browser effect and asks target victims to call 1–844–313–7003

Non-English support scam websites

Consistent with our findings that some of the countries most affected by tech support scam are non-English speaking countries (see Figure 1), we have seen some localized tech support scam malware.

These sites employ a combination of the techniques discussed in this blog, only presented in non-English websites, images, or pop-up messages.

Figure 9. French tech support scam website that uses fake support number 01–86–26–42–66

Figure 10. Spanish tech support scam website that uses fake support number 900–839–260

Figure 11. German tech support scam website that uses fake support number 0–800–183–8114

Figure 12. Japanese tech support scam website that uses fake support number 03–4578–9419

Cusax, Hicurdismos, and Monitnev: Support scam Trojans

Apart from scripts hosted on websites, we have also seen tech support scam malware in the form of executable files. They may be installed on your computer by other malware or downloaded from drive-by sites.
These malware have the same goal as their script counterparts: to get you to call the technical support number. However, the difference is that their malicious behaviors are not limited to the browser.

For instance, Cusax is a tech support scam malware that makes system changes, including registry modifications that ensure it runs every time your computer starts. It then forces a reboot, further reinforcing the scam that there is a problem with your computer.

As soon as your computer boots, it opens a window that asks for your Windows activation key as well as the technical support number.

Figure 13. Cusax uses the lure that you need to enter your activation key and asks to call the number 1–877–256–3313

Hicurdismos, on the other hand, displays an image that looks like the BSOD. However, this fake BSOD screen has instructions to call a technical support number, something that the real error doesn’t have.

In order to further its pretense, Hicurdismos hides the mouse cursor, disables Task Manager, and makes sure the fake BSOD image occupies the entire screen and is always on top of other windows.

Figure 14. The fake BSOD screen displayed by Hicurdismos contains the number 1–800–418–4202

More recently, Monitnev was discovered to monitor event logs. It then displays fake error notifications every time an application crashes. This can appear more convincing because the pop-up messages are timed with legitimate computing behavior.

Cusax, Hicurdismos, Monitnev and other tech support scam malware can be more complex than scripts. Because they make system changes, they can inflict more damage and can be trickier to remove. However, we’re seeing significantly fewer of these types of tech support scam threats because they are more difficult to distribute than their script counterparts. Despite that, they pose threats that you need protection from.

Protection against tech support scams

Tech support scams take different forms and are known to take on more characteristics over time. Get the protection against the latest tech support scams by upgrading to Windows 10. The Windows 10 Creators Update brings in additional security features and will start rolling out on April 11, 2017. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigation from Microsoft.

A majority of these threats, like TechBrolo, FakeCall, and FakeBSOD, are scripts hosted on websites where you are led to by malicious ads on dubious sites. To avoid tech support scam websites, use Microsoft Edge. Enable Windows Defender SmartScreen (also used by Internet Explorer) to block known malicious websites, such as tech support scam websites.

Figure 15. Microsoft Smart Screen blocks techs support scam websites

In addition, Microsoft Edge provides a way to close dialogue loops, which are used by support scam sites to keep on delivering pop-ups even after you close them. At the bottom of pop-up dialogue messages, you have an option to tick the checkbox Don’t let this page create more messages, which will stop the recurring messages.

Figure 16. Dialogue loop protection for Microsoft Edge

Enable Windows Defender Antivirus to remove tech support scam Trojans, such as Cusax and Hicurdismos. Windows Defender AV uses cloud-based protection, which helps make sure you are protected from the latest threats.

Tech support scams employ varying social engineering techniques to get you to call the support hotline. Do not call the number in pop-up messages. Microsoft’s error and warning messages never include a phone number.

Some scammers can also contact you directly and claim to be from Microsoft. Remember, Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you. Reach out directly to one of our technical support experts at the Microsoft Answer Desk.

For more help, read our page on avoiding technical support scams.

Jonathan San Jose, Alden Pornasdoro, Francis Tan Seng

Microsoft Malware Protection Center

Source: Tech support scams persist with increasingly crafty techniques Microsoft Malware Protection Center Blog

 

[Lady Fitzgerald]

I would just "love" to meet one of those scammers!

 

[Barman58]

The last ones to call John z3r010 with one of these are I think still receiving psychological counselling after John had finished with them

 

[Brink]

:roflmao:

 

[Lady Fitzgerald]

If I'm not sleeping or watching TV or something else I don't want interrupted, I'll also play with the lowlifes for a bit. One time one called claiming to be MS and that my computer needed work. I asked when did MS start repairing MACs (I don't have anything from Apple). It actually took a couple minutes before the bozo understood I was telling him I had a MAC, not a Windows machine.

Another time, some ejit called and said my computer was wonky. I said, "Which one?". He asked if I had more than one and I said I had 40 and I was the IT tech for some fictitious police department. For some strange reason, he immediately hung up.

Mostly, I strongly suggest the caller relocate to somewhere notorious for its exceptionally warm climate.

 

[samuria]

Just issued bythe Police UK new scam

[FONT=Arial, Helvetica, sans-serif]Subject: Law Abiding Citizen Alert[/FONT] [FONT=Arial, Helvetica, sans-serif] [FONT=Arial, Helvetica, sans-serif]This is a message sent via Neighbourhood Watch. This information has been sent on behalf of Action Fraud (National Fraud Intelligence Bureau)[/FONT](Please do not reply or forward this email directly; please use the Reply, Share buttons at the bottom of this message)[FONT=Arial, Helvetica, sans-serif]Message sent by[/FONT][FONT=Arial, Helvetica, sans-serif]Action Fraud (Action Fraud, Administrator, National)[/FONT]
Fraudsters are sending out a high volume of phishing emails to personal and business email addresses, pretending to come from various email addresses, which have been compromised.

The subject line contains the recipient’s name, and the main body of text is as below:

“Hi, [name]!

I am disturbing you for a very serious reason. Although we are not familiar, but I have significant amount of individual info concerning you. The thing is that, most likely mistakenly, the data of your account has been emailed to me.

For instance, your address is:

[real home address]

I am a law-abiding citizen, so I decided to personal data may have been hacked. I attached the file – [surname].dot that I received, that you could explore what info has become obtainable for scammers. File password is – 2811

Best Wishes,”

The emails include an attachment – a ‘.dot’ file usually titled with the recipient’s name.

This attachment is thought to contain the Banking Trojan Ursniff/Gozi, hidden within an image in the document. The Ursniff Banking Trojan attempts to obtain sensitive data from victims, such as banking credentials and passwords. The data is subsequently used by criminals for monetary gain.

Protect Yourself:
Having up-to-date virus protection is essential; however it will not always prevent your device(s) from becoming infected.

Please consider the following actions:

• Don’t click on links or open any attachments you receive in unsolicited emails or SMS messages: Remember that fraudsters can ‘spoof’ an email address to make it look like one used by someone you trust. If you are unsure, check the email header to identify the true source of communication (you can find out how by searching the internet for relevant advice for your email provider).
• Do not enable macros in downloads; enabling macros will allow Trojan/malware to be installed onto your device.
• Always install software updates as soon as they become available. Whether you are updating the operating system or an application, the update will often include fixes for critical security vulnerabilities.
• Create regular backups of your important files to an external hard drive, memory stick or online storage provider. It is important that the device you back up to is not connected to your computer as any malware infection could spread to that as well.
• If you think your bank details have been compromised, you should contact your bank immediately.

If you have been affected by this or any other fraud, report it to Action Fraud by calling 0300 123 2040, or visit www.actionfraud.police.uk. [/FONT]

 

[ThrashZone]

Hi,
Might be a new record quote here

 

[Melchior]

Scammers are the lowest for of computer SCUM ... >_<