Support Scams and the Security Industry

For Graham Cluley’s blog, David Bisson summarizes the story of how Symantec ended its agreement with one of its partners after Jérôme Segura reported for Malwarebytes on how the partner was using tech support scam techniques to trick customers into buying Norton Antivirus and a year’s support at prices well in excess of the pricepoint set by Symantec.

You may recall that I also commented here on the story last week, though I focused on slightly different issues.

Among the classic scam ploys used by the scammer Jérôme talked to were the notorious CLSID misrepresentation and the misrepresentation of the legitimate Windows utility csrss.exe (Client/Server Runtime SubSystem). While this is an essential component of modern Windows versions, malware does sometimes use the same filename in the hope of making it harder to detect, and purveyors of support scams sometimes use the Task Manager (as in this case) or another utility such as Tasklist.

In fact, if you run one of these utilities, you’ll find that you have lots of legitimate processes running with names that are sometimes associated with malicious software (for example, lsass.exe and svchost.exe) but the processes are legitimate and often essential. The scammer doesn’t care about this, of course: he just wants to ‘prove’ to you that there are ‘malicious’ processes on your system, so that you’ll let him have remote access to it and charge you accordingly. The value to the scammer of using a filename that is also used by malware is that they can direct you to Google searches that will lead you to alarming references to the ‘csrss.exe virus’ or Trojan. Some of these links are malicious, some are well-meant but misleading, and some are genuinely informative. However, the scammer is not going to encourage you to read anything that is really informative.

I particularly like David’s suggestion that:

If you come across a fake anti-virus alert, collect screenshots, audio, and whatever other data you can document about the messages, and then post those files on the affected anti-virus firm’s forum. Those companies will take no greater pleasure than in shutting down someone exploiting their potential customers.

 While no-one in this business likes to see scammers getting away with anything, it’s particularly satisfying when we’re able to take direct action against those whose actions are responsible for blackening the reputations of  an industry which, by and large, tries harder than most to behave honourably and ethically. Of course, I wouldn’t want to discourage you from reporting scammers to law enforcement, either. No doubt they make good use of the information even if they tend not to talk about it.

It’s worth mentioning that forums aren’t the only way to contact a security company. If you have a support agreement with a vendor, you can certainly talk to its support desk. Most companies have an address to which you can send malicious samples and links. And some of us who write about this stuff get lots of comments to our blogs. That CLSID blog I mentioned above has attracted many hundreds of comments. I can’t reply to them all, but I do read them, and sometimes they provide material for further research and writing. One I really liked recently observed:

“This scammer called today and I played along. When he read my CLSID I googled “CLSID” and found this page. I told him that I had googled it and found that everyone has that CLSID. He told me that my google was broken. Best laugh of the day!”

Fortunately, people aren’t generally as dumb as scammers believe they are. There’s a difference between not knowing much about technology and being stupid. Though in these days of elaborate online scams, it really is smart to go out of your way to learn more about the technology you use than the bare bones of logging in and typing in text.

David Harley


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.