Category Archives: support scams

Ransomware and support scam updates

 

Updates to Specific Ransomware Families and Types

The Register: Please forgive me, I can’t stop robbing you: SamSam ransomware earns handlers $5.9m – “Sophos has been investigating the SamSam campaign since its emergence. A study (PDF) based on this research – released on Tuesday – summarises its findings about the attacker’s tools, techniques and protocols.” For ZDnet, Danny Palmer tells us that This destructive ransomware has made crooks $6m by encrypting data and backups – “Attackers behind destructive SamSam ransomware show no signs of giving up – and they’re now taking $300,000 a month in ransom from victims.”

Bleeping Computer: BitPaymer Ransomware Infection Forces Alaskan Town to Use Typewriters for a Week – “In a PDF report published yesterday, Wyatt finally identified the “virus” as the BitPaymer ransomware. This ransomware strain was first spotted in July 2017, and it first made news headlines in August 2017 when it hit a string of Scottish hospitals.”

Updates to Tech support scams resource page

Sean Gallagher for ArsTechnica: Click on this iOS phishing scam and you’ll be connected to “Apple Care” – “This phishing attack also comes with a twist—it pops up a system dialog box to start a phone call. The intricacy of the phish and the formatting of the webpage could convince some users that their phone has been “locked for illegal activity” by Apple, luring users into soon clicking to complete the call.”

Commentary from Sophos: Porn-warning security scam hooks you up to “Apple Care”

Advertisements

Tech support scams article for ESET

Update to Tech support scams resource page

Article by me for ESET: Tech support scams and the call of the void

“Christopher Burgess for Security Boulevard on what happens When Scammers Fill the Tech Support Void … says: “I still haven’t figured out why those companies that provide tech support tend to hide the connectivity to these saviors of their brand in the weeds of the website, but they do, and we search—and sometimes we strike gold.”

However, I don’t think the reluctance of companies to draw attention to their support services is too much of a mystery…”

There may be persuasive reasons why providers are reluctant to engage directly with their customers, but the consequences may be grim for both provider and customer.

David Harley

Resource updates 20th March 2018

[Update to Ransomware Resources page, also posted to Chain Mail Check]

If I had a separate category for ‘miscellaneous extortion’ this might belong there. Included here because it isn’t just a hoax, but one that centres on extortion, though it looks as if the point is to embarrass/harass the apparent sender of the extortion email (the Michigan company VELT)  rather than actually make a direct profit from extortion. The company’s CEO told the BBC that the attacker was probably a Minecraft player who had been banned from using the Veltpvp server, by way of revenge.

[Updates to Cryptocurrency/Crypto-mining News and Resources]

[Update to Tech support scams resource page]

Sophos: Fake Amazon ad ranks top on Google search results. “Yep, not for the first time, Google’s been snookered into serving a scam tech support ad posing as an Amazon ad.”

[MacVirus news]

(1) Commenting on Symantec’s warning of a new Fakebank Android variant, Graham Cluley reports: This Android malware redirects calls you make to your bank to go to scammers instead – “MALWARE HELPS SCAMMERS TRICK YOU INTO THINKING YOU’RE SPEAKING TO YOUR BANK.”

The Fakebank malware is only targeting South Korea, right now, but Graham rightly suggests that the same gambit is likely to be re-used elsewhere.

(2) Apple has dealt a major blow to users of supercookies with a security improvement in Safari.

David Harley

Tech support scammers learn to ‘lock’ Chrome

For Malwarebytes, Jérôme Segura continues to fight the good fight against support scammers by warning us that ‘Tech support scammers find new way to jam Google Chrome‘. (If you saw this when it first appeared, note that it has been updated since.) By abusing an API, the scammers manage to freeze the browser in the hope that users will be panicked into calling the fake ‘helpline’ advertised on the pop-up or pop-under that accompanies the freeze.

However, he observes:

Since most of these browser lockers are distributed via malvertising, an effective mitigation method is to use an ad-blocker. As a last resort, the Windows Task Manager will allow you to forcefully quit the offending browser processes.

David Harley

Coercive Messaging

It’s not all about tech support scams, but Microsoft’s announcement about beefing up detection of ‘coercive messaging’ in Windows Defender is certainly related to some approaches used by tech support scammers, such as the use of malware that directs victims to a scam-friendly ‘helpline’.

Coercive messaging? As indicated in Microsoft’s evaluation criteria for malware and unwanted software,  that would be messages that ‘display alarming or coercive messages or misleading content to pressure you into paying for additional services or performing superfluous actions.’ That includes exaggerating or misrepresenting system errors and issues, claiming to have a unique fix, and using the well-worn scamming technique of rushing the victim into responding in a limited time-frame.

Certainly that’s all characteristic of the way that fake tech support is monetized, but it’s also characteristic of the lower-profiled but persistent issue of useless ‘system optimizers’.

Microsoft’s article actually strongly resembles some of the hot potatoes topics addressed by the Clean Software Alliance, which describes itself as ‘a self-regulatory organization for software distribution and monetization’. Unsurprisingly, since Microsoft had a great deal to do with the launching of the initiative. Anyway, it covers a great many issues that are well worth considering. I don’t think Microsoft and Windows Defender will be able to fix all these problems all on its/their own, but any movement in this direction is a Good Thing.

Shorter article focused more on coercive messaging from Barak Shein, of the Windows Defender Security Research Team: Protecting customers from being intimidated into making an unnecessary purchase.

Commentary by Shaun Nichols for The Register: Windows Defender will strap pushy scareware to its ass-kicker machine – Doomed: Junkware claiming it can rid PCs of viruses, clean up the Registry, etc

On behalf of the security industry, which provides a large chunk of my income, maybe I should stress that not all programs that claim to rid PCs of viruses are junkware. 🙂 But perhaps it’s worth remembering that the difference between legitimate and less legitimate marketing is sometimes paper-thin. And talking about papers, here’s one on that very topic. 🙂 However, since that ESET paper for an EICAR conference goes back to 2011, maybe I should consider revisiting the topic.

David Harley

Kevin Townsend: some actions against tech support scammers

Kevin Townsend, for Security Week, reports on action against tech support scammers in the US and UK.

Tech Support Scammers Fined in US, Jailed in UK

Kevin says:

Ohio Attorney General Mike DeWine and the Federal Trade Commission (FTC) announced Monday that operators of a nationwide computer repair scam have been banned from the tech support business as part of settlements with the FTC and Ohio.

Includes some commentary from me.

David Harley

Scammers and jobhunters

Article for ESET by me: Scammers and jobhunters. Sparked by an article in the Guardian on The scammers gaming India’s overcrowded job market  by Snighda Poonam. Hat tip to Steve Burn for calling my attention to it.

TL:DR – low-grade scammers may be scam victims too, and the depressed job market in India makes it inevitable that sometimes people will take any job they can get. But understanding that doesn’t mean we shouldn’t protect ourselves.

David Harley

‘AdultSwine’ – Android malware with a dirty mind

The Register: ‘Mummy, what’s felching?’ Tot gets smut served by Android app – Google’s Play Store fails again

Actually, I didn’t know about felching, either, and I wish I hadn’t looked it up.

Based on Checkpoint’s blog article Malware Displaying Porn Ads Discovered in Game Apps on Google Play. Checkpoint says that this is a triple-threat attack: it may display ads that are often (very) pornographic, engineer users into installing fake security apps, and/or induce them to register with premium services.

David Harley

Tech support scams: alive, kicking, and audio talking trash

Paul Ducklin for Sophos: Watch out – fake support scams are alive and well this Christmas

The first part of the article is a recap of old-school tech support scam cold-calling, but the rest describes what happened when someone clicked on ‘one of those “you’ll never believe what happened next” stories’. The resulting ‘alert’ included an automatic voice-over. While the voice-over (which you can hear on the page above) is full of laughable transcription errors and false information, it could certainly scare someone not particularly tech-literate into falling for the scam.

David Harley

Tech Support Scams: leveraging Spotify for Google and Bing SEO

Lawrence Abrams for Bleeping Computer: Tech Support Scammers Invade Spotify Forums to Rank in Search Engines

Extract: “Over the past few months, Tech Support scammers have been using the Spotify forums to inject their phone numbers into the first page of the Google & Bing search results. They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google.”

David Harley