Category Archives: support scams

Malwarebytes on Browlock encoding

Posted on the Malwarebytes blog over a week ago, but I’ve been out of office. Still, this is definitely worth reading.

Jérôme Segura for Malwarebytes: Browlock flies under the radar with complete obfuscation – “Browlocks are the main driving force behind tech support scams, using a combination of malvertising and clever browser locker tricks to fool users.  [….] Recently we’ve seen the “evil cursor” that prevents you from closing the fake alert, and the fake virus download that insinuates your computer is already infected. This time, we look at how browser locker pages use encoding to bypass signature-based detection.”

David Harley

Advertisements

22nd October AVIEN updates

Updates to Anti-Social Media 

Wired: How a suspicious Facebook page is pushing pro-Brexit ads to millions – “The UK’s fake news inquiry says the website Mainstream has spent around £257,000 on pushing a pro-Brexit advertising campaign on Facebook in the last 10 months. The problem? Nobody knows who runs the page or where the money comes from”

And I somehow didn’t get round to posting this nearly a year ago, but it’s still worth reading. The Verge: Former Facebook exec says social media is ripping apart society – ‘No civil discourse, no cooperation; misinformation, mistruth….He went on to describe an incident in India where hoax messages about kidnappings shared on WhatsApp led to the lynching of seven innocent people.’

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Pierluigi Paganini: Researchers found that one of the most popular Internet of Things real-time operating system, FreeRTOS, is affected by serious vulnerabilities.

Refers to this blog by Zimperium: FreeRTOS TCP/IP Stack Vulnerabilities Put A Wide Range of Devices at Risk of Compromise: From Smart Homes to Critical Infrastructure Systems

Updates to Tech support scams resource page

Lawrence Abrams for Bleeping Computer: McAfee Tech Support Scam Harvesting Credit Card Information. A scam that has its cake and attempts to eat it. Several times.

“Essentially, these scammers are not only earning commissions on affiliate sales, but also stealing your credit card and personal information. This information can then be used to charge other purchases or perform identity theft using your credentials.”

David Harley

Additions to the AVIEN Support Scams resource page

[11th October 2018]

The recent (rescinded) Windows 10 upgrade – if you’ll pardon the expression – does seem to have attracted a load of scams as well as creating problems itself with profile corruption and deleted files and folders. Scams I’ve seen mentioned include ransomware masquerading as the upgrade installer [Microsoft doesn’t distribute upgrades – or links to upgrades – through email!], and tech support scammers offering ‘help’ with the upgrade (via phone calls or pop-ups). Here’s an example of the latter: Remove “Windows 10 Pro Update Failed” Fake Alerts (Microsoft Scam)

[10th October 2018]

A comment on one of my ESET blog articles on old-school tech support scams pointed out that “A similar variation is still going round starting with the assertion that your broadband speed is below par and he was working on behalf of my ISP. When we got as far as typing “assoc” in the command window I looked for proof of identification (which I should have asked for at the start!). As tempers flared I hung up the line.”

David Harley

Tech support scam update

Updates to Tech support scams resource page

Jérôme Segura reports (20th September 2018) for Malwarebytes on Mass WordPress compromises redirect to tech support scams. There have been high volumes of hijackings of sites using the WordPress content management system, especially sites using outdated plugins. Prominent among the client-side payloads observed by Malwarebytes are redirections to tech support scams. Segura notes that:

“That .TK URL pattern is well known and has been documented in detail as part of a large Traffic Distribution System (TDS) responsible for massive redirections to browlock pages. Note the custom mouse cursor (the “Evil cursor”), which we reported on recently, has yet to be patched.”

David Harley

Tech support scams: curse of the Evil Cursor, and Technet ads removed

Jérôme Segura for Malwarebytes: Partnerstroka: Large tech support scam operation features latest browser locker – “We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser lockers (browlocks) pages. … we were still able to isolate incidents pertaining to this group which we have been tracking under the name Partnerstrokam …. and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome.”

Summary/commentary from Zeljka Zorz for Help Net: Tech support scammers leverage “evil cursor” technique to “lock” Chrome


John E. Dunn for Sophos: Microsoft purges 3,000 tech support scams hiding on TechNet – “Microsoft has taken down thousands of ads for tech support scams that had infested the company’s TechNet support domain in a sly attempt to boost their search ranking….Microsoft’s site was home to around 3,000 of these ads, mostly associated with the gallery.technet.microsoft.com downloads section.

The ads covered a wide range of fraudulent support issues, from virtual currency sites to Google Wallet and Instagram. Johnston told ZDNet…”

David Harley

Ransomware and support scam updates

 

Updates to Specific Ransomware Families and Types

The Register: Please forgive me, I can’t stop robbing you: SamSam ransomware earns handlers $5.9m – “Sophos has been investigating the SamSam campaign since its emergence. A study (PDF) based on this research – released on Tuesday – summarises its findings about the attacker’s tools, techniques and protocols.” For ZDnet, Danny Palmer tells us that This destructive ransomware has made crooks $6m by encrypting data and backups – “Attackers behind destructive SamSam ransomware show no signs of giving up – and they’re now taking $300,000 a month in ransom from victims.”

Bleeping Computer: BitPaymer Ransomware Infection Forces Alaskan Town to Use Typewriters for a Week – “In a PDF report published yesterday, Wyatt finally identified the “virus” as the BitPaymer ransomware. This ransomware strain was first spotted in July 2017, and it first made news headlines in August 2017 when it hit a string of Scottish hospitals.”

Updates to Tech support scams resource page

Sean Gallagher for ArsTechnica: Click on this iOS phishing scam and you’ll be connected to “Apple Care” – “This phishing attack also comes with a twist—it pops up a system dialog box to start a phone call. The intricacy of the phish and the formatting of the webpage could convince some users that their phone has been “locked for illegal activity” by Apple, luring users into soon clicking to complete the call.”

Commentary from Sophos: Porn-warning security scam hooks you up to “Apple Care”

Tech support scams article for ESET

Update to Tech support scams resource page

Article by me for ESET: Tech support scams and the call of the void

“Christopher Burgess for Security Boulevard on what happens When Scammers Fill the Tech Support Void … says: “I still haven’t figured out why those companies that provide tech support tend to hide the connectivity to these saviors of their brand in the weeds of the website, but they do, and we search—and sometimes we strike gold.”

However, I don’t think the reluctance of companies to draw attention to their support services is too much of a mystery…”

There may be persuasive reasons why providers are reluctant to engage directly with their customers, but the consequences may be grim for both provider and customer.

David Harley

Resource updates 20th March 2018

[Update to Ransomware Resources page, also posted to Chain Mail Check]

If I had a separate category for ‘miscellaneous extortion’ this might belong there. Included here because it isn’t just a hoax, but one that centres on extortion, though it looks as if the point is to embarrass/harass the apparent sender of the extortion email (the Michigan company VELT)  rather than actually make a direct profit from extortion. The company’s CEO told the BBC that the attacker was probably a Minecraft player who had been banned from using the Veltpvp server, by way of revenge.

[Updates to Cryptocurrency/Crypto-mining News and Resources]

[Update to Tech support scams resource page]

Sophos: Fake Amazon ad ranks top on Google search results. “Yep, not for the first time, Google’s been snookered into serving a scam tech support ad posing as an Amazon ad.”

[MacVirus news]

(1) Commenting on Symantec’s warning of a new Fakebank Android variant, Graham Cluley reports: This Android malware redirects calls you make to your bank to go to scammers instead – “MALWARE HELPS SCAMMERS TRICK YOU INTO THINKING YOU’RE SPEAKING TO YOUR BANK.”

The Fakebank malware is only targeting South Korea, right now, but Graham rightly suggests that the same gambit is likely to be re-used elsewhere.

(2) Apple has dealt a major blow to users of supercookies with a security improvement in Safari.

David Harley

Tech support scammers learn to ‘lock’ Chrome

For Malwarebytes, Jérôme Segura continues to fight the good fight against support scammers by warning us that ‘Tech support scammers find new way to jam Google Chrome‘. (If you saw this when it first appeared, note that it has been updated since.) By abusing an API, the scammers manage to freeze the browser in the hope that users will be panicked into calling the fake ‘helpline’ advertised on the pop-up or pop-under that accompanies the freeze.

However, he observes:

Since most of these browser lockers are distributed via malvertising, an effective mitigation method is to use an ad-blocker. As a last resort, the Windows Task Manager will allow you to forcefully quit the offending browser processes.

David Harley

Coercive Messaging

It’s not all about tech support scams, but Microsoft’s announcement about beefing up detection of ‘coercive messaging’ in Windows Defender is certainly related to some approaches used by tech support scammers, such as the use of malware that directs victims to a scam-friendly ‘helpline’.

Coercive messaging? As indicated in Microsoft’s evaluation criteria for malware and unwanted software,  that would be messages that ‘display alarming or coercive messages or misleading content to pressure you into paying for additional services or performing superfluous actions.’ That includes exaggerating or misrepresenting system errors and issues, claiming to have a unique fix, and using the well-worn scamming technique of rushing the victim into responding in a limited time-frame.

Certainly that’s all characteristic of the way that fake tech support is monetized, but it’s also characteristic of the lower-profiled but persistent issue of useless ‘system optimizers’.

Microsoft’s article actually strongly resembles some of the hot potatoes topics addressed by the Clean Software Alliance, which describes itself as ‘a self-regulatory organization for software distribution and monetization’. Unsurprisingly, since Microsoft had a great deal to do with the launching of the initiative. Anyway, it covers a great many issues that are well worth considering. I don’t think Microsoft and Windows Defender will be able to fix all these problems all on its/their own, but any movement in this direction is a Good Thing.

Shorter article focused more on coercive messaging from Barak Shein, of the Windows Defender Security Research Team: Protecting customers from being intimidated into making an unnecessary purchase.

Commentary by Shaun Nichols for The Register: Windows Defender will strap pushy scareware to its ass-kicker machine – Doomed: Junkware claiming it can rid PCs of viruses, clean up the Registry, etc

On behalf of the security industry, which provides a large chunk of my income, maybe I should stress that not all programs that claim to rid PCs of viruses are junkware. 🙂 But perhaps it’s worth remembering that the difference between legitimate and less legitimate marketing is sometimes paper-thin. And talking about papers, here’s one on that very topic. 🙂 However, since that ESET paper for an EICAR conference goes back to 2011, maybe I should consider revisiting the topic.

David Harley