Jérôme Segura adds to our knowledge of current support scam tricks by describing how Scammers Impersonate ISPs in New Tech Support Campaign. Scammers have, in fact, impersonated ISPs before, though not as often as they’ve pretended to be Microsoft (or working on behalf of Microsoft), and not as often as I expected when I wrote about this possibility back in 2010.
The difference here is that they’re not simply ringing up and saying ‘I’m from your ISP’ or even ‘I’m from Verizon’ (which rings a slight alarm bell if you know your service provider is a completely different company). They’re using a nifty little wrinkle to determine the victim’s ISP from his or her IP address. I remember with some regret the days when a support scammer couldn’t even lie convincingly about knowing your IP address, but the scams have been based on increasingly sophisticated tricks, and on a barrage of pop-ups aimed at getting you to ring them rather than vice versa. Clearly, such a pop-up message is more effective if it’s actually customized to correspond to a potential victim’s real ISP, and may even take the form of a customized audio message.
Once they do get you on the phone, though, it seems they still lean heavily on old favourite ploys, for example the INF ploy noted in the Malwarebytes article. Here’s a description of how it works from another of my articles.
INF and PREFETCH are legitimate system utilities: The “Prefetch” command shows the contents of C:\Windows\Prefetch, containing files used in loading programs. The “INF” command actually shows the contents of a folder normally named C:\Windows\Inf: it contains files used in installing the system. So how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then asking them to type in something like “prefetch hidden virus” or “inf trojan malware”. When a folder listing like those above appears, the victim believes that the system is listing malicious files. In fact, neither of these commands accepts parameters in the Run box. You could type “inf elvish fantasy” or “prefetch me a gin and tonic” and you’d get exactly the same directory listing, showing legitimate files.
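Because the ploy depends on the victim typing into the Run box, one thing a helper or incident responder can check afterwards is the Run dialogue history, which Windows keeps per user under the RunMRU registry key. The following PowerShell is an added example, not code from the original post or from Malwarebytes: it reads that history and flags entries that begin with “inf” or “prefetch” followed by extra words, exactly the pattern of the INF/PREFETCH ploy described above. The function name `Get-RunMruSuspects` and the word list are my own choices; the key path and the “\1” suffix on each stored entry are standard Windows behaviour.

```powershell
# Added example (not from the original post). Reads the current user's Run-dialogue
# history (HKCU\...\Explorer\RunMRU) and flags entries of the form
# "inf <anything>" or "prefetch <anything>", i.e. a folder name followed by
# words the Run box silently ignores, which is how the scam listing is produced.
function Get-RunMruSuspects {
    $runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    $key = Get-ItemProperty -Path $runMru -ErrorAction SilentlyContinue
    if (-not $key -or -not $key.MRUList) {
        Write-Host 'No Run-dialogue history found for this user.'
        return
    }

    # Folder names the ploy relies on; assumed list, extend as needed.
    $ployWords = @('inf', 'prefetch')

    # MRUList holds single-letter value names in most-recent-first order.
    foreach ($slot in $key.MRUList.ToCharArray()) {
        $name = [string]$slot
        $raw  = $key.$name
        if (-not $raw) { continue }

        # Each stored entry ends in a literal "\1"; strip it to get what was typed.
        $typed  = ($raw -replace '\\1$', '').Trim()
        $tokens = $typed -split '\s+'
        $first  = $tokens[0].ToLower()

        $note = ''
        if (($ployWords -contains $first) -and ($tokens.Count -gt 1)) {
            $note = 'SUSPECT: folder name followed by ignored words (INF/PREFETCH ploy)'
        }

        [pscustomobject]@{
            Slot    = $name
            Command = $typed
            Note    = $note
        }
    }
}

# Usage: run in the affected user's session, most recent entry first.
Get-RunMruSuspects | Format-Table -AutoSize
```

The history only records what that user typed into Run, so an empty result does not prove nothing happened; it is a quick confirmation, not a full forensic timeline. The same check works for the CLSID gambit if you add the strings a scammer asked the victim to type to the `$ployWords` list.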
And, of course, I still see innumerable reports of scammers using the tired old CLSID gambit. Evidently these things still work. Perhaps they’re more convincing when they come from a ‘support desk’ that you’ve been misdirected into ringing, rather than from a random cold-caller, but they’re still the same old drivel.