[11th October 2018]
The recent (rescinded) Windows 10 upgrade – if you’ll pardon the expression – does seem to have attracted a load of scams as well as creating problems itself with profile corruption and deleted files and folders. Scams I’ve seen mentioned include ransomware masquerading as the upgrade installer [Microsoft doesn’t distribute upgrades – or links to upgrades – through email!], and tech support scammers offering ‘help’ with the upgrade (via phone calls or pop-ups). Here’s an example of the latter: Remove “Windows 10 Pro Update Failed” Fake Alerts (Microsoft Scam)
[10th October 2018]
A comment on one of my ESET blog articles on old-school tech support scams pointed out that “A similar variation is still going round starting with the assertion that your broadband speed is below par and he was working on behalf of my ISP. When we got as far as typing “assoc” in the command window I looked for proof of identification (which I should have asked for at the start!). As tempers flared I hung up the line.”
Jérôme Segura adds to our knowledge of current support scam tricks by describing how Scammers Impersonate ISPs in New Tech Support Campaign. Scammers have, in fact, impersonated ISPs before, though not as often as they’ve pretended to be Microsoft (or working on behalf of Microsoft), and not as often as I expected when I wrote about this possibility back in 2010.
The difference here is that they’re not simply ringing up and saying ‘I’m from your ISP’, or even ‘I’m from Verizon’ (which rings an alarm bell if you know your service provider is a completely different company). Instead, they use a nifty little wrinkle: the pop-up page sees the visitor’s public IP address as soon as it loads, and a lookup of that address against ISP allocation data tells the scammers which provider to impersonate. I remember with some regret the days when a support scammer couldn’t even lie convincingly about knowing your IP address, but the scams have come to rely on increasingly sophisticated tricks, and on a barrage of pop-ups aimed at getting you to ring them rather than vice versa. Clearly, such a pop-up is more effective if it’s customized to name the potential victim’s real ISP, and it may even take the form of a customized audio message.
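Working out the ISP takes nothing more than a longest-prefix match of the visitor’s IP address against an allocation table, the same enrichment a SOC analyst does when triaging a log. The following is an added example (my own illustration, not code from the article, and not taken from any scam kit): the matching logic in Python over a small constructed table that uses documentation address ranges and private-use AS numbers. Real pop-up pages normally call a hosted geolocation/ASN web service rather than carrying a table, and the function and table names here are hypothetical.

```python
import ipaddress

# Constructed prefix-to-organisation table: documentation ranges (RFC 5737 / RFC 3849),
# private-use AS numbers and invented names. A real lookup uses an ASN/geolocation database.
PREFIX_TABLE = [
    ("203.0.113.0/24",   "AS64500 Example Cable Co"),
    ("203.0.113.128/25", "AS64501 Example Fibre Ltd"),   # more specific than the /24 above
    ("198.51.100.0/24",  "AS64502 Example Telecom"),
    ("2001:db8::/32",    "AS64503 Example IPv6 ISP"),
]

# Addresses a web server may still see (RFC 1918, loopback, link-local, ULA) that name no ISP.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def build_table(rows):
    """Parse the CIDR strings and sort longest prefix first, so the first hit is the most specific."""
    nets = [(ipaddress.ip_network(cidr, strict=True), org) for cidr, org in rows]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets

TABLE = build_table(PREFIX_TABLE)

def lookup_isp(ip_text, table=TABLE):
    """Return the organisation string for ip_text, or None when nothing can be learned from it."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None                      # garbage in a header field, not an address
    if any(addr.version == net.version and addr in net for net in UNROUTABLE):
        return None                      # NAT-internal or VPN-internal address tells the page nothing
    for net, org in table:
        if addr.version == net.version and addr in net:
            return org                   # longest prefix wins because of the sort order
    return None

def popup_text(ip_text):
    """The customisation the article describes: name the ISP when known, stay generic otherwise."""
    org = lookup_isp(ip_text)
    if org is None:
        return "Your Internet service provider has detected a problem with your connection"
    isp_name = org.split(" ", 1)[1]      # drop the leading AS number
    return f"{isp_name} has detected a problem with your connection"

if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.200", "192.168.1.10", "8.8.8.8"):
        print(ip, "->", popup_text(ip))
```

The fallback branches are the interesting part for a defender: a visitor coming through a VPN or corporate proxy, or from a prefix the scammers’ data source doesn’t cover, gets the generic wording, which is one reason the same campaign can produce both “your ISP” and “Verizon” variants of the pop-up.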
Once they do get you on the phone, though, it seems they still lean heavily on old favourite ploys, for example the INF ploy noted in the Malwarebytes article. Here’s a description of how it works from another of my articles.
INF and PREFETCH aren’t really commands at all, let alone malware scanners, though the Run box will accept them: typed there, “prefetch” opens the folder C:\Windows\Prefetch, containing the .pf files Windows uses to speed up loading programs, and “inf” opens the folder C:\Windows\Inf, containing the .inf setup files used in installing the system and its drivers. So how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then to type in something like “prefetch hidden virus” or “inf trojan malware”. When the folder listing appears, the victim believes that the system is listing malicious files. In fact, everything after the first word is ignored: neither name accepts parameters in the Run box. You could type “inf elvish fantasy” or “prefetch me a gin and tonic” and you’d get exactly the same directory listing, showing legitimate files.
And, of course, I still see innumerable reports of scammers using the tired old CLSID gambit: the victim is talked into opening a command prompt and typing “assoc”, which simply lists the file-extension associations present on every Windows system, and the CLSID shown for .zfsendtotarget ({888DCA60-FC0A-11CF-8F0F-00C04FD7D062}, identical on every machine) is presented as the victim’s unique computer ID, which the scammer of course ‘already has on file’. Evidently these things still work. Perhaps they’re more convincing when they come from a ‘support desk’ that you’ve been misdirected into ringing, rather than from a random cold-caller, but they’re still the same old drivel.
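Anyone cleaning up after a victim of the INF/prefetch ploy or the CLSID gambit can usually recover exactly what was typed: the Run box keeps its history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, one single-letter value per entry with a trailing “\1”, plus an MRUList value giving the letters in most-recent-first order. The following is an added example (mine, not the article’s): a Python parser for an exported copy of that key which rebuilds the order and flags the Run-box ploys discussed above (“inf”, “prefetch”, and “cmd” as the gateway to the assoc/CLSID routine). The .reg text is constructed sample data and the function names are hypothetical.

```python
import re

# Constructed .reg export of a victim's Run-box history (sample data, not from a real machine).
# Each entry is stored as "<what was typed>\1"; MRUList gives the most-recent-first order.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="inf trojan malware\\1"
"c"="cmd\\1"
"d"="prefetch hidden virus\\1"
"MRUList"="dcba"
'''

# First word of a Run-box entry that a support scammer typically dictates, with the note to put
# in the report. Only the first word matters, because the Run box ignores whatever follows it.
RUN_BOX_PLOYS = {
    "inf": "opens C:\\Windows\\Inf (setup .inf files); trailing words are ignored",
    "prefetch": "opens C:\\Windows\\Prefetch (.pf files); trailing words are ignored",
    "cmd": "command prompt, usually followed by 'assoc' and the CLSID gambit (noisy on its own)",
}

_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_values(reg_text):
    """Collect the "name"="data" lines of a .reg export, undoing the \\ and \" escaping."""
    values = {}
    for line in reg_text.splitlines():
        match = _VALUE_LINE.match(line.strip())
        if match:
            name, raw = match.groups()
            values[name] = re.sub(r"\\(.)", r"\1", raw)
    return values

def runmru_history(values):
    """Return [(rank, typed_text), ...] with rank 1 = most recent and the trailing \\1 removed."""
    history = []
    for rank, letter in enumerate(values.get("MRUList", ""), start=1):
        data = values.get(letter)
        if data is None:
            continue                                  # MRUList may name a value that was deleted
        typed = data[:-2] if data.endswith("\\1") else data
        history.append((rank, typed))
    return history

def flag_support_scam_entries(history):
    """Match the first word of each entry (case-insensitive, .exe stripped) against the ploy list."""
    hits = []
    for rank, typed in history:
        words = typed.split()
        first = re.sub(r"\.exe$", "", words[0].lower()) if words else ""
        if first in RUN_BOX_PLOYS:
            hits.append({"rank": rank, "typed": typed, "token": first, "note": RUN_BOX_PLOYS[first]})
    return hits

if __name__ == "__main__":
    for hit in flag_support_scam_entries(runmru_history(parse_reg_values(SAMPLE_REG))):
        print(f"#{hit['rank']}: {hit['typed']!r} -> {hit['note']}")
```

Matching on the first word only is deliberate: “inf trojan malware” and “inf elvish fantasy” are the same action as far as Windows is concerned, so the words the scammer dictated are evidence of the script being read to the victim, not a signal the parser should depend on. The “cmd” entry is included because the CLSID gambit starts there, but on its own it is too common to treat as more than context for the other hits.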