When advising on how to treat suspicious cold calls from individuals impersonating technical support, law enforcement agencies and computer security experts used to recommend that users simply hang up. This tactic, however, doesn’t quite fit a recent trend in how scammers rip off gullible people.
As opposed to the previously dominant intimidation approach, some of the newer frauds focus on making potential victims think the perpetrators are there to help. Impostor tech support agents now seem polite, responsive, highly professional and not too obtrusive. The main idea is to evoke empathy and convince people to call the unscrupulous services themselves.
The Role of Ads and Browser Hijackers
The brainwashing commences with an advert you stumble upon during a web surfing session. It may be an eye-catching popup that says you have critical security or operating system performance issues and encourages you to click on a button to get the problem fixed.
Another trick that’s becoming increasingly widespread relies on adware: a piece of malicious code hijacks your browser and redirects the web traffic to a deceptive warning page resembling a spooky Blue Screen of Death. These fake error tabs are hard to close or minimize no matter what you click. Instead, when you try to do so, a malicious script may trigger an interactive video of a cute lady trying to lend you a helping hand. The purported support agent will state that you have popup ads turned on, which sure sounds true-to-life because the attack actually began with a popup. Check one example below:
Then, the woman ‘kindly’ offers help to disable ads on the computer. To this end, she provides a toll-free phone number to dial and speak with her directly. In the course of such a conversation, predictably enough, the scammer will try to persuade you to pay for an imitation of system maintenance that won’t actually optimize or repair anything.
In general, the only offensive part of this hoax is the browser rerouting event that ends up taking the would-be victims to a page hosting a video like that. The rest of the communication is close to pleasurable and even trustworthy.
Of course, this vector of tech support fraud has some variables, including the computer issues allegedly detected and the product or service sold along the way. Aside from the above-mentioned scenario of assistance with disabling ads, the impostors may falsely claim you have spyware and other bad viruses on board. To appear persuasive in this regard, the specially crafted scripts on fake warning web pages may grab some of your system details and display them. These usually include the operating system version, the IP address, the name of your Internet service provider, your geographic location as well as the current date.
Once the targeted person dials the phone number indicated on the counterfeit alert, the main part of the social engineering stratagem begins. A “help desk” representative on the other end will most likely say you encountered the popup in the first place because it’s a security feature incorporated in the operating system – if it spots something attacking the OS, it allegedly displays the phone number for assistance.
The scammers have a catch in store for those who hesitate over whether to continue this conversation. They may ask the user to open up the Task Manager and take a look at the number of processes currently running – according to their claims, if it’s more than 40 then there may be malicious activity going on behind the scenes. Another trick involves the Windows Event Viewer, a native OS tool that always lists some minor errors even if the system is perfectly healthy. However, the fraudsters will not fail to state that these errors indicate critical stability and malware issues.
After asking users to open the System Configuration interface (MSConfig), the fake agents focus on items under the Services tab whose status is “Stopped,” wrongly labeling those as corrupted and claiming there is a critical malfunction in place. Windows prefetch files are in the bad guys’ manipulative arsenal, too: they say those are all spyware objects.
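The four readings the callers point at in the two paragraphs above can be collected as a read-only baseline. This is an added example, not part of the original article; the one-week look-back window and the report layout are assumptions made here.

```powershell
# Added example (not from the article): read-only baseline of the four
# "symptoms" that fake support agents point at. Nothing on the system is changed.
$since = (Get-Date).AddDays(-7)   # assumption: one-week look-back window

# 1. Task Manager: running processes (the callers' threshold is 40).
$processes = @(Get-Process)

# 2. Event Viewer: Critical (1), Error (2) and Warning (3) entries.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'System', 'Application'
        Level     = 1, 2, 3
        StartTime = $since
    } -ErrorAction SilentlyContinue)

# 3. MSConfig Services tab: services whose status is "Stopped".
$stopped = @(Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Stopped' })

# 4. Prefetch files (listing this folder normally needs an elevated prompt).
$prefetchDir = Join-Path $env:SystemRoot 'Prefetch'
$prefetch = @(Get-ChildItem -Path $prefetchDir -Filter '*.pf' -ErrorAction SilentlyContinue)

# Each reading next to the claim it is used to support on the call.
@(
    [pscustomobject]@{ Check = 'Running processes'; Count = $processes.Count
        CallerClaim = 'more than 40 means malicious activity' }
    [pscustomobject]@{ Check = 'Event log entries (7 days)'; Count = $events.Count
        CallerClaim = 'errors mean stability and malware issues' }
    [pscustomobject]@{ Check = 'Stopped services'; Count = $stopped.Count
        CallerClaim = 'stopped means corrupted' }
    [pscustomobject]@{ Check = 'Prefetch files'; Count = $prefetch.Count
        CallerClaim = 'all are spyware objects' }
) | Format-Table -AutoSize

# Context for check 2: which components logged the entries.
$events | Group-Object ProviderName | Sort-Object Count -Descending |
    Select-Object -First 5 -Property Count, Name | Format-Table -AutoSize

# Context for check 3: start type of the stopped services
# (the StartType property needs PowerShell 5 or later).
$stopped | Group-Object StartType |
    Select-Object -Property Count, Name | Format-Table -AutoSize
```

Stopped services whose start type is Manual or Disabled are stopped by design, and the provider breakdown shows which Windows components produced the Event Viewer entries.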
The product that tech support scammers tell their victims to purchase can be security software of questionable repute or a remote repair service, possibly with a “lifetime support” subscription. The amount of money they ask for is usually somewhere in the range of $200-350.
Remote Administration Tools
The use of RATs like TeamViewer or LogMeIn Rescue is another common trait of many of these scam campaigns. Solutions like that are used by millions around the globe for numerous benign purposes, but cybercriminals have come to leverage their functionality maliciously. When deploying the infamous Microsoft support fraud, for instance, fake agents tell users to download TeamViewer and provide sensitive details like the ID and password, allegedly for the sake of troubleshooting. Once the con artists obtain this information, they get full control of the target’s machine.
Before providing technical assistance with fixing nonexistent issues, though, the fraudsters remotely open the web browser, navigate to a payment page and tell the victim to submit money using their credit card. With that scope of computer control in their hands, they can do a lot of damage in case the user refuses to pay. For example, it’s not a problem to blatantly obliterate one’s personal files this way or affect the system’s stability overall by deleting critical hardware drivers.
A Decline in Cold Calling
A clear tendency in the evolution of tech support scams over the past months is a shift toward interactive techniques. The fraudsters have adopted a scheme where they needn’t call potential victims anymore – it’s users who now reach these bogus support centers themselves. All it takes to pull off an attack like that is to surreptitiously deposit malware onto one’s system, redirect the web browser to a fake warning site and then add a little bit of social engineering to the mix in order to impose a paid pseudo-fix. A focus on ostensible helpfulness through empathy is another noteworthy novelty of the present-day fraud campaigns.
This article is written by David Balaban. He is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.