Sponsored Links
-->

Saturday, October 6, 2018

Look Out For Technical Support Warning Popup Scam - PC Doctors Inc ...
src: pcdoctorsinc.com

A technical support scam refers to a class of telephone fraud activities, in which a scammer claims to offer a legitimate technical support service, often via cold calls to unsuspecting users. Such cold calls are mostly targeted at Microsoft Windows users, with the caller often claiming to represent a Microsoft technical support department.

In English-speaking countries such as the United States, Canada, United Kingdom, Ireland, Australia and New Zealand, such cold call scams have occurred as early as 2008 and primarily originate from call centers in India.

The scammer will typically attempt to get the victim to allow remote access to their computer. After remote access is gained, the scammer relies on confidence tricks typically involving utilities built into Windows and other software in order to gain the victim's trust to pay for the supposed "support" services, when the scammer actually steals the victim's credit card account information, or to persuade the victim to login to Internet banking--lying that a secure server is connected and that they cannot see the details--to receive a promised refund.


Video Technical support scam



Operation

Technical support scams typically rely on social engineering. Scammers use a variety of confidence tricks to get the victim to install remote desktop software, with which they take control of the victim's computer, and then use various Windows components and utilities (such as the Event Viewer), third-party utilities (such as rogue security software), and other tasks to make the victim believe that the computer has issues that need to be fixed, before proceeding for the victim to pay for "support".

Initiation

Technical support scams can begin in a variety of different ways. It most commonly begins with a cold call, usually claiming to be associated with a legitimate-sounding third-party, with a name like "Microsoft" or "Windows Technical Support", or via advertising on popular search engines such as Bing or Google, cybersquatting and/or spamming keywords related to commercial products and services that an unsuspecting user may search for (such as "Microsoft live chat", "Facebook support", or "Outlook login help"), and leading to web pages containing a number to be called. Some scams have been initiated via pop-up ads on infected websites instructing the potential victim to call a number. These pop-ups often resemble error messages such as the Blue Screen of Death.

Remote access

The scammer instructs the victim to download and install a remote access program, such as TeamViewer, LogMeIn, GoToAssist, ConnectWise Control (known also as ScreenConnect), etc., and provide them with the details required to remote-control their computer using that program.

Confidence tricks

After gaining access, the scammer attempts to convince the victim that their computer is suffering from problems that must be repaired. A number of common methods are used during many technical support scams--most of which involve misrepresenting the content and output of various Windows tools and system directories as evidence of malicious activity, such as viruses and other malware. Normally the elderly and the vulnerable will be targeted for technical support scams, or for people who aren't familiar with computers.

  • The scammer may direct users to Windows' Event Viewer, which displays a log of various events for use by system administrators and expert users to troubleshoot problems. Although many of the log entries are relatively harmless notifications, the scammer may fraudulently claim that log entries labelled as warnings and errors are evidence of malware activity or that the computer is becoming corrupted, and that the errors must be "fixed".
  • The scammer may present system folders that contain unusually named files, such as Windows' Prefetch and Temp folders, and claim that the files are evidence of malware on the system. Furthermore, the scammer may open some of these files (especially files in Prefetch folder) in Notepad, which shows up as "gibberish" characters known as Mojibake. The scammer claims that malware has "corrupted" these files. In reality, most of the files in Prefetch are binary files (which can not be displayed properly using Notepad) which speed up certain operations.
  • The scammer may misuse Command Prompt tools to generate suspicious-looking output, for instance, the tree or dir /s command, which displays a listing of files and directories. The scammer may claim the innocuous program to be a malware scanner, and manually enter text purporting to be an error message (such as "security breach ... trojans found") after the conclusion of the output, or into a blank notepad document.
  • The scammer may misrepresent values and keys stored in the Windows Registry as being malicious, such as innocuous keys whose values are listed as not being set.
  • The "Send To" function on Windows is associated with a globally unique identifier. The output of the command assoc, which lists all file associations on the system, displays this association with the line ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}; this GUID is the same on all versions of Windows. The scammer may claim that this is a unique ID used to identify the user's computer, or claim that the "CLSID" listed is actually a "Computer Licence Security ID" that must be renewed.
  • The scammer may also claim that the system's "problems" are a result of "expired" warranties on its hardware or software, for example, Windows Product Keys and coax the victim into paying for a "renewal".
  • The scammer may run the obscure Syskey utility and configure a startup password known only to them, thereby locking the victim out of their own system after the computer is rebooted.
  • The scammer may have a keylogger installed on their computer and may successfully change the users account password and/or create a PIN number if the victims computer runs on Windows 10 because Windows 10 computers no longer have the Syskey utility, therefore locking the victim out of their computer as soon as it reboots.
  • The scammer may delete Windows critical files and folders such as System32, making the computer unusable until the operating system has been reinstalled.
  • The scammer may block the user from viewing their screen, pretend that this is the result of malware, and use the time to search the user's files for sensitive information or attempt to break into the user's accounts with stolen or stored credentials.
  • The scammer may run the Netstat command in a terminal/command window, which shows the victim's foreign IP address. The scammer then tells the victim that these addresses belong to hackers that have intruded the computer.

Objectives

These tricks are meant to target victims who may be unfamiliar with the actual uses of these tools, such as inexperienced users and senior citizens--especially when the scam is initiated by a cold call. They then coax the victim into paying for their services or software which they claim is designed to "repair" their computer, which actually is malware that infects it or software that causes other damage. The scammers in turn, gain access to the victim's credit card information, which can be used to make additional fraudulent charges. Afterwards, the scammer may also claim that the victim is eligible for a refund, and request the user's bank account information--which is instead used to steal more money from the victim, rather than providing the promised refund. Alternatively, a scammer may attempt to request payment using gift cards for online platforms such as Amazon.com, Google Play, and iTunes Store.

In an investigation conducted by Symantec employee Orla Cox, it was revealed that after Cox paid for the fee for the scammer to remove the nonexistent "malware" infections, the scammers would then merely clear the log in the Event Viewer and disable Windows' event logging feature. This merely means that errors would no longer appear in the Event Viewer, i.e. had malware actually existed on Cox's computer, it would remain intact.


Maps Technical support scam



Unethical and fake "support" companies

The great majority of the complaints and discussion about companies that cold-call and offer "technical support" report them as being not merely incompetent or ineffective, but actively dishonest, doggedly trying to convince the victim of non-existent problems by trickery, and when possible damaging a computer they gain access to. Computer support companies advertise on search engines like Google and Bing, but some are heavily criticised, sometimes for practices similar to the cold callers. One example is the India-based company iYogi, which has been reported by InfoWorld to use scare tactics and install undesirable software. In December 2015, the state of Washington sued iYogi's US operations for scamming consumers and making false claims in order to scare the users into buying their diagnostic software. iYogi, which was required to respond formally by the end of March 2016, said before its response that the lawsuit filed was without merit. In September 2011, Microsoft dropped Comantra, a Gold Partner, from their Microsoft Partner Network because of accusations of being involved in cold-call technical support scams.

In December 2014, Microsoft filed a lawsuit against a California-based company operating such scams for "misusing Microsoft's name and trademarks" and "creating security issues for victims by gaining access to their computers and installing malicious software, including a password grabber that could provide access to personal and financial information." In an effort to protect consumers, Microsoft-owned advertising network Bing Ads (which services ad sales on Bing and Yahoo! Search engines) amended its terms of service in May 2016 to prohibit the advertising of third-party technical support services or ads claiming to "provide a service that can only be provided by the actual owner of the products or service advertised". Google Search followed suit in August 2018, but going further by banning any advertising related to technical support, regardless of source, citing that it had become too difficult to differentiate legitimate providers from scams.

In November 2017, a scam company called Myphonesupport initiated a petition seeking the Identities of the John Does under the New York court against services, which scam baiters used to disrupt their scamming business. The case has since been disposed.


Look Out For Technical Support Warning Popup Scam - PC Doctors Inc ...
src: pcdoctorsinc.com


Scam baiting

Tech support scammers are regularly targeted by scam baiting both on and offline, with individuals seeking to cause inconvenience to the scammers by wasting their time, and by disabling the scammer's computer systems by deploying RATs, distributed denial of service attacks and destructive computer viruses. Scam baiters may also attempt to lure scammers into exposing their unethical practices by leaving dummy files or malware disguised as confidential information such as credit/debit card information and passwords on a virtual machine for the scammer to attempt to steal, only to infect themselves, and utilise software to repeatedly auto dial a scam call centre, effectively paralysing operations for varying periods of time.


itechhelps.com Fake Microsoft Tech Support Scam Call 7/20/2015 ...
src: i.ytimg.com


See also

  • Cybercrime in India
  • List of confidence tricks
  • Telemarketing fraud
  • Virus hoax
  • Rogue antivirus

Malware-Traffic-Analysis.net - 2017-05-30 - EITest campaign ...
src: www.malware-traffic-analysis.net


References


Remove the Windows Defender Alert Tech Support Scam Popup
src: www.bleepstatic.com


External links

  • Official Microsoft support page on technical support scams
  • Official Symantec support page on technical support scams
  • Example of a scam with narration and screen recording on YouTube
  • Investigation with recordings by a security research group
  • Dial One for Scam: A Large-Scale Analysis of Technical Support Scams

Source of article : Wikipedia