A few weeks ago, sophisticated scammers tricked Google into replacing its very top search result for Amazon.com with their own perfectly spoofed ad, which pointed to a Windows tech support scam.
The aim was simple enough: convince the hapless “victim” that their system was under attack by hackers or malware, and that they should call a number listed on the page.
We published that story. But after we posted, we realized the spoofed ad was only one part of the story.
These Windows tech support scams aren’t new — they’ve been around for years — and their motives and reasons vary by scammer.
Many of these scammers struggle nowadays because most people know not to take suspicious or unsolicited phone calls. So some scammers have figured out that to gain a victim’s trust, the victim has to be the one to call them. What better way than a perfectly spoofed malicious ad on a trusted search engine? The scam begins there and plays out in a carefully crafted, methodical way, drawing the victim in further one step at a time.
We wanted to see how these scammers operate and the tactics they used, so we can offer some advice to potential victims.
There’s a saying in journalism. “Don’t feed the trolls.” In other words, don’t engage with someone you know to be malicious. But we thought this would be a reasonable exception.
And so we went back to call the number on the website to see exactly what they wanted.
The scam seemed simple enough. The scammers wait until victims call them, putting the onus on the caller. Then, with as little effort and as much bluster as possible, they drown the caller in fake or irrelevant information to raise the sense of urgency. With the threat of losing their files at the hands of hackers (who don’t exist), the caller is pressured into turning over their credit card or checking account information. If all goes to plan, the scammers get paid and the caller gets peace of mind.
But when things don’t go their way, things can quickly turn nasty.
We were using an isolated Windows 7 virtual machine hooked up to its host’s Mac network connection. We put a few dummy files on the desktop to make it look like it wasn’t a brand new virtual machine we had pulled directly from Microsoft.
Over the course of a few days, we called the number numerous times from several phone numbers using the same script, and talked to different people at various times of the day and night.
The “technician” asked various questions about the computer to gain trust, and walked through how to give him remote control access to the computer.
The technician then pulled up the Windows Action Center to show which security services were enabled and which weren’t. (For what it’s worth, our virtual machine was woefully out-of-date, which didn’t exactly hurt his cause.) Then, he pulled up a command window to display the computer’s local and foreign IP addresses. Again, nothing untoward here, but he claimed it was “hackers” piggybacking on the connection for cybercrime, which is nonsense. Then, he pulled up Windows’ Event Viewer, which logs issues relating to the computer’s performance and stability. Any ordinary user’s machine will have hundreds if not thousands of entries in there as standard, and they are generally no cause for alarm, yet these events were positioned as hackers gaining access to the computer’s files.
This would be utter nonsense to those in the know, but convincing enough to those who know no better.
All of these “issues” could be easily fixed in just a few minutes, said the technician. He then explained the services provided by his company — always referring to himself or his company as “Windows certified technicians” — all of which are tailored based on what he “diagnosed.”
When it came time to pay for the “service,” half of the time we gave them fake generated credit card numbers, which led to numerous exchanges with their increasingly frustrated “billing department.” The other half of the time we outright refused to pay.
They all ended the same way.
Using the remote control tool, the supposed technician opened the SysKey tool, used to encrypt the computer’s local and remote user passwords, and set his own password, which quietly locked the computer.
Had he restarted, it would’ve triggered a password prompt on startup, almost exactly like how ransomware works. “This computer is configured to require a password in order to start up.” Without that password, it would’ve been game over.
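The practical problem with the SysKey lock described above is that it does nothing visible until the next reboot, so a responder’s first move is to find out whether the machine has already been switched into startup-password mode before anyone restarts it. The following PowerShell check is an added example, not code from the article or from the scammers’ toolkit. It assumes that SysKey records its mode in the DWORD value `SecureBoot` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (1 = startup key stored locally, the default; 2 = password required at startup; 3 = key on removable media), and that `Get-ComputerRestorePoint` is available, which is the case on client editions of Windows such as the Windows 7 machine used here.

```powershell
# Added example: detect a SysKey startup-password lock before the next reboot.
# Assumption: SysKey mode lives in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot
# (1 = key stored locally/default, 2 = startup password, 3 = key on removable media).
function Get-SysKeyMode {
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $mode = (Get-ItemProperty -Path $lsaPath -Name 'SecureBoot' -ErrorAction SilentlyContinue).SecureBoot
    switch ($mode) {
        1 { [pscustomobject]@{ Mode = 1; Description = 'Default: startup key stored in the registry'; Locked = $false } }
        2 { [pscustomobject]@{ Mode = 2; Description = 'Startup password will be demanded at boot'; Locked = $true } }
        3 { [pscustomobject]@{ Mode = 3; Description = 'Startup key expected on removable media'; Locked = $true } }
        default { [pscustomobject]@{ Mode = $mode; Description = 'Value missing or unrecognised'; Locked = $null } }
    }
}

# List System Restore points so the responder knows whether a pre-incident
# copy of the registry hives exists (client Windows only; silently empty elsewhere).
function Get-RestorePointSummary {
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description = $_.Description
        }
    } | Sort-Object Created -Descending
}

$state = Get-SysKeyMode
$state | Format-List

if ($state.Locked) {
    Write-Warning 'SysKey startup password/key is set. Do NOT reboot until you hold the password or a pre-incident registry backup.'
    Write-Host 'Available restore points (newest first):'
    Get-RestorePointSummary | Format-Table -AutoSize
}
```

Run it from an elevated prompt on the affected machine; if `Locked` is true and a restore point predates the remote-control session, restoring from it before rebooting is the usual way to avoid the startup password prompt entirely.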
But here’s the catch: we have no idea why.
Was it a final act of vandalism, carried out purely out of malice? Or were we somehow supposed to be forced into paying up? The former doesn’t solve the scammer’s money problems, and as for the latter — we called back numerous times and each number was blocked, and we received no calls back.
To this day, that’s one question left unanswered.
There’s probably no advice here you haven’t heard before. These scams are designed to cast the net out wide and see who gets caught in the dragnet — usually someone who knows nothing about computers.
And though government agencies have played their part in shutting down these scams, they persist, even to the point where private citizens have taken on the scammers directly.
But even if you want to take these scammers for a ride, don’t. Don’t pick up the phone. Don’t call an unknown number. And whatever you do, don’t feed the trolls.
Source: SANS ISC SecNewsFeed @ February 22, 2017 at 06:45AM