Tech Support Scams

2012-10-04, 00:01

FTC halts massive Tech Support Scams
- http://ftc.gov/opa/2012/10/pecon.shtm
10/03/2012 - "The Federal Trade Commission has launched a major international crackdown on tech support scams in which telemarketers masquerade as major computer companies, con consumers into believing that their computers are riddled with viruses, spyware and other malware, and then charge hundreds of dollars to remotely access and “fix” the consumers’ computers. At the request of the FTC, a U.S. District Court Judge has ordered a halt to six alleged tech support scams pending further hearings, and has frozen their assets... The FTC charged that the operations – mostly based in India – target English-speaking consumers in the United States, Canada, Australia, Ireland, New Zealand, and the U.K. According to the FTC, five of the six used telemarketing boiler rooms to call consumers. The sixth lured consumers by placing ads with Google which appeared when consumers searched for their computer company’s tech support telephone number. According to the FTC, after getting the consumers on the phone, the telemarketers allegedly claimed they were affiliated with legitimate companies, including Dell, Microsoft, McAfee, and Norton, and told consumers they had detected malware that posed an imminent threat to their computers. To demonstrate the need for immediate help, the scammers directed consumers to a utility area of their computer and falsely claimed that it demonstrated that the computer was infected. The scammers then offered to rid the computer of malware for fees ranging from $49 to $450. When consumers agreed to pay the fee for fixing the “problems,” the telemarketers directed them to a website to enter a code or download a software program that allowed the scammers remote access to the consumers’ computers. Once the telemarketers took control of the consumers’ computers, they “removed” the non-existent malware and downloaded otherwise free programs... 
FTC papers filed with the court alleged that the scammers hoped to avoid detection by consumers and law enforcers by using virtual offices that were actually just mail-forwarding facilities, and by using 80 different domain names and 130 different phone numbers. The FTC charged the defendants with violating the FTC Act, which bars unfair and deceptive commercial practices, as well as the Telemarketing Sales Rule and with illegally calling numbers on the Do Not Call Registry. It asked the court to permanently halt the scams and order restitution for consumers..."

- http://news.yahoo.com/ftc-charges-firms-deception-computers-153640209.html
"... The firms named in the suits are Pecon Software Ltd., Pecon Infotech Ltd., Pecon Software UK Ltd., PCCare247 Inc., PCCare247 Solutions Pvt Ltd., Connexxions Infotech Inc., Connexxions IT Services Pvt Ltd., Zeal IT Solutions Pvt Ltd., Lakshmi Infosoul Services Pvt Ltd., Finmaestros LLC, New World Services Inc., MegaBites Solutions LLC, Greybytes Cybertech P. Ltd. and Shine Solutions Private Ltd."

- http://www.theregister.co.uk/2012/10/04/tech_support_scam_crushed/
Oct 4, 2012

- http://www.crtc.gc.ca/eng/com100/2012/r121003.htm
Oct 3, 2012

- http://www.acma.gov.au/WEB/STANDARD/pc=PC_600055
Oct 4, 2012

:fear: :police:

2013-05-25, 14:20

Bogus Tech Support scams settle FTC charges...
- http://www.ftc.gov/opa/2013/05/techsupport.shtm
May 17, 2013 - "Two operators of alleged tech support scams have agreed to settle Federal Trade Commission complaints and give up their ill-gotten gains. Mikael Marczak, doing business as Virtual PC Solutions, and Sanjay Agarwalla were among the subjects of a series of six complaints filed by the FTC last September as part of the Commission’s ongoing efforts to protect consumers from online scams. According to the complaints, the defendants posed as major computer security and manufacturing companies to deceive consumers into believing that their computers were riddled with viruses, spyware and other malware. The complaints alleged that the defendants were -not- actually affiliated with major computer security or manufacturing companies and they had -not- detected viruses, spyware or other security or performance issues on the consumers’ computers. The defendants charged consumers hundreds of dollars to remotely access and “fix” the consumers’ computers... The stipulated final orders against Agarwalla and Marczak and Conquest Audit, prohibit Agarwalla and Marczak from advertising, marketing, promoting, offering for sale or selling any computer security or computer related technical support service and from assisting others in doing so. Marczak and Conquest Audit also are prohibited from marketing or selling debt relief services. In addition, both stipulated final orders impose monetary judgments. The final order against Agarwalla requires him to pay $3,000 – the total amount of funds he received for his role in the alleged scam operation. The final order against Marczak and Conquest Audit includes a $984,721 judgment, which is the total amount of money lost by consumers in the scams..."

:fear::fear: :sad:

2015-10-20, 18:05

Scammers impersonate Apple Techs
- https://blog.malwarebytes.org/fraud-scam/2015/10/tech-support-scammers-impersonate-apple-technicians/
Oct 20, 2015 - "Remote assistance is becoming more and more popular to troubleshoot computer issues without the hassle of bringing the problematic machine to a store. Indeed, from the comfort of your own home you can let a Certified Technician remotely log into your PC and have them fix the issues you are facing. Apple offers a screen sharing service as part of its support center that puts you in touch with a remote advisor. The process is secure and requires a unique session key to authenticate into the system that the customer needs to enter at the following URL:
- https://ara.apple.com/GetRemoteAdvisor.action
... we discovered that crooks are abusing this feature and fooling Mac users into trusting them. As we have documented so many times on this blog, there has been an explosion of tech support scams via malvertising and fraudulent affiliates. All systems are targeted, not just Windows PCs, and in fact fraudulent warnings for Mac are getting extremely common:
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/Safari_alert.png
These pages are designed to -scare- people into thinking there is something wrong with their computer. Fraudsters will use all sorts of messages, audio warnings and other artifacts in order to social engineer marks into calling for assistance. Typically scammers will have the victim browse to LogMeIn or TeamViewer and have them download the remote software necessary to take remote control. However, and especially in this case that involves Apple consumers, this step may seem unnatural, not part of the whole “Apple experience”. For this reason, the crooks registered a website with a domain name that looks like the real Apple one (ara .apple .com) by calling it ara-apple .com. The site was registered through GoDaddy and resides on IP address*...
* https://www.virustotal.com/en/ip-address/
This domain is used for everything from linking to the remote programs the ‘technician’ will use:
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/programs_download.png
... to processing payments (note how the ‘Secure Payment’ page is using regular, unencrypted HTTP):
> https://blog.malwarebytes.org/wp-content/uploads/2015/10/secure-notsomuch.png
We have contacted both the registrar (GoDaddy) and hosting provider (Liquid Web) so that they can take appropriate actions in shutting down these fraudulent websites. This particular case shows that tech support scammers are resorting to more elaborate ways to social engineer their victims. Perhaps Apple users are even more at risk because they may be less experienced at dealing with these kinds of “errors”. As always, please be particularly suspicious of alarming pop ups or websites that claim your computer may be infected. Remember that Apple would -never- use such methods to have you call them or would -never- call you directly either..."

ara-apple .com: https://www.virustotal.com/en/ip-address/

>> https://www.virustotal.com/en/url/fef804bb599f7a5977d152339b67e660c093a9974d2e2354ecdae213d5814d81/analysis/

:fear: :mad:
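The trick in the Malwarebytes post above is a domain that reads like the real one once the dot becomes a hyphen (ara-apple .com for ara .apple .com), plus a "Secure Payment" page served over plain HTTP. The script below is an added example (not Malwarebytes' code) showing how to check a URL a caller is told to visit against a short allow-list of legitimate support hosts. TRUSTED_HOSTS is an illustrative allow-list, and registrable_domain() uses a naive last-two-labels rule in place of the Public Suffix List; both are assumptions, and the attacker hostnames in the demo are constructed.

```python
"""
Added example (not Malwarebytes' code): flag look-alike hosts of the kind the
post describes, where ara-apple.com stands in for ara.apple.com, and flag
"secure payment" pages served over plain HTTP.

Assumptions: TRUSTED_HOSTS is an illustrative allow-list; registrable_domain()
uses a naive last-two-labels rule instead of the Public Suffix List.
"""
import re
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"ara.apple.com", "support.apple.com"}  # assumption: illustrative allow-list


def registrable_domain(host: str) -> str:
    """Naive registrable domain (last two labels); real code should use the PSL."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _squash(host: str) -> str:
    """Drop every label separator so 'ara.apple.com', 'ara-apple.com' and
    'araapple.com' all collapse to 'araapplecom'."""
    return "".join(re.split(r"[.-]", host.lower().rstrip(".")))


def lookalike_of(host: str, trusted=TRUSTED_HOSTS):
    """Return the trusted host that `host` imitates, or None if it imitates none.

    Two imitation patterns are covered:
      * separator swap/drop: the dot before the real domain becomes a hyphen or
        vanishes, so the squashed label string matches but the registrable
        domain differs (ara-apple.com vs ara.apple.com);
      * prefix abuse: the whole trusted name is used as a subdomain of an
        attacker-controlled domain (ara.apple.com.attacker.test).
    """
    host = host.lower().rstrip(".")
    if host in trusted:
        return None
    for t in sorted(trusted):
        if _squash(t) == _squash(host) and registrable_domain(t) != registrable_domain(host):
            return t
        if host.startswith(t + "."):
            return t
    return None


def assess_url(url: str, trusted=TRUSTED_HOSTS) -> dict:
    """Classify a support/payment URL a caller is told to visit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("plain-http")          # the post's 'Secure Payment' page was HTTP
    if host not in trusted:
        imitated = lookalike_of(host, trusted)
        reasons.append(f"lookalike of {imitated}" if imitated else "untrusted host")
    return {"host": host, "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://ara.apple.com/GetRemoteAdvisor.action",
              "http://ara-apple.com/secure-payment",            # constructed path
              "https://ara.apple.com.attacker.test/login"):      # constructed host
        print(u, "->", assess_url(u)["reasons"])
```

The separator check is deliberately loose (it collapses dots and hyphens alike) because the cheap registrations scammers use are exactly those one-character variations; the cost is that a legitimately registered hyphenated brand domain would also be reported, which is the right failure direction for a support-desk checklist.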

2015-12-03, 21:01

Tech support scams redirect to Nuclear EK to spread ransomware
- http://www.symantec.com/connect/app#!/blogs/tech-support-scams-redirect-nuclear-ek-spread-ransomware
01 Dec 2015 - "Tech support scammers have been observed using the Nuclear exploit kit to drop ransomware onto victims’ computers, as well as displaying misleading pop-up windows. The scammers’ messages may distract the user while the malware encrypts files on the computer, potentially allowing the attackers to increase their chances of earning money from the victim...
> http://www.symantec.com/connect/sites/default/files/users/user-2935611/fig1-infographic.png
If a victim falls for the scam and dials the number, professional-sounding call center staff members use the opportunity to install malware or potentially unwanted applications (PUAs) onto the user’s computer. The scammers claim that this software will fix the user’s computer. In other instances, the attackers try to force the victims to pay to have their computer unlocked... We’ve recently seen many instances where attackers serve tech support scams and the Nuclear exploit kit almost simultaneously. We found that the scam’s web pages include an iframe redirecting users to a server hosting the Nuclear exploit kit. The kit has been seen taking advantage of the Adobe -Flash- Player Unspecified Remote Code Execution Vulnerability (CVE-2015-7645), among other security flaws... If the kit succeeds, then it either drops Trojan.Cryptowall (ransomware) or Trojan.Miuref.B (information-stealing Trojan). The combination of the tech support scam displaying pop-up windows and the Nuclear exploit kit installing ransomware in the background makes this attack a serious problem for users. The -fake- warnings distract the user while the more dangerous ransomware searches for and encrypts files... We know that exploit kit attackers actively seek out and compromise many different web servers, injecting iframes into the web pages hosted on them. These -iframes- simply direct browsers to the exploit kit servers. Given the way that exploit kit attackers operate, it is quite possible that the tech support scammers’ own web servers got compromised by a separate group who are using the Nuclear exploit kit. Either possibility can be supported by the fact that an -iframe- has been injected into the tech support scam page. Regardless, this is the first time we’ve seen tech support scams running in tandem with the Nuclear exploit kit to deliver ransomware and if this proves to be an effective combination, we are likely to see more of this in the future.
• Use a comprehensive security solution to help block attacks
• Regularly update software to prevent attackers from exploiting known vulnerabilities
• If impacted by these scams, do not call the number in the pop-up windows
• Perform regular backups of important files
• Do not pay any ransom demands as doing so may encourage the cybercriminals. Additionally, file decryption is -not- guaranteed to work..."

Latest Flash - GET IT here: https://forums.spybot.info/showthread.php?12890-Adobe-updates-advisories&p=467114&viewfull=1#post467114

> http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99

> https://www.symantec.com/security_response/writeup.jsp?docid=2015-032402-2413-99

:fear::fear::fear: :mad:
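Symantec's write-up above says the scam pages carried an iframe that redirected the browser to the Nuclear exploit kit server. An added example (not Symantec's code) of the check a responder would run over a captured page: collect every iframe, and report those that are both hidden from the visitor and pointed off the page's own domain, the usual shape of an injected exploit-kit redirect. The hiding heuristics are an assumption (the common patterns, not a complete list), and SAMPLE_PAGE is a constructed scare page with placeholder hostnames under .example, not a capture.

```python
"""
Added example (not Symantec's code): find iframes in a page that point off
the page's own domain and are hidden from the visitor, the usual shape of an
injected exploit-kit redirect. SAMPLE_PAGE is a constructed scam page, not a
capture; hostnames under .example are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":                       # HTMLParser lower-cases tag names
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """'1', '1px', '100%' -> 1, 1, 100; missing/unparseable -> None."""
    if not value:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def _is_hidden(attrs) -> bool:
    """Heuristics for an iframe the visitor is not meant to see (assumption:
    the common EK redirect shapes, not a complete list)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "left:-" in style or "top:-" in style:     # positioned off-screen
        return True
    if "width:0" in style and "height:0" in style:
        return True
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1


def find_suspicious_iframes(html: str, page_host: str) -> list:
    """Return iframes that are both off-domain and hidden."""
    parser = _IframeCollector()
    parser.feed(html)
    page_host = page_host.lower()
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or page_host).lower()  # relative src = same host
        off_domain = host != page_host and not host.endswith("." + page_host)
        if off_domain and _is_hidden(attrs):
            hits.append({"src": src, "host": host})
    return hits


# Constructed sample: a scare page with a visible warning frame, a normal-sized
# third-party ad frame, and a 1x1 hidden frame to an exploit-kit landing page.
SAMPLE_PAGE = """
<html><body>
<h1>WARNING: your computer may be infected. Call support now.</h1>
<audio src="/alert.mp3" autoplay></audio>
<iframe src="/frames/warning.html" width="600" height="400"></iframe>
<iframe src="http://cdn.ads.example/banner" width="300" height="250"></iframe>
<IFRAME SRC="http://ek-landing.example/index.php?id=7" WIDTH="1" HEIGHT="1"
        STYLE="visibility:hidden"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE, "scam-support.example"):
        print("hidden off-domain iframe ->", hit["src"])
```

Off-domain alone is not a signal (the ad frame above is normal), and hidden alone is not either (same-origin trackers are common); it is the combination that matches how exploit-kit gates were injected into pages the attacker did not author. Run it over the HTML as the browser fetched it, not a re-fetch from an analysis box, since these gates are routinely keyed to referer, user agent and IP.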

2015-12-29, 23:25

'Safe Browsing' SCAM - Amazon to Rackspace
- https://blog.malwarebytes.org/fraud-scam/2015/12/safebrowsing-scam-from-amazon-to-rackspace/
Dec 29, 2015 - "Tech support scammers are a unique type of online criminal who traditionally was never as sophisticated as malware authors. For the most part, they really didn’t need to be, since even a quickly put together scary webpage with some audio background would suffice to con victims:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/new_banner-829x395.png
While this dirty business was poorly organized in the beginning, in recent years things started to shape up and a strong affiliate model blossomed via malvertising. Thousands of websites with fake warnings rely on scare tactics to drive leads (victims) into shady tech support call centres to extort their money. One of the best and most elusive affiliates to date has been wreaking havoc on Amazon Web Services (AWS) for several months using the Google Safe Browsing template and enjoying the Amazon Elastic Compute Cloud (EC2). The cloud infrastructure was perfect for a whack-a-mole game where thousands of domains and subdomains on quickly -changing- IP addresses leave security researchers frustrated while filing countless abuse reports. This crook was clearly having fun picking various domain names fitting his mood, as well as indulging in various condescending messages on the scam pages...:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/monsters.png
Most of these pages were pushed via -malvertising- and this activity peaked during the fall... He was also switching IP addresses via various Amazon EC2 instances, making the process of blocking each scam page much more difficult:
>> https://blog.malwarebytes.org/wp-content/uploads/2015/12/reports.png
Strangely, we stopped seeing this particular campaign around late November / early December, at least via the traditional delivery mechanisms. At the same time, we started noticing -scam- pages with an eerily familiar look, except they were not hosted on AWS. These ones have been taking root on another big cloud provider, Rackspace, via the Akamai Content Delivery Network (CDN):
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/rackspace_tech_support_scam.png
... Another interesting element when looking at the neighbouring websites used by the crooks in the original AWS model was the presence of domain names advertising iPhone sweepstakes and other such scams. This seems to be the case on Rackspace as well... Regardless, this means that the fight against tech support scammers continues on a different battlefield. We have already reported this particular campaign to Rackspace for takedown and will keep tracking it to see where it goes next..."
(More detail at the malwarebytes URL above.)

:fear::fear: :mad:

2016-02-03, 22:18

A weather app with a twist - FRAUD
- https://blog.malwarebytes.org/fraud-scam/2016/02/a-weather-app-with-a-twist/
Feb 3, 2016 - "Recently, a weather app caught our attention by doing something far worse than predicting rain all the time. It installed all the ingredients for a false Blue Screen Of Death (BSOD) with a number to call for assistance. WeatherWizard: As the app bears the same name as a comic book “super villain”
> http://www.comicvine.com/weather-wizard/4005-10462/
... this might have been a warning that there was something up with this one. But when offered in a bundle, you come across the most useless of apps, as we have told our regular readers many times. So why not a weather app? The app itself does not do much more than give you the weather in a certain US zip code. You type in the ZIP code and it will tell you what you are missing:
> https://blog.malwarebytes.org/wp-content/uploads/2016/02/WeatherLaJolla.png
The Tech Support Scam: But what it does in the background is more worthy of the super villain reference. A bat file called sc.bat sets two 'Scheduled Tasks' to work... This seems to indicate they are in it for the long haul, as those 'Scheduled Tasks' are set to be executed on every 1st of December after the install date. You don’t see that kind of patience often in this line of business. So you will understand that I just had to trigger them to find out what they do. SysInfo.exe was unresponsive on my system, but amdave64Win.exe*
* https://www.virustotal.com/en/file/e29dcdaef300664d0a3ba928debbdbf5477bd1e90d293acb9d308ea09fca198f/analysis/1454510592/
... certainly did not disappoint as it opened a series of command prompts and did a grand finale ending at this:
> https://blog.malwarebytes.org/wp-content/uploads/2016/02/capture_003_01022016_100018.png
Calling that number will probably result in someone explaining to you how to use Ctrl-Alt-Del to get to Task Manager and start a new process called explorer.exe to regain control over your machine. After charging you a considerable fee, no doubt. Although we have seen many examples of scare tactics using BSOD screens... using a seemingly harmless weather app and then waiting for a considerable period of time is a bold new tactic we haven’t seen before..."

:fear::fear: :mad:
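The long-fuse scheduled tasks in the post above (set by a batch file at install time, firing on 1 December) are the kind of persistence that is easy to miss in a quick look at Task Scheduler. Below is an added example (not Malwarebytes' code) that audits an exported task definition for that pattern: an action living in a user-writable directory, a trigger that fires once a year, a first run months in the future, and a request for elevated privileges. Export a task with `schtasks /query /tn "<task name>" /xml` (or Export-ScheduledTask in PowerShell). The two task documents, the install path, the task author string and the dates are constructed for the demo; the trusted roots and the 90-day threshold are assumptions, not values from the post.

```python
"""
Added example (not Malwarebytes' code): audit an exported Task Scheduler
definition for the pattern the post describes, a task whose action lives in a
user-writable directory and whose trigger lies months in the future.

Export with:  schtasks /query /tn "<task name>" /xml
(or Export-ScheduledTask in PowerShell). The two sample XML documents below
are constructed; the paths, task names and dates are assumptions, not the
artefacts from the post.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: anything outside these roots is worth a look on a stock install.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")
DEFERRED_DAYS = 90                      # assumption: a first run this far out is unusual
ANALYSIS_DATE = datetime(2016, 2, 3)    # the post's date, used as "now" in the demo


def _text(elem, path: str) -> str:
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def audit_task_xml(xml_text: str, now: datetime) -> list:
    """Return a list of human-readable findings; an empty list means nothing odd."""
    task = ET.fromstring(xml_text)
    findings = []

    for exe in task.findall("t:Actions/t:Exec", NS):
        cmd = _text(exe, "t:Command")
        low = cmd.strip('"').lower()
        if not low.startswith(TRUSTED_ROOTS):
            findings.append(f"action outside trusted roots: {cmd}")
        if any(m in low for m in USER_WRITABLE):
            findings.append(f"action in user-writable path: {cmd}")
        if low.endswith(SCRIPT_EXTS):
            findings.append(f"script action: {cmd}")

    for trig in task.findall("t:Triggers/t:CalendarTrigger", NS):
        months = trig.find("t:ScheduleByMonth/t:Months", NS)
        days = trig.findall("t:ScheduleByMonth/t:DaysOfMonth/t:Day", NS)
        if months is not None and len(months) == 1 and len(days) == 1:
            month = months[0].tag.split("}")[-1]        # strip the XML namespace
            findings.append(f"runs once a year: {month} {days[0].text}")
        start = _text(trig, "t:StartBoundary")
        if start:
            wait = (datetime.fromisoformat(start[:19]) - now).days   # drop fractional secs
            if wait > DEFERRED_DAYS:
                findings.append(f"first run deferred {wait} days")

    if _text(task, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("requests highest available privileges")
    return findings


# Constructed: a task shaped like the one in the post (path and dates assumed).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WeatherWizard</Author></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2016-12-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByMonth>
        <DaysOfMonth><Day>1</Day></DaysOfMonth>
        <Months><December /></Months>
      </ScheduleByMonth>
    </CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\WeatherWizard\amdave64Win.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed: an ordinary daily vendor updater for comparison.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2016-01-15T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\ExampleVendor\updater.exe"</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", audit_task_xml(doc, ANALYSIS_DATE) or ["no findings"])
```

Run it against every task exported from the machine rather than the ones that look interesting; the point of a December trigger is that nothing runs, nothing shows in "Last Run Time", and the task sits in the list for ten months looking idle. The same XML schema is what Task Scheduler stores under C:\Windows\System32\Tasks, so the audit also works offline against a disk image.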