Bogus Tech Support scams settle FTC charges...
FYI...
- http://www.ftc.gov/opa/2013/05/techsupport.shtm
May 17, 2013 - "Two operators of alleged tech support scams have agreed to settle Federal Trade Commission complaints and give up their ill-gotten gains. Mikael Marczak, doing business as Virtual PC Solutions, and Sanjay Agarwalla were among the subjects of a series of six complaints filed by the FTC last September as part of the Commission’s ongoing efforts to protect consumers from online scams. According to the complaints, the defendants posed as major computer security and manufacturing companies to deceive consumers into believing that their computers were riddled with viruses, spyware and other malware. The complaints alleged that the defendants were -not- actually affiliated with major computer security or manufacturing companies and they had -not- detected viruses, spyware or other security or performance issues on the consumers’ computers. The defendants charged consumers hundreds of dollars to remotely access and “fix” the consumers’ computers... The stipulated final orders against Agarwalla and Marczak and Conquest Audit, prohibit Agarwalla and Marczak from advertising, marketing, promoting, offering for sale or selling any computer security or computer related technical support service and from assisting others in doing so. Marczak and Conquest Audit also are prohibited from marketing or selling debt relief services. In addition, both stipulated final orders impose monetary judgments. The final order against Agarwalla requires him to pay $3,000 – the total amount of funds he received for his role in the alleged scam operation. The final order against Marczak and Conquest Audit includes a $984,721 judgment, which is the total amount of money lost by consumers in the scams..."
:fear::fear: :sad:
Scammers impersonate Apple Techs
FYI...
- https://blog.malwarebytes.org/fraud-...e-technicians/
Oct 20, 2015 - "Remote assistance is becoming more and more popular to troubleshoot computer issues without the hassle of bringing the problematic machine to a store. Indeed, from the comfort of your own home you can let a Certified Technician remotely log into your PC and have them fix the issues you are facing. Apple offers a screen sharing service as part of its support center that puts you in touch with a remote advisor. The process is secure and requires a unique session key to authenticate into the system, which the customer needs to enter at the following URL:
- https://ara.apple.com/GetRemoteAdvisor.action
... we discovered that crooks are abusing this feature and fooling Mac users into trusting them. As we have documented so many times on this blog, there has been an explosion of tech support scams via malvertising and fraudulent affiliates. All systems are targeted, not just Windows PCs, and in fact fraudulent warnings for Mac are getting extremely common:
> https://blog.malwarebytes.org/wp-con...fari_alert.png
These pages are designed to -scare- people into thinking there is something wrong with their computer. Fraudsters will use all sorts of messages, audio warnings and other artifacts in order to social engineer marks into calling for assistance. Typically scammers will have the victim browse to LogMeIn or TeamViewer and have them download the remote software necessary to take remote control. However, and especially in this case that involves Apple consumers, this step may seem unnatural, not part of the whole “Apple experience”. For this reason, the crooks registered a website with a domain name that looks like the real Apple one (ara .apple .com) by calling it ara-apple .com. The site was registered through GoDaddy and resides on IP address 184.168.221.63*...
* https://www.virustotal.com/en/ip-add...3/information/
This domain is used for everything from linking to the remote programs the ‘technician’ will use:
> https://blog.malwarebytes.org/wp-con...s_download.png
... to processing payments (note how the ‘Secure Payment’ page is using regular, unencrypted HTTP):
> https://blog.malwarebytes.org/wp-con...-notsomuch.png
We have contacted both the registrar (GoDaddy) and hosting provider (Liquid Web) so that they can take appropriate actions in shutting down these fraudulent websites. This particular case shows that tech support scammers are resorting to more elaborate ways to social engineer their victims. Perhaps Apple users are even more at risk because they may be less experienced at dealing with these kinds of “errors”. As always, please be particularly suspicious of alarming pop ups or websites that claim your computer may be infected. Remember that Apple would -never- use such methods to have you call them or would -never- call you directly either..."
ara-apple .com: 72.52.150.218: https://www.virustotal.com/en/ip-add...8/information/
>> https://www.virustotal.com/en/url/fe...4d81/analysis/
:fear: :mad:
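The post above turns on two observations a defender can check mechanically: the lookalike host ara-apple .com flattens the real ara.apple.com by swapping a dot for a hyphen, which moves the name to a different registrable domain, and the 'Secure Payment' page is served over plain HTTP. The following Python is an added example, not code from the Malwarebytes post; it assumes a small constructed allowlist of legitimate support hosts (only ara.apple.com comes from the post) and uses a crude two-label "registrable domain" rather than a public-suffix list. It goes a little beyond the post's single case by also catching one-character typosquats and brand names embedded in unrelated domains.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed allowlist: ara.apple.com is the host named in the post; the second
# entry is a placeholder to show the check generalizes beyond one host.
LEGIT_HOSTS = {"ara.apple.com", "getsupport.apple.com"}
BRANDS = {"apple"}


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats such as aple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flattened_forms(legit: str) -> set:
    """Dot-to-hyphen copies of a host that keep the brand visible but move it to a
    different registrable domain: ara.apple.com -> ara-apple.com."""
    labels = legit.split(".")
    forms = set()
    for i in range(1, len(labels) - 1):
        form = "-".join(labels[:i + 1]) + "." + ".".join(labels[i + 1:])
        if registrable(form) != registrable(legit):
            forms.add(form)
    return forms


def lookalike_reason(host: str) -> Optional[str]:
    """Why `host` looks like an impersonation of an allowlisted host, or None."""
    host = host.lower().strip(".")
    legit_regs = {registrable(h) for h in LEGIT_HOSTS}
    if host in LEGIT_HOSTS or registrable(host) in legit_regs:
        return None  # genuinely under the brand's own registrable domain
    reg = registrable(host)
    for legit in sorted(LEGIT_HOSTS):
        if host in flattened_forms(legit):
            return f"dot-to-hyphen copy of {legit}"
        if edit_distance(reg, registrable(legit)) == 1:
            return f"one edit away from {registrable(legit)}"
    for brand in BRANDS:
        if brand in reg:
            return f"brand '{brand}' embedded in unrelated domain {reg}"
    return None


def audit_url(url: str) -> List[str]:
    """Findings for a URL a 'technician' asks the customer to visit."""
    parts = urlsplit(url)
    findings = []
    reason = lookalike_reason(parts.hostname or "")
    if reason:
        findings.append("lookalike host: " + reason)
    if parts.scheme != "https":
        findings.append("not HTTPS: scheme is " + (parts.scheme or "none"))
    return findings


if __name__ == "__main__":
    for u in ("https://ara.apple.com/GetRemoteAdvisor.action",
              "http://ara-apple.com/secure-payment"):
        print(u, audit_url(u) or ["no findings"])
```

The allowlist-first check matters: support.apple.com must not be flagged just because it is not literally in LEGIT_HOSTS, so anything under an allowlisted registrable domain is accepted before the lookalike heuristics run. In a real deployment the two-label registrable() should be replaced with a public-suffix-list lookup, otherwise hosts under country-code second-level domains are compared incorrectly.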
Tech support scams redirect to Nuclear EK to spread ransomware
FYI...
- http://www.symantec.com/connect/app#...ead-ransomware
01 Dec 2015 - "Tech support scammers have been observed using the Nuclear exploit kit to drop ransomware onto victims’ computers, as well as displaying misleading pop-up windows. The scammers’ messages may distract the user while the malware encrypts files on the computer, potentially allowing the attackers to increase their chances of earning money from the victim...
> http://www.symantec.com/connect/site...nfographic.png
If a victim falls for the scam and dials the number, professional-sounding call center staff members use the opportunity to install malware or potentially unwanted applications (PUAs) onto the user’s computer. The scammers claim that this software will fix the user’s computer. In other instances, the attackers try to force the victims to pay to have their computer unlocked... We’ve recently seen many instances where attackers serve tech support scams and the Nuclear exploit kit almost simultaneously. We found that the scam’s web pages include an iframe redirecting users to a server hosting the Nuclear exploit kit. The kit has been seen taking advantage of the Adobe -Flash- Player Unspecified Remote Code Execution Vulnerability (CVE-2015-7645), among other security flaws... If the kit succeeds, then it either drops Trojan.Cryptowall (ransomware) or Trojan.Miuref.B (information-stealing Trojan). The combination of the tech support scam displaying pop-up windows and the Nuclear exploit kit installing ransomware in the background makes this attack a serious problem for users. The -fake- warnings distract the user while the more dangerous ransomware searches for and encrypts files... We know that exploit kit attackers actively seek out and compromise many different web servers, injecting iframes into the web pages hosted on them. These -iframes- simply direct browsers to the exploit kit servers. Given the way that exploit kit attackers operate, it is quite possible that the tech support scammers’ own web servers got compromised by a separate group who are using the Nuclear exploit kit. Either possibility can be supported by the fact that an -iframe- has been injected into the tech support scam page. Regardless, this is the first time we’ve seen tech support scams running in tandem with the Nuclear exploit kit to deliver ransomware and if this proves to be an effective combination, we are likely to see more of this in the future.
Mitigation:
• Use a comprehensive security solution to help block attacks
• Regularly update software to prevent attackers from exploiting known vulnerabilities
• If impacted by these scams, do not call the number in the pop-up windows
• Perform regular backups of important files
• Do not pay any ransom demands as doing so may encourage the cybercriminals. Additionally, file decryption is -not- guaranteed to work..."
Latest Flash 19.0.0.245 - GET IT here: https://forums.spybot.info/showthrea...l=1#post467114
> http://www.symantec.com/security_res...061923-2824-99
> https://www.symantec.com/security_re...032402-2413-99
:fear::fear::fear: :mad:
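The Symantec write-up above hinges on one artifact: an iframe injected into the scam page that silently sends the browser to the exploit kit server. The following Python is an added example, not code from the Symantec post or the Spybot forum; it scans a page for iframes that point off-site and/or are hidden (1x1 or CSS-hidden), which is the typical shape of such an injection. The sample HTML is constructed, and its hostnames use the reserved .invalid TLD as placeholders.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample page: a scam-style warning with one same-site frame and one
# injected, hidden, off-site frame. Hostnames are placeholders, not real infrastructure.
SAMPLE_HTML = """
<html><body>
<h1>WARNING: Your computer is infected! Call 1-800-000-0000 now</h1>
<iframe src="/support/chat" width="400" height="300"></iframe>
<iframe src="http://landing.example.invalid/gate.php" width="1" height="1" style="display: none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser yields (name, value) pairs; value is None for bare attributes
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value: str):
    """Parse '1' or '1px' to an int; None when not numeric."""
    try:
        return int(value.strip().lower().rstrip("px"))
    except ValueError:
        return None


def is_hidden(attrs: Dict[str, str]) -> bool:
    """Tiny or CSS-hidden frames are the classic shape of an injected redirect."""
    style = attrs.get("style", "").replace(" ", "").lower()
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html: str, page_url: str) -> List[Dict]:
    """Return iframes that point off-site and/or are hidden, with the reasons."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        src_host = (urlsplit(src).hostname or "").lower()
        reasons = []
        if src_host and src_host != page_host:
            reasons.append(f"off-site src host {src_host}")
        if is_hidden(attrs):
            reasons.append("hidden frame (1x1 or CSS-hidden)")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "http://alert.example.invalid/warning.html"):
        print(hit["src"], "->", "; ".join(hit["reasons"]))
```

Relative src values have no hostname and are treated as same-site, so only an absolute off-site src triggers the first reason; the hidden-frame reason fires independently, which also catches a same-site frame that was hidden by an attacker using a path under a compromised host. Run against pages fetched from a crawler or a proxy log, the output is a short list of candidate injection points to review rather than a verdict.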
A weather app with a twist - FRAUD
FYI...
- https://blog.malwarebytes.org/fraud-...-with-a-twist/
Feb 3, 2016 - "Recently, a weather app caught our attention by doing something far worse than predicting rain all the time. It installed all the ingredients for a false Blue Screen Of Death (BSOD) with a number to call for assistance. WeatherWizard: As the app is bearing the same name as one comic book “super villain”
> http://www.comicvine.com/weather-wizard/4005-10462/
... this might have been a warning that there was something up with this one. But offered in a bundle you come across the most useless of apps, as we have told our regular readers many times. So why not a weather app. The app itself does not do much more than give you the weather in a certain US zip code. You type in the ZIP code and it will tell you what you are missing:
> https://blog.malwarebytes.org/wp-con...herLaJolla.png
The Tech Support Scam: But what it does in the background is more worthy of the super villain reference. A bat file called sc.bat sets two 'Scheduled Tasks' to work... This seems to indicate they are in it for the long haul, as those 'Scheduled Tasks' are set to be executed on every 1st of December after the install date. You don’t see that kind of patience often in this line of business. So you will understand that I just had to trigger them to find out what they do. SysInfo.exe was unresponsive on my system, but amdave64Win.exe*
* https://www.virustotal.com/en/file/e...is/1454510592/
... certainly did not disappoint as it opened a series of command prompts and did a grand finale ending at this:
> https://blog.malwarebytes.org/wp-con...016_100018.png
Calling that number will probably result in someone explaining to you how to use Ctrl-Alt-Del to get to Task Manager and start a new process called explorer.exe to regain control over your machine. After charging you a considerable fee, no doubt. Although we have seen many examples of scare tactics using BSOD screens... using a seemingly harmless weather app and then waiting for a considerable period of time is a bold new tactic we haven’t seen before..."
:fear::fear: :mad:
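The persistence trick in the post above (two scheduled tasks created by a batch file, first firing months after install) is something an administrator can hunt for in exported task lists. The following Python is an added example, not code from the Malwarebytes post; it reads a constructed sample in the shape of a column subset of `schtasks /query /fo CSV /v` output and flags tasks that launch from user-writable directories or whose first run is scheduled long after the assumed install date. Task names and paths are placeholders; only the two executable names come from the post, and the date format is assumed to be en-US M/D/YYYY.

```python
import csv
import io
from datetime import date
from typing import List, Tuple

# Constructed sample in the shape of a column subset of `schtasks /query /fo CSV /v`.
# Task names and paths are placeholders; only SysInfo.exe and amdave64Win.exe are
# the names mentioned in the post.
SAMPLE_CSV = r'''"TaskName","Task To Run","Schedule Type","Start Date","Months","Days"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","Weekly","1/6/2016","","WED"
"\WeatherUpdate1","C:\Users\victim\AppData\Local\WeatherWizard\SysInfo.exe","Monthly","12/1/2016","DEC","1"
"\WeatherUpdate2","C:\Users\victim\AppData\Local\WeatherWizard\amdave64Win.exe","Monthly","12/1/2016","DEC","1"
'''

# Directories a standard user can write to; a scheduled task launching a binary
# from one of these deserves a second look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def parse_short_date(text: str) -> date:
    """schtasks prints dates in the locale short format; this assumes en-US M/D/YYYY."""
    month, day, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


def audit_tasks(csv_text: str, installed_text: str = "2/3/2016",
                max_delay_days: int = 90) -> List[Tuple[str, List[str]]]:
    """Flag tasks that run from user-writable paths or whose first run is
    scheduled more than max_delay_days after the (assumed) install date.
    The default install date is the post's date, used here as a stand-in."""
    installed = parse_short_date(installed_text)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        command = row["Task To Run"].lower()
        if any(marker in command for marker in USER_WRITABLE):
            reasons.append("runs from user-writable path")
        # Only one-shot and calendar-pinned schedules can hide a long delay.
        if row["Schedule Type"].lower() in ("monthly", "once"):
            delay = (parse_short_date(row["Start Date"]) - installed).days
            if delay > max_delay_days:
                reasons.append(f"first run delayed {delay} days")
        if reasons:
            findings.append((row["TaskName"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_tasks(SAMPLE_CSV):
        print(name, "->", "; ".join(reasons))
```

The delay heuristic is the part that catches this particular trick: a task created in February whose first trigger is the following 1st of December sits roughly ten months in the future, which no ordinary updater needs. On a real host, pipe the actual `schtasks /query /fo CSV /v` output into audit_tasks and supply the install date from the software inventory; the path markers list should be extended to match local conventions.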