News

12:13 PM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft Windows Support Call Scams: 7 Facts

Security researcher turns the tables on a caller peddling fake fixes for malware supposedly infecting his Windows PC.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Have you ever picked up the phone to hear the following: "I'm calling from Microsoft. We've had a report from your Internet service provider of serious virus problems from your computer"? Of course the caller offers to help, offering a free scan, which invariably leads to warnings over mass malware infections, and the offer of paid technical support to assist.

Security professionals know to steer clear of such scams. Since they persist, scammers are apparently tricking sufficient numbers of consumers into forking over their cash--$250 or more, in some cases--to fix the virus infections identified by the caller's in-house technicians. Windows phone scams--targeting PC owners--appear to have begun in earnest in 2008, and been on the rise ever since, according to the Guardian. Meanwhile, their popularity is fueled by "the availability of cheap phone calls and labor in countries like India," according to Which?, a U.K. consumer rights group.

To fight back, many people try to tie up the cold callers on the phone for as long as possible, or even provide them with fake credit card numbers. But after receiving repeat calls, one malware researcher decided to see what exactly the scammers were doing by granting them access to his virtual test machines, which he used to record their activities. "The goal was to find out who they were and exactly what the scam was. Luckily I was able to get hold of information such as their internal IP addresses, the PayPal accounts used to wire money, and the numbers they are calling from," said Kaspersky Lab security researcher David Jacoby in a blog post.

[ Don't risk legal troubles to fight cybercrime. See Strike Back At Hackers? Get A Lawyer. ]

Here are seven facts he learned about the scams.

1. Caller Claims To Be With Microsoft
Microsoft support scams are a type of social engineering attack, which succeeds not through attackers' technical sophistication, but rather by tricking people via smooth talking and playing on their fears. In Jacoby's case, he said the caller pretended to be from a department--non-existent, by the way--at Microsoft that was following up indications that his computer was either broken or had been infected by malware.

2. Windows Errors Easy To Find
To make the case that his PC showed signs of malware infection, Jacoby said the woman who called him instructed him to open the Windows Event Manager, so that he could see numerous error messages which she said indicated that his system had been compromised. "The event viewer does show error messages, but not directly related to an infection," said Jacoby. "Almost all computers have errors in the log files, especially if the computer has not been re-installed lately and is running a lot of programs."

3. Windows Processes Used For Sleight Of Hand
Jacoby said the scammer then instructed him to execute a DOS command to reveal the system's unique ID and allow her to verify that it was referencing the correct--infected--system. The caller then read out the license ID, and asked Jacoby if it matched the ID he was seeing on his screen. It did, but that was because the DOS command he'd run revealed the ID for a file extension that ships on all Windows PCs. The caller then instructed him to run the "verify" DOS command to see if his Windows license could be verified, and said that an "off" setting--which Jacoby saw--would indicate that the license couldn't be verified. But in reality, this setting is only used to "enable/disable operating system verification that data has been written to disc correctly," he said, and has nothing to do with the Windows license.

4. Scammers Wield Drama
But after the second DOS command returned an "off" response, Jacoby said the caller began "screaming 'oh my god!' in my ear, she was super upset that my license was not verified; according to her this meant that no security patches could be installed." After recommending that Jacoby allow her technician to directly access his PC, he agreed. "I was running everything in an empty virtual machine," he said, and found that the organization offering to repair his PC was using free--and on its own, legitimate--remote-administration software known as AMMYY.

5. Remote Access Scans Trigger Falsehoods
While he was still on the phone with the caller, Jacoby watched as the remote access tool administrator--on his PC screen--opened an old certificate, which said that it dated from 2011. At this point, the woman who had called him claimed that his PC hadn't been updated since 2011, and told him that he needed "to install security software which will protect me against viruses, malware, Trojans, hackers, and other things." He agreed, and watched as an application ("G2AX_customer_downloader_win32_x86") was installed and run on his PC, which indicated that he had "successfully updated the software license for lifetime."

6. Social Engineering Tricks The Scammers
After the supposed fix, and with the caller still on the line, Jacoby was given a PayPal account into which he was supposed to pay $250. When the fake credit card data that he supplied to the caller didn't work, he asked the caller to browse to a website where his friend, he said, had left credit card data in plain text. After the caller browsed there, he captured her IP address, disconnected the call, and reviewed which phone numbers the caller had used. "After collecting all the information, I have now contacted all the appropriate people, such as the security team at PayPal [and] various law enforcement agencies with the hope that we can stop these people," said Jacoby.

7. Scammers Avoid Attack Software
To recap, the Microsoft Windows malware phone scam succeeds in part because it's a social engineering attack: Callers tell Windows owners to input a few commands into their PC, then "interpret" the results to highlight how the system is infected with malware. Furthermore, the remote-access tool used by scammers typically doesn't trip any security alarm bells, because such tools can be used for benign purposes, such as actual customer support. "The software that they were using was not malicious in any way, which means that no security software can detect these types of scams," he said.

Jacoby, of course, had a test machine at the ready, which was devoid of any sensitive information. The average business users or consumers, however, typically have some type of sensitive data stored on their PC. In other words: don't try this type of security research at home. "If you ever get a call 'from Microsoft' stating that there are some indications that your computer is broken or infected--please hang up," he said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 3
noddaidh
50%
50%
noddaidh,
User Rank: Apprentice
10/29/2012 | 11:47:58 AM
re: Microsoft Windows Support Call Scams: 7 Facts
Have just received one of these phone calls (here in NW England) Having never heard of this scam, I was obviously a little surprised that Windows Technical Support would take the trouble to contact me directly by phone! However I decided to go along with it out of curiosity if nothing else. All went well until the Indian caller asked me to carry out an exe operation.
When I refused and asked him to email me and prove his ID, he became quite stroppy,and eventually passed me onto his supervisor, who explained that an email woul be sent AFTER.
Insisting on an email FIRST, he eventually replied OK, what isyour email address. At which point I hung up!

But at least I wasted 30 minutes of their time!
MeekieOwl
50%
50%
MeekieOwl,
User Rank: Apprentice
10/24/2012 | 8:27:36 PM
re: Microsoft Windows Support Call Scams: 7 Facts
I just received a call from someone who said he was from Windows Tech Support. He had an accent that sounded East Indian & said I had a virus or bot on my computer, among other things. He mentioned that he'd been notified by my provider. I said I had a good security system, but would check and call him back. I asked for his number. He gave me 315-636-4280 and asked if I'd be calling back using that number. I said, no. I already had a Microsoft Tech Support number and would use that...He hung up immediately.
spsehruh
50%
50%
spsehruh,
User Rank: Apprentice
10/23/2012 | 7:48:20 PM
re: Microsoft Windows Support Call Scams: 7 Facts
I was just contacted by one of these spam companies. The caller claimed he was with Windows Tech Support. I kept insisting that he prove to me he was really affiliated with Microsoft, & he was unable to do that. While I was researching him, he asked me to go to his website to see that he was legitimate, gettech-supports.com, & click the "get support" button. This instantly generated a .exe file download, which I immediately canceled, so it couldn't finish downloading. Bottom line, Tech Support isn't going to call you first, EVER. You have to call them. If you get one of these calls, don't do anything they say, just hang up.
KurtW333
50%
50%
KurtW333,
User Rank: Apprentice
9/20/2012 | 7:55:06 PM
re: Microsoft Windows Support Call Scams: 7 Facts
I had a similar scenario take place, but I was directed to Microsoft Support through Norton when I called because I was having difficulty removing Norton from my computer. Scary.
rsssr2h
50%
50%
rsssr2h,
User Rank: Apprentice
8/8/2012 | 5:36:32 AM
re: Microsoft Windows Support Call Scams: 7 Facts
Has there been any progress made on catching the scumbags?
Pat F
50%
50%
Pat F,
User Rank: Apprentice
8/6/2012 | 5:14:54 PM
re: Microsoft Windows Support Call Scams: 7 Facts
This particular company in India from all indicaitons has added a new twist to their SCAM. If you challenge them get ready for the threats including to distruction of your system to one that advised me they knew where I lived and I should be very careful and I could have an accident or be hurt.

Now I stop ignoring these folks when you threaten my safety or that of my family. The Indial agent who called me was not just rude, he was hostile the mintue I advised him I knew it was a scam. So I think it is time for the government to step in here is they can. For me I will simply have all calls that are private or unknow user blocked.

However it is a very sorry state of events when you don't have the right to your own phone, or safety in your home, and yet these just continue. One day let's hope these callers don't actually do more then threaten.
<<   <   Page 3 / 3
Cartoon
Slideshows
Audio Interviews
Archived Audio Interviews
Jeremy Schulman, founder of Schprockits, a network automation startup operating in stealth mode, joins us to explore whether networking professionals all need to learn programming in order to remain employed.
White Papers
Register for Network Computing Newsletters
Current Issue
Research: 2014 State of the Data Center
Research: 2014 State of the Data Center
Our latest survey shows growing demand, fixed budgets, and good reason why resellers and vendors must fight to remain relevant. One thing's for sure: The data center is poised for a wild ride, and no one wants to be left behind.
Video
Twitter Feed