
Sunday, November 16, 2014

Malware spreading via Steam chat

If you're only interested in how to remove this malware from your machine, or in other tips and prevention advice, click here. In case you have questions, issues or doubts, feel free to leave a comment and I'll be happy to help or answer any questions you may have.


Today a Tumblr post was brought to my attention: apparently there's malware doing the rounds that makes use of Steam chat, (adding Steam friends and) spamming Steam users.

Example message:
"karpathos" sending a bit.ly link (Image source)

Onyx is right, the link's indeed phishy and uses bit.ly (a URL shortener) to trick users into clicking it. Remember the worm that spread via Skype and Messenger last year? (reference here and here) This is a similar campaign.



Setup

Someone adds you on Steam, you accept and immediately a chat pops up similar to the one above.

Alternatively someone from your friends list already got infected and is now sending the same message to all his/her friends.

The bit.ly link actually refers to a page on Google Drive, which immediately downloads a file called IMG_211102014_17274511.scr, which is in fact a Screensaver file - an executable.
The file is shared by someone named "qwrth gqhe". Looks legit.

Note that normally the Google Drive Viewer application will be shown, and this will allow you to download the .scr file. In this case, the string "&confirm=no_antivirus" is added to the link, which means a prompt will pop up immediately asking what to do: Run or Save (and in some cases the file downloads automatically).

At time of writing, the file is actually still being hosted by Google Drive. I have reported it however.

Afterwards, you're presented with the screensaver file which has the following icon:
Image of IMG_211102014_17274511.scr file

Opening the file will result in installing malware on your system, which will steal your Steam credentials.



Technical details

IMG_211102014_17274511.scr

Meta-data
=======================================================================
File:    IMG_211102014_17274511.scr
Size:    1031168 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
MD5:     138ec432db0dd6b1f52f66cc534303db
SHA1:    7d0575a883fed7a460b49821c7d81897ae515d43
ssdeep: 12288:HX24H8aUg/YGX5mYL/s8n2XtK8XXSTbVqbUFp6F7PdpECZ9dVIN:3n8DgQSpk8n2d9STgQFpO7VykbVIN
Date:    0x5460FA18 [Mon Nov 10 17:47:04 2014 UTC]
EP:      0x4bb1fa .text 0/3
CRC:     Claimed: 0xfdcdb, Actual: 0xfdcdb
VirusTotal: link

Resource entries
=======================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_ICON            0xbe0e8  0x42028  LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_GROUP_ICON      0x100110 0x14     LANG_NEUTRAL SUBLANG_NEUTRAL          MS Windows icon resource - 1 icon
RT_VERSION         0x100124 0x44c    LANG_NEUTRAL SUBLANG_NEUTRAL          data

Sections
=======================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy  
--------------------------------------------------------------------------------
.text      0x2000       0xb9200      0xb9200      7.978522    [SUSPICIOUS]
.reloc     0xbc000      0xc          0x200        0.101910    [SUSPICIOUS]
.rsrc      0xbe000      0x42570      0x42600      6.429023  

Version info
=======================================================================
Translation: 0x0000 0x04b0
LegalCopyright: \xa9 Microsoft Corporation. All rights reserved.
Assembly Version: 6.0.6000.16384
InternalName: wrrrrrrrrrrrr.exe
FileVersion: 6.0.6000.16384
CompanyName: Windows (R) Codename Longhorn DDK provider
Comments: Office Licensing Admin Access Provider
ProductName: Windows (R) Codename Longhorn DDK driver
ProductVersion: 6.0.6000.16384
FileDescription: LICLUA.exe
OriginalFilename: wrrrrrrrrrrrr.exe
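The "Sections" and "Date" fields above come straight from the PE headers, and the [SUSPICIOUS] marks follow from section entropy. As an added example (my code, not the author's tooling), here is a Python parser that reproduces those fields from any PE file; the entropy cut-offs (below 1.0 or above 7.0) are my reading of the flags in the listing, and the image it triages is constructed in the code rather than being the real IMG_211102014_17274511.scr.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Entropy bounds used to reproduce the [SUSPICIOUS] marks in the listing: near-constant
# padding (below 1.0) or near-random packed/encrypted data (above 7.0). These cut-offs
# are my own choice for this example, not values stated in the post.
LOW_ENTROPY, HIGH_ENTROPY = 1.0, 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _coff_header_offset(data: bytes) -> int:
    """Locate the COFF file header: 'MZ' -> e_lfanew at 0x3C -> 'PE\\0\\0' signature."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + 4


def compile_timestamp(data: bytes) -> datetime:
    """TimeDateStamp from the COFF header (the listing's 'Date:' line), as a UTC datetime."""
    coff = _coff_header_offset(data)
    stamp = struct.unpack_from("<I", data, coff + 4)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def triage_sections(data: bytes) -> list:
    """One dict per section, mirroring the listing's 'Sections' table plus the entropy flag."""
    coff = _coff_header_offset(data)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    rows = []
    for i in range(num_sections):
        off = table + 40 * i                  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        entropy = shannon_entropy(data[rptr:rptr + rsize])
        rows.append({"name": name, "virt_addr": vaddr, "virt_size": vsize, "raw_size": rsize,
                     "entropy": entropy,
                     "suspicious": entropy < LOW_ENTROPY or entropy > HIGH_ENTROPY})
    return rows


def build_pe(sections, timestamp: int) -> bytes:
    """Assemble a minimal PE32 image from (name, raw_bytes) pairs; constructed test input only."""
    e_lfanew, opt_size = 0x40, 0xE0           # 0xE0 is the standard PE32 optional header size
    table_off = e_lfanew + 4 + 20 + opt_size
    data_off = table_off + 40 * len(sections)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, symbol fields, SizeOfOptionalHeader, flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    headers, body = bytearray(), bytearray()
    for i, (name, raw) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x2000 * (i + 1),
                               len(raw), data_off + len(body), 0, 0, 0, 0, 0)
        body += raw
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + headers + body


if __name__ == "__main__":
    # Constructed sample: near-random .text (as in the listing), all-zero .reloc padding,
    # and a two-symbol .rsrc that stays inside the normal band.
    sample = build_pe([(b".text", bytes(range(256)) * 16),
                       (b".reloc", bytes(512)),
                       (b".rsrc", b"ab" * 256)], 0x5460FA18)
    print("Date:", compile_timestamp(sample).strftime("%a %b %d %H:%M:%S %Y UTC"))
    for row in triage_sections(sample):
        flag = "[SUSPICIOUS]" if row["suspicious"] else ""
        print(f"{row['name']:<10} {row['virt_addr']:#010x} {row['entropy']:.6f} {flag}")
```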


Connects to:
185.36.100.181


Server in Czech Republic. VirusTotal reference

Downloads and executes:
temp.exe

Meta-data
=======================================================================
File:    temp.exe
Size:    4525568 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
MD5:     d0f8b90c85e5bedb691fca5c571a6794
SHA1:    cd9b3bf5c8d70e833b5c580c9b2fc1f3e5e4341e
ssdeep:  98304:seRaRLOvFLHpNeV/riwz58R42is6e3RXjOWDucCnp1DA9sv7o2s2kbsUOEGx4VKm:zRaidjjqPdDsDbsU0akJyxL405+fiX
Date:    0x5460F588 [Mon Nov 10 17:27:36 2014 UTC]
EP:      0x8522b6 .text 0/3
CRC:     Claimed: 0x0, Actual: 0x4564dd [SUSPICIOUS]
VirusTotal: link

Resource entries
=======================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_VERSION         0x4540a0 0x234    LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_MANIFEST        0x4542d4 0x1ea    LANG_NEUTRAL SUBLANG_NEUTRAL          XML document text

Sections
=======================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy  
--------------------------------------------------------------------------------
.text      0x2000       0x450384     0x450400     6.884893  
.rsrc      0x454000     0x4c0        0x600        3.689538  
.reloc     0x456000     0xc          0x200        0.101910    [SUSPICIOUS]

Version info
=======================================================================
Translation: 0x0000 0x04b0
LegalCopyright:
Assembly Version: 1.0.0.0
InternalName: vv.exe
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
FileDescription:
OriginalFilename: vv.exe


Interesting information in the debug path: note the "steamstealer" string. (Screenshot via PeStudio)

Remediation

What if you clicked the link and executed the file? Follow these steps:


  • Exit Steam immediately
  • Open up Task Manager and find a process called temp.exe, wrrrrrrrrrrrr.exe or vv.exe, or a process with a random name, for example 340943.exe
  • Launch a scan with your installed antivirus
  • Launch a scan with another, online antivirus or install & scan with Malwarebytes
  • When the malware has been disinfected or deleted, change your Steam password - if you use the same password for other sites, change those as well
  • De-authorize any unknown machines, read how to do that here:
    Family Library Sharing User Guide
  • Verify none of your Steam items are missing - if so, reinstall Steam as well.




Prevention

  • Be wary when someone new adds you on Steam and immediately starts sending links
  • In fact, don't click on links someone unknown sends to you
  • If you did, don't open or execute anything else - just close the webpage (if any) or cancel the download
  • By default, file extensions are not shown. Enable 'Show file extensions' to see the real file type. Read how to do that here
  • Follow the tips by Steam itself to further protect your account:
    Account Security Recommendations




    Conclusion 


    Never click on unknown links, especially when a URL shortener service like bit.ly is used (others include t.co, goo.gl, tinyurl, etc.).
    Don't be fooled by known icons or "legit" file descriptions; these can easily be altered.

    Even if you clicked the link and you're not suspicious, you should be when a file is downloaded and it's (in this case) a screensaver file.

    For checking what is really behind a short URL, you can use:

    For checking whether a file is malicious or not:

    Follow the prevention tips above to stay safe.


    Monday, November 10, 2014

    Thoughts on Absolute Computrace


    Introduction

    Not too long ago my friend and colleague from Sweden, Jimmy, contacted me regarding a strange issue. In the firewall, he saw tons of outgoing connections to a certain server:

    Outgoing connection to search.namequery.com every second

    A quick Google search revealed this was actually part of Absolute's Computrace tool - aka Absolute Persistence. Doesn't ring a bell? Try Lojack. From their website:

    List of BIOS & firmware compatibility: http://www.absolute.com/en/partners/bios-compatibility

    Why would this be an issue? First of all, there has been some excellent research by Anibal Sacco and Alfredo Ortega here: Deactivate the Rootkit, in which they describe attacks on BIOS anti-theft technologies, which Absolute also offers. An excerpt from their paper:

    In order to be an effective system, the anti-theft agent must be stealthy, must have complete control of the system, and most importantly, must be highly persistent because wiping of the whole system most often occurs in the case of theft.
    This activity is also consistent with rootkit behavior, the only difference being that rootkits are generally malicious, while anti-theft technologies act as a form of protection against thieves.

    Secondly, there has been research from Kaspersky as well on the subject, read their blog post here: Absolute Computrace Revisited

    I advise you to read their post, as it provides excellent information as well. I'm not going to repeat their research here, as it's quite extensive. What you should remember, however:

    While Absolute Software is a legitimate company and information about Computrace product is available on the company's official website, the owner of the system claimed he had never installed Absolute Computrace and didn't even know the software was present on his computer. It could be assumed that the software was pre-installed by an OEM manufacturer or reseller company, but according to an Absolute Software whitepaper this should be done by users or their IT service. Unless you have a private IT service or your PC vendor took care of you, someone else has full access and control over your computer.

    Back to our post. After booting the machine and pressing F1 to access the BIOS settings, we are presented with the following screen:


    Lenovo ThinkPad (BIOS version: J9ET58WW)

    This was the initial state of Computrace in the BIOS. The setting was Enabled and the state indicated Not Activated. This suggests Computrace is not active on the machine... Wrong!

    The Item Specific Help reads:

    Enables or disables the UEFI interface to activate Computrace module. Computrace is an optional monitoring service from Absolute Software.
    [Enabled] Enables the Computrace activation.
    [Disabled] Disables the Computrace activation.
    [Permanently Disabled] Permanently disables the Computrace activation.


    The machine was freshly bought and the user never ordered, installed or even heard of Computrace software. In this case, the reseller didn't install it either. This leaves the option that the manufacturer or a possible previous owner [or someone else] installed Computrace.


    ... When we want to permanently disable Computrace:


    Computrace module activation warning

    Here comes the fun part: even after permanently disabling the Computrace module, the software was still active and running; contacting the server (search.namequery.com) like crazy.

    I decided to contact Absolute Software in order to get an answer as to why this behaviour was occurring. Since neither of us is a customer, I used the form here to contact them.

    After two days I got a reply from their customer service. In reply as to why permanently disabling didn't seem to work:

    It is also worth noting that many used or refurbished devices may have motherboards with a Computrace BIOS module that was activated by the previous owner. In these cases, my recommendation would be the following:

    1. Obtain and install any missing or outdated HECI\Intel Management\IMEI drivers from the manufacturer. Once these drivers are in place, any potential Absolute software installed on the computer will correctly communicate with the BIOS and it should automatically deactivate itself over the course of a few days.

    2. Contact the manufacturer and request a motherboard replacement. Activated motherboards should not be re-sold by manufacturers or retailers if the necessary de-activation steps are not taken first.

    The reason for seeing numerous outgoing connections to their server is probably that the module wants to receive instructions from the server that the original license should no longer be active, or to download new binaries.



    Binaries & BIOS information & characteristics

    There's already a good list available by Kaspersky which I'm not going to repeat here. You can find that list on this link.

    However, the following points are worth noting:


    • Two new binaries (different hashes) have been identified:
      ad73c636bb2ead416dfa541a74aea016 (wceprv.dll)
      4011590af6f13a42a869ae57d6174f4f (rpcnetp.exe)
    • Several files are packed with UPX
    • The wceprv.dll module has a Digital Signature which is issued to
      Absolute Software Corp. 
      Serial Number: 35:ba:ec:87:59:d7:84:62:c3:d2:b7:ff:d4:c4:6e:51
    • Machines will have an altered Master Boot Record (MBR); this is because Computrace parses the MBR and partition table - it writes some data into the sectors before the primary partition. According to the patent (US 20060272020 A1):
      In another embodiment, the CLM is stored in a substitute Master Boot Record (MBR), or a combination of the foregoing.


    CLM or Computrace Loader Module is one of Computrace's main modules. (besides the Adaptive Installer Module (AIM) and the Communications Driver Agent (CDA) - see the patent for reference)




    How to determine if you have Absolute Computrace installed

    First things first: check in the BIOS if there's a mention of Absolute Computrace somewhere:
    (re)boot your machine and access the BIOS with one of the Function keys on your keyboard. 

    Typically, this is F2, but may differ. See here for a complete list:
    BIOS Setup Utility Access Keys for Popular Computer Systems


    Secondly, see if any of the files mentioned in Kaspersky's blog post are running or exist on the file system. For the full list see here, but keep in mind the two additional hashes added above.
    Note that new hashes may pop up as well.


    Thirdly, look for network activity as mentioned in the blog post above (mainly to search.namequery.com or 209.53.113.223).
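The third check is the one that surfaced this case: a host contacting search.namequery.com every second. As an added example (mine, not the author's or Absolute's), the Python below runs that check over constructed firewall log lines in a format I made up for the example, using the hostname and IP named in this post as indicators, and separates a host that merely touches them from one that beacons at the interval described above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Indicators named in the post: the call-home hostname and the IP it is seen resolving to.
# The pattern also matches other *.namequery.com names, as the post suggests looking for.
INDICATOR_HOST = re.compile(r"(^|\.)namequery\.com$", re.IGNORECASE)
INDICATOR_IPS = {"209.53.113.223"}

# Constructed log format for this example, not the author's firewall output:
# "<YYYY-MM-DD> <HH:MM:SS> src=<ip> dst=<ip-or-host> dport=<port> action=<allow|deny>"
LINE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\S+)$")

# Constructed sample: 10.0.0.15 shows the every-second pattern from the post,
# 10.0.0.22 touches the indicator only hourly, 10.0.0.30 never does.
SAMPLE_LOG = """\
2014-11-05 09:12:01 src=10.0.0.15 dst=search.namequery.com dport=80 action=allow
2014-11-05 09:12:02 src=10.0.0.15 dst=search.namequery.com dport=80 action=allow
2014-11-05 09:12:03 src=10.0.0.15 dst=209.53.113.223 dport=80 action=allow
2014-11-05 09:12:04 src=10.0.0.15 dst=search.namequery.com dport=80 action=allow
2014-11-05 09:12:05 src=10.0.0.15 dst=search.namequery.com dport=80 action=deny
2014-11-05 09:12:02 src=10.0.0.30 dst=www.example.com dport=443 action=allow
2014-11-05 09:30:00 src=10.0.0.22 dst=search.namequery.com dport=80 action=allow
2014-11-05 10:30:00 src=10.0.0.22 dst=search.namequery.com dport=80 action=allow
2014-11-05 11:30:00 src=10.0.0.22 dst=search.namequery.com dport=80 action=allow
""".splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "src": m.group(2), "dst": m.group(3),
            "dport": int(m.group(4)), "action": m.group(5)}


def is_indicator(dst: str) -> bool:
    """True for the Computrace server IP or any host under namequery.com."""
    return dst in INDICATOR_IPS or INDICATOR_HOST.search(dst) is not None


def find_callhome(lines, beacon_interval=2.0):
    """Group indicator hits per source host; mark hosts whose typical gap is <= beacon_interval s.

    A single hit already means the agent is present; 'beaconing' reproduces the
    every-second connection pattern the post describes.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_indicator(rec["dst"]):
            hits[rec["src"]].append(rec)

    findings = []
    for src in sorted(hits):
        recs = sorted(hits[src], key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        typical = median(gaps) if gaps else None
        findings.append({
            "src": src,
            "hits": len(recs),
            "dsts": sorted({r["dst"] for r in recs}),
            "median_gap_s": typical,
            "beaconing": typical is not None and typical <= beacon_interval,
        })
    return findings


if __name__ == "__main__":
    for f in find_callhome(SAMPLE_LOG):
        state = "BEACONING" if f["beaconing"] else "seen"
        print(f"{f['src']:<12} {state:<10} hits={f['hits']} gap={f['median_gap_s']}s "
              f"-> {', '.join(f['dsts'])}")
```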




    How to remove or uninstall Absolute Computrace

    I won't provide any specific information on how to remove or uninstall Computrace, as its main purpose is still - and I quote:

    [...] to perform preemptive and reactive security measures to safeguard a missing, lost, or stolen device and the data it contains. With Computrace Mobile you can determine the location of the device and whether or not it’s on the move. You can also freeze it to prevent unauthorized access and send a message to the user to validate the status of the device. If the device contains important information, you can remotely retrieve files or delete them immediately. And you can generate an audit log of the data that’s been removed so you can prove compliance with corporate and government regulations.


    However, should you have bought (what you believe is) a new machine and it is apparent Computrace is active, download the latest drivers fit for your system:
    Download BIOS drivers. Also find information on How to Update Your Computer's BIOS.

    When correctly executed and the option for Computrace in the BIOS is set to Permanently Disabled, it should correctly disable itself, taking into account that the original license has expired or the original owner deactivated it, if one exists.

    Another option would be to request a motherboard replacement for your machine, as suggested above. Additionally you may reinstall the Operating System afterwards.




    Absolute Computrace FAQ


    Is Computrace malicious?
    No.



    Which devices does Computrace support and may be installed on?

    (Source)

    So yes, it's possible Computrace is installed on any other of your (mobile) devices. If you're looking for pointers, once again look for outbound connections to *.namequery.com or *.absolute.com.



    Which firmware or BIOS brands does Computrace support and may be installed on?

    • Acer
    • Apple
    • ASUS
    • Daten
    • DELL
    • Fujitsu
    • GammaTech
    • General Dynamics Itronix
    • Getac
    • HP
    • Lenovo
    • Microsoft
    • Motion
    • NEC
    • Panasonic
    • Samsung
    • Sony
    • Toshiba
    • Winmate
    • Xplore Technologies





    How recent was the Computrace agent variant you found?
    I added this question to compare it with Kaspersky's binary, which was compiled in June 2012.


    This variant of the Computrace agent was compiled in May 2012 (assuming it's not altered)

    Another version of Computrace was found. Note that this is possibly due to small updates of the loader or agent module.



    Will flashing the BIOS remove Computrace?
    No, as it resides in a non-flashable portion of the BIOS.



    Will downloading the latest BIOS drivers for my machine remove Computrace?
    See "How to remove or uninstall Absolute Computrace".



    I'd like to see more information about my BIOS/EFI/coreboot/firmware/optionROM.
    You can use the excellent tool flashrom. If you are using anything but Windows, Anibal and Alfredo have also written a Python program to dump the BIOS firmware and search for a CompuTrace Option ROM: dumpComputrace.py (Note: you'll need to apt-get flashRom/dmiDecode/UPX)



    What if I'm a customer of Computrace and have doubts or want more information? 
    Best thing to do is call them directly: +00 1 877 337 0337 (US number), choose option #1. The general number in Europe is: +44 118 902 2005 and for Asia: +65 6595 4594

    More information on how to contact them as an existing customer can be found here:
    Absolute Software Support



    What if I'm not a customer of Computrace and have doubts or want more information?
    You can still use the numbers above if you like, or you can use the Absolute Software Contact Form.



    What if I suspect I bought a stolen machine which has Computrace installed?
    Contact Absolute Software (see above)! They will set up a case together with you and law enforcement.



    Is there similar software out there like Computrace?
    Yes, but it is not exactly the same as Computrace. An example is Prey. Another example is Intel's Anti-Theft Technology - which apparently will cease to exist in January 2015. Source:
    Intel Anti-Theft Service FAQ

    Nowadays, most Antivirus vendors also offer some form of anti-theft. For more information, refer to the corresponding websites of the vendors.



    Why did you decide to write this blog post?
    To provide even more additional & useful information, as well as out of sheer interest.



    Do you have any additional information to share? 
    Yes, see right below in the Resources section.




    Resources

    Absolute Software - Perspective on Kaspersky Report & FAQ
    Absolute Software - Persistent servicing agent  (Patent US20060272020 A1)
    Corelabs - Deactivate the rootkit (PDF)
    Kaspersky - Absolute Computrace Revisited
    Kaspersky - Absolute Computrace: Frequently Asked Questions





    Acknowledgements

    I'd like to thank, in no particular order:


    • Anibal Sacco and Alfredo Ortega for their initial research.
    • Alfredo Ortega for a refreshing chat and answering some additional doubts I had.
    • Vitaliy Kamlyuk and Sergey Belov for their additional/follow-up research.
    • Absolute Software's service desk/support specialists for their excellent service & answering any questions I had.

    Thank you for reading.


    Sunday, September 21, 2014

    A word on CosmicDuke


    On Thursday F-Secure released a blog post on CosmicDuke. But what is CosmicDuke exactly?

    CosmicDuke - the first malware seen to include code from both the notorious MiniDuke APT Trojan and another longstanding threat, the information-stealing Cosmu family. When active on an infected machine, CosmicDuke will search for and harvest login details from a range of programs and forward the data to remote servers.
    Source: COSMICDUKE: Cosmu with a twist of MiniDuke (PDF)

    In other words, it will (attempt to) steal your login credentials from browsers and any other programs you may or may not use. I was interested to take a look; cue how Twitter comes in handy:

    In this post we'll be focusing on sample 82448eb23ea9eb3939b6f24df46789bf7f2d43e3, which supposedly deals with the EU sanctions against Russia.


    When opening the document:

    (Source)

    When you open the document with macros disabled:

    Seems they came prepared in case anyone has macros disabled. Think this is a legit Word document?
    Nope.

    When you open the document, there's actually a child process spawned (tmp4D.tmp) which also loads a file called input.dll:


    Don't be fooled by the company name or description,
    this isn't IIS Express Worker Process nor has it anything to do with Microsoft.

    We'll soon see what all this does. First, I'd like to provide some background information. The file is a .docx file, which means it is a ZIP container holding XML parts (ZIP compression keeps the size down); this format was introduced with Office 2007. Why is that relevant?

    Because you can unzip (with 7-zip for example) any Office file with the new extension:
    (.docx, .xlsx, .pptx, ...)


    Unzipped content of a .docx file

    Thus, you can have a peek inside the document without actually opening it. If we look inside the "word" folder from our document, we can see the following (note the highlighted entries):
    Unzipped content of our .docx file


    As you can see, there are 3 extra files there: 2 DLL files and a BIN file. Those files are embedded into the Word document. The BIN file loads an OLE object, which then loads either the input.dll or the input64.dll file, depending on your operating system architecture (in other words, the Office macro loads a malicious binary file).
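The same look inside the container can be done without 7-zip or Word. As an added example (my code, not the author's), the Python below opens a .docx as a ZIP and flags parts under word/ that are PE images (MZ header, like the two DLLs), OLE compound files (like the BIN object and a vbaProject.bin macro container), or anything else that is not XML or an image. The document it scans is constructed inside the code; the part names oleObject1.bin and vbaProject.bin are my stand-ins, not names taken from the analysed sample.

```python
import io
import zipfile

# Magic bytes for the two embedded object types the post found under word/:
MZ_MAGIC = b"MZ"                                   # PE image (input.dll / input64.dll)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE compound file (.bin objects, vbaProject.bin)
XML_SUFFIXES = (".xml", ".rels")                   # what a plain Office Open XML part is


def scan_docx(blob: bytes) -> list:
    """Open the .docx as a ZIP and report parts that do not belong in a plain document.

    Returns one dict per suspicious part: its name, stored size and the reasons.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as part:
                head = part.read(8)           # the magic check needs only the first bytes
            reasons = []
            if head.startswith(MZ_MAGIC):
                reasons.append("PE executable (MZ header)")
            if head.startswith(OLE_MAGIC):
                reasons.append("OLE compound file")
            if name.lower().endswith("vbaproject.bin"):
                reasons.append("VBA macro project")
            # Anything else under word/ that is neither XML nor an image is worth a look.
            if (not reasons and name.startswith("word/")
                    and not name.startswith("word/media/")
                    and not name.lower().endswith(XML_SUFFIXES)):
                reasons.append("unexpected non-XML part")
            if reasons:
                findings.append({"part": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_docx() -> bytes:
    """Constructed stand-in for the analysed document: a normal skeleton plus the extra parts."""
    fake_pe = MZ_MAGIC + bytes(62) + b"PE\0\0" + bytes(64)   # MZ stub + PE signature, nothing more
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + bytes(32))
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + bytes(504))      # the macro
        zf.writestr("word/oleObject1.bin", OLE_MAGIC + bytes(504))      # the BIN file
        zf.writestr("word/input.dll", fake_pe)                          # 32-bit payload
        zf.writestr("word/input64.dll", fake_pe)                        # 64-bit payload
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_docx(build_sample_docx()):
        print(f"{f['part']:<24} {f['size']:>6} bytes  {'; '.join(f['reasons'])}")
```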

    If you're interested in what the OLE artifact contained, here's a Pastebin link:

    Afterwards, the malware tries to kill the following processes:
    cmd.exe
    savadminservice.exe
    scfservice.exe
    savservice.exe
    ekrn.exe
    msseces.exe
    MsMpEng.exe
    dwengine.exe
    ekern.exe
    nod32.exe
    nod32krn.exe
    AvastUi.exe
    AvastSvc.exe
    kav.exe
    navapsvc.exe
    mcods.exe
    mcvsescn.exe
    outpost.exe
    acs.exe
    avp.exe

    It will then try to gather as much data as possible, from cookies to files matching *psw*;*pass*;*login*;*admin*;*sifr*;*sifer* or *vpn. Soon after, your data will be uploaded to an FTP server, which wasn't too hard to find.

    Anyways, here's some additional information on the Word file by automated tools:
    MalwareTracker Result
    VirusTotal Result



    Prevention



    Conclusion

    It seems obvious that malware authors are keeping up-to-date with the latest news and as such adapting their campaigns as well. Better be safe than sorry and don't trust anything sent via email. ;-)



    Resources

    Friday, September 5, 2014

    Analysing Android files



    In this post I'll simply be listing several tools to analyse (malicious) Android files. All tools or scanners listed are free to use.

    Someone asked in the comments how to analyze files from the Google Play store without actually installing/downloading them directly to your phone (or if, for example, you don't use Android). For that, you can use APK Downloader. It will fetch the APK for you; you'll then be able to analyze or scan it without the need to install.

    If you have knowledge of more free tools or scanners for Android files (.apk), then feel free to comment and I'll add them.



    Online tools

    AndroTotal
    http://andrototal.org/

    Anubis
    http://anubis.iseclab.org/

    Apk Analyzer
    http://www.apk-analyzer.net/

    ApkScan
    http://apkscan.nviso.be/

    Android APK Decompiler
    http://www.decompileandroid.com/

    AVC UnDroid
    http://www.av-comparatives.org/avc-analyzer/

    VirusTotal
    https://www.virustotal.com/en/


    Offline tools

    AndroGuard
    https://code.google.com/p/androguard/

    Android-apktool
    http://code.google.com/p/android-apktool/

    Android SDK
    http://developer.android.com/sdk/index.html

    Apkinspector
    https://github.com/honeynet/apkinspector/

    Dex2jar
    http://code.google.com/p/dex2jar/








    Monday, May 12, 2014

    A word on phone scammers


    You have probably heard one of the terms "cold call", "calling from Windows" or "phone scam" before.

    Microsoft's definition:
    In this scam cybercriminals call you and claim to be from Microsoft Tech Support. They offer to help solve your computer problems. Once the crooks have gained your trust, they attempt to steal from you and damage your computer with malicious software including viruses and spyware.

    In other words:
    someone unknown to you calls you, telling you there's an issue with your computer and they can fix it.

    Recently, I received a machine and report from people who had been so unfortunate as to fall for this scam.


    In this post I'll be dissecting how the scam works, why it works and what to do to protect yourself, as well as what to do if you've already been scammed.


    How it works

    Preface

    Usually, the scammers will simply open up a phonebook and start going down the list of names.

    Other means may be, but are not limited to:



    • Fake support services: websites claiming to help you with computer issues, but which are in fact just another scam
    • Your phone number has been spread on the web one too many times (by either yourself or someone else)

    Small update: only just recently several internet giants (Google, Facebook, Twitter, ...) have joined forces to combat malicious tech support ads. You can find them on: http://trustinads.org



    Scenario

    The phone rings. You do not recognise the number, but you pick up anyway. A voice says: 
    "Hello Sir/Madame, we are calling from Windows". A man or woman tells you to browse to a certain website and connect with them so they can repair or restore your computer.

    Some characteristics about the call itself:


    • The man or woman often has an Indian accent
    • They call from a number outside your current country or have an unknown caller ID
    • They urge you that there's a problem with your computer that needs immediate fixing
    • They impersonate legit companies, for example Microsoft or even an antivirus company


    On this Pastebin is a list of numbers which are being used or have been used for these cold calls. Often though they'll use a "private number", "anonymous" or unknown caller ID. They may also spoof the caller ID.

    It doesn't matter which operating system you use or which type of computer, they'll always state there are critical system errors, thus you should connect to a certain website, download and run a program.

    They always use legitimate services: remote software tools which are not harmful by themselves, but can be used (as in these cases) by phone scammers. A comprehensive list of the tools most often used:


    • Ammyy
    • Bomgar
    • GoToAssist
    • TeamViewer
    • ShowMyPC
    • Logmein (or Logmein Rescue)
    • ... others


    Like stated before, these tools are not malicious. Often free - they're a simple way for a technician to connect to a customer's machine (for example) and solve a technical issue. Unfortunately, they can also be used for malicious purposes.

    Some of these tools have clearly stated they are not associated with any of these scams, like Ammyy for example. Other tools provide a form to fill in if abuse is suspected or witnessed, like Logmein.

    Next up: say you have downloaded and executed one of those tools and the scammer now has access to your machine. There are several known scenarios, but it usually boils down to them showing you the Event Viewer (a legit tool by Windows which can provide useful information in event of system crashes or simply system information. More information here). 

    Usually, you'll find one or more errors in there, unless the machine was freshly installed. Note that it is not unusual at all. Sometimes, this part works the other way around: they will first ask you to open up the Event Viewer so you can verify they are speaking the truth (but not really) and there are indeed "errors on your machine which need to be fixed as soon as possible."



    "Scary errors in the Windows Event Viewer." Source

    Afterwards, you'll have to pay a certain amount of money to fix the errors (which weren't there in the first place). This can usually go down in either of these ways:


    • You have to pay a reasonable sum of money, say 5 or 10 euros/dollars/pounds.
    • You have to pay a not-so-reasonable amount of money, varying from 100 to 300 euros/dollars/pounds.

    In both cases, chances are very likely you'll end up paying even more. Again, some possibilities:


    • The "technician" claims the transfer did not work or was incomplete and asks to try again.
      (but in fact it did work and they're just trying to rip you off even more.)
    • They will steal login information and/or CC credentials or other bank account/Paypal/.... information.
      (several possibilities here obviously, depending on which type of payment you used.)

    It is also possible they install fake antivirus software (rogueware) or even a cracked copy of antivirus software (for the cynics: no, they are not the same). Which in turn means you'll need to get rid of that as well... And have to cough up more money.

    Other reports have pointed out that, when the scammer's patience runs out, critical files (Windows system files) or personal documents were deleted by the scammer.


    Background

    It is not entirely certain when the first phone scams as described in this blog post began. If you do have a timeline, be sure to let me know so I can include it.

    This type of social engineering may be well known by now, but is not that much in the media in comparison to other types of threats. 

    Small remark here, don't be fooled: you're not the first one and certainly not the last one they will try to scam. There's in fact a whole business model behind the scam: call centers filled with "technicians" who will do nothing all day but call people and try to scam them.

    There's also an excellent video by Malwarebytes showing the different stages of the scam - and the scammer eventually getting irritated and going on a rampage (or that's what the scammer believed):



    Why it works

    Obviously, the scammers use a certain tactic to convince you to pay them your hard-earned money. This tactic is commonly known as FUD (Fear, Uncertainty, Doubt); there's a Wikipedia link available by clicking here.

    In short:
    • Fear: they tell you there's an issue or several issues with your computer
    • Uncertainty: you may have had some slowdowns recently. Or, coincidentally or not, you just had malware.
    • Doubt: "I did have this issue, maybe they can help me?"

    No! Doubt is their product, you being uncertain is their second step for a successful scam. The third part is fear and eventually you giving in.

    The scam or social engineering tactic may be as old as the hills, but that doesn't mean it won't work. Hence the many reports on this scam, and people still falling for it, even though it has existed for several years (though there are no exact figures or statistics on that).

    It is always possible you recently had some issues with your machine, but that doesn't mean the scammers know. They are just guessing and hoping you'll fall for it - most people are trustworthy, right? Not on the internet.



    What to do next


    Investigation

    If possible, write down as much information as you can before following the remediation steps:


    • Often, the remote tools mentioned will use a session ID or code. Write down that ID or code.
    • Write down the date and time when the remote session(s) happened. Write down your public IP address if known - you can also check this via whatismyip.com.
    • Write down the phone number(s) as well as the date and time when they called you.
    • Write down the name of the remote program/tool, as well as any other information you can think of: the name of the person calling you (99.9% of the time fake, but you never know), what exactly happened, if/how/when you paid or transferred any money, and anything else which you think may be helpful.


    Remediation or disinfection


    If it is too late, the first thing to do is to stop whatever the scammers are/were doing. In particular:


    • Unplug the Ethernet cable or turn off your wireless. Reboot your machine. Is a pop-up coming up asking for a connection or waiting for a connection? Close it.
    • Call your bank, your credit card provider, PayPal or whichever payment method you used - call your financial institution as soon as possible to cancel the transfer!
    • Uninstall any new and unknown software you find. Check Add/Remove Programs, for example, to verify that none of the above-mentioned remote tools have been installed.
      Also check the usual locations, for example C:\Program Files or C:\Program Files (x86).
    • Perform a full scan with your antivirus software, especially in the case of a fake antivirus or rogueware. Restore internet access at this point and run a scan with another online antivirus.
    • Call your phone company! Ask them if they can verify who has called in case of an unknown caller ID - or to block the specific numbers should you receive these calls regularly.
    • Change your passwords - meaning your computer's user password, but the password(s) of your bank account, PayPal and other services as well.
    • When you deem this necessary, perform a system restore of your machine. In serious cases, an even better option is to format your machine completely (though usually not necessary).
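    To make the "check Add/Remove Programs and the usual folders" step above less tedious, here is an added PowerShell example (not part of the original post) that lists software registered in the uninstall keys and folders created in Program Files and the per-user application folders within the last few days. It assumes Windows with PowerShell 3.0 or later and an elevated session; the number of days is a constructed default.

```powershell
# Added example: review software installed and folders created in the last $Days days
# after a suspected tech-support-scam remote session. Run from an elevated PowerShell.
param([int]$Days = 7)   # constructed default; adjust to the date of the scam call

$since = (Get-Date).AddDays(-$Days)

# Add/Remove Programs is built from these uninstall keys (64-bit, 32-bit and per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$recentPrograms = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate } |
    ForEach-Object {
        # InstallDate is stored as a yyyyMMdd string; malformed values are skipped.
        $parsed = [datetime]::MinValue
        if ([datetime]::TryParseExact($_.InstallDate, 'yyyyMMdd', $null,
                [System.Globalization.DateTimeStyles]::None, [ref]$parsed) -and $parsed -ge $since) {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Publisher = $_.Publisher
                Installed = $parsed.ToString('yyyy-MM-dd')
                Uninstall = $_.UninstallString
            }
        }
    }

Write-Host "Programs registered since $($since.ToString('yyyy-MM-dd')):"
$recentPrograms | Sort-Object Installed -Descending | Format-Table -AutoSize

# Not every installer writes InstallDate, so also check folder creation times in the
# locations the post mentions plus the per-user application folders.
$folders = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ -and (Test-Path $_) }

Write-Host "Folders created since $($since.ToString('yyyy-MM-dd')):"
Get-ChildItem -Path $folders -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    Select-Object FullName, CreationTime |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

    Anything unfamiliar in either list is a candidate for the uninstall step; note the names and dates for your complaint before removing them.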

    Now, file a complaint via the Internet Crime Complaint Center (IC3) or via your local police station or CERT (a list of CERTs is available via ENISA or Europol). Include any information you have gathered. It is important you do this to be able to uncover and jail these scammers. Do not be afraid to ask for further information.



    Prevention


    Unfortunately, there aren't too many options to prevent this particular scam. A few pointers:



    • Unknown caller ID or private number? Don't pick up, unless you're indeed expecting a phone call.
    • Weird or long number calling you? Don't pick up. If you decide to pick up, listen to what they have to say, smile and put down the phone anyway.
    • Receiving these calls regularly? Call your phone company so they can block the numbers. If you're receiving a lot of these calls, be sure not to pick up at all: as soon as you answer, they know there's someone on the other side, even if you put down the phone immediately.
    • Missed a few calls from these numbers? Don't be tempted to call back. A related scam calls you and hangs up after one second, hoping to tempt you into calling back. Don't fall for that scam either. (They are not necessarily the same cybercriminals, but they both want your money.)
    • Avoid shady "tech support" websites. A tool which may help you with this is WOT - Web Of Trust.
    • Add yourself to the National Do Not Call Registry (US only). This may not prevent phone scammers, but it does prevent other marketers from calling you and passing your number on to others. For all other countries: ask your local CERT for options, as there aren't many available.
    • Last but not least: use your common sense! When in doubt, simply hang up the phone.


    For providers of these remote tools:


    • Include a clear page on your website warning about the possible malicious use of your software.
    • Include an abuse report form - whether via a ticketing system, by phone, by e-mail or any other means.
    • Send all information the victim provided to the legal authorities so they can take action.
    • Inform the user of what has happened - should they blame you. Refer to your warning page about this scam.



    Conclusion

    As pointed out in this blog post, phone scammers are not new. Yet their scare tactics still seem to work. 

    Just like other cybercriminals, phone scammers need to be stopped. You can help if you were a victim by reporting the incident to the authorities. Follow the tips above to protect yourself better.

    For any other questions, suggestions or remarks: do not hesitate to leave a comment or contact me on Twitter: @bartblaze

    Finally, I've added some other useful resources and documentation on this type of scam below.


    Resources

    Federal Trade Commission (FTC) - Phone Scams
    KrebsonSecurity - Tech Support Phone Scams Surge
    Malwarebytes - Tech Support Scams – Help & Resource Page
    Microsoft - Avoid tech support phone scams
    TrustInAds - Bad Ads Trend Alert: Shining a Light on Tech Support Advertising Scams (PDF)
    WeLiveSecurity - My PC has 32,539 errors: how telephone support scams really work (PDF)