Monday, May 12, 2014

A word on phone scammers

You have probably heard of any of the terms "cold call", "calling from Windows" or "phone scam" before. 

Microsoft's definition:
In this scam cybercriminals call you and claim to be from Microsoft Tech Support. They offer to help solve your computer problems. Once the crooks have gained your trust, they attempt to steal from you and damage your computer with malicious software including viruses and spyware.

In other words:
someone unknown to you calls you, telling you there's an issue with your computer and they can fix it.

Recently, I received a machine and report from people who had been so unfortunate as to fall for this scam.


In this post I'll be dissecting how the scam works, why it works and what to do to protect yourself, as well as what to do if you've already been scammed.

How it works
Why it works

What to do next 

Conclusion



How it works

Preface

Usually, the scammers will simply open up a phonebook and start going down the list of names.

Other means may be, but are not limited to:



  • Fake support services -
    websites claiming to help you with computer issues- but in fact are just another scam
  • Your phonenumber has been spread on the web one too many times (by either yourself or someone else)
Only just recently several internet giants (Google, Facebook, Twitter, ...) have joined forces to combat malicious tech support ads. You can find them on: http://trustinads.org



 
Scenario

The phone rings. You do not recognise the number, but you pick up anyway. A voice says: 
"Hello Sir/Madame, we are calling from Windows". A man or woman tells you to browse to a certain website and connect with them so they can repair or restore your computer.

Some characteristics about the call itself:


  • The man or woman often has an Indian accent
  • They call from a number outside your current country or have an unknown caller ID
  • They urge you that there's a problem with your computer that needs immediate fixing
  • They impersonate legit companies, for example Microsoft or even an antivirus company


On this Pastebin is a list of numbers which are being used or have been used for these cold calls. Often though they'll use a "private number", "anonymous" or unknown caller ID. They may also spoof the caller ID.

It doesn't matter which operating system you use or which type of computer, they'll always state there are critical system errors, thus you should connect to a certain website, download and run a program.

They always use legitimate services - remote software tools which are not harmful by itself, but can be used (as in these cases) by phone scammers. A comprehensive list of the tools most often used:


  • Ammyy
  • Bomgar
  • GoToAssist
  • ScreenConnect (ConnectWise Control)
  • ShowMyPC
  • TeamViewer
  • LogMeIn (LogMeIn Rescue)
  • ...  Others


Like stated before, these tools are not malicious. Often free - they're a simple way for a technician to connect to a customer's machine (for example) and solve a technical issue. Unfortunately, they can also be used for malicious purposes.

Some of these tools have clearly stated they are not associated with any of these scams. Other tools provide a form to fill in if abuse is suspected or witnessed, like LogMeIn.

Next up: say you have downloaded and executed one of those tools and the scammer now has access to your machine. There are several known scenarios, but it usually boils down to them showing you the Event Viewer (a legit tool by Windows which can provide useful information in event of system crashes or simply system information. More information here). 

Usually, you'll find one or more errors in there, unless the machine was freshly installed. Note that it is not unusual at all. Sometimes, this part works the other way around: they will first ask you to open up the Event Viewer so you can verify they are speaking the truth (but not really) and there are indeed "errors on your machine which need to be fixed as soon as possible."


"Scary errors in the Windows Event Viewer." Source





















Afterwards, you'll have to pay a certain amount of money to fix the errors (which weren't there in the first place). This can usually go down in either of these ways:


  • You have to pay a reasonable sum of money, say 5 or 10 euros/dollars/pounds.
  • You have to pay a not-so-reasonable amount of money, varying from 100 to 300 euros/dollars/pounds.

In both cases, chances are very likely you'll end up paying even more. Again, some possibilities:


  • The "technician" claims the transfer did not work or was incomplete and asks to try again.
    (but in fact it did work and they're just trying to rip you off even more.)
  • They will steal login information and/or CC credentials or other bank account/Paypal/.... information.
    (several possibilities here obviously, depending on which type of payment you used.)

It is also possible they install fake antivirus software (rogueware) or even a cracked copy of antivirus software (for the cynics: no, they are not the same). Which in turn means you'll need to get rid of that as well... And have to cough up more money.

Other reports have pointed out that - when the scammer's patience runs out- critical files (Windows system files) or personal documents were deleted by the scammer.


Background

It is not entirely certain when the first phone scams as described in this blog post began. If you do have a timeline, be sure to let me know so I can include it.

This type of social engineering may be well known by now, but is not that much in the media in comparison to other types of threats. 

Small remark here, don't be fooled: you're not the first one and certainly not the last one they will try to scam. There's in fact a whole business model behind the scam - call centers filled with "technicians" whom will do nothing all day but call people and try to scam them.

There's also an excellent video by Malwarebytes showing the different stages of the scam - and the scammer eventually getting irritated and going on a rampage (or that's what the scammer believed):



Why it works

Obviously, the scammers use a certain tactic to convince you to pay them your hard-deserved money. This tactic is mostly known as FUD. (Fear, Uncertainty, Doubt) There's a Wiki link available by clicking here.

In short:
  • Fear: they tell you there's an issue or several issues with your computer
  • Uncertainty: you may have had some slowdowns recently. Or - coincidentally or not- you just had malware.
  • Doubt: "I did have this issue, maybe they can help me?"

No! Doubt is their product, you being uncertain is their second step for a successful scam. The third part is fear and eventually you giving in.

The scam or social engineering tactic may be as old as the hills, but that doesn't mean it won't work. Hence the many reports on this scam - and people still falling for it, even though it exists for several years. (but no exact figures or statistics present on that.)

It is always possible you recently had some issues with your machine, but that doesn't mean the scammers know. They are just guessing and hoping you'll fall for it - most people are trustworthy, right? Not on the internet.


What to do next

Investigation

If possible, write down as much information as you can before following the remediation steps:


  • Often, the remote tools mentioned will utilize an ID or code. Write down the ID or code.
  • Write down the date and time when this remote sessions happened. Write down your public IP address if known - you can also check this via whatismyip.com.
  • Write down the phone number(s) as well as date and time when they called you.
  • Write down the name of the remote program/tool, as well as any other information you may think of. (name of the person calling you (99,9% of the time fake, but you never know), what exactly happened, if/how/when you paid or transferred any money and any other information which you think may be helpful.)

Remediation or disinfection

If it is too late, the first thing to do is to stop whatever the scammers are/were doing. In particular:


  • Unplug the ethernet cable or turn off your wireless. Reboot your machine. Is a pop-up coming up asking for a connection or waiting for a connection? Close it.
  • Call your bank, your CC card provider, Paypal or whichever means you have used - call your financial institution as soon as possible to cancel the transfer!
  • Uninstall any new & unknown software you find. Verify in Add/Remove programs if none of the above mentioned tools have been installed, for example.
    Also check the usual locations, for example C:\Program Files or C:\Program Files (x86).
  • Perform a full scan with your antivirus software, especially in the case of a fake antivirus or rogueware. Restore internet access at this point and run a scan with another online antivirus.
  • Call your phone company! Ask them if they can verify who has called in case of an unknown caller ID - or to block the specific numbers should you receive these calls regularly.
  • Change passwords of your computer - meaning your user password, but the password(s) of your bank account/Paypal and others as well.
  • When you deem this necessary, perform a system restore of your machine. In serious cases, an even better option is to format your machine completely (though usually not necessary).

Now, file a complaint via the Internet Crime Complain Center (IC3) or via your local police station or CERT (list of CERTs available via Enisa or Europol). Include any information you have gathered. It is important you do this to be able to uncover and jail these scammers. If you were redirected via an ad on a legitimate website, file a report via TrustInAds as well. Do not be afraid to ask for further information.

Prevention

Unfortunately, there aren't too many options to prevent this particular scam. A few pointers:



  • Unknown caller ID or private number? Don't pick up, unless you're indeed expecting a phone call.
  • Weird or long number calling you? Don't pick up. If you decide to pick up, listen to what they have to say, smile and put down the phone anyway.
  • Receiving these calls regularly? Call your phone company so they can block it. If you're receiving a lot of these calls, be sure to not pick up, as they'll know there's someone on the other side, even though you put down the phone immediately.
  • Missed a few calls from these numbers? Don't be tempted to call back. A similar scam is calling you, but after 1 second immediately hanging up. This may tempt you into calling back. Don't fall for that scam either. (they are not necessarily the same cybercriminals, but they both want your money.)
  • Avoid shady "tech support" websites. A tool which may help you in this is WOT - Web Of Trust.
  • Add yourself to the National Do Not Call Registry (US only). This may not prevent phone scammers, but it does prevent other marketeers from calling you and spreading your number to others. For all other countries: inform with your local CERT for options, as there aren't many available.
  • If you are managing someone else's computer it may be a good idea to set up a limited user account.
  • Last but not least: use your common sense! When in doubt, simply hang up the phone.


For providers of these remote tools:


  • Include a clear page on your website warning about the possible malicious use of your software.
  • Include an abuse report form - whether via a ticketing system, by call or mail or any other means.
  • Send all information the victim provided to the legal authorities so they can take action.
  • Inform the user of what has happened - should they blame you. Refer to your warning page about this scam.



Conclusion

As pointed out in this blog post, phone scammers are not new. Yet their scare tactics still seem to work. 

Just like other cybercriminals, phone scammers need to be put down. You can help if you were a victim by reporting this incident to the authorities. Follow the tips above to be able to protect yourself better.

For any other questions, suggestions or remarks: do not hesitate to leave a comment or contact me on Twitter: @bartblaze

Finally, I've added some other useful resources and documentation on this type of scam down below. 


Resources

Federal Trade Commision (FTC) - Phone Scams
DataNews / Knack - Hoe herken je een oplichter via de telefoon? (NL)
DataNews / Knack - Comment reconnaître un escroc au téléphone? (FR)
KrebsonSecurity - Tech Support Phone Scams Surge
Malwarebytes - Tech Support Scams – Help & Resource Page

Microsoft - Avoid tech support phone scams
TrustInAds - Bad Ads Trend Alert: Shining a Light on Tech Support Advertising Scams (PDF)  
WeLiveSecurity - My PC has 32,539 errors: how telephone support scams really work (PDF)