By David Harley and Josep Albors
If you asked most people what they believe to be the most prevalent form of threat right now, they'd almost certainly say 'ransomware'. However, my colleague Josep Albors has come to a surprising conclusion in his Spanish-language blog post 'Fake technical support is the most detected threat in Spain during January'. While the data on which he drew indicate that Spain leads the field in detections of HTML/FakeAlert, several other countries (including the UK and France) are seeing detections in surprisingly large quantities.
The following is a very free translation of Josep’s
article with some commentary from me. Any errors in translation are down to me.
It's not all about ransomware
Malicious software (malware), and ransomware in particular, is among the most notorious threats at the moment, capable of causing a great deal of harm to its victims, whether financial loss or the loss of valued data. Nevertheless, there are other threats that may be less damaging – at any rate to targeted organizations, which tend to be required to pay larger ransoms than random individual victims – but are by no means harmless. Even the range of weaselly nuisances that the security industry tends to categorize as 'Possibly Unwanted' are sometimes intrusive enough to seriously impact a computer or device user's online experience. And the messages, phone calls and web pages used to perpetrate fraud such as support scams are no less criminal in intent than ransomware, though in most cases they cause less damage.
That said, a support scammer who has succeeded in
luring victims into giving him access to their systems has often proved more
than happy to trash that system if the victim isn’t sufficiently compliant.
Help with the problem you didn't know you had
Support scams are by no means new: I first started writing about them in 2010 or thereabouts, as did Josep. In those days, the problem was mostly confined to cold calls (unsolicited telephone calls) made to more-or-less random English-speaking computer users. In due course, these calls came to be supported by a dubious infrastructure of websites and Facebook pages offering 'help' to users of specific products. These gave the scammers the ability to point to sites marketing their apparently 'legitimate' services when cold-calling reluctant victims. However, the sites were also widely advertised through search engines, so that potential victims with a genuine computer problem were likely to come across these less-than-genuine services and phone numbers when searching for a source of assistance.
Irritatingly, we have seen many instances of such sites offering 'support' for specific legitimate products where the vendor already offered real support via its own pages. We have also seen isolated instances where a vendor outsourced support to companies that misused their position of trust to press their own advantage using classic support scam techniques.
Cold-calling to SEO to fake alerts
In recent years, cold-calling and basic SEO (Search Engine Optimization) exploitation have to a large extent been augmented or supplanted by various highly proactive methods – including what amounts to malware – of luring the victim into actively ringing the 'support line'.
Consider, for instance, Hicurdismos, a malicious program that masqueraded as an installer for Microsoft's own Security Essentials. It generated a fake Blue Screen of Death (BSoD) that included a 'helpline number': essentially a malware-aided tech support scam, spread by drive-by download, that took steps – such as hiding the mouse cursor and disabling Task Manager – to make its payload look like a serious system issue.
However, most attacks take the form of fake system alerts that 'warn' the victim of a virus or some similarly frightening issue and provide a 'support' telephone number. (Sometimes these use a fake system crash similar to those used by some bottom-feeder ransomware gangs.)
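As an added example (not code from this article, and not ESET's HTML/FakeAlert detection), here is a small heuristic scorer for pages of the kind described above. It looks for the traits such fake-alert pages share: scare wording, a number the visitor is told to call, and scripts that trap the visitor on the page (alert loops, beforeunload hooks, forced fullscreen and a hidden cursor, much as Hicurdismos hid the mouse cursor). The two HTML samples, the pattern lists and the threshold are all constructed for the demonstration; a genuine vendor contact page with a phone number is included to show that the number alone is not enough to flag a page.

```python
"""Heuristic scorer for fake-alert tech-support scam pages.

Added example for this article: not ESET code and not the HTML/FakeAlert
signature. It scores raw HTML for the traits such pages share: scare wording,
a number the visitor is told to call, and scripts that stop the visitor leaving
(alert loops, beforeunload hooks, forced fullscreen, a hidden cursor).
"""
import re
from dataclasses import dataclass, field

# Constructed sample of a fake-alert page (written for this example, not a captured one).
FAKE_ALERT_HTML = """<html><head><title>Windows Security Alert</title>
<script>
window.onbeforeunload = function () { return "Do not close this page"; };
setInterval(function () { alert("Your computer has been infected! Call Support Now"); }, 1000);
document.documentElement.requestFullscreen();
</script>
<style>body { cursor: none; }</style></head>
<body><h1>** ERROR # 0x80072EE7 **</h1>
<p>Your computer has been blocked. A virus and Trojan were detected.</p>
<p>Do not close this window. Call Microsoft certified technicians: 1-844-555-0199</p>
</body></html>"""

# Constructed sample of a genuine vendor contact page: it also shows a phone number.
BENIGN_HTML = """<html><head><title>Contact support</title></head>
<body><h1>Contact us</h1>
<p>Our support team is available Monday to Friday. Phone: +44 20 7946 0000</p>
<p>See the knowledge base for common questions.</p></body></html>"""

# Wording shown to the victim; searched in the visible text (1 point each).
SCARE_PATTERNS = {
    "infection_claim": r"\b(virus|trojan|spyware|malware|infected)\b",
    "blocked_claim": r"\b(has been (blocked|locked)|do not (close|restart|shut ?down))\b",
    "urgent_call": r"\bcall\b[^<\n]{0,60}?\b(now|immediately|support|technicians?)\b",
    "brand_impersonation": r"\b(microsoft|windows|apple) (certified|support|security)\b",
}
# Behaviour that traps the victim on the page; searched in the raw HTML/JS/CSS (2 points each).
TRAP_PATTERNS = {
    "unload_trap": r"\b(?:on)?beforeunload\b",
    "alert_loop": r"(setInterval|while\s*\(\s*(true|1)\s*\))[^;]*?alert\s*\(",
    "forced_fullscreen": r"requestFullscreen\s*\(",
    "hidden_cursor": r"cursor\s*:\s*none",
}
# International or toll-free style numbers with at least seven digits.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?(?:\(?\d{2,4}\)?[\s.-]?){2,4}\d{3,4}(?!\d)")
TAG_RE = re.compile(r"<[^>]+>")
FAKE_ALERT_THRESHOLD = 5  # chosen for this example; tune against real telemetry


@dataclass
class Report:
    score: int = 0
    indicators: list = field(default_factory=list)
    phone_numbers: list = field(default_factory=list)

    @property
    def is_fake_alert(self) -> bool:
        return self.score >= FAKE_ALERT_THRESHOLD


def visible_text(html: str) -> str:
    """Crude tag stripping; script and style bodies are kept because scare text often lives there."""
    return re.sub(r"\s+", " ", TAG_RE.sub(" ", html)).strip()


def extract_phone_numbers(html: str) -> list:
    """The phone number outlives any single scam URL, so it is the indicator worth pivoting on."""
    return [m.group(0).strip() for m in PHONE_RE.finditer(visible_text(html))]


def score_page(html: str) -> Report:
    report = Report()
    text = visible_text(html)
    for name, pattern in SCARE_PATTERNS.items():
        if re.search(pattern, text, re.IGNORECASE):
            report.indicators.append(name)
            report.score += 1
    for name, pattern in TRAP_PATTERNS.items():
        if re.search(pattern, html, re.IGNORECASE | re.DOTALL):
            report.indicators.append(name)
            report.score += 2
    report.phone_numbers = extract_phone_numbers(html)
    if report.phone_numbers:
        report.indicators.append("phone_number")
        report.score += 1
        # A number the reader is told to *call* is the payload; ordinary contact details are not.
        first = re.escape(report.phone_numbers[0])
        if re.search(r"\bcall\b[^.]{0,80}" + first, text, re.IGNORECASE):
            report.indicators.append("call_this_number")
            report.score += 1
    return report


if __name__ == "__main__":
    for label, page in (("fake alert", FAKE_ALERT_HTML), ("vendor contact", BENIGN_HTML)):
        r = score_page(page)
        print(f"{label}: score={r.score} fake_alert={r.is_fake_alert} "
              f"phones={r.phone_numbers} indicators={r.indicators}")
```

Run as a script it prints one line per sample. The constructed fake-alert page scores on every indicator, while the vendor contact page scores only for containing a phone number, which is why the phone number is weighted lightly on its own and the "told to call this number" pairing and the page-trapping scripts carry the verdict. The extracted number, rather than the URL, is the value to feed into telemetry: scammers rotate domains far more often than the lines they answer.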
When a victim is frightened into ringing one of these numbers, he or she is connected to a scammer who uses similar techniques to the cold-call scammers of yore to trick the victim into thinking that they have a real problem, and that the scammer can really fix it. Once the scammer has direct contact with the victim, the tricks used against Windows users are much the same deceptive gambits as those used for years:
· To 'prove' that the scammer has information specific to the victim's system (e.g. the CLSID gambit, in which the victim is told that a CLSID shown by the 'assoc' command is a unique identifier for their PC, when in fact it is the same on every Windows installation)
· To 'prove' that there is a real problem, by misrepresenting the output of standard Windows utilities.
Telemetry and statistics
There is a disadvantage to this trend, however, as
far as the scammer is concerned. It’s obviously easier for security companies
to track scam URLs that pop up deceptive messages
than it is to track random phone calls. I don’t track our telemetry regularly
at this point in my career, but Josep has noted that in recent months, we have
seen a considerable increase in the number of Spanish users who have received a
call or seen an alert on their system urging them to call a ‘support’ phone
number. He continues:
If we look at the evolution of this threat we see
that until July 2016 it was hardly ever reported in Spain. However, from that
date, the number of detections has grown continuously, and this type of attack
at times now accounts for almost 50% of threats detected in Spain according to
ESET’s monthly monitoring system Virus Radar.