Tech support scams persist with increasingly crafty techniques
Credit to Author: msft-mmpc| Date: Mon, 03 Apr 2017 12:58:02 +0000
Millions of users continue to encounter technical support scams. Data from Windows Defender SmartScreen (which is used by both Microsoft Edge and Internet Explorer to block malicious sites) and Windows Defender Antivirus show that some three million users are subjected to these threats every month.
In addition to being rampant, technical support scams continue to evolve, employing more and more complex social engineering tactics that can increase panic and create a false sense of legitimacy or urgency in an effort to get more victims.
Given the sheer volume of tech support scams and the pace at which they evolve, here at Microsoft we take a holistic approach to this problem. We monitor the threat landscape for patterns and variations in threat behavior. Using intelligence from sensors, we employ machine learning models to deliver cloud-based protection against the latest tech support scams, whether they take the form of web pages with malicious scripts or Trojans that run on computers.
In 2016, the threat of support scam was most felt in the United States, which saw 58% of encounters. United Kingdom, Canada, and Australia follow, with 13%, 11%, and 8% of encounters, respectively. Notably, significant encounters were also registered in France and Spain, where we saw localized technical support scam attacks.
Figure 1. Top counties that saw the most number of tech support scam encounters in 2016
(Note: This blog post is the third in the 2016 threat landscape review series. It follows the review of exploit kits and ransomware. The series looks at how major areas in the threat landscape transformed over the past year.)
The evolution of technical support scam malware
Technical support scams are built on the deception that your computer is somehow broken, and you need to contact technical support to fix it. You may then be asked to pay for support. In some cases, the tech support agent may ask you to install other software or malware disguised as support tools on your computer, bringing in more threats that can cause even more damage.
You may come across these threats while browsing dubious websites, most notably those that host illegal copies of media and software, crack applications, or malware. Links or ads on these sites may lead you to tech support scam websites, which display pages that are designed to look like error messages and serve pop-up messages indicating fictitious errors. Some tech support scam threats take the form of executable programs like other malware.
Although tech support scams have been around for many years, in 2016 we saw the threat evolve by integrating more scare tactics. At the beginning of the year, the landscape was dominated by threat families with simple techniques and social engineering lures. However, more evolved threat families have since taken over.
Figure 2. Top support scam families based on encounters in 2016
FakeCall and FakeBSOD: The early types that used one pop-up window and simple messages
Tech support scams are known for their use of pop-up windows to advance their pretense. While most of the scams today abuse pop-up windows to the point of locking the browser, the earlier types relied on just pop-up windows and effective social engineering lures.
FakeCall is a family of malicious scripts hosted in tech support scam sites. It may use messages about virus infection or suspicious activities on your computer. The first sign you have been led to a FakeCall tech support scam site is a pop-up message that tries to create an impression that it’s a system pop-up and usually describes a fake problem and contains instruction to contact fake technical support.
Figure 3. A sample pop-up message from FakeCall
If you click OK, the website loads a page giving more details about the supposed problem, and more instructions to call the technical support number. It may spoof security products and list malware that have purportedly been found on your computer. The goal is to convince you to call the support number.
Figure 4. Sample FakeCall support scam website, which asks potential victims to call 855–400–3930
On the other hand, FakeBSOD is a very similar threat but instead pretends to be a system error, like Blue Screen of Death (BSOD), where it got its name.
Figure 5. Sample FakeBSOD site that pretends to look like system errors, such as BSOD, and asks to call 1–844–330–7888
FakeBSOD sites usually force the browser to go on full-screen mode to simulate the BSOD experience. Just like FakeCall, it also has a pop-up message detailing the fake problem and a number to call fake technical support.
Both FakeCall and FakeBSOD heavily rely on social engineering lures to get you to take action, and don’t have much in terms of technical complexity. Simply closing the browser will work in most cases.
TechBrolo: Support scam malware on steroids
TechBrolo takes on characteristics of both FakeCall and FakeBSOD, but integrates technical enhancements that not only makes the pretense more believable but can also adversely affect your overall computing experience.
For instance, TechBrolo employs the dialogue loop technique. When you visit the TechBrolo site, you get a pop-up message that won’t go away, no matter how many times you click OK. This method effectively locks your browser; you must manually terminate the process via Task Manager in order to close your browser.
Figure 6. Sample TechBrolo site with dialogue loop and fake support number 1–866–219–0211
Most variants of TechBrolo also play an audio describing the problem, adding a sense of urgency. For example, one recent variant mimics Windows Defender Antivirus, and when the website loads, it plays an audio with the following message:
“Critical alert from Microsoft. Your computer has alerted us that it is infected with a virus and spyware. This virus is sending your credit card details, Facebook login, and personal emails to hackers remotely. Please call us immediately at the toll-free number listed, so that our support engineers can walk you through the removal process over the phone. If you close this page before calling us, we will be forced to disable your computer to prevent further damage to our network. Error #268D3.” It is important to note that Windows Defender Antivirus does not act this way.
Figure 7. Sample TechBrolo site that spoofs Windows Defender Antivirus, plays an audio message, and uses fake support number 07–5405–9588
Recently, we also spotted a TechBrolo variant that uses website elements to spoof the Microsoft support site and fake the pop-up dialogue box. It does this by loading a page that looks like a browser and then going to full screen. If you are not too paying attention, you might think Microsoft is giving you a warning. Microsoft does not deliver warning messages like this via the browser.
Figure 8. One TechBrolo site uses website elements to achieve a browser in a browser effect and asks target victims to call 1–844–313–7003
Non-English support scam websites
Consistent with our findings that some of the countries most affected by tech support scam are non-English speaking countries (see Figure 1), we have seen some localized tech support scam malware.
These sites employ a combination of the techniques discussed in this blog, only presented in non-English websites, images, or pop-up messages.
Figure 9. French tech support scam website that uses fake support number 01–86–26–42–66
Figure 10. Spanish tech support scam website that uses fake support number 900–839–260
Figure 11. German tech support scam website that uses fake support number 0–800–183–8114
Figure 12. Japanese tech support scam website that uses fake support number 03–4578–9419
Cusax, Hicurdismos, and Monitnev: Support scam Trojans
Apart from scripts hosted on websites, we have also seen tech support scam malware in the form of executable files. They may be installed on your computer by other malware or downloaded from drive-by sites.
These malware have the same goal as their script counterparts: to get you to call the technical support number. However, the difference is that their malicious behaviors are not limited to the browser.
For instance, Cusax is a tech support scam malware that makes system changes, including registry modifications that ensure it runs every time your computer starts. It then forces a reboot, further reinforcing the scam that there is a problem with your computer.
As soon as your computer boots, it opens a window that asks for your Windows activation key as well as the technical support number.
Figure 13. Cusax uses the lure that you need to enter your activation key and asks to call the number 1–877–256–3313
Hicurdismos, on the other hand, displays an image that looks like the BSOD. However, this fake BSOD screen has instructions to call a technical support number, something that the real error doesn’t have.
In order to further its pretense, Hicurdismos hides the mouse cursor, disables Task Manager, and makes sure the fake BSOD image occupies the entire screen and is always on top of other windows.
Figure 14. The fake BSOD screen displayed by Hicurdismos contains the number 1–800–418–4202
More recently, Monitnev was discovered to monitor event logs. It then displays fake error notifications every time an application crashes. This can appear more convincing because the pop-up messages are timed with legitimate computing behavior.
Cusax, Hicurdismos, Monitnev and other tech support scam malware can be more complex than scripts. Because they make system changes, they can inflict more damage and can be trickier to remove. However, we’re seeing significantly fewer of these types of tech support scam threats because they are more difficult to distribute than their script counterparts. Despite that, they pose threats that you need protection from.
Protection against tech support scams
Tech support scams take different forms and are known to take on more characteristics over time. Get the protection against the latest tech support scams by upgrading to Windows 10. The Windows 10 Creators Update brings in additional security features and will start rolling out on April 11, 2017. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigation from Microsoft.
A majority of these threats, like TechBrolo, FakeCall, and FakeBSOD, are scripts hosted on websites where you are led to by malicious ads on dubious sites. To avoid tech support scam websites, use Microsoft Edge. It uses Windows Defender SmartScreen (also used by Internet Explorer) to block known malicious websites.
Figure 15. Microsoft Smart Screen blocks techs support scam websites
In addition, Microsoft Edge provides a way to close dialogue loops, which are used by support scam sites to keep on delivering pop-ups even after you close them. At the bottom of pop-up dialogue messages, you have an option to tick the checkbox Don’t let this page create more messages, which will stop the recurring messages.
Figure 16. Dialogue loop protection for Microsoft Edge
Enable Windows Defender Antivirus to remove tech support scam Trojans, such as Cusax and Hicurdismos. Windows Defender AV uses cloud-based protection, which helps make sure you are protected from the latest threats.
Tech support scams employ varying social engineering techniques to get you to call the support hotline. Do not call the number in pop-up messages. Microsoft’s error and warning messages never include a phone number.
Some scammers can also contact you directly and claim to be from Microsoft. Remember, Microsoft will never proactively react out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you. Reach out directly to one of our technical support experts at the Microsoft Answer Desk.
For more help, read our page on avoiding technical support scams.
Jonathan San Jose, Alden Pornasdoro, Francis Tan Seng
Microsoft Malware Protection Center