How I got tech support scammers infected with Locky


Userlevel 7
Badge +56
Fri, 08/05/2016 - 23:01 — ivan
 
A few days ago, I received a panicked call from my parents who had somehow managed to land on a (now defunct) (snapshot here) claiming they had been infected by Zeus. This horrible HTML aggregate had it all: audio message with autoplay, endless JavaScript alerts, a blue background with cryptic file names throwing us back to Windows' BSoD days, and yet somehow it displayed a random IP address instead of the visitor's one.

First call:

After everyone had a good laugh on Twitter, I decided I would give them a call to know more about what they hoped to accomplish. So I fire up an old Windows XP VM, and get in touch with the "tech support". I am greeted with a pre-recorded message, then Patricia is kind enough to answer my call. I immediately try to get her hopes up by telling her that I'm a businessman working on an important, high-figure contract, and that time is of the essence. Sadly, it turns out that her French is quite poor so going off-script is a no-no. She guides me through the steps needed to download some kind of remote-assistance client: Windows+R, type in iexplore remote.join360.net, jump through a few more hoops and run whatever executable is offered to you. From what I gather, this is actually a legitimate tech-support program, it being digitally signed and all.
The fun starts now. Patricia fires off cmd.exe after failing to recognize OllyDbg and IDA's icons on the desktop. In what I can only assume is a ploy to establish her technical expertise, she runs dir /s and tells me that the dates match my logins on this system and the files are all the documents I accessed. I feign amazement. Meanwhile, I stealthily send a CTRL+C into the terminal so we can go on with our lives. Patricia then types "1452 virus found", then "ip hacked", and asks me about which antivirus software I use. None, I reply: they're too expensive and @taviso keeps breaking them anyway. The reference is lost on her but she chastises me nonetheless. Then something weird happens. She tells me that I'm at the end of my 15 minutes of free support and that she's calling me back so I don't have to pay. A few minutes later, I do indeed receive a call from a phone number in Pennsylvania (+1-267-460-7257). She goes back to berating me about my apparent disregard for basic computer hygiene. In the end, she reaches the following conclusion: my computer has been infected, and now it needs to be cleaned up. I'm encouraged to buy either ANTI SPY or ANTI TROJAN, for the measly sum of $189.90. Before I have the opportunity to get my credit card, she goes back to the terminal, runs netstat and tells me that there's someone connected to my machine at this very moment.
 
Read the Full Article Here
 
Daniel

21 replies

Userlevel 7
Badge +54
Brilliant!!!! They were caught hook, line and sinker.
Userlevel 7
Indeed, a very nice 'catch'...;)
Userlevel 7
Badge +62
Awesome story! "Excellent!" 😉
Userlevel 7
Badge +56
Here's another for the Article Writer to use against the scammers! :D
 
Userlevel 6
LOL  this is pure gold
Userlevel 1
I'm going keep learning so I can do the same!  That is epic!
Userlevel 1
"Patricia fires off cmd.exe after failing to recognize OllyDbg and IDA's icons on the desktop." ?????
What the?
I have far too few precious brain cells left to bother learning a new language, or trying to memorise countless acronyms, no matter how important they may seem to some tech experts. Can anybody translate this article into something a dummy like me can understand?
Userlevel 7
Hi UsTwo
 
Welcome to the Community Forums.
 
Essentially this is about scammers and what constitutes a scam perpetrated by people looking to con the unwary user into either (i) giving them access to their system for nefarious purposes and/or (ii) purchasing fatuous, unnecessary and usually costly 'technical' support services.
 
The key message is that no professional company would send emails, generate pop-ups, or make phone calls of any kind advising one that you may have a problem with your system. Ask yourself this...how would they know that this could possibly be the case?
 
In those circumstances you have two options: the safest option is to ignore them and add popup blockers to your browser, or the cheekier option is to engage with them and waste their time by stringing them along...albeit making sure that they are not given access to the system, i.e., not clicking on any links that might allow them to remote into your computer, or send one to malicious websites, etc.
 
If you would like more information, in perhaps a more understandable format than the original article, then read on.
 
NEWS ARTICLE: Tech Support Scams are on the rise.
 
Microsoft never issues this type of warning or email or anything of a sort!  Please see the following link for Microsoft's official word on this:
 
http://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx
 
"Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.
 
Cybercriminals often use publicly available phone directories so they might know your name and other personal information when they call you. They might even guess what operating system you're using.
 
Once they've gained your trust, they might ask for your user name and password or ask you to go to a website to install software that will let them access your computer to fix it. Once you do this, your computer and your personal information is vulnerable."
 
Also see Avoid scams that use the Microsoft name fraudulently
 
http://www.microsoft.com/security/online-privacy/msname.aspx 
 
For more information, here's what the United States Federal Trade Commission has to say on the subject:
 
http://www.consumer.ftc.gov/articles/0346-tech-support-scams
 
"In a recent twist, scam artists are using the phone to try to break into your computer. They call, claiming to be computer techs associated with well-known companies like Microsoft. They say that they've detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don't need.
 
These scammers take advantage of your reasonable concerns about viruses and other threats. They know that computer users have heard time and again that it's important to install security software. But the purpose behind their elaborate scheme isn't to protect your computer; it's to make money."
 
This scam is common and has been around for quite a while.  Here is a good Webroot Blog article from April 2013 by Threat Researcher Roy Tobin.
 
http://www.webroot.com/blog/2013/04/30/fake-microsoft-security-scam/
 
But the bottom line in all of this is:
 


 
Hope that the above responds adequately to your request for a translation?
 
Regards, Baldrick
 
Userlevel 1
Thanks for that Baldrick. I got the basic message, but some of it seemed like another language. lol
I was warned ages ago, when I started self teaching back in 1994, not to engage with spammers, but I guess if you know what you're doing it teaches them a good lesson.
Cheers, UsTwo.
Userlevel 7
Hi UsTwo
 
No worries...glad to be able to help. Let us know as and when you have any further questions, etc.
 
Regards, Baldrick
Userlevel 7
Badge +7
Amazing to me :robotsurprised:! I took the time to read the entire article. Although they are criminals (in the article), I never cease to be amazed at their audacity and capabilities. I read every text after getting hooked into the article. I never miss reading the Anon interviews at SecurityAffairs.com :D How could anyone ever be bored and own a computer...Thanks for the post there ?. A long and interesting read for those of you who haven't taken the time!
Userlevel 7
Badge +7
I do not view Anonymous as criminals, I pointed that label at the guys in the mentioned article. I hope that was obvious. :$
@BlazeTen wrote:
A long and interesting read for those of you who haven't taken the time!
Agreed, @. Makes me want to fire up the old XP machine I have in the basement and try this myself. Although I just don't think I'd feel comfortable messing around with Locky samples. :S
 
But a great read nonetheless. Thanks for posting, Daniel. :)
 
bd
Userlevel 7
Badge +7
Makes me want to take some computer classes so I can join Anonymous>>>LOL .
@ wrote:
Makes me want to take some computer classes so I can join Anonymous>>>LOL .
Don't forget the mask.

LOL
Userlevel 7
Badge +56
@ wrote:
@ wrote:
Makes me want to take some computer classes so I can join Anonymous>>>LOL .
Don't forget the mask.

LOL
fsociety
 
https://www.google.ca/#q=fsociety&gws_rd=cr
Mr. Robot is on my binge-watching list of shows that I plan to watch this upcoming hibernation season (winter). Nic has referenced it a couple of times as well. Looks interesting. 🙂
Userlevel 7
Badge +56
Mr Robot is a great show. I need to catch up on Season 2, which is underway, but my wife refuses to watch anything besides Supernatural at the moment 🙂
Userlevel 7
Badge +54
@ wrote:
Mr Robot is a great show. I need to catch up on Season 2, which is underway, but my wife refuses to watch anything besides Supernatural at the moment :)
I feel for you, Nic. I had a similar thing with the series "Roswell" a while ago; it is all my wife wanted to watch.
Userlevel 1
This was just GOLDEN! Now, I want to learn more about computers. I'm just the person that my family calls and asks how to Google stuff, or whether they REALLY need security software. I'm just glad none of them have fallen for one of these scams. And yes, I read the whole article. Couldn't stop giggling.
Hi Mom2Demonz,
 
I hope that when they ask you if they really need security software that you say "yes". :)
 
I worry about friends and family falling for this scam too so I make sure to tell them all about it. This scam can also be perpetrated through pop-ups on a computer that claim to be from Microsoft or a bogus tech support company, and indicate that you have a problem. You can lessen the chances of those types of popups by installing a good AdBlocker.
 
These are some that we here in the Community use:
 
For Internet Explorer, Adblock Plus: https://adblockplus.org/
 
For Firefox, uBlock Origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/?src=ss or Privacy Badger: https://addons.mozilla.org/en-us/firefox/addon/privacy-badger-firefox/

 
For Google Chrome, uBlock Origin: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en
 
or Privacy Badger: https://chrome.google.com/webstore/detail/privacy-badger/pkehgijcmpdhfbdbbnkijodmdjhbjlgp
 
Glad you enjoyed this story as much as I did. ;)
 
Cheers,
 
BD
 
PS. I love your screen name. Aren't kids fun???
