
Tech Support Scams: a Beginner’s Guide

2015-11-26 21:10

Posted by on November 26, 2015.


I’ve spent a lot of time over the last few years writing and talking about tech support scams. That is, scams implemented by persuading victims that they need help to deal with a problem on their computer. Perhaps it’s time to rethink what potential victims need to know in order to make them less vulnerable to scammers. I don’t know how many relatively technically-inexperienced people read this blog, but perhaps the more tech-savvy readers will find it useful to think about how they can raise awareness.

Basic scam gambits

Often, the scammer claims that the victim’s PC has been hacked, or is infected or affected by viruses or other forms of malware.

The classic cold-calling scam works something like this: you get a telephone call from someone telling you that he is from or working with Microsoft, and that your Windows PC has been reported as being compromised in some way. There are a number of standard tricks (most of which are described in a paper Martijn Grooten, Craig Johnston, Steve Burn and I wrote for Virus Bulletin) that this kind of caller uses to persuade you that he really knows something about your PC.

The CLSID scam gambit

A longstanding favourite is the CLSID gambit, when he tells you that this string of characters is unique to your system: ZFSendToTarget=CLSID{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

CLSID scamshot

In fact the ASSOC command will show this very same string on just about any Windows machine.

The Event Viewer gambit

Another gambit is to ‘prove’ that your PC is ‘infected’ by misrepresenting the results of running standard utilities such as Event Viewer. He’ll tell you that those alarming yellow triangles with the word ‘Warning’ next to them are to tell you that your system has been hacked, or infected with malware. In fact, 99 times out of 100 they signify a transient glitch – a minor issue that may only affect your system for microseconds.

Utilities like EventViewer do have their uses, of course, for a tech looking for real problems. The trouble is, it’s easy for a scammer to misrepresent their output when talking to someone who isn’t knowledgeable about Windows internals.

Event Viewer scamshot

The Netstat scam gambit

Another tool that the scammers sometimes misuse is Netstat, which gives information about your network/internet connections. The scammers use the output to con you into believing that the ‘foreign addresses’ it shows represent hacking attacks. Actually, a foreign address is simply any internet system to which you might connect in the course of a normal computing session. If there weren’t any ‘foreign addresses’ you almost certainly wouldn’t be connected to the internet at all.

netstat scamshot
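As an added illustration (not part of the original post), the following PowerShell session runs the three ‘proofs’ described above on a healthy Windows machine and annotates what each one actually shows; it assumes Windows 8 or later, where Get-NetTCPConnection is available.

```powershell
# Added example (not from the original post): run the three "proofs" a scammer
# points at, on a healthy Windows machine, to see why each one is meaningless.

# 1. The CLSID gambit: ASSOC lists file-type associations. The string the
#    scammer reads out is the ZFSendToTarget association, present on
#    practically every Windows install, so it identifies nothing.
$assoc = cmd /c "assoc .zfsendtotarget"
Write-Host "ASSOC output : $assoc"
if ($assoc -match '888DCA60-FC0A-11CF-8F0F-00C04FD7D062') {
    Write-Host "  -> same CLSID as on every other Windows PC; not a fingerprint"
}

# 2. The Event Viewer gambit: Level 3 = Warning. Count warnings from the last
#    24 hours in the System log; a routine machine has plenty, and none of
#    them is evidence of compromise.
$since    = (Get-Date).AddDays(-1)
$warnings = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 3; StartTime = $since } `
                         -ErrorAction SilentlyContinue
Write-Host ("Warnings in System log, last 24h: {0}" -f @($warnings).Count)
# Which components raised them (typically drivers, DNS client, time service, ...)
$warnings | Group-Object ProviderName | Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name | Format-Table -AutoSize

# 3. The Netstat gambit: every established TCP connection has a remote
#    ("foreign") endpoint. Pair each with the process that owns it, so the
#    addresses are seen for what they are: the other end of your own browser,
#    updater or mail client, not an intruder.
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
```

An empty table in step 3 simply means nothing is connected at the moment, which is the point the article makes: no ‘foreign addresses’ usually means no internet activity, not a clean bill of health.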

The New Wave

All those ploys and gambits are still there, still being used by scammers. However, they’re less likely to be presented by scammers in out-of-the-blue cold calls: rather, they’ll be used when the scammer has lured the victim into calling the scammer, rather than vice versa.

Nowadays, there’s an accelerating trend among support scammers towards luring victims using pop-up ‘security alerts’ and fake system crashes. These invariably incorporate a phone number which is supposed to be to an ‘appropriate’ help line, thus trying to trick victims into making the initial telephone contact. For the scammer, this approach has an additional advantage: the scams can easily be changed to target users of OS X and iOS, Android and even Linux. Furthermore, as long as people aren’t aware of this variation on the scam theme, it can be implemented without the complicated social engineering sometimes involved in misrepresenting system utilities, messing about with batch files, and so on.

For example, a longer article for my Mac Virus blog compares a fake system crash targeting iOS users, a typical Windows fake Blue Screen of Death (BSOD) screenshot, and a fake OS X ‘systems crash’. All of them are alarming to see, and none of them presents a real threat: they’re designed only to trick the victim into ringing a fake helpline.

What do I do now?

However, blog comments come up time and time again from people who’ve been sucked at least part way into the scam, asking ‘What should I do now?’

I’m not comfortable making some sort of blanket recommendation: it’s a question best answered on a case-by-case basis, though I’m afraid I can’t generally offer one-to-one support. Still, it’s perhaps a question most easily answered when the victim has actually given away pretty much everything the scammer has asked for.

  • If you gave them access to your device and haven’t restarted it, do that. They generally warn you against restarting, but that’s because it then becomes obvious that you aren’t looking at a real, permanent problem.
  • Run a reputable security program to check for anything untoward they may have installed.
  • Change any passwords you’ve given them. If you gave them remote access, change any passwords to which they might have had access without your knowing.
  • Contact your credit card provider for their advice on stopping payment, getting money back, and if necessary, replacing cards.
  • Contact law enforcement: even if the police can’t help as regards restitution and prosecution of the scammer, they can advise you on the possibility of identity theft. You can also file a report with the FTC in the US, or Action Fraud in the UK.

Let me help you trash your system

There have been cases where the scammer’s ‘solution’ to the non-existent problems on the victim’s system has actually caused significant damage. Sometimes, though, the scammer sets out to cause deliberate damage, most often to a Windows system. This usually occurs when the victim has allowed the scammer access to the system and then decided not to pay for the ‘service’. The scammer may then delete files and/or lock the victim out of his own system, more often than not by using Microsoft’s own Syskey utility. There are a number of sites that offer advice about self-help in such a case, but my fear is that in some cases even well-meant advice may actually make the situation worse. In any case, computer users who fall for this scam are not usually particularly tech-savvy, and it seems wrong somehow to expect them to undertake a potentially technically complex salvage operation on their own. Better to get professional help as soon as possible.


In spite of the widespread and longstanding nature of the problem, information on this kind of scam tends to be piecemeal. Even the security industry doesn’t in general spend much time on it. You might think that at least the anti-malware industry would be driven to give regular exposure to the issue: after all, the scammers are making money out of stealing our clothes.

Where to get information

One of the few blogs that does regularly explore the issue, often in some technical depth, is Malwarebytes, which also has a resource page that summarizes the problem and includes some advice to victims. My own resources page at AVIEN offers links to other resources: not only my own articles and papers, but also useful commentary from any source that I happen to come across, including the occasional article from other anti-malware vendors.

Detecting deception

The best way to counter the problem, though, is to forestall it by being aware that:

  • You can’t trust unsolicited phone calls: anyone can ring you up and say they’re calling from or on behalf of Microsoft. (Or anyone else.) Ring back to a known genuine number, if you think it might be a genuine call.
  • The circumstances under which some random caller can really know anything about your computer(s) are very rare. In general, if someone rings and says your PC is infected, it’s a scam. If he or she asks you for money to fix it, it’s always a scam. Or, at best, aggressive marketing, which is sometimes barely distinguishable from fraud.
  • The current spate of pop-ups showing security alerts or even something that seems to be a system crash involves two main strands of social engineering:
    • Persuading you to ring a specific phone number (which real system crashes and alerts hardly ever do)
    • Persuading you to do so immediately so that you don’t notice that what appears to be a Blue Screen of Death is actually just a pop-up.

Have I been hacked?

The most common requests for help I get are from people saying something like ‘I ran ASSOC: could that have allowed him to hack my system?’ (Or EventViewer or Netstat, or one of the other common Windows utilities the scammers misuse and misrepresent.)

And while I won’t claim to give authoritative advice regarding a system I’ve never seen, the answer is generally no. The scammer can’t do anything to your system if you don’t give him remote access to that system. Of course, it’s sometimes convenient for a real support tech to be able to access your PC when you have a real system problem. (Depending on the nature of the problem, of course: sometimes a lack of network connection is the problem, so remote access isn’t an option.)

How do you know?

So how do you know if you’re talking to a real support tech? Well, if it’s some random phone caller telling you about a problem you didn’t know you had, it’s a fairly safe bet that it’s a scammer. If you have some sort of support contract that might just possibly involve someone calling you out of the blue, make sure you have a way to verify their bona fides. If you see some sort of pop-up message or even a Blue Screen of Death including a ‘helpdesk’ telephone number, expect the worst. If it turns out you really do have a problem, find a more reliable local source for a helpdesk number.

Good links, bad links

Bear in mind, though, that a search engine is likely to find links to scam pages as well as to companies offering genuine support services, including sites that have deceptive names suggesting links with Microsoft or Windows or Apple or Android. By sites, I mean not only company sites, but secondary sites such as Facebook pages and blog pages, where a great deal of unpleasant content of all sorts can be found lurking.

Given what I do for a living, I suppose you’d expect me to recommend security software, but there is plenty of software passed off as a security product that ranges from useless to downright malicious. And it wouldn’t be appropriate for me to make specific recommendations, since much of my income derives from a security vendor.

What I can do is recommend that you try one of the mainstream security product testing organizations. I don’t always agree with their testing methodologies and claims, but they’re not usually fooled into recommending fake products. A good starting point would be the testers who are represented in AMTSO including (apologies if I’ve missed any):

  • AV-Comparatives
  • AV-Test
  • Dennis Technology Labs
  • ICSAlabs
  • NSS Labs
  • Veszprog
  • Virus Bulletin
  • Westcoast Labs

Links are given on that AMTSO page. I’m not going to say that I’d always agree with their recommendations, but they do look at genuine products, and they do tend to conform to ethical guidelines.

David Harley
