Support scammers up their game

Posted by   Virus Bulletin on   Nov 9, 2011

Websites and Facebook accounts created to make callers appear more legitimate.

'Support call scammers' have started to use professional-looking websites and social media accounts to make themselves appear more legitimate.

In these scams - which have been prevalent in many English-speaking countries for some time - victims are telephoned and told that their computer has been engaged in malicious behaviour such as the sending of spam. To make the claim more credible, users are usually socially engineered into opening the Event Viewer in Windows and are made to believe that the harmless alerts they see are a serious problem. To solve this 'problem', the user is told that the caller requires remote access to the PC - which, of course, allows the caller to install malware. Sometimes users are also charged for having their PC 'fixed'.

The callers often claim to call on behalf of Microsoft or the victim's ISP, but now they have started to use phony company names as well. In one case witnessed by researchers from ESET and Virus Bulletin, the call came from a company named 'eFIX', which has a legitimate-looking website, as well as a Facebook account.

The website's domain name was registered in September 2011 from India, although 'eFIX' uses a boilerplate address in Glasgow and claims to have employees in five different countries and to offer 24/7 support. The website also displays testimonials from happy 'customers'; interestingly, one such customer can be seen on another website used by scammers as an employee of that company.

The 'eFIX' Facebook page displays more genuine-looking reviews from customers thanking 'eFIX' for fixing their PC. Comments from people saying it was a scam and demanding their money back are being removed.

Customers whose PCs are infected with malware are a serious problem for ISPs, most of which are looking into ways of notifying infected customers. Support call scams are therefore not only a problem for the victims of such scams, but also potentially jeopardize the trustworthiness of such ISP notifications.

More at ESET's blog here, or in an article published in VB in January 2011 here (free registration required).

Posted on 09 November 2011 by Virus Bulletin

 Tags

phone scam support
twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

VB2021 localhost is over, but the content is still available to view!

VB2021 localhost - VB's second virtual conference - took place last week, but you can still watch all the presentations.

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.