Support scammers up their game

Posted by Virus Bulletin on Nov 9, 2011

Websites and Facebook accounts created to make callers appear more legitimate.

'Support call scammers' have started to use professional-looking websites and social media accounts to make themselves appear more legitimate.

In these scams - which have been prevalent in many English-speaking countries for some time - victims are telephoned and told that their computer has been engaged in malicious behaviour such as the sending of spam. To make the claim more credible, users are usually socially engineered into opening the Event Viewer in Windows and are made to believe that the harmless alerts they see are a serious problem. To solve this 'problem', the user is told that the caller requires remote access to the PC - which, of course, allows the caller to install malware. Sometimes users are also charged for having their PC 'fixed'.

The callers often claim to call on behalf of Microsoft or the victim's ISP, but now they have started to use phony company names as well. In one case witnessed by researchers from ESET and Virus Bulletin, the call came from a company named 'eFIX', which has a legitimate-looking website, as well as a Facebook account.

The website's domain name was registered in September 2011 from India, although 'eFIX' uses a boilerplate address in Glasgow and claims to have employees in five different countries and to offer 24/7 support. The website also displays testimonials from happy 'customers'; interestingly, one such customer also appears on another website used by scammers, where the same person is presented as an employee of that company.

The 'eFIX' Facebook page displays more genuine-looking reviews from customers thanking 'eFIX' for fixing their PC. Comments from people saying it was a scam and demanding their money back are being removed.

Customers whose PCs are infected with malware are a serious problem for ISPs, most of which are looking into ways of notifying infected customers. Support call scams are therefore not only a problem for the victims of such scams, but also potentially jeopardize the trustworthiness of such ISP notifications.

More at ESET's blog here, or in an article published in VB in January 2011 here (free registration required).


