Phone support scammers attempt repeat business

Posted by   Virus Bulletin on   Jan 29, 2013

Previous victims contacted again and tricked into 'renewing' service.

Phone support scammers have found a new way to make easy money: by calling back people whom they have previously tricked into paying for their services, and tricking the same innocent users into paying for a 'renewal' of the service.

As someone who regularly works from home, I have had my fair share of calls from 'support scammers'. Most readers will be familiar with their tactics: they phone people and tell them they know that their computer has an issue, then use some social engineering to convince their victims that the problem is real, collect payment for their services, then 'fix' the 'problems'.

Like many security researchers who find themselves speaking to such scammers, I tend to play the clueless victim to find out how the scam works. One year ago this week, I managed to make it appear as if I had paid and thus got an interesting insight into what is done to 'fix' the PC. As it turns out, the scammers run a number of free security tools, some of which will actually improve the state of the machine.

Yesterday, I received yet another such call which, to my surprise, referred to the conversation I had a year ago. Then I had paid for one year's protection and this was up for renewal. Unlike previous experiences, when the spammers took their time to convince me I had a problem with my PC, this time they got straight to the point: I had to give the caller remote access (via AMMYY) to my PC, upon which they downloaded Advanced WindowsCare, a legitimate, if somewhat dubious product that has been used by scammers before. It reported that my PC had thousands of errors and thus it was important for me to pay to be protected for another year.

I did not question the fact that my PC was badly infected, even though I was supposed have paid for protection a year ago. Nor did I ask why the name of the company they called from had changed from PC Optimizers to PC Wizards. But then, they didn't ask me why the machine they were fixing wasn't hiding the fact that it was running inside VirtualBox either.

Once again, I bypassed the payment of GBP119 (up from GBP89 last year). Interestingly, 'security' had been added to the payment page by the inclusion of a CAPTCHA. And once again, after the call had ended, the scammers spent some time 'fixing' my PC using a number of free products, such as a disk defragmentation tool. To finish off, they installed the free anti-virus product Microsoft Security Essentials and used it to run a thorough scan of the machine. It reported one potential threat: the AMMYY remote access tool the scammers had installed themselves.

While it is easy to laugh at the scammers' lack of professionalism, they have taken advantage of many victims in the past: people who have become worried after hearing the many stories about malware infections, or people for whom the call just 'made sense'. I have spoken to someone who received a call, supposedly from Microsoft, shortly after having contacted the company himself about a problem with his PC; hence he never questioned the veracity of the callers' claims.

I have also seen people who seemed genuinely happy with the service provided (in one case someone even wrote a poem on the scammers' Facebook page), and it's good to keep in mind that tools like disk defragmentation do tend to improve performance. It is thus not surprising that many previous victims will fall for the same scam again - which means there is still a lot of work for us to do: to catch the scammers and educate the users.

Posted on 29 January 2013 by Martijn Grooten



Latest posts:

VB2019 paper: Domestic Kitten: an Iranian surveillance program

At VB2019 in London, Check Point researchers Aseel Kayal and Lotem Finkelstein presented a paper detailing an Iranian operation they named 'Domestic Kitten' that used Android apps for targeted surveillance. Today we publish their paper and the video…

VB2019 video: Discretion in APT: recent APT attack on crypto exchange employees

At VB2019 in London, LINE's HeungSoo Kang explained how cryptocurrency exchanges had been attacked using Firefox zero-days. Today, we publish the video of his presentation.

VB2019 paper: DNS on fire

In a paper presented at VB2019, Cisco Talos researchers Warren Mercer and Paul Rascagneres looked at two recent attacks against DNS infrastructure: DNSpionage and Sea Turtle. Today we publish their paper and the recording of their presentation.

German Dridex spam campaign is unfashionably large

VB has analysed a malicious spam campaign targeting German-speaking users with obfuscated Excel malware that would likely download Dridex but that mostly stood out through its size.

Paper: Dexofuzzy: Android malware similarity clustering method using opcode sequence

We publish a paper by researchers from ESTsecurity in South Korea, who describe a fuzzy hashing algorithm for clustering Android malware datasets.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.