Tech support scams gain sophistication, now using malware

Malwarebytes' Jerome Segura said the method is new, but growing.
Malwarebytes' Jerome Segura said the method is new, but growing.

Tech support scammers are upping their game, actively using malware to cause computer technical issues— effectively holding devices for ransom and forcing consumers to call a fake support number, which opens them up to identity theft and future credit problems.

Malwarebytes Senior Security Researcher Jerome Segura said tech support scammers are moving away from the annoying and costly browser locks and fake antivirus alerts that had been their go-to weapons, and are instead utilizing malware to create actual problems with a computer, giving the victim little choice but to call the supplied “tech support” help phone number.

An attack starts with the victim picking up the malware through a fake Flash or software update. Shortly thereafter, one of several official-looking screens pops up on the display informing the person something is wrong with the computer. The so-called problem usually has something to do with Windows; for instance, the product key is out of date or the license needs to be renewed. In each case the crook thoughtfully supplies a 1-800 tech support number.

“It's fairly new, but just in the past week I've seen many cases on forums and via our own support channels. I think this is going to be a major change and is likely to get very common,” Segura told SCMagazine.com in an email.

The difference between these new tricks and the older browser lock methodology is that the older tactic tried to scare people into thinking they did something illegal, forcing them to pay several hundred dollars as a fine, typically via vouchers, Segura said, while this version is more subtle.

Once the warning screen appears, the computer is effectively locked up, but the image that shows on the screen looks quite legitimate, Segura said, making it very difficult for the average person to differentiate between a tech support scam and activity that is normally associated with their computer's software, such as a Windows update.


 

 

A few windows supplied to Malwarebytes by @TheWack0lian.

Malwarebytes cited a few keyboard maneuvers from a security researcher known as @TheWack0lian that can free the computer, such as holding Ctrl+Shift and pressing the S key, to unlock the screen. But otherwise the computer has to be rebooted using special tools supplied by an Internet security company, Segura said.

“To be clear, this is not a fake browser pop-up that can easily be terminated by killing the application or restarting the PC. No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will not get rid of it,” Segura wrote in his blog.

Those who don't catch on and end up calling the number supplied by the crooks will find themselves out about $250 to “fix” the problem, and it also opens the victim up to identity theft by giving away their payment card credentials.

A person's best defense is to stay away from any free optimizer or software pop-up ads along with adware supported programs.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS