Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland, contributed an article to ESET's July ThreatSense report about support scams. Since this is an issue that is still being under-reported, we thought it was worth reproducing, with the urbane Mr. Schrott's permission, on the blog.
While we're on that topic, there's a video worth watching here, where our friends at Symantec carried out a conversation with one of the companies claiming to offer support. (Thanks Eric Chien for drawing my attention to it.)
Thanks also to my friend and colleague Aryeh Goretsky for pointing out that Innovative Marketing Ukraine (IMU), a notorious purveyor of scareware (fake AV, not just cracked or pirated security software) seems to have had hundreds of employees:
- http://www.reuters.com/article/idUSTRE62N29T20100324
- http://www.ftc.gov/os/caselist/0723137/index.shtm
Thanks also to McAfee's Toralv Dirro for his further insights into IMU's operation. (That's a topic I may come back to in another context.) And to Alan Thake and his colleagues at ESET UK, who have contributed vastly to my own knowledge of this scam. And not least, and not for the first time, to Steve Burn.
OK. That's me done. Take it away, Urban.
Several months ago, reports started coming in from our ESET Ireland tech support staff and from online forums that people were receiving unusual phone calls. These are calls from people claiming to represent online computer repair services, with various generic names such as PC Support, PC Doctor, Online PC Repairs, etc., and offering to “fix” someone’s computer.
This sort of scam has been going on quietly since 2008, but has hit big this year. Worst affected, of course, are English-speaking countries (and some sites and public warnings from crime-fighting institutions have already been set up in the UK, USA and Australia), but cases have also been reported in countries with other languages.
Usually the caller says they have MCSEs (Microsoft Certified Systems Engineers) and Cisco Certified engineers available and offers to fix and optimise the computer remotely and clean it of any malware. The hesitant “customer” is told his system is probably riddled with worms and viruses, and is given simple instructions on how to open the Event Viewer and look for errors and warnings.
The Event Viewer is a reporting tool, so it routinely flags frequent but usually non-critical errors and warnings anyhow. This looks convincing enough for most computer-wary victims to lend the caller an ear, believing that something may actually be seriously wrong with their computer, and being all too ready to believe that their antivirus has let them down.
The victim is then usually instructed to access a certain website with Internet Explorer (which is more likely to be targeted for exploits) and download components needed to remotely “fix their computer” (and we all know what that can entail). But to add insult to injury, the victim is asked for credit card details to pay for the procedure and then offered an extended "Warranty Service" at serious prices, such as 1 year for €99, 2 years for €189, or 3 years for €289 in some of the reported cases.
A number of similar stories come from the UK. In one case, the caller claimed to belong to a Microsoft-affiliated organization called "Support One Care" and had contacted a prospective victim to tell her that her PC was infected, her AV was out-of-date, and that for a one-off fee of £79 they would install a better product and give her a year's support. But in this case, unlike the above “no-name” magical solution, they claimed that the product they would be installing would be ESET's. And while "Support One Care" is a real India-based company, upon contact, they claimed to have nothing to do with the phone calls.
Investigation by ESET researchers in the US, Ireland and the UK, in consultation with independent researcher Steve Burn, law enforcement and other agencies, has thrown up a number of similar cases, nearly all of them traced back to companies based in Kolkata, India. And sure enough, cracked/pirated versions of ESET software have been installed by the scammers, though of course, being illegitimate copies, they have failed to work. This has led to a number of requests for support being placed with real ESET support desks. We can’t tell how many similar scams have used or claimed to use products from other legitimate companies, but as we are aware of many sites offering cracks for other companies, it may be that reports to ESET are just the tip of a mighty iceberg.
So, what we’re seeing in these and many other similar cases is a further personalisation and development of computer-related criminal activity. Evidently it is proving financially sound for cyber-criminals to set up call centres with their own personnel, then cold call and bait their way through long lists of phone numbers all over the world, making some easy income in the process.