The problem with preventing such scams is that social engineering is very lo-tech in nature, requiring little in the way of technical resources and investment. Scammers are relying on the victims naivety, to grant them access to their computer and credit card details, so there’s very little a security company can do to prevent them, apart from keeping its own software up to date so as to block scammer websites and detect the malware they may try to install and use once granted access.
However, David Harley comments that:
Since victims of the scam are either not using up-to-date, legitimate security software or are voluntarily replacing it with compromised versions of other products, this may have little impact on the problem.
Most often it is difficult enough even learning of the various scam calls taking place, as there is no single, centrally-organised reporting system for such occurrences known to victims that may smell something fishy in due course: some call the police, some call AV vendors’ tech support and some just hang up and forget about it. Furthermore, Harley comments that:
While we’re doing our best to warn potential victims of the risk, this fraud is already all too similar to the fake antivirus reports we’ve grown accustomed to over recent years. It would be all too easy to extend the scam to use completely fake software, and not just antivirus software. Threats like this don’t only harm users, but are an assault on the credibility of real security software, system maintenance tools and so on.
A tactic we’re trying out at ESET Ireland is to give the topic public exposure with regular monthly newspaper and magazine columns where we explain and warn computer users of the current cyber-crime activity and ask them to report unusual computer issues to us for further examination. Not only does this provide the public with a regular insight into latest threats and dangers, but it also provides us with valuable feedback from readers, which we can then use in planning improvements in our security solutions. In the case of support scams our message to readers was simple. Unless you know the company you're regularly dealing with, such calls are bogus. Not only are you handing over control of your computer to total strangers who can copy any of your files from it, access your browsing history, or get your stored passwords or banking and credit card details, but you're also handing your credit card numbers to them directly for any kind of possible abuse, and that may go far beyond a single fraudulent payment.
A white paper on support scams by David Harley, Urban Schrott and Jan Zeleznak is currently in preparation and will be available in due course from http://www.eset.com/documentation/white-papers.
Some more resources (including some more links):
- Fake AV Support Scams: https://www.welivesecurity.com/2010/07/20/fake-av-support-scams
- Fake AV, Fake Support: http://securityweek.com/fake-av-fake-support
- Marketing Misusing ESET's Name: https://www.welivesecurity.com/2010/06/23/marketing-misusing-esets-name
Urban Schrott
IT Security & Cybercrime Analyst
ESET Ireland
<< Part 1