
The scammers' modus operandi is practically always the same: they call users by phone, present themselves as employees of the Microsoft support center, and try to trick them into believing that their computer has been infected.
"They will then offer (for free) to verify if this is the case. If the victim agrees on this, they will ask the victim to perform certain actions, and also type certain commands, which will trick a non-experienced user that the output is actually showing that the computer is infected," explains Kaspersky Lab expert David Jacoby, who has recently been receiving many of these calls.
According to him, German, Swedish and British users have lately been targeted, and likely others, too.
In order to try and discover who is behind these scams and where they are located, he let one of the scammers walk him through the process of "discovery" of the malware on his virtual machine and through the steps that would lead to him buying antivirus software.
The scammers misuse a number of legitimate tools (Windows Task Manager, Event Manager, etc.) found on every Windows computer in order to create the illusion that the computer is, indeed, infected.
Then, by using a Remote Administration Software called AMMYY, the scammers dig up an old, expired certificate from the Certification Manager and use it to "prove" that the user's computer hasn't been updated for a long time.
Having convinced the user, the scammers urge him to install software that would protect the computer from "viruses, malware, Trojans, hackers and other things," and allow the operator to "fix" his computer - all for $250.
"The operator then installed a program called ‘G2AX_customer_downloader_win32_x86.exe’ from the website www.fastsupport.com," Jacoby narrates his experience. "When this was done a chat popup came up. It was a person with the name 'David Stone' who informed me that my computer was no longer at risk."
Now, the user is asked to pay up. The scammers open up a PayPal form and wait for the user to pay either via his PayPal account or credit card.
Jacoby, of course, used fake VISA and MasterCard information. Then he urged the scammers to visit the website of a friend who had supposedly made his credit card information public. But the site - sporting a static text saying “Hi, please connect from a different IP since your behind a proxy” - actually belongs to him, and once the scammers visited it, he was able to see which IP address they came from.
He also managed to get some of their phone numbers, and to write down the different PayPal accounts they used to collect the money - all information he shared with PayPal and law enforcement agencies.
"I know that people have been warned about these scams, but my conclusion is that they are still calling people because they are still making money out of these scams," he says. "This is one of the main reasons for this article and others like it - we need to keep informing people about it until the cybercriminals are forced to stop."








