[Update 30th October 2013: with regard to the ping gambit discussed below, please note that protection.com now responds to ICMP echo requests. In other words, if you now run the command "ping protection.com" you should see a screen something like this:
Note that this is perfectly normal behaviour for a site that responds to ping requests. It's probable that protection.com is now doing so because its owners, understandably, have no wish to have their site associated with support scammer misuse, having been notified by Malwarebytes that the abuse was taking place. However, the ping interface is rather minimal, and might still be confusing enough for a computer user with little knowledge of networking to encourage a scammer to try to persuade the victim that these messages somehow prove that his system is infected. It doesn't, of course: as explained below, pinging protection.com tells you nothing whatever about the protection status of your computer.
If you have no idea what I'm talking about, read on, or skip to the 'Mac Attack' section of the article. (Hat tip to Les Bell of Macquarie University, Sydney, for drawing this development to my attention.)]
If you regularly read this blog (come to think of it, even if you don’t…), you will probably be familiar with the
tech support scams I’ve
written
about here so often. If not, I’m referring to the unsolicited phone
calls telling you that your computer has a problem of some sort (perhaps
a mysterious virus, corrupted files or disk partitions, or attacks by a
remote hacker) that the caller will be pleased to fix for you, for a
“small” fee.
This is, however, an area of cybercrime I haven’t looked at lately on
this blog: partly because I’ve been getting far fewer of them myself.
(Maybe they’ve got tired of my asking them awkward questions and calling
them names when the entertainment value has worn thin.) That doesn’t
mean they’ve gone away, of course, and it’s about time I brought you up
to date with some of the recent tricks I’ve seen and heard reported.
Some relate to the type of ‘problem’ the scammer claims has affected
your system, some relate to the ongoing development of new ways of
misusing system utilities and legitimate software in order to ‘prove’
that (a) the scammer is really able to identify your system (b) there
really is something wrong on that system. And finally, there’s some
information on a trick that has been reported as targeting Mac users,
but could also be used against PC users.
Our previous blogs on the topic still attract lots of comments, and
very interesting and useful they are too. Some of them tell us a lot
about the type of social engineering that the scammers are using to
‘soften up’ the intended victim. One commenter was told:
…there have been complaints from my IP address about scam emails sent to the government, that there have been mentions of bombs and terrorism in my messages, and he asked me if I was one of them. Then he said that lots of porn has been downloaded from my PC, whether I was downloading it or not!
The same comment also describes how the scammer asked:
…if I thought it was a joke that he had my phone number … and he had my address … and of course that the call was being recorded.
I love it when a scammer gets irritated and self-righteous because he
doesn’t think you’re taking him seriously enough. However, it’s
probably
not a good idea to annoy him if and while he has remote access to your computer.
There are several gambits here worth noting.
Dial Tone
One is the use of the threat of government or law enforcement
interest and action, based on the supposition that the victim has
engaged in fraudulent or terrorist activity, or even sharing
pornographic material. This kind of threat is commonly associated with
malware and especially
ransomware,
and seems increasingly associated with support scamming. At any rate,
I’ve heard several reports recently of incidents where the scammer has
persuaded the victim to allow him access to his machine and taken
advantage of the access to install ransomware – or some other type of
malware – and then required payment for its removal.
Another is the assertion that ‘knowing’ the victim’s telephone number
and address somehow proves the scammer’s claims. In fact, we know that
cold-call scammers use a variety of techniques for finding their
victims. Sometimes they use automated or semi-automated predictive call
dialers (diallers for those of us in the UK…): that is, hardware or
dialing software that simply works through a sequence of numbers. This
approach is often used by cold-callers to play a recorded message when
the call is answered.
(Readers in the UK will probably be all too familiar with automated
messages urging them to claim back money they’re owed by Payment
Protection Insurance companies – these aren’t all unequivocal scams, but
should certainly be taken with a pinch or three of salt, and I may come
back to that particular issue in another blog.)
However, in support scams (as well as in other scams and even in more
legitimate telemarketing operations), the dialer normally connects the
call recipient to a live agent when the call is answered. Legitimate
telemarketers should (but often don’t) avoid numbers that are on a local
do-not-call registry like the US
National Do Not Call database, Canada’s
National Do Not Call List or the UK’s Telephone Preference Service. Scammers, however, usually have no such qualms.
The disadvantage of the automated dialing method is that the scammers don’t
necessarily have personalized information relating to a specific number.
However, support scammers are as capable as anyone else of looking up
names and addresses in on-line directories and less legitimate sources.
(Unfortunately, having an unlisted telephone number isn’t a guarantee
that someone won’t sell it on.)
None of this proves in the least that:
- The scammer is who he says he is, or represents Microsoft or any
other company he claims to be working for or with, or the police, or the
FBI, the NSA or even the BBC. ;-)
- Microsoft or anyone else has given him information about your
system, your IP address, or anything else that’s supposed to show that
your system is insecure or ailing.
The threat that the phone call is being recorded is just that:
bullying and fearmongering. If anyone seriously suspects you of
wrongdoing, you’re still more likely to get a knock on the door than a
phone call (or email) that might be from anyone at all. For example,
another commenter tells us that he was told that his PC was being used
as a slave to download music, presumably illegally. A scammer might also
accuse a potential victim of other kinds of copyright infringement,
theft of intellectual property, and all kinds of other criminal
activity. Don’t let them panic you into parting with credit card
information for fear of being wrongfully accused. If it comes to that,
don’t let them panic you in other ways, such as telling you that your
town or even your country is being buried under an avalanche of malware
that anti-virus doesn’t detect but which they can somehow fix.
CLSID still isn’t a unique identifier for your PC
Another commenter told us that he received a call from someone
claiming to be Microsoft Support. The victim was told that his computer
would not receive Windows updates because of infection. He was convinced
by the CLSID gambit that the scammer really knew of a problem with his
system, not realizing at that time that CLSID does not uniquely identify
a Windows PC (see
Support desk scams: CLSID not unique
for more details), so he allowed the scammer to access his PC remotely.
(AMMYY, LogMeIn and Team Viewer are legitimate remote access programs
commonly misused by support scammers for this purpose.)
When I questioned how they could tell my
computer was infected, he directed me to do something. A window showed
several IP addresses (all my computer) and another number next to each
IP address that looked like MAC addresses, but I am not certain. The
next column had a label of some sort that I can’t remember, but it
seemed to indicate that each was a foreign or infected file.
My colleague Aryeh Goretsky suggests that the utility misused in this case was the Windows netstat
utility, though we’re not sure exactly what version or combination of
parameters might have been used. Aryeh points out that the values the
commenter suggests are MAC addresses might be IPv6 addresses, which are
displayed in hexadecimal notation. Here’s an example:
[fe80::841c:83ff:993f:cf0e%13]:445
This screenshot shows the Windows 8.0 version used with the -n
parameter, which displays addresses and port numbers numerically. Of
course, ‘Foreign Address’ doesn’t mean infected: it simply means non-local, i.e. the remote end of each connection rather than this machine.

And this screenshot shows the default display (again, in Windows 8.0).

The command ‘netstat -?’ will display the options available on your particular system at the command line.
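As an added example (mine, not code from the article or from ESET), here is a Python script that parses netstat -n output and labels each ‘Foreign Address’ by what it actually is: the other end of a connection on this same computer, on the local network, or out on the Internet. The sample output is constructed for illustration, except for the bracketed IPv6 endpoint quoted above; it also shows why the hex string the commenter saw is an IPv6 address rather than a MAC address.

```python
import ipaddress
import re

# Constructed sample of "netstat -n" output in the Windows layout. The
# bracketed IPv6 endpoint is the one quoted in the article; the other
# rows are made up for illustration.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED
  TCP    192.168.1.20:49200     192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.20:49311     93.184.216.34:443      ESTABLISHED
  TCP    [fe80::841c:83ff:993f:cf0e%13]:49400  [fe80::841c:83ff:993f:cf0e%13]:445  ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

# A MAC address is six hex octets separated by '-' (Windows) or ':'.
# An IPv6 address is up to eight hex groups separated by ':' and may
# contain '::', so the two are easy to tell apart mechanically.
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2}$")


def looks_like_mac(text):
    """True only for a real MAC address, not for a hexadecimal IPv6 address."""
    return bool(MAC_RE.match(text))


def split_endpoint(text):
    """Turn 'host:port' or '[v6addr%zone]:port' into (ip_address_or_None, port_or_None).

    '*:*' (a listening UDP socket) has no peer at all, so both parts are None.
    """
    host, port = text.rsplit(":", 1)
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and the %zone interface index
    ip = None if host == "*" else ipaddress.ip_address(host)
    return ip, (None if port == "*" else int(port))


def classify_peer(ip):
    """Say what kind of 'foreign' (i.e. remote-end) address this is."""
    if ip is None:
        return "no peer (listening socket)"
    if ip.is_loopback:
        return "loopback (this same computer)"
    if ip.is_link_local:
        return "link-local (same network segment, not routable)"
    if ip.is_private:
        return "private LAN address"
    return "public Internet address"


def describe_netstat(text):
    """Parse netstat -n output into rows with the foreign end classified."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something that is not a socket row
        local_ip, local_port = split_endpoint(parts[1])
        foreign_ip, foreign_port = split_endpoint(parts[2])
        rows.append({
            "proto": parts[0],
            "local": (str(local_ip), local_port),
            "foreign": (None if foreign_ip is None else str(foreign_ip), foreign_port),
            "foreign_kind": classify_peer(foreign_ip),
            "foreign_is_ipv6": foreign_ip is not None and foreign_ip.version == 6,
            "state": parts[3] if len(parts) > 3 else "",
        })
    return rows


if __name__ == "__main__":
    for row in describe_netstat(SAMPLE_NETSTAT):
        print(f"{row['proto']:<4} {str(row['foreign'][0]):<28} {row['foreign_kind']}")
    print("Is the IPv6 endpoint a MAC address?", looks_like_mac("fe80::841c:83ff:993f:cf0e"))
```

Nothing in any row says anything about infection: every line is just a socket that this machine opened or is listening on, and the fe80:: entry is the machine talking to itself over a link-local IPv6 address on port 445.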
Another commenter told us that he’d been told to ‘press Windows R’ (i.e. bring up the Run command) and then type ‘inf location virus’ into the dialog box. Fortunately, this commenter knew that the inf command – strictly speaking, a search term – simply shows the contents of a folder normally named C:\Windows\Inf, which contains files used in installing the system.
Inf doesn’t recognize – and in fact simply ignores – any parameters, even if they’re as sinister-sounding as ‘virus locations’.

I discussed the misuse of the inf search term at some length in Support Scammers (mis)using INF and PREFETCH, but clearly it’s still being used. So, it turns out, is prefetch:
Virus Bulletin’s Martijn Grooten, with whom I’ve worked several times on support-scam-related issues, recently reported its reappearance in one of his blog articles for Virus Bulletin – Phone support scams: an old scam with some new tricks. In this instance, the scammer homed in on the fact that rundll32.exe was found in the Windows Prefetch folder (not surprisingly, as it’s an essential system utility), and ran a Google search that flagged the fact that malicious files sometimes masquerade as rundll32.exe, presumably in the hope that a victim would be convinced that prefetch was really flagging malware in this instance.
Martijn also mentioned the Indexing Service gambit flagged by Kaspersky’s
David Jacoby that I talked about in yet another blog – New Support Scam Gambits: Frozen Virus a Frozen Turkey.
The image below, from my older blog, shows typical misuse, where the
VBScript ‘service not running’ message is claimed to be proof that a
software or hardware licence has expired. In fact, the error message
simply shows that there is no such service as ‘software warranty’.

Or ‘software warrenty’, in the example cited by Martijn: scammers are
often notable for their haphazard spelling and command of English in
general, though good English is by no means an infallible indication of
honesty and good intentions.
View to a Shill
And, naturally, the old favourite Event Viewer (eventvwr.exe)
still rates a mention in Martijn’s blog (after all these years!),
continuing to be misrepresented as showing the presence of imaginary
malware or system problems that the scammer can ‘fix’ for you.
Mac Attack
However, the last gambit I’m going to talk about on this occasion is
something a little different. While there has been the occasional hint
of Mac-specific scam action, cold-calling scammers don’t usually have a
script prepared for Mac users. (I particularly appreciated the scammer
who, when I said I was using a Mac – as in fact I was at that time –
went to consult her supervisor and then came back and said she was
unable to ‘help’ me.) However, a recent blog article for Malwarebytes by Jerome Segura describes how a company called Speak Support offering “Mac® Techical Support” misused the internet utility ping in the hope of convincing a potential victim that he has no active protective software on his system.
When Jerome allowed Speak Support to access his Mac remotely using TeamViewer, the tech opened a terminal window and used ping from the command line to query a site called protection.com. This is what I got when I did the same thing:
wilbur:~ davidharley$ ping protection.com
PING protection.com (72.26.118.81): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
^C
--- protection.com ping statistics ---
10 packets transmitted, 0 packets received, 100.0% packet loss
The ^C shows where I got bored with counting timeouts and terminated the request.
Winging it and Pinging it
So what does this tell us? The utility was designed, back in the
early days of networking, to determine whether a server was available by
sending it ICMP (Internet Control Message Protocol) packets, and to
measure how long it took for an acknowledgement to be received. In this
instance, the packets are not being acknowledged, which you might think
means that protection.com is not online.
However, it’s very common (and has been for many years, certainly
back when I was administering Unix systems) for Internet-facing servers
to be configured not to respond to ping requests, as a countermeasure
against certain classes of Denial of Service attack. So it’s not
surprising if the protection.com domain is configured not to respond.
And that appears to be the case: protection.com is certainly online at
the time of writing, even though ping isn’t acknowledged. The domain
actually belongs to Life Alert, which describes itself as “a Personal
Emergency Response and Home Medical Alert System company”, and seems to
have no connection whatsoever with Speak Support and its activities.
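To make the point above concrete, here is an added Python example (my own, not code from the article or from Malwarebytes). It parses a ping statistics line like the one shown earlier and then asks the only question that actually bears on whether a host is online: does it complete a TCP handshake on a service port? The ping text is a constructed copy of the transcript above, shortened to four requests, and `simulated_connect` is an offline stand-in for a real socket connect that assumes a server filtering ICMP but serving HTTPS; nothing is assumed about how protection.com itself is configured. Whatever the outcome, the verdict concerns the remote host, never the anti-malware state of the machine running ping.

```python
import re
import socket

# Constructed sample input: a copy of the ping transcript quoted in the
# article, shortened to four echo requests.
SAMPLE_PING_FILTERED = """\
PING protection.com (72.26.118.81): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- protection.com ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
"""

# Constructed sample of a host that does answer, in the Linux summary
# layout, to show that the parser copes with both formats.
SAMPLE_PING_ANSWERED = """\
--- example.invalid ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
"""

# macOS/BSD prints "N packets received", Linux prints "N received".
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def parse_ping_summary(output):
    """Return (transmitted, received) from the statistics line of ping output."""
    m = STATS_RE.search(output)
    if m is None:
        raise ValueError("no ping statistics line found")
    return int(m.group(1)), int(m.group(2))


def tcp_port_open(host, port, timeout=3.0, connect=socket.create_connection):
    """Attempt a TCP handshake to host:port. `connect` is injectable so the
    logic can be exercised offline; the default is the real socket call."""
    try:
        conn = connect((host, port), timeout)
    except OSError:
        return False
    conn.close()
    return True


def assess_host(ping_output, host, ports=(80, 443), connect=socket.create_connection):
    """Combine the ICMP result with TCP evidence and state only what the
    evidence supports. The verdict is about the remote host; it never says
    anything about anti-malware protection on the machine running ping."""
    sent, received = parse_ping_summary(ping_output)
    open_ports = [p for p in ports if tcp_port_open(host, p, connect=connect)]
    if received > 0:
        verdict = "host answers ICMP echo requests"
    elif open_ports:
        verdict = "host drops or filters ICMP but is online (TCP ports answer)"
    else:
        verdict = "no ICMP reply and no TCP answer on the probed ports; status unknown"
    return {
        "icmp_sent": sent,
        "icmp_received": received,
        "tcp_ports_open": open_ports,
        "verdict": verdict,
        "says_anything_about_local_protection": False,
    }


class _ClosedSocket:
    def close(self):
        pass


def simulated_connect(address, timeout=None):
    """Offline stand-in for socket.create_connection (assumption for the
    demo): behaves like a web server that filters ICMP but serves HTTPS."""
    if address[1] == 443:
        return _ClosedSocket()
    raise OSError("connection refused")


if __name__ == "__main__":
    print(assess_host(SAMPLE_PING_FILTERED, "protection.com", connect=simulated_connect))
    print(assess_host(SAMPLE_PING_ANSWERED, "example.invalid", connect=simulated_connect))
```

Run against a real host by leaving `connect` at its default; with the simulated connector the first call reports 100% ICMP loss yet an open port 443, which is exactly the ‘online but not answering ping’ case described above.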
However, the essential message here is that the use of ping tells you nothing about whether the Mac is protected against malware. The Malwarebytes blog, though, suggests that scammers are asserting – quite incorrectly and presumably with intent to mislead – that the ‘lost packets’ message that results is an indication that the system is unprotected.
I should make it clear that this
wasn’t a cold call: Jerome
actually made a call proactively to a ‘support line’ advertised on a web
site that offered Mac support ‘expertise’. He suggests that:
It’s quite possible the next time cold
call scammers phone you up, they’ll already have a script made for Mac
users as well, just in case.
An interesting speculation, but at the moment, I’m not seeing any
reports of cold-callers who use this gambit when a potential victim says
that they’re using a Mac. In fact, you’d think that even the most naïve
user would be slightly suspicious if someone rang him to say his
Windows PC was in trouble when he was actually using a Mac, but I guess
there are ways round that.
There are, however, two aspects to this scam that are of particular interest. One is that the attack is clearly aimed at Mac users, albeit Mac users who go out of their way to contact Speak Support, and it might indeed fool a Mac user with no experience of old-school Internet utilities or the Unix command-line prompt.
The other interesting aspect is that this isn’t actually a Mac-specific attack, since the ping utility is supported on many platforms, including Windows. The screenshot below shows the same ping request on a Windows 8.0 machine.

And this, just for complete information, is what a successful ping request looks like:

I hate to think what a support scammer would claim that successfully pinging virgin.com tells us about the system I’m running, but it took me quite a few attempts to find a well-known domain that does acknowledge ping requests.
Martijn, Steve Burn of Malwarebytes, and independent researcher Craig
Johnston and I put together papers for Virus Bulletin 2012 – My PC has 32,539 errors: how telephone support scams really work – and CFET (Computer Forensics Education and Training) 2012 – FUD and Blunder: Tracking PC Support Scams – which cover much of this material in a lot more detail.
Hat tips to Martijn, Jerome, Greg Wasson for a conversation at this
year’s Virus Bulletin, and the many people whose comments have added to
our knowledge of this scam.