Thursday, 31 October 2013

Tech Support Scam Update: Still Flourishing, Still Evolving

[Update 30th October 2013: with regard to the ping gambit discussed below, please note that protection.com now responds to ICMP echo requests - in other words, if you now run the command "ping protection.com" you should now see a screen something like this:
ping protection new
Note that this is perfectly normal behaviour for a site that responds to ping requests. It's probable that protection.com is now doing so because its owners have no wish, understandably, to have their site associated with support scammer misuse, having been notified by Malwarebytes that the abuse was taking place. However, the ping interface is rather minimal, and might still be confusing enough for a computer user with little knowledge of network to encourage a scammer to try to persuade the victim that these messages somehow prove that his system is infected. It doesn't, of course: as explained below, to ping the protection.com tells you nothing whatever about the protection status of your computer.
If you have no idea what I'm talking about, read on, or skip to the 'Mac Attack' section of the article. (Hat tip to Les Bell of Macquarie University, Sydney, for drawing this development to my attention.]
If you regularly read this blog (come to think of it, even if you don’t…), you will probably be familiar with the tech support scams I’ve written about here so often. If not, I’m referring to the unsolicited phone calls telling you that your computer has a problem of some sort (perhaps a mysterious virus, corrupted files or disk partitions, or attacks by a remote hacker) that the caller will be pleased to fix for you, for a “small” fee.
This is, however, an area of cybercrime I haven’t looked at lately on this blog: partly because I’ve been getting far fewer of them myself. (Maybe they’ve got tired of my asking them awkward questions and calling them names when the entertainment value has worn thin.) That doesn’t mean they’ve gone away, of course, and it’s about time I brought you up to date with some of the recent tricks I’ve seen and heard reported.
Some relate to the type of ‘problem’ the scammer claims has affected your system, some relate to the ongoing development of new ways of misusing system utilities and legitimate software in order to ‘prove’ that (a) the scammer is really able to identify your system (b) there really is something wrong on that system. And finally, there’s some information on a trick that has been reported as targeting Mac users, but could also be used against PC users.
Our previous blogs on the topic still attract lots of comments, and very interesting and useful they are too. Some of them tell us a lot about the type of social engineering that the scammers are using to ‘soften up’ the intended victim. One commenter was told:
…there have been complaints from my IP address about scam emails sent to the government, that there have been mentions of bombs and terrorism in my messages, and he asked me if I was one of them. Then he said that lots of porn has been downloaded from my PC if I was downloading it or not!
The same comment also describes how the scammer asked:
…if I thought it was a joke that he had my phone number … and he had my address … and of course that the called was being recorded.
I love it when a scammer gets irritated and self-righteous because he doesn’t think you’re taking him seriously enough. However, it’s probably not a good idea to annoy him if and while he has remote access to your computer.
There are several gambits here worth noting.

Dial Tone

One is the use of the threat of government or law enforcement interest and action, based on the supposition that the victim has engaged in fraudulent or terrorist activity, or even sharing pornographic material. This kind of threat is commonly associated with malware and especially ransomware, and seems increasingly associated with support scamming. At any rate, I’ve heard several reports recently of incidents where the scammer has persuaded the victim to allow him access to his machine and taken advantage of the access to install ransomware – or some other type of malware – and then required payment for its removal.
Another is the assertion that ‘knowing’ the victim’s telephone number and address somehow proves the scammer’s claims. In fact, we know that cold-call scammers use a variety of techniques for finding their victims. Sometimes they use automated or semi-automated predictive call dialers (diallers for those of us in the UK…): that is, hardware or dialing software that simply works through a sequence of numbers. This approach is often used by cold-callers to play a recorded message when the call is answered.
(Readers in the UK will probably be all too familiar with automated messages urging them to claim back money they’re owed by Payment Protection Insurance companies – these aren’t all unequivocal scams, but should certainly be taken with a pinch or three of salt, and I may come back to that particular issue in another blog.)
However In support scams (as well as in other scams and even in more legitimate telemarketing operations), the dialer normally connects the call recipient to a live agent when the call is answered. Legitimate telemarketers should (but often don’t) avoid numbers that are on a local do-not-call registry like the US National Do Not Call database, Canada’s National Do Not Call List or the UK’s Telephone Preference Service. Scammers, however, usually have no such qualms.
The disadvantage of the automated dialing method is that they don’t necessarily have personalized information relating to a specific number. However, support scammers are as capable as anyone else of looking up names and addresses in on-line directories and less legitimate sources. (Unfortunately, having an unlisted telephone number isn’t a guarantee that someone won’t sell it on.)
None of this proves in the least that:
  • The scammer is who he says he is, or represents Microsoft or any other company he claims to be working for or with, or the police, or the FBI, the NSA or even the BBC. ;-)
  •  That Microsoft or anyone else has given him information about your system, your IP address, or anything else that’s supposed to show that your system is insecure or ailing.
The threat that the phone call is being recorded is just that: bullying and fearmongering. If anyone seriously suspects you of wrongdoing, you’re still more likely to get a knock on the door than a phone call (or email) that might be from anyone at all. For example, another commenter tells us that he was told that his PC was being used as a slave to download music, presumably illegally. A scammer might also accuse a potential victim of other kinds of copyright infringement, theft of intellectual property, and all kinds of other criminal activity. Don’t let them panic you into parting with credit card information for fear of being wrongfully accused. If it comes to that, don’t let them panic you in other ways, such as telling you that your town or even your country is being buried under an avalanche of malware that anti-virus doesn’t detect but which they can somehow fix.

CLSID still isn’t a unique identifier for your PC

Another commenter told us that he received a call from someone claiming to be Microsoft Support. The victim was told that his computer would not receive Windows updates because of infection. He was convinced by the CLSID gambit that the scammer really knew of a problem with his system, not realizing at that time that CLSID does not uniquely identify a Windows PC (see Support desk scams: CLSID not unique for more details), so he allowed the scammer to access his PC remotely. (AMMYY, LogMeIn and Team Viewer are legitimate remote access programs commonly misused by support scammers for this purpose.)
When I questioned how they could tell my computer was infected, he directed me to do something. A window showed several IP addresses (all my computer) and another number next to each IP address that looked like MAC addresses, but I am not certain. The next column had a label of some sort that I can’t remember, but it seemed to indicate that each was a foreign or infected file.
My colleague Aryeh Goretsky suggests that the utility misused in this case was the Windows netstat utility, though we’re not sure exactly what version or combination of parameters might have been used. Aryeh points out that the values the commenter suggests are MAC addresses might be IPv6 addresses, which are displayed in hexadecimal notation. Here’s an example:
[fe80::841c:83ff:993f:cf0e%13]:445
This screenshot shows the Windows 8.0 version used with the –n parameter, which displays addresses and port numbers numerically. Of course, ‘Foreign Address’ doesn’t mean infected, but non-local.
(Click on any of the images below if you want a closer view.)
netstat
And this screenshot shows the default display (again, in Windows 8.0),
netstat2
The command ‘netstat -? will display the options available on your particular system at the command line.
Another commenter told us that he’d been told to ‘press Windows R’ (i.e. bring up the Run command) and then type ‘inf location virus’ into the dialog box.  Fortunately, this commenter knew that the inf command – strictly speaking, a search term – simply shows the contents of a folder normally named C:\Windows\Inf, which contains files used in installing the system. Inf doesn’t recognize – and in fact simply ignores – any parameters even if they’re as sinister-sounding as ‘virus locations’.
inf copy
I discussed the misuse of the inf search term at some length in Support Scammers (mis)using INF and PREFETCH, but clearly it’s still being used. So, it turns out, is prefetch: Virus Bulletin’s Martijn Grooten, with whom I’ve worked several times on support-scam-related issues, recently reported its reappearance in one of his blog articles for Virus Bulletin – Phone support scams: an old scam with some new tricks. In this instance, the scammer homed in on the fact that rundll32.exe was found in the Windows Prefetch folder (not surprisingly, as it’s an essential system utility), and ran a Google search that flagged the fact that malicious files sometimes masquerade as rundll32.exe. Presumably, in the hope that a victim would be convinced that prefetch was really flagging malware in this instance.
Martijn also mentioned the Indexing Service gambit flagged by Kaspersky’s David Jacoby that I talked about in yet another blog – New Support Scam Gambits: Frozen Virus a Frozen Turkey. The image below, from my older blog, shows typical misuse, where the VBScript ‘service not running’ message is claimed to be proof that a software or hardware licence has expired. In fact, the error message simply shows that there is no such service as ‘software warranty’.
indexing service
Or ‘software warrenty’, in the example cited by Martijn: scammers are often notable for their haphazard spelling and command of English in general, though good English is by no means an infallible indication of honesty and good intentions.

View to a Shill

And, naturally, the old favourite Event Viewer (eventvwr.exe) still rates a mention in Martijn’s blog (after all these years!), continuing to be misrepresented as showing the presence of imaginary malware or system problems that the scammer can ‘fix’ for you.
event-viewer

Mac Attack

However, the last gambit I’m going to talk about on this occasion is something a little different. While there has been the occasional hint of Mac-specific scam action, cold-calling scammers don’t usually have a script prepared for Mac users. (I particularly appreciated the scammer who, when I said I was using a Mac – as in fact I was at that time – went to consult her supervisor and then came back and said she was unable to ‘help’ me.) However, a recent blog article for Malwarebytes by Jerome Segura describes how a company called Speak Support offering “Mac® Techical Support” misused the internet utility ping in the hope of convincing a potential victim that he has no active protective software on his system.
When Jerome allowed Speak Support to access his Mac remotely using TeamViewer, the tech opened a terminal window and used ping from the command line to query a site called protection.com. This is what I got when I did the same thing.
wilbur:~ davidharley$ ping protection.com
PING protection.com (72.26.118.81): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
^C
--- protection.com ping statistics ---
10 packets transmitted, 0 packets received, 100.0% packet loss
The ^C shows where I got bored with counting timeouts and terminated the request.

Winging it and Pinging it

So what does this tell us? The utility was designed, back in the early days of networking, to determine whether a server was available by sending it ICMP (Internet Control Message Protocol) packets, and to measure how long it took for an acknowledgement to be received. In this instance, the packets are not being acknowledged, which you might think means that protection.com is not online.
However, it’s very common (and has been for many years, certainly back when I was administering Unix systems) for Internet-facing servers to be configured not to respond to ping requests, as a countermeasure against certain classes of Denial of Service attack. So it’s not surprising if the protection.com domain is configured not to respond. And that appears to be the case: protection.com is certainly online at the time of writing, even though ping isn’t acknowledged. The domain actually belongs to Life Alert, which describes itself as “a Personal Emergency Response and Home Medical Alert System company”, and seems to have no connection whatsoever with Speak Support and its activities.
However, the essential message here is that the use of ping tells you nothing about whether the Mac is protected against malware. However, the Malwarebytes blog suggests that scammers are asserting – quite incorrectly and presumably with intent to mislead – that the ‘lost packets’ message that results is an indication that the system is unprotected.
I should make it clear that this wasn’t a cold call: Jerome actually made a call proactively to a ‘support line’ advertised on a web site that offered Mac support ‘expertise’. He suggests that:
It’s quite possible the next time cold call scammers phone you up, they’ll already have a script made for Mac users as well, just in case.
An interesting speculation, but at the moment, I’m not seeing any reports of cold-callers who use this gambit when a potential victim says that they’re using a Mac. In fact, you’d think that even the most naïve user would be slightly suspicious if someone rang him to say his Windows PC was in trouble when he was actually using a Mac, but I guess there are ways round that.
There are, however, two aspects to this scam that are of particular interest. One is that the attack is clearly aimed at Mac users, albeit Mac users who go out of their way to contact Speak Support, and it might indeed fool a Mac user with no experience of old-school Internet utilities or Unix command-line prompt.
The other interesting aspect is that this isn’t actually a Mac-specific attack, since the ping utility is supported on many platforms, including Windows. The screenshot below shows the same ping request on a Windows 8.0 machine.
ping protection copy
And this, just for complete information, is what a successful ping request looks like:
ping virgin
I hate to think what a support scammer would claim that successfully pinging virgin.com tells us about the system I’m running, but it took me quite a few attempts to find a well-known domain that does acknowledge ping requests.
Martijn, Steve Burn of Malwarebytes, and independent researcher Craig Johnston and I put together papers for Virus Bulletin 2012 – My PC has 32,539 errors: how telephone support scams really work – and CFET (Computer Forensics Education and Training) 2012 – FUD and Blunder: Tracking PC Support Scams – which cover much of this material in a lot more detail.
Hat tips to Martijn, Jerome, Greg Wasson for a conversation at this year’s Virus Bulletin, and the many people whose comments have added to our knowledge of this scam.

No comments:

Post a Comment