Tech support scammers now utilizing ransomware-like lock screens to threaten people

By Justin Luna | Neowin

Many of us know the classic tech support scam story: a cold caller claims to be from the “Windows company” and says the recipient's computer has been found to be full of viruses. These callers then use fake Blue Screens of Death to convince the victim that something really is wrong with their PC.

Tricks like these can be shut down easily with a few built-in Windows tools and a few keystrokes. However, scammers have been improving their game and now incorporate lock screens to intimidate users even further.

The technique is borrowed from ransomware, where a malicious program encrypts a user's files or locks the PC on a screen demanding payment.

In this case, the scammers trick victims into thinking their Windows license has expired, then remove the user's ability to control the computer. “This is not a fake browser pop up that can easily be terminated by killing the application or restarting the PC. No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will not get rid of it,” according to Jérôme Segura of Malwarebytes Labs.

There is an entire ecosystem for distributing this malware, including bundling it into Pay Per Install applications. “What you thought was a PC optimizer or Flash Player update turns out to be a bunch of useless toolbars and, in some cases, one of these lockers,” said Segura.

Security researcher @TheWack0lian shared a sample showing how the new tactic works. The malware poses as a genuine-looking Microsoft program, installs without incident, and then waits for the user to restart the system. After the reboot, the user is greeted by what looks like Windows configuring updates; this is already the malware running.

Once its “process” finishes, it displays an error screen saying the user's Windows license has expired. To look more legitimate, it even shows the user's current license key and computer name.

To unlock the system, the only choice offered is to dial the number shown on the screen, which connects the victim to the tech support scammers, who are eager to steal personal information and credit card numbers. When the researchers called the number, they discovered hidden functionality in the locker: pressing Ctrl+Shift+T brings up an installer for TeamViewer, a remote access program. The scammer, however, refused to unlock the computer unless a payment of $250 was made.

Fortunately, the researchers found a way to bypass the lock screen: press Ctrl+Shift and then the S key. Alternatively, entering “h7c9-7c67-jb”, “g6r-qrp6-h2” or “yt-mq-6w” into the “Product Key” field unlocks the PC. These bypasses may only work for some versions of the rogue program.
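Fixed unlock codes like the ones above mean the locker compares the typed key against strings baked into its own binary, which is why they can be recovered without ever calling the number. The following is an added example, not code from the article or from the researchers it cites: it pulls printable strings out of a byte image, including the UTF-16LE strings that Windows GUI programs typically use for their text, and filters them for anything shaped like a product key. The byte buffer, the header bytes and the junk separators are all constructed here; the three codes are the ones the article quotes.

```python
"""Recover hard-coded strings (narrow and UTF-16LE) from a locker binary image."""
import re
from typing import List, Tuple

# Constructed stand-in for a locker's data section: fake header bytes, the lure
# text, the "Product Key" label and three unlock codes, with junk bytes between.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00"
    + b"Your Windows License has expired\x00\x01"
    + "Product Key".encode("utf-16-le") + b"\x00\x00\x02"
    + "h7c9-7c67-jb".encode("utf-16-le") + b"\x00\x00\x03"
    + b"g6r-qrp6-h2\x00\x04"
    + "yt-mq-6w".encode("utf-16-le") + b"\x00\x00\x05"
    + b"CALL NOW\x00"
)

# Dash-separated alphanumeric groups, the shape of the unlock codes in the article.
KEY_LIKE = re.compile(r"^(?:[a-z0-9]{2,4}-){2,4}[a-z0-9]{2,4}$", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least min_len chars.

    A narrow (ASCII-only) pass would miss UI text stored as UTF-16LE, so both
    encodings are scanned and the hits are merged in file order.
    """
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in narrow.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in wide.finditer(data)]
    return sorted(hits)


def find_unlock_candidates(data: bytes) -> List[str]:
    """Filter extracted strings down to values shaped like a product or unlock key."""
    return [text for _, _, text in extract_strings(data) if KEY_LIKE.match(text)]


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_IMAGE):
        print(f"{offset:06x} {enc:8} {text}")
    print("unlock candidates:", find_unlock_candidates(SAMPLE_IMAGE))
```

On a real sample the same two regexes run over the whole file (or over the unpacked image if the locker is packed); the key-shaped filter is only a first cut, and the lure text such as the “license expired” message is just as useful for writing a detection rule.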

With programs like these evolving rapidly, it is alarming how effectively such malware can hold innocent and susceptible people hostage, playing on their fears while stealing their money.

It always pays to be careful about where we go on the internet and which links we click, and to run good security software that can block malware before it does damage.

Classic Facebook “Color Changer” scam makes another comeback

On Facebook, some scams are so alluring that they seem to live forever.

So it goes with “Facebook Color Changer,” a malware attack that masquerades as a way to change the appearance of Facebook's website. Security firm Cheetah Mobile says the latest wave of the scam has affected more than 10,000 people around the world.

Don’t fall for this.

According to Cheetah Mobile, the app advertises the ability to “select your favourite color scheme for facebook layout,” and appears to direct users to “apps.facebook.com/themsandcolors.” But instead, the app sends users to a phishing site.

Once there, the site asks users to watch a tutorial video. Launching the video supposedly grants the site temporary access to the user's access tokens, letting it reach the user's Facebook friends. If the user doesn't watch the video, the site instead tries to push a pornographic video player on PCs or a bogus malware scanner on Android devices.

Cheetah Mobile blames “a vulnerability that lives in Facebook's app page itself, allowing hackers to implant viruses and malicious code into Facebook-based applications directs users to phishing sites.”

As Mashable points out, color-changing capabilities have been a popular hook for Facebook malware peddlers in the past. At least two previous scams have gained traction by inviting users to switch the color of Facebook's blue menu bar. The color changer joins a number of other recurring scams that pose as oft-requested features, including the fabled “dislike” button and the ability to see who viewed your profile.

There is a legitimate way to change the color of Facebook's menu bar, using an extension from the Chrome Web Store, but in general it is best to treat these “feature enhancements” with extreme caution. Just because a friend posts a link in your feed doesn't mean it's safe to click.

via Classic Facebook “Color Changer” scam makes another comeback | TechHive.

Watch out for this Netflix “tech support” scam

Jerome Segura has been tracking tech support scams for a year, documenting the ploys he’s encountered. But even this one found him unprepared.

“Combining a phishing scam with a fake tech support call center is something that I'd never seen before,” the Malwarebytes senior security researcher told Wired.co.uk. A video of the find shows Segura entering a fake Netflix login on what looks like the streaming service's homepage, only to be presented with a notice telling him the account has been suspended and instructing him to call a fake tech support number.

He dutifully called and was asked to download “Netflix Support Software”, which was really the remote control software TeamViewer, giving the scammer access to his system. Once connected, the scammer told Segura he had been hacked; nine times, in fact, with one attack from Serbia, four from Russia, three from China and one from Italy. It is all part of a tactic to instill fear and get the user to comply, explains Segura, as when the helpful voice on the other end of the phone showed him a scan of apparent hacker activity, which was really just a custom-made Windows batch script.

“By running their own tool, which looks authentic, the crooks can detect ‘problems’ that do not exist,” says Segura. “Finally, showing those scan results adds to the fear factor, as well as creating a sense of urgency to fix the issue.”

As well as scraping plenty of personal information from Segura's system, including a file named “banking 2013,” the scammers went on to seek a payment of $389.97 (with a generous $50 Netflix discount) for Microsoft support to fix the problem. (He was repeatedly told that the problem happened because his security software was not up to scratch.)

Then comes a little “fixing” once the call is passed on to a technician. This time the aim is to put the victim at ease: “I can also see that these hackers were trying to access some of your personal information like documents and pictures. Do you have any pictures?” asked the helpful hacker, before proceeding to “recover” them for him.

Perhaps the most bizarre and unusual part: the “Microsoft technician” asked Segura to hold up a photo ID together with his credit card, because the transaction was being done over the Internet and Microsoft supposedly wanted to make sure he was the cardholder.

“The Netflix theme was well thought out—from the suspended account ploy to the discount coupon if you agree to fix the issue, the bad guys have planned their approach in detail,” Segura tells us. “Requesting a photo ID, as well as a snapshot of my credit card, was completely novel too. Despite being the untrustworthy ones, it is ironic they are trying to make sure the mark is not playing them. Aside from the fact that it is creepy, it creates a huge identity theft risk.”

Although this particular investigation took place in the US, Segura says it will “most likely” also affect users in the UK, Canada, Australia, and New Zealand.

“The scammers, usually located in India, are not native English speakers, but it is one of the idioms they know and are comfortable with.” Segura tracked the scammers, and they were indeed located in India. “This scam seems relatively fresh; at least the domain they used was registered and updated recently,” he adds in a blog post on the investigation.

But how often does a scam like this really work? Surely most people’s natural suspicions would be piqued way before they’re asked for a photo of their ID. Surprisingly, says Segura, this is not the case.

“Anyone could fall for these scams, although certain people are more vulnerable. The older generations that did not grow up with computers are more susceptible to being social-engineered. The argument about hackers infiltrating your computer is more likely to be won with someone unfamiliar with such technology. Availability is another important factor here. People that work from home or spend the majority of their time at home are often targeted simply because most calls will happen during business hours, when other people will be out working.”

Unlike in the Microsoft support call scam Segura uncovered last year, the scammers were generally cordial (“bye asshole,” one “technician” signed off the last time around, after Segura entered the wrong banking details). But he did not confront them.

“I’ve learned early on that trying to expose them on the phone is a pointless exercise resulting in a spiral of denial. My goal is to play along, collect as much information as I can while remaining polite in order to build a case against them. They gave themselves away many times, but that’s just because I know enough not to be caught off guard.”

via Watch out for this Netflix “tech support” scam | Ars Technica.