Technical Support Scams Pt. 1
There has been a lot of activity on the internet where people are being scammed out of their money. This is nothing new, and every year there are new attacks coming out. Do you remember the Nigerian Prince? He was willing to transfer millions of dollars into your account to secure his freedom. Once the money was collected and transferred, he would share a portion with the kind-hearted person willing to help out. Instead, thousands of people fell victim and had their bank accounts cleared out, with hardly a trace to follow to recover the lost funds.
Nowadays, it is the Tech Support Scam. You surf online when a warning comes up that your computer is infected with a virus and that you should call Microsoft, Windows, or Internet Provider Support at such and such a number. The message will usually tell you that your personal files are at risk and that your financial data will be compromised unless you request support. Certain ones will tell you that your hardware is at risk of being corrupted and that your IP address is being logged. For most people, this can seem like a completely legitimate message, but it is designed to scare users into calling the support number for “Windows Support” services. Once people call this number, they are connected to a “Microsoft” Representative who will happily remote into the system and fix it.
What follows is a technician showing you numerous errors on your computer. To my knowledge, none of the representatives actually perform a virus scan, but I will list some of the methods they use to show you that your system is “infected”.
Event Viewer is a useful tool that displays information pertaining to your system. It holds information about the applications you run, security logs of users who sign in, and general logging of system functionality. A Systems Administrator can use this area to find the details of crashes and bugs that may occur within your Windows operating experience, but someone who has spent little to no time in this window can be put off by the number of errors and warnings that get displayed. For Windows 10 users it is a simple right-click of the Start Menu and selecting Event Viewer to open up the Microsoft Management Console (MMC for short). While most of the errors that come up are genuine, for the most part they are not relevant to any issues you may be experiencing and can be ignored. A “Microsoft” Support Technician will use this information and show you vast amounts of errors and warnings to simulate a PC being infected.
The previous window shows a system with numerous warnings stating that Outlook has disabled indexing. While this may not be the error that is displayed, what typically happens is that a victim will be told that these are all instances of the computer beginning to fail. The victim hears numerous warnings that the computer is at risk of being taken over by a hacker when in reality a scammer has already been allowed into the system in the first place.
The next window will show a sample TCP/IP connection window. This window, while it can again be used for legitimate diagnostics in network administration, can also be used to give the illusion that people are actively trying to break into the computer. Most times, these are connections that are already open on your computer because your web browser is currently being used.
Many of the connections being listed are already established, which is normal since I have many web tabs open to various websites. Certain ones are on a time-wait since they are waiting on a response from my system to the end-server. The close-wait connections are waiting on me to fully end my session by exiting my browser. Each of the addresses being listed is the numerical address of one of the websites currently open. Many scammers will say that these are hackers trying to enter the system right now, and in most cases each one is simply an address that you are already connected to. (I say most because netstat is a valuable tool for detecting unwanted traffic, but it is completely abused when someone tells you that every address listed is a hacker trying to get in.)
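The reading of the connection list described above can also be done by a script. The following Python sketch is an added example, not part of the original post: it parses a constructed sample of Windows `netstat -ano` output and sorts the connections by direction instead of treating every address as an intruder. The sample addresses, the `WEB_PORTS` set and the function names are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (documentation-range IPs).
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1180
  TCP    192.168.1.20:50512     203.0.113.10:443       ESTABLISHED     8120
  TCP    192.168.1.20:50513     198.51.100.7:443       TIME_WAIT       0
  TCP    192.168.1.20:50514     203.0.113.25:80        CLOSE_WAIT      8120
  TCP    192.168.1.20:3389      198.51.100.99:61022    ESTABLISHED     1180
  UDP    0.0.0.0:5353           *:*                                    2200
"""

WEB_PORTS = {80, 443}  # assumption: ordinary browser traffic uses these ports


def parse(text):
    """Yield (local_port, remote_addr, remote_port, state, pid) per TCP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # headers, blank lines, and stateless UDP rows
        _, local, remote, state, pid = parts
        remote_addr, remote_port = remote.rsplit(":", 1)  # keeps IPv6 intact
        yield int(local.rsplit(":", 1)[1]), remote_addr, int(remote_port), state, int(pid)


def triage(text):
    """Group connections into listening, inbound, outbound web, and other."""
    rows = list(parse(text))
    listening = {lp for lp, _, _, state, _ in rows if state == "LISTENING"}
    report = defaultdict(list)
    for lp, addr, rp, state, pid in rows:
        if state == "LISTENING":
            report["listening"].append(lp)
        elif lp in listening:
            # The remote side dialled a port this PC has open: worth a closer look.
            report["inbound"].append((addr, lp, state, pid))
        elif rp in WEB_PORTS:
            # This PC dialled out to a web port: what open browser tabs look like.
            report["outbound_web"].append((addr, rp, state, pid))
        else:
            report["other"].append((addr, rp, state, pid))
    return dict(report)


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The grouping is by direction and port only, so an outbound web-port entry is not proof that a connection is harmless; the PID column is what ties each row back to the program that opened it.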
We also see many people who inadvertently click on a “support” site when trying to reach the support for the product or service they need help with. In a follow-on post, we will discuss this issue and show you how to parse an internet link to avoid this trap.