Risk
5/13/2013
11:23 AM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft Tech Support Scams: Why They Thrive

Readers detail "frozen DNS Trojan" cold calls and "repairs" that lead to $882 in unauthorized wire transfers.

Windows Blue
(click image for larger view and for slideshow)
8 Things Microsoft Should Fix In Windows Blue
Consumers: Hang up on anyone who cold-calls offering Windows technical support, never believe an Internet pop-up that reports your PC is infected with malware, and, above all, don't ever install software from an untrusted source who offers to rid your PC of viruses, perhaps for free.

If people followed those precepts, they'd avoid the hassle and expense of scammers out to make a quick buck. But Microsoft technical support scams continue to be alive and well, sticking victims with bills of between $50 and $450 for security smoke and mirrors, or sometimes perpetrating financial fraud that costs far more.

According to a 2011 Web survey of 1,298 people conducted by British consumer rights watchdog Which?, 3% of respondents said they'd allowed scammers to log onto their PC and 2% gave them money. Interestingly, 3% said they weren't sure if a technical support cold call had really been a scam or not.

Here's a hint: Cold callers offering tech support advice are scammers. Here are six recent examples of how these fraudsters operate.

1. Scammers Reuse Scripts.

The con artists behind telephone repair scams often reuse the same script, which often begins: "I'm calling from Microsoft. We've had a report from your Internet service provider of serious virus problems from your computer."

[ Tired of being stuck in password hell? See 10 Top Password Managers. ]

One reader emailed Saturday to say that he'd received "an almost word for word phone call on my landline." After hanging up, he alerted his telephone company. "All they could offer was ... a call trace, and to notify my local police. Which I may pursue," he said.

2. South African Targeted By StartControl.

Another reader, a retired South African systems programmer, emailed last week to report that he'd been targeted by telephone scammers offering technical support. First, they asked him to press the Windows start button, then enter this URL: www.startcontrol.com. That took his browser to a site labeled as BeAnywhere support express, which prominently features the following message: "Please insert the reference supplied to you," with the reference referring to a six-digit PIN. "They even give you a six-digit PIN, that's where I stopped them, 19 minutes later," he said.

BeAnywhere is legitimate remote-control software. But who is Startcontrol.com? According to Alexa, Startcontrol.com has been operating for 10 years and ranks in the top 3.8 million of all websites globally. It appears that 77% of search engine traffic to the site involves Arabic speakers. A link to the website's "Termos of Service," however, lead to a "server error: 404 - File or directory not found" message.

The site's whois listing says that the domain was registered by GoDaddy, which lists the site's administrative and technical contact as being based in Portugal. But an email sent to the listed whois contact bounced back with an error message that the account didn't exist. Likewise, the telephone number listed in the whois entry appears to be bogus; a call to that number lead to BSPI - Intelligent Business Solutions. An employee at the firm said his company, which resells Sophos security products, has no affiliation with startcontrol.com, and that he'd never before heard of the company.

GoDaddy.com didn't immediately respond to an abuse report filed Friday morning for www.startcontrol.com.

3. Support Routines Might Be Real-Time Smokescreens.

One risk from allowing scammers to install software on your PC is that the "support application" might be used to disguise fraudulent activities. In April, for example, a reader emailed to say he'd been cold-called by someone claiming to be a Microsoft representative, warning that he had numerous viruses on his computer. The caller offered to remove the viruses and get the PC "running like new" for free, provided he "renew" his software.

"He then [asked] for card info which I gave him. Then I [got] an email from Western Union of a transfer of money which I did not authorize so I [checked] my account and found he had taken $882 out," said the reader. "I called Western Union about it and they said there was nothing they could do as the money was picked up and they could not give me the name of who got it."

The supposed virus-killing offer seemed to mask fraudulent activity. "He went so far as to show me all the errors he found but, while the program was supposed to be loading, my screen was black and I suspect that was when he was hitting my account," he said.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
5/17/2013 | 1:59:17 AM
re: Microsoft Tech Support Scams: Why They Thrive
Let me be the first to say it... Thank you Steve Case.

Without the explosive popularity of America OnLine and the massive expansion of the Internet in the 90s, I highly doubt that this would be an issue at this point. Remembering the days when the Internet was a utopia of thinkers, students, educators, defense contractors and technically savvy people - a very small percentage of those people would fall for this sort of social engineering.

But, since we've got Ma and Pa Kettle bringing home a brand new PC from their closest big box store and hooking it up to that "new fangled" Internet, you'll have people taking advantage of those who are less savvy.

Something to keep in mind here - how much of a role does the media play in feeding into this monster? Remember Nimda and CodeRed and all of those virii from days gone by? The entire world was made to be extremely afraid of virii - possible considering them to be even worse than a virulent strain of H1N1... because they don't really grasp the idea of a computer virus and what it really does, while everyone knows that H1N1 gives you physical symptoms of an infection.

That said, why isn't there more of an effort to educate people, BEFORE they become a victim of this sort of thing? Ounce of prevention being worth a pound (or dollar) of cure, and all...

Andrew Hornback
InformationWeek Contributor
majenkins
50%
50%
majenkins,
User Rank: Apprentice
5/15/2013 | 6:05:06 PM
re: Microsoft Tech Support Scams: Why They Thrive
I got one of these a couple of weeks ago. "I am calling about problem with operating system of, Microsoft Windows, blah, blah, blah" something like that. I just hung up, maybe next time if I have time and feel like it I'll play them like Number 6 did.
Number 6
50%
50%
Number 6,
User Rank: Apprentice
5/15/2013 | 3:00:48 PM
re: Microsoft Tech Support Scams: Why They Thrive
I actually enjoyed getting the telephone scam call a couple months ago. I told the woman who called (Indian accent) that I needed to know the IP address of the PC with the problem, since I have several and she wanted me to go to a URL from that PC. She didn't know what an IP address was, let alone the difference between IPv4 and IPv6. I asked for a phone number that I could call her back at, and got one that I found out later was for a florist in Wisconsin!

After continuing to get nowhere with my IP question, I asked if I could talk with someone who could help. I got her "supervisor," told him that I work in IT, and he tried to convince me that I don't know how networking works. Um, yeah, good luck with that. I was probably coding network software before he was running his first scam. I finally hung up on him, but I regret not getting that URL.

Sounded like a boiler room operation, not an individual.

I agree with Tom. The call was the first time I'd heard about this particular scam. Lots of people could fall for this.
rjones2818
50%
50%
rjones2818,
User Rank: Moderator
5/14/2013 | 6:26:58 PM
re: Microsoft Tech Support Scams: Why They Thrive
Is anyone surprised? Most computer users probably shouldn't be allowed near a computer, much less trusted to take the rudimentary steps needed to protect said computer. Until training/schooling focuses on security from day one scamming and the like will remain a major problem.
Tom LaSusa
50%
50%
Tom LaSusa,
User Rank: Apprentice
5/13/2013 | 4:35:07 PM
re: Microsoft Tech Support Scams: Why They Thrive
The real reason why they thrive? Lack of education/passing this information along to family and friends. That's the bottom line. And it doesn't take a whole lot either -- instead of posting yet another silly meme on your Facebook profile, post a notice reminding friends and family to hang up when they get these calls.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.