Risk
5/13/2013
11:23 AM
100%
0%

Microsoft Tech Support Scams: Why They Thrive

Readers detail "frozen DNS Trojan" cold calls and "repairs" that lead to $882 in unauthorized wire transfers.

Windows Blue
(click image for larger view and for slideshow)
8 Things Microsoft Should Fix In Windows Blue
Consumers: Hang up on anyone who cold-calls offering Windows technical support, never believe an Internet pop-up that reports your PC is infected with malware, and, above all, don't ever install software from an untrusted source who offers to rid your PC of viruses, perhaps for free.

If people followed those precepts, they'd avoid the hassle and expense of scammers out to make a quick buck. But Microsoft technical support scams continue to be alive and well, sticking victims with bills of between $50 and $450 for security smoke and mirrors, or sometimes perpetrating financial fraud that costs far more.

According to a 2011 Web survey of 1,298 people conducted by British consumer rights watchdog Which?, 3% of respondents said they'd allowed scammers to log onto their PC and 2% gave them money. Interestingly, 3% said they weren't sure if a technical support cold call had really been a scam or not.

Here's a hint: Cold callers offering tech support advice are scammers. Here are six recent examples of how these fraudsters operate.

1. Scammers Reuse Scripts.

The con artists behind telephone repair scams often reuse the same script, which often begins: "I'm calling from Microsoft. We've had a report from your Internet service provider of serious virus problems from your computer."

[ Tired of being stuck in password hell? See 10 Top Password Managers. ]

One reader emailed Saturday to say that he'd received "an almost word for word phone call on my landline." After hanging up, he alerted his telephone company. "All they could offer was ... a call trace, and to notify my local police. Which I may pursue," he said.

2. South African Targeted By StartControl.

Another reader, a retired South African systems programmer, emailed last week to report that he'd been targeted by telephone scammers offering technical support. First, they asked him to press the Windows start button, then enter this URL: www.startcontrol.com. That took his browser to a site labeled as BeAnywhere support express, which prominently features the following message: "Please insert the reference supplied to you," with the reference referring to a six-digit PIN. "They even give you a six-digit PIN, that's where I stopped them, 19 minutes later," he said.

BeAnywhere is legitimate remote-control software. But who is Startcontrol.com? According to Alexa, Startcontrol.com has been operating for 10 years and ranks in the top 3.8 million of all websites globally. It appears that 77% of search engine traffic to the site involves Arabic speakers. A link to the website's "Termos of Service," however, lead to a "server error: 404 - File or directory not found" message.

The site's whois listing says that the domain was registered by GoDaddy, which lists the site's administrative and technical contact as being based in Portugal. But an email sent to the listed whois contact bounced back with an error message that the account didn't exist. Likewise, the telephone number listed in the whois entry appears to be bogus; a call to that number lead to BSPI - Intelligent Business Solutions. An employee at the firm said his company, which resells Sophos security products, has no affiliation with startcontrol.com, and that he'd never before heard of the company.

GoDaddy.com didn't immediately respond to an abuse report filed Friday morning for www.startcontrol.com.

3. Support Routines Might Be Real-Time Smokescreens.

One risk from allowing scammers to install software on your PC is that the "support application" might be used to disguise fraudulent activities. In April, for example, a reader emailed to say he'd been cold-called by someone claiming to be a Microsoft representative, warning that he had numerous viruses on his computer. The caller offered to remove the viruses and get the PC "running like new" for free, provided he "renew" his software.

"He then [asked] for card info which I gave him. Then I [got] an email from Western Union of a transfer of money which I did not authorize so I [checked] my account and found he had taken $882 out," said the reader. "I called Western Union about it and they said there was nothing they could do as the money was picked up and they could not give me the name of who got it."

The supposed virus-killing offer seemed to mask fraudulent activity. "He went so far as to show me all the errors he found but, while the program was supposed to be loading, my screen was black and I suspect that was when he was hitting my account," he said.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Tom LaSusa
50%
50%
Tom LaSusa,
User Rank: Apprentice
5/13/2013 | 4:35:07 PM
re: Microsoft Tech Support Scams: Why They Thrive
The real reason why they thrive? Lack of education/passing this information along to family and friends. That's the bottom line. And it doesn't take a whole lot either -- instead of posting yet another silly meme on your Facebook profile, post a notice reminding friends and family to hang up when they get these calls.
rjones2818
50%
50%
rjones2818,
User Rank: Moderator
5/14/2013 | 6:26:58 PM
re: Microsoft Tech Support Scams: Why They Thrive
Is anyone surprised? Most computer users probably shouldn't be allowed near a computer, much less trusted to take the rudimentary steps needed to protect said computer. Until training/schooling focuses on security from day one scamming and the like will remain a major problem.
Number 6
50%
50%
Number 6,
User Rank: Apprentice
5/15/2013 | 3:00:48 PM
re: Microsoft Tech Support Scams: Why They Thrive
I actually enjoyed getting the telephone scam call a couple months ago. I told the woman who called (Indian accent) that I needed to know the IP address of the PC with the problem, since I have several and she wanted me to go to a URL from that PC. She didn't know what an IP address was, let alone the difference between IPv4 and IPv6. I asked for a phone number that I could call her back at, and got one that I found out later was for a florist in Wisconsin!

After continuing to get nowhere with my IP question, I asked if I could talk with someone who could help. I got her "supervisor," told him that I work in IT, and he tried to convince me that I don't know how networking works. Um, yeah, good luck with that. I was probably coding network software before he was running his first scam. I finally hung up on him, but I regret not getting that URL.

Sounded like a boiler room operation, not an individual.

I agree with Tom. The call was the first time I'd heard about this particular scam. Lots of people could fall for this.
majenkins
50%
50%
majenkins,
User Rank: Apprentice
5/15/2013 | 6:05:06 PM
re: Microsoft Tech Support Scams: Why They Thrive
I got one of these a couple of weeks ago. "I am calling about problem with operating system of, Microsoft Windows, blah, blah, blah" something like that. I just hung up, maybe next time if I have time and feel like it I'll play them like Number 6 did.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
5/17/2013 | 1:59:17 AM
re: Microsoft Tech Support Scams: Why They Thrive
Let me be the first to say it... Thank you Steve Case.

Without the explosive popularity of America OnLine and the massive expansion of the Internet in the 90s, I highly doubt that this would be an issue at this point. Remembering the days when the Internet was a utopia of thinkers, students, educators, defense contractors and technically savvy people - a very small percentage of those people would fall for this sort of social engineering.

But, since we've got Ma and Pa Kettle bringing home a brand new PC from their closest big box store and hooking it up to that "new fangled" Internet, you'll have people taking advantage of those who are less savvy.

Something to keep in mind here - how much of a role does the media play in feeding into this monster? Remember Nimda and CodeRed and all of those virii from days gone by? The entire world was made to be extremely afraid of virii - possible considering them to be even worse than a virulent strain of H1N1... because they don't really grasp the idea of a computer virus and what it really does, while everyone knows that H1N1 gives you physical symptoms of an infection.

That said, why isn't there more of an effort to educate people, BEFORE they become a victim of this sort of thing? Ounce of prevention being worth a pound (or dollar) of cure, and all...

Andrew Hornback
InformationWeek Contributor
WilburD802
50%
50%
WilburD802,
User Rank: Apprentice
12/3/2014 | 10:40:15 AM
MicroSoft Fraud
Recieved last night a phone call from MicroSoft that my computer had some problems and He has called to fix them.  I thought it was a Scam so I played on a little while, knowing that I did not have a problem with my MicroSoft because I do Not have Microsoft. 

Their telephone number is 348-975-6987 they called me @ 7:06 P.M. Tuesday the 2nd, Wanting me to turn on my computer and he would fix things for me..  No Thanks I told him he was a Scam and he hung up.

Micro Soft should be able to stop this someway. I do not know what the outcome would be but I did not want to find out.

Can you give me any feedback ?    wedandmed50@gmail.com
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2014 | 10:57:06 AM
Re: MicroSoft Fraud
You were wise not to fall victim to that vishing scam, @WilburD802. But you are in the minority. Here's some data from a recent Dark Reading poll on the subject of social engineering tactics like this one...
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.