Microsoft Tech Support Scams: Why They Thrive

Readers detail "frozen DNS Trojan" cold calls and "repairs" that lead to $882 in unauthorized wire transfers.

Mathew J. Schwartz, Contributor

May 13, 2013

8 Min Read
Dark Reading logo in a gray background | Dark Reading

Windows Blue

LinkedIn: 10 Important Changes


(click image for larger view and for slideshow)
8 Things Microsoft Should Fix In Windows Blue

Consumers: Hang up on anyone who cold-calls offering Windows technical support, never believe an Internet pop-up that reports your PC is infected with malware, and, above all, don't ever install software from an untrusted source who offers to rid your PC of viruses, perhaps for free.

If people followed those precepts, they'd avoid the hassle and expense of scammers out to make a quick buck. But Microsoft technical support scams continue to be alive and well, sticking victims with bills of between $50 and $450 for security smoke and mirrors, or sometimes perpetrating financial fraud that costs far more.

According to a 2011 Web survey of 1,298 people conducted by British consumer rights watchdog Which?, 3% of respondents said they'd allowed scammers to log onto their PC and 2% gave them money. Interestingly, 3% said they weren't sure if a technical support cold call had really been a scam or not.

Here's a hint: Cold callers offering tech support advice are scammers. Here are six recent examples of how these fraudsters operate.

1. Scammers Reuse Scripts.

The con artists behind telephone repair scams often reuse the same script, which often begins: "I'm calling from Microsoft. We've had a report from your Internet service provider of serious virus problems from your computer."

[ Tired of being stuck in password hell? See 10 Top Password Managers. ]

One reader emailed Saturday to say that he'd received "an almost word for word phone call on my landline." After hanging up, he alerted his telephone company. "All they could offer was ... a call trace, and to notify my local police. Which I may pursue," he said.

2. South African Targeted By StartControl.

Another reader, a retired South African systems programmer, emailed last week to report that he'd been targeted by telephone scammers offering technical support. First, they asked him to press the Windows start button, then enter this URL: www.startcontrol.com. That took his browser to a site labeled as BeAnywhere support express, which prominently features the following message: "Please insert the reference supplied to you," with the reference referring to a six-digit PIN. "They even give you a six-digit PIN, that's where I stopped them, 19 minutes later," he said.

BeAnywhere is legitimate remote-control software. But who is Startcontrol.com? According to Alexa, Startcontrol.com has been operating for 10 years and ranks in the top 3.8 million of all websites globally. It appears that 77% of search engine traffic to the site involves Arabic speakers. A link to the website's "Termos of Service," however, lead to a "server error: 404 - File or directory not found" message.

The site's whois listing says that the domain was registered by GoDaddy, which lists the site's administrative and technical contact as being based in Portugal. But an email sent to the listed whois contact bounced back with an error message that the account didn't exist. Likewise, the telephone number listed in the whois entry appears to be bogus; a call to that number lead to BSPI - Intelligent Business Solutions. An employee at the firm said his company, which resells Sophos security products, has no affiliation with startcontrol.com, and that he'd never before heard of the company.

GoDaddy.com didn't immediately respond to an abuse report filed Friday morning for www.startcontrol.com.

3. Support Routines Might Be Real-Time Smokescreens.

One risk from allowing scammers to install software on your PC is that the "support application" might be used to disguise fraudulent activities. In April, for example, a reader emailed to say he'd been cold-called by someone claiming to be a Microsoft representative, warning that he had numerous viruses on his computer. The caller offered to remove the viruses and get the PC "running like new" for free, provided he "renew" his software.

"He then [asked] for card info which I gave him. Then I [got] an email from Western Union of a transfer of money which I did not authorize so I [checked] my account and found he had taken $882 out," said the reader. "I called Western Union about it and they said there was nothing they could do as the money was picked up and they could not give me the name of who got it."

The supposed virus-killing offer seemed to mask fraudulent activity. "He went so far as to show me all the errors he found but, while the program was supposed to be loading, my screen was black and I suspect that was when he was hitting my account," he said. 4. Telephone Scams: Cheap, Easy, Repeatable.

Microsoft support scams succeed in part because they're cheap and easy to run. International call centers -- think boiler rooms -- are often used, situated in an inexpensive labor market such as India, and facilitated via low-cost VoIP telephony.

Thankfully, consumer watchdogs have been mobilizing. Last year, the Federal Trade Commission cracked down on some tech support scams, filing charges and freezing assets associated with 14 businesses and 17 people. It said the scam operations had successfully conned tens of thousands of English-speaking consumers in the United States, as well as Australia, Canada, Ireland, New Zealand and the United Kingdom, into paying between $49 and $450 for fake services.

At the time, the FTC detailed how many of these scam artists operate: "When consumers agreed to pay the fee for fixing the 'problems,' the telemarketers directed them to a website to enter a code or download a software program that allowed the scammers remote access to the consumers' computers," according to the FTC. "Once the telemarketers took control of the consumers' computers, they 'removed' the non-existent malware and downloaded otherwise free programs."

5. Technobabble Warnings: "Frozen DNS Trojan."

Obviously, support scams often succeed because many consumers don't understand Windows information security intricacies. But con artists often operate on the edge of believability, slowly reeling in even technologically savvy targets, who they might have caught unaware with an impromptu phone call.

One reader, for example, emailed earlier this year to say the lure of "free" technical support -- no apparent harm there -- initially caught her off guard. "I just received one of those scam calls from an 800 number obviously from someone in India trying to tell me my computer was infected with a 'frozen DNS Trojan' -- originally he said 'virus' but switched to 'Trojan' later in the call," she said. "I didn't fall for it at all but was curious enough to find out exactly what he was up to. Eventually I told him I knew he was a scammer and didn't believe a word he was saying and hung up."

Technobabble aside, she reported almost falling for the scam. "I'm relatively computer savvy and for a brief second I wondered if this was for real," she said. "So if I could be duped (even for a split second) I can see how people get pulled into this type of scam especially when the scammer tries to tell you this is all 'free' for him to show you are infected with this virus or Trojan."

6. Virus Scanners Fake Results.

To try to get their way, scammers might bring psychological pressure to bear. For example, when Jerome Segura, senior malware research at Malwarebytes, was cold-called by tech support con artists he gave them access to a virtual machine. They flew into repair rage when he refused to pay $229 following their fake ministrations. "They got mad and deleted documents and pictures from my (virtual) machine before cutting me off in a very rude way," he said in a blog post.

Fake bells and whistles might also be employed. This month, for example, Segura said he decided to call a tech-support number that flashed up in a pop-up advertisement window, just to see where it might lead. As before, he gave the tech support person who answered remote access to his PC -- not telling him it was a fully cleaned and isolated virtual machine -- on which he installed, as instructed, TeamViewer software, through which the supposed tech-support agent accessed the PC, then ran a downloaded scanner. Just two seconds later, the scanner reported extensive virus infections. Segura said his analysis of the scanner's database found that it was "stuffed with false positives which aren't just accidents, but clearly used to add some drama."

Added drama or not, don't fall for tech-support scams.

People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital How Hackers Fool Your Employees issue of Dark Reading: Effective security doesn't mean stopping all attackers. (Free registration required.)

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights