Security Expert Fools, Records Fake Antivirus Scammers

Phony AV scammers posing as Microsoft dialed the wrong number when they inadvertently phoned a security researcher at home -- who exposed their obvious lack of technical know-how

Fake antivirus scammers recently got more than they bargained for when they unknowingly dialed the home number of a Sourcefire security researcher who then lured them to an impromptu honeypot and recorded their activity on his machine.

Noah Magram, principal software engineer with Sourcefire, says it was about dinner time -- also known as telemarketing time -- last week when he decided to answer what appeared to be a local call according to his caller ID. Magram says it was his local area code in Oregon and "Borders" showing up on caller ID that tempted him to pick up.

The caller said he was from Microsoft and that Magram's computer had been sending multiple error messages to the software company. "He said they thought I had some viruses and malware," recalls Magram, who immediately knew it was a scam. "It was surreal."

"I was curious. I wanted to see if they would send me to any websites or get me to download any malware, something that we could analyze. I was really curious about what their script was," Magram says.

Fake antivirus and security software scams are rampant, and they typically begin as drive-by Web infections: a user visits a compromised site and is shown a pop-up claiming the machine is infected. The attacker then locks the machine down and extorts a "subscription" fee to restore it to working order. Most recently, Websense detected a massive rogue AV campaign that hit more than 200,000 Web pages across 30,000 different websites.

Others, like the one Magram stumbled on, are more direct social-engineering scams, either by phone or email.

Patrik Runald, research director at Websense Security Labs, says Websense doesn't see as many of these social-engineering-based attacks, which mostly go after home users. "My mom and some of my friends did receive a similar phone AV scam and reported it to me," Runald says. "It's really a continuation of the fake/rogue AV scams that get delivered to users' PCs via drive-bys or social engineering. The people operating those scams already have call centers to receive 'support' calls from their 'customers,' so the step to make outbound calls isn't much of a reach."

[ Actors looking to monetize from malware infections are continuing to invest in developing increasingly convincing fake software in order to maintain their cover. See Scareware Is Evolving. ]

Magram says the agent on the other end of the line did not appear to be technically adept and didn't stray much from his script. Magram played along from the comfort of his living room couch, pretending to pull up the event viewer on his Windows machine. "I said I saw a couple of warnings and errors in my event viewer, and he said, 'That's malware,'" Magram says. Then, without any introduction or warning, a new agent came on the phone and picked up where the first agent left off. He urged Magram to install a remote administration tool so the agent could get a closer look at the "problem."

So after 30 minutes of dragging out the call, Magram decided that this rare, firsthand look at a fake AV and security software scam was too good not to study up-close and record. So he started up a VMware virtual machine on his Windows PC. "I realized I could give them an environment to bang around in," Magram says. Upon the urging of the scammers, he installed LogMeIn, a legitimate remote access tool, and "Victor," the technician, was then inside the machine. Magram recorded every click the scammers made.

At first, Victor tried to remotely bring up a website with information on the subscription options, but apparently fat-fingered the browser button, and the Web page for another legit RAT product, ShowMyPC.com, appeared instead. He eventually got the "company's" Web page to successfully load, and the agent carefully explained to Magram the various services and subscriptions they offer.

Interestingly and suspiciously, they no longer were pretending to be Microsoft at that point. "The website was not Microsoft's. Their story had changed because initially they said they were calling from Microsoft," Magram says.

Taking The Bait
Magram finally "agreed" to a one-year subscription for a one-time $50 fee, and they pushed him to a Web page using a legitimate card-processing service. He typed in a test card number, and the transaction was rejected.

Then Victor systematically began disabling all Windows Services right there on the screen for all to see, while the agent on the voice call told Magram he would need to renew his subscription, noting that the machine was so compromised that they couldn't be "held responsible for what happens next."

"I asked the agent why they were disabling those things, and he said they are a list of malware. But they were obviously a list of standard Windows services," Magram says.

Victor continued the destruction, ultimately disabling the VMware services as well. "I even asked what VM services are ... he insists they are malware," Magram recalls.

The scammers didn't give up easily, either. Even with the "rejected" credit card and no payment on the table yet from their mark, Victor rebooted the machine into Safe Mode while the agent on the line warned that there was so much malware on the machine that they wouldn't be responsible for what happened next. Magram knew that Victor's actions would leave the system unusable after a reboot, but the scammers apparently were making one last-ditch effort to get him to cough up some cash.

He finally admitted to the scammers that they were on a VM, and he was a security expert who had been stringing them along. They quickly hung up.

Magram says he was surprised how low-tech the scammers actually were. Not only were they blatant about disabling the Windows services, but they also didn't realize they were trapped inside a VM, even when the VMware services appeared on the screen. "I had always wondered what their capabilities are" in these scams, he says. "But I was shocked how clueless and clumsy they were. They are placing thousands of these calls, and they are not sophisticated."
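The two technical details above, a "technician" flipping standard Windows services to Disabled and VMware services sitting in plain view, are both visible from an ordinary PowerShell prompt. The script below is an added example, not Magram's recording or anything Sourcefire or Dark Reading published: it snapshots service start types before handing over remote access, reports the virtualization tells the scammer missed, and afterward lists every service the remote session set to Disabled. It assumes PowerShell 5.0 or later (the StartType property on Get-Service output) and that the baseline file path is one you choose; the file name used here is an assumption.

```powershell
# Added example, not from the article. Requires PowerShell 5.0+ for StartType.
$BaselinePath = Join-Path $env:TEMP 'services-before.xml'   # assumed path

function Save-ServiceBaseline {
    # Capture Name/StartType for every service BEFORE the remote session.
    Get-Service | Select-Object Name, DisplayName, StartType |
        Export-Clixml -Path $BaselinePath
}

function Get-VirtualizationTells {
    # What "Victor" had on screen: VMware Tools services plus the hardware model
    # string WMI reports for a VMware guest ("VMware Virtual Platform").
    $model = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
    $vmServices = Get-Service |
        Where-Object { $_.Name -match 'VMTools|VMware|vmvss|vm3dservice' }
    [pscustomobject]@{
        HardwareModel   = $model
        LooksVirtual    = ($model -match 'VMware|Virtual|HVM|KVM|QEMU') -or ($vmServices.Count -gt 0)
        VMwareServices  = $vmServices | Select-Object Name, DisplayName, Status
    }
}

function Get-ServicesDisabledSinceBaseline {
    # AFTER the session: anything now Disabled that was not Disabled in the baseline.
    if (-not (Test-Path $BaselinePath)) { throw "No baseline at $BaselinePath" }
    $before = Import-Clixml -Path $BaselinePath
    $after  = Get-Service | Select-Object Name, DisplayName, StartType
    foreach ($svc in $after) {
        $old = $before | Where-Object Name -eq $svc.Name
        if ($svc.StartType -eq 'Disabled' -and $old -and $old.StartType -ne 'Disabled') {
            [pscustomobject]@{
                Name         = $svc.Name
                DisplayName  = $svc.DisplayName
                WasStartType = $old.StartType
            }
        }
    }
}

function Restore-ServiceStartTypes {
    # Put the original start types back. -WhatIf shows the changes without applying them.
    param([switch]$WhatIf)
    foreach ($hit in Get-ServicesDisabledSinceBaseline) {
        if ($WhatIf) {
            "Would set $($hit.Name) back to $($hit.WasStartType)"
        } else {
            Set-Service -Name $hit.Name -StartupType $hit.WasStartType
        }
    }
}

# Usage, in order:
#   Save-ServiceBaseline                 # before installing LogMeIn or similar
#   Get-VirtualizationTells              # what the remote party can see
#   Get-ServicesDisabledSinceBaseline    # after the session ends
#   Restore-ServiceStartTypes -WhatIf    # review, then run without -WhatIf
```

Run the baseline and restore steps from an elevated prompt, since changing a start type needs administrator rights. The comparison is deliberately one-directional: it reports only services that went from enabled to Disabled during the session, which is the pattern described in the article, rather than every difference between the two snapshots.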

And they didn't install any malware. "I thought that would be the first thing they would have done. I assume that when they 'fixed' the machine they would install the malware," he says.

Their approach was "so stone age," he says, using legitimate RAT tools and an unprofessional and shaky script by the caller. Even so, it's a social-engineering scam, and those are the hardest to defend against, he says. The only real defense is educating users about these types of scams out there.

And catching the culprits behind it is unlikely. Magram was able to root out that their company's physical address, if legit, was in Utah, and that's about it. "It's doubtful they are set up in the U.S.," he says.

Magram said, overall, the experience was interesting and kind of fun. "My wife was cracking up [in the background] and first couldn't figure out why I was talking to a telemarketer," he says.

"This is not something you'd expect as a software engineering [pro] at a security firm, to have somebody call you who wants to own your box, and it falls in your lap," he says.

Websense's Runald says he has scammed a few scammers in his day as well. "It's always interesting to turn the table on scammers. I've played along with the bad guys when it comes to job scams and other social-engineering tricks, and as soon as they figure out you know more than most, they just stop communicating, just like what happened to Noah," Runald says.

Meanwhile, Magram has posted a video of the scam online.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comments
User Rank: Apprentice
11/17/2012 | 7:27:09 PM
re: Security Expert Fools, Records Fake Antivirus Scammers
Victim of Fake Anti-Virus Software Scams Shares Her Story: http://www.onlinethreatalerts....
User Rank: Apprentice
5/25/2012 | 2:53:53 PM
re: Security Expert Fools, Records Fake Antivirus Scammers
One of my users got a call from these cons, but was smart enough to only play along a little to see what they were up to. She actually got the guy to give her his phone number, even though caller ID came back blocked. Now, every now and again, I call him back and mess with him. Playing along with his script until I felt like turning it around and creatively insulting him and belittling him in various ways. If anyone else would like to join in on the fun, while the number is still active, it's 209-965-7943. They harass us and our users, now it's our turn!