Security Expert Fools, Records Fake Antivirus Scammers

Phony AV scammers posing as Microsoft dialed the wrong number when they inadvertently phoned a security researcher at home -- who exposed their obvious lack of technical know-how

Fake antivirus scammers recently got more than they bargained for when they unknowingly dialed the home number of a Sourcefire security researcher who then lured them to an impromptu honeypot and recorded their activity on his machine.

Noah Magram, principal software engineer with Sourcefire, says it was about dinner time -- also known as telemarketing time -- last week when he decided to answer what appeared to be a local call according to his caller ID. Magram says it was his local area code in Oregon and "Borders" showing up on caller ID that tempted him to pick up.

The caller said he was from Microsoft and that Magram's computer had been sending multiple error messages to the software company. "He said they thought I had some viruses and malware," recalls Magram, who immediately knew it was a scam. "It was surreal."

"I was curious. I wanted to see if they would send me to any websites or get me to download any malware, something that we could analyze. I was really curious about what their script was," Magram says.

Fake antivirus and security software scams are rampant and typically spread via drive-by Web infections: a user visits a compromised site and then sees a pop-up message claiming his or her machine is infected. The attacker locks the machine down and then, in effect, extorts a subscription fee from the victim to restore it to working order. Most recently, Websense detected a massive rogue AV scam that targeted more than 200,000 Web pages and 30,000 different websites.

Others, like the one Magram stumbled on, are more direct social-engineering scams, either by phone or email.

Patrik Runald, research director at Websense Security Labs, says Websense doesn't see as many of these social-engineering-based attacks, which mostly go after home users. "My mom and some of my friends did receive a similar phone AV scam and reported it to me," Runald says. "It's really a continuation of the fake/rogue AV scams that get delivered to users' PCs via drive-bys or social engineering. The people operating those scams already have call centers to receive 'support' calls from their 'customers,' so the step to make outbound calls isn't much of a reach."

[ Actors looking to monetize from malware infections are continuing to invest in developing increasingly convincing fake software in order to maintain their cover. See Scareware Is Evolving. ]

Magram says the agent on the other end of the line did not appear to be technically adept and didn't stray much from his script. Magram played along from the comfort of his living room couch, pretending to be pulling up the event viewer on his Windows machine. "I said I saw a couple of warnings and errors in my event viewer, and he said, 'That's malware,'" Magram says. Then, without any introduction or warning, a new agent came on the phone and basically picked up where the first agent left off. He urged Magram to install a remote administration tool so the agent could get a closer look at the "problem."

So after 30 minutes of dragging out the call, Magram decided that this rare, firsthand look at a fake AV and security software scam was too good not to study up-close and record. So he started up a VMware virtual machine on his Windows PC. "I realized I could give them an environment to bang around in," Magram says. Upon the urging of the scammers, he installed LogMeIn, a legitimate remote access tool, and "Victor," the technician, was then inside the machine. Magram recorded every click the scammers made.

At first, Victor tried to remotely bring up a website with information on the subscription options, but apparently fat-fingered the browser button, and the Web page for another legit RAT product, ShowMyPC.com, appeared instead. He eventually got the "company's" Web page to successfully load, and the agent carefully explained to Magram the various services and subscriptions they offer.

Interestingly and suspiciously, they no longer were pretending to be Microsoft at that point. "The website was not Microsoft's. Their story had changed because initially they said they were calling from Microsoft," Magram says.

Taking The Bait
Magram finally "agreed" to a one-year subscription for a one-time $50 fee, and they pushed him to a Web page using a legitimate card-processing service. He typed in a test number, which caused the transaction to be rejected.

Then Victor systematically began disabling all Windows Services right there on the screen for all to see, while the agent on the voice call told Magram he would need to renew his subscription, noting that the machine was so compromised that they couldn't be "held responsible for what happens next."

"I asked the agent why they were disabling those things, and he said they are a list of malware. But they were obviously a list of standard Windows services," Magram says.

Victor continued the destruction, ultimately disabling VMware as well. "I even asked what VM services are ... he insists they are malware," Magram recalls.

The scammers didn't give up easily, either. Even with the "rejected" credit card and no payment on the table yet from their mark, Victor rebooted the machine under Safe Mode while the agent on the line warned that there was so much malware on the machine that they wouldn't be responsible for what happened next. Magram knew that Victor's actions would disable the system altogether after a reboot, but the scammers apparently were trying one last-ditch effort to get him to cough up some cash.

He finally admitted to the scammers that they were on a VM, and he was a security expert who had been stringing them along. They quickly hung up.

Magram says he was surprised how low-tech the scammers actually were. Not only were they blatant about deleting the Windows services, but they also didn't realize they were trapped inside a VM, even when the VMware services appeared on the screen. "I had always wondered what their capabilities are" in these scams, he says. "But I was shocked how clueless and clumsy they were. They are placing thousands of these calls, and they are not sophisticated."

And they didn't install any malware. "I thought that would be the first thing they would have done. I assume that when they 'fixed' the machine they would install the malware," he says.

Their approach was "so stone age," he says, using legitimate RAT tools and an unprofessional and shaky script by the caller. Even so, it's a social-engineering scam, and those are the hardest to defend against, he says. The only real defense is educating users about these types of scams out there.

And catching the culprits behind it is unlikely. Magram was able to root out that their company's physical address, if legit, was in Utah, and that's about it. "It's doubtful they are set up in the U.S.," he says.

Magram said, overall, the experience was interesting and kind of fun. "My wife was cracking up [in the background] and first couldn't figure out why I was talking to a telemarketer," he says.

"This is not something you'd expect as a software engineering [pro] at a security firm, to have somebody call you who wants to own your box, and it falls in your lap," he says.

Websense's Runald says he has scammed a few scammers in his day as well. "It's always interesting to turn the table on scammers. I've played along with the bad guys when it comes to job scams and other social-engineering tricks, and as soon as they figure out you know more than most, they just stop communicating, just like what happened to Noah," Runald says.

Meanwhile, Magram has now posted a video of the scam online, which can be viewed here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
