A Warning to the Credulous – The Next Step in Malware Propagation

A month or so ago I encountered several cases of the poorly named System Tools Virus within the space of 24 hours.

That’s nothing special in itself; we run a tight ship at work, with regards anti-virus protection but, these insidious spoof anti-virus warning systems, have become increasingly adept at getting past conventional anti-virus and anti-malware programmes.

They often piggy back on banner advert systems, much to the embarrassment of the sites providing or carrying these adverts.

Even the most tech-savvy user could be fooled by one of these alerts, some look dangerously like existing anti-virus packages.

Once you know what you’re doing when you encounter these fake alerts they really aren’t as problematic as they could be.

End your browsing session, don’t click any buttons and run a scan through your usual anti-virus/anti-malware product just to be sure.

In my experience, they seem to only infect one user’s personal folders with a species of malware that can be removed by simply starting Windows in Safe Mode and purging the user’s temporary folders; before thendownloading a copy of MalwareBytes Anti-Malware and running that whilst in Safe Mode.

That advice certainly worked last month, in every case bar one.  In that case just ending the Internet Explorer session using Task Manager was all it took to protect the effected PC.

Now the means of these fake system defenders being carried over to internet users are being clamped down on.  High profile sites have had their brands tarnished by being associated with this kind of infection and so it is increasingly difficult for this malware to be offered up to users.

This week I think I have encountered the next step in malware propagation – cold calling!

For the past week or so, my partner and I have received calls, on an almost daily basis, asking to speak to the “computer owner” or “person responsible for the computer”.

If given a chance, the caller identifies themselves as calling from “Windows technical support” or “your broadband provider”.

If the call goes further we discover that the caller has identified virus activity on our account and assistance is offered in dealing with the threat.

Now, my partner is great at handling this kind of call.  She usually fobs them off with a glib “They’re not in” or “My boyfriend works in IT, he’d tell me if there was a problem.”; this causes the caller to hang up… no muss no fuss.

Yesterday, however, she was nearly caught out.

The caller referred to her by name and claimed to be from our broadband provider.  When asked, the caller stated that they were calling from Virgin Media (our provider) and that they had noticed “slow connection speeds” that indicated to them that our home PC was riddled with viruses.  The caller then went on to explain that we had to run a scan “there and then”.

Bless her, my partner stuck to form.

If there is a problem, my boyfriend will be able to deal with it.

At which point, the caller hung up and my partner sent me an email to tell me about it.

I had a quick hunt on the internet and found a number of similar incidents reported all the way back to early 2010.

Had we continued with the call, the caller would have guided us through downloading an executable file and then running it (via the Start menu’s Run option).  This would have then displayed all the viruses we supposedly had – just in the same way as the “System Tools” malware.

In a worst case scenario; the caller would have talked us through allowing them to remotely connect to our PC and do this for us.

To add insult to injury, many victims have then been charged £100+ and bullied into paying by PayPal or worse – credit card over the phone.

In the end, users have had their financial security breached along with a PC being infected with a whole host of trojans, malware and back door openings to future digital abuse.

What is really disturbing is that only recently, April 2011 onwards, the callers seem to be working from a database of named contacts and relevant broadband providers.

I called Virgin Media, no mean feat to do so without using their 0845 number when away from home.  A very helpful chap, named Dom, confirmed that we had not been called and then explained his understanding of how these scams worked.  Apparently they have a team investigating this kind of scam; after all, it is damaging to Virgin’s brand to have scammers calling in their name.

So, there we are then (my favourite acrostic).  There appears to be a current tele-canvassing campaign – seemingly driven by non-UK based VOIP users – targeting UK broadband users and trying to:

  • Install a range of malware on the victim’s PC.
  • Gain confidential credit card details.
  • Gain remote connection credentials.

What concerns me most in this regard, is the number of credulous internet users that don’t have access to tech-savvy or web-savvy advice.

My maternal Grandfather for example would fall for this kind of scam easily, not even mentioning to anyone afterwards.  He knows to let us know if he sees anything untoward whilst browsing and he knows that Prince Mazuma of Umboto Gorge doesn’t really have several million szlotaks ready to transfer into his bank account.

But, he doesn’t know that it isn’t really Sky calling him and charging him a tonne to clean his PC for him.

So, advise your friends and family, gullible or otherwise: when someone calls telling you they’re from windows support, do what good old Jack Burton would do and tell them that you know they’re scammers, and I guarantee they will hang up straight away.

They did when they called again this evening anyway.

I wrote this up on the Money Watch site (linked above) where users continue to post their experiences of this kind of thing.

We had a call yesterday from an undisclosed number. It sounded like an offshore/Delhi call centre.

The caller claimed to be from Virgin Media and even refered to my partner by name.

They said that they could tell our PC was infected with viruses as our connection was slow.

They wanted to help my partner run a scan.

I was at work at the time so my partner told them “My partner is an IT Manager, I’m sure he’ll know what to do”. The line went dead straight away.

We were suspicious on a number of levels. Firstly, Virgin only ever phone if they’re owed money. Secondly, we’ve had a number of cold calls asking for the “Computer User” or “Computer Owner”.

Furthermore, our PC died months ago. Our broadband is used for a games console, smart phones and the occasional netbook.

My partner told me this as soon as she’d had the call. So I phoned Virgin Media to check.

Virgin confirmed that they hadn’t contacted us and that our broadband connection speed and bandwidth usage were normal.

We still don’t know how they knew we were on Virgin or how they got my partners name… the account is in my name.

My partner fully intends to lead these scammers on from this point on, in true scam-baiter style.


3 thoughts on “A Warning to the Credulous – The Next Step in Malware Propagation

  1. The first time I came across this scam was a couple of years ago while working at the Tech Support Call Centre for a major retailer.

    A Customer had the savvy to ring us before paying someone claiming to be calling on behalf of Microsoft to scan and fix their PC.

    So I did a quick google, and found that this scam had just started doing the rounds in the UK, after a year or so in Australia.

    I was able to protect that Customer, and then made sure the information about this scam was spread throughout the Call Centre, as it was a major step up from the pop-up scams.

    A couple of months ago, my Dad took one of these calls, and almost fell for it, having got as ar as downloading, but not running, the file the guy on the phone told him to get. At that point, he called me instead, and I was able to stop the machine from being infected.

    The various Gods and Goddess’ bless MalwareBytes!

  2. .. ah szlotacks, the forgotten currency.

    Your paternal grandfather has the right idea – ignore the internet but give your son’s aluminium ladders away to any passing scammster 😦


  3. I too have seen a rise in the cold-calling ‘technical support’ offers in our area too (Merseyside)

    Mostly they claim to be from Microsoft and tell you that there is a fault on your PC. They then talk you through a series of ‘fault finding’ exercises, which leads you to check for a specific System Process (of course it is running, it is part of the Windows OS!)
    The worst cases scenario is when they ask you to allow them remote access to fix the fault! You can guess what happens next….

    How do they ‘know’ who to target?…. Well, I’ve been thinking about this one for a while. I suspect, they check online for legitimate faults at exchanges and local lines [worryingly anyone can do this] It’s also not too difficult to find out which homes have services that might be affected, then make a call and take a chance.

    Why do they do it? Well, there’s got to be financial gain somewhere down the line (excuse the pun) – maybe they do catch enough people out who pay to have the phoney faults removed? Personally, I think they want to be able to gain control of your computer to carry out further illegal activities, which is where their real pot of gold lies.

    Microsoft, et al. will NEVER call you up to offer to fix your fault – why would they? They release fixes and patches on their support sites, for you to download. They most certainly wouldn’t carry out this personal service for Doris from Milton Keynes! 😉

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s