Last Updated on February 1, 2020 by Mathew Diekhake
The long-term outlook for good overcoming evil, online at least, is encouraging, with some of the largest corporations continually seeking out the best hackers for employment. More often than not, the expert hackers who are best at finding exploits take those jobs and help these companies find and fix the exploits, because the jobs pay well and, most importantly, pay better than anything they could earn by using that knowledge for evil instead of good.
In the meantime, you can expect to find plenty more scams coming to your emails that you need to be aware of. My personal email is under constant barrage from scams, as my email addresses are regularly found floating around online as other people try to acquire them for the sake of their websites being able to obtain views from showcasing the addresses. This has led to many scammers emailing me most days of the week. None of them ever succeed in what they are trying to do, which is to get me to click a link found within the email (not to be confused with an unsubscribe link found in a regular email—a regular email being a trusted email that you can see is an official email by looking at the sender's email address, e.g., contact@mlb.com).
Now there are new phishing-like emails arriving as fake tech support notices that people need to be on the lookout for. Certain people are more prone to being targeted than others: the CEO of Microsoft would need to watch for email scams every day, for instance, while your local grocery store owner with hardly any online presence might never see a scam email targeted at them. But it pays for everyone to be educated on the matter and on what to look out for, just in case a scam is targeted at you. There are reasons for scammers to target almost anyone.
In addition to the email threats, there are also advertisement scams users need to be on the lookout for, which isn't helping publishers fight against people choosing to block ads. There are high-quality ad networks out there, and then there are low-quality ad networks. Some sites are not permitted to use high-quality ad networks like the one Google offers, and they often resort to low-quality networks to make money. Torrent sites and sites that offer illegal or adult content are often among the most trafficked sites on the web and are also the type of sites that run low-quality ads for revenue. Some argue the solution is to run an ad blocker and block all of a website's ad revenue while occasionally whitelisting a site that gets regular and routine visits. Others suggest that staying away from the illegal sites is the more logical solution, because it allows the rest of the web to survive.
Another way to help tackle the issue of advertisement scams like those featured in the article below from the Windows security team is to be educated enough to know what they are so you don't fall victim to them.
Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims. Recently, we have observed spam campaigns distributing links that lead to tech support scam websites.
Anti-spam filters in Microsoft Exchange Online Protection (EOP) for Office 365 and in Outlook.com blocked the said emails because they bore characteristics of phishing emails. The said spam emails use social engineering techniques—spoofing brands, pretending to be legitimate communications, disguising malicious URLs—employed by phishers to get recipients to click suspicious links.
However, instead of pointing to phishing sites designed to steal credentials, the links lead to tech support scam websites, which use various scare tactics to trick users into calling hotlines and paying for unnecessary “technical support services” that supposedly fix contrived device, platform, or software problems.
The use of email as an infection vector adds another facet to tech support scams, which are very widespread. Every month, at least three million users of various platforms and software encounter tech support scams. However, tech support scams are not typical email threats:
- Many of these scams start with malicious ads found in dubious web pages—mostly download locations for fake installers and pirated media—that automatically redirect visitors to tech support scam sites where potential victims are tricked into calling hotlines.
- Some tech support scams are carried out with the help of malware like Hicurdismos, which displays a fake BSOD screen, or Monitnev, which monitors event logs and displays fake error notifications every time an application crashes.
- Still other tech support scams use cold calls. Scammers call potential victims and pretend to be from a software company. The scammers then ask victims to install applications that give them remote access to the victim’s devices. Using remote access, the experienced scam telemarketers can misrepresent normal system output as signs of problems. The scammers then offer fake solutions and ask for payment in the form of a one-time fee or subscription to a purported support service.
The recent spam campaigns that spread links to tech support scam websites show that scammers don’t stop looking for ways to perpetrate the scam. While it is unlikely that these cybercriminals will abandon the use of malicious ads, malware, or cold calls, email lets them cast a wider net.
An alternative infection path for tech support scams
The spam emails with links to tech support scam pages look like phishing emails. They pretend to be notifications from online retailers or professional social networking sites. The suspicious links are typically hidden in harmless-looking text.
Figure 1. Sample fake Alibaba order cancellation email. The order number is a suspicious link.
Figure 2. A sample of a fake Amazon order cancellation email. Similarly, the order number is a suspicious link.
Figure 3. Sample fake LinkedIn email of a message notification. The three hyperlinks in the email all lead to the same suspicious link.
The links in the emails point to websites that serve as redirectors. In the samples we analyzed, the links pointed to the following sites, which are most likely compromised:
- hxxp://love.5[redacted]t.com/wordpress/wp-content/themes/acoustician.php
- hxxp://s[redacted]t.com/wp-content/themes/paten.php
- hxxp://k[redacted]g.org/wp-content/categorize.php
Interestingly, the redirector websites contain code that diverts some visitors to pharmaceutical or dating websites.
Figure 4. Redirects to pharmacy sites
In most cases, however, the redirector websites eventually lead to typical support scam pages.
Figure 5. Redirects to support scam site
Landing on typical support scam websites
Tech support scam sites often mimic legitimate sites. They display pop-up messages with fake warnings and customer service hotline numbers. As part of the scam, calls to these phone numbers are answered by agents who trick users into paying for fake technical support.
Figure 6. Tech support scam site with fake warning and support number
The technical support scam websites employ various social engineering techniques to compel users to call the provided hotlines. They warn about malware infection, license expiration, and system problems. Some scam sites display countdown timers to create a false sense of urgency, while others play an audio message describing the supposed problem.
Tech support scam websites are also known to use pop-up or dialog loops. A dialog loop refers to malicious code embedded in sites that causes the browser to present an infinite series of browser alerts containing falsified threatening messages. When the user dismisses an alert, the malicious code invokes another one, ad infinitum, essentially locking the browser session.
More advanced tech support scam sites use web elements to fake pop-up messages. Some of these scam sites open full screen and mimic browser windows, showing spoofed address bars.
Windows 10 protects against tech support scams, no matter the vector
Tech support scams continue to expand and evolve. They are becoming multi-faceted and are arriving via several infection vectors. A multi-layered defense is necessary.
Windows 10 has a comprehensive protection stack that defends against multi-faceted threats. New and updated features in Creators Update provide even more protection for devices against the latest and advanced threats. Upgrade to Windows 10, if you haven’t already, and keep your computers up-to-date.
Microsoft Exchange Online Protection (EOP) has built-in anti-spam filtering capabilities that help protect Office 365 customers from email threats, including tech support scams that arrive via email. Office 365 Advanced Threat Protection helps secure mailboxes against attacks by blocking emails with unsafe attachments and malicious links, including time of click protection. Outlook.com anti-spam filters also provide protection against these scam emails.
Use Microsoft Edge when browsing the Internet. It uses Windows Defender SmartScreen (also used by Internet Explorer), which blocks tech support scam websites and other malicious websites, as well as malicious downloads.
Figure 7. Microsoft Edge blocks known support scam websites using Windows Defender SmartScreen
Microsoft Edge also helps stop pop-up or dialog loops that are often spawned by tech support scam websites. It does this by allowing you to stop web pages from creating any more messages when the first one is dismissed:
Figure 8. Dialog loop protection in Microsoft Edge
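To show how the dialog-loop protection described above works in principle, here is an added example (not code from the original post, and not Microsoft Edge's own implementation): a userscript-style guard that wraps `alert`, `confirm` and `prompt` on a window object and, once a page has raised more than a set number of dialogs within a short window, suppresses further ones and answers them with the value a dismissal would produce, so a loop terminates instead of locking the session. The window object is passed in so the guard can be exercised against a constructed stub; the thresholds are assumed defaults.

```javascript
// Added example: throttle browser dialogs so a dialog loop cannot lock the session.
function installDialogGuard(win, { maxDialogs = 3, windowMs = 10000, now = Date.now } = {}) {
  const original = { alert: win.alert, confirm: win.confirm, prompt: win.prompt };
  // What the page receives when a dialog is suppressed: the same value the user
  // would produce by dismissing it, so the page cannot tell the difference.
  const cancelValue = { alert: undefined, confirm: false, prompt: null };
  const stamps = [];                         // times of recently shown dialogs
  const stats = { shown: 0, suppressed: 0 };

  // Sliding window: allow a dialog only if fewer than maxDialogs were shown in windowMs.
  function allowed() {
    const t = now();
    while (stamps.length && t - stamps[0] > windowMs) stamps.shift();
    if (stamps.length >= maxDialogs) return false;
    stamps.push(t);
    return true;
  }

  for (const kind of ["alert", "confirm", "prompt"]) {
    win[kind] = function (...args) {
      if (!allowed()) {
        stats.suppressed++;
        return cancelValue[kind];
      }
      stats.shown++;
      return original[kind].apply(win, args);
    };
  }
  return { stats, uninstall() { Object.assign(win, original); } };
}

// Constructed stand-in for a browser window whose user clicks through every dialog.
function makeStubWindow() {
  return { alert() {}, confirm() { return true; }, prompt() { return "ok"; } };
}

// Simulates a page that raises a fresh warning each time the previous one is
// dismissed. Bounded by `attempts` so the simulation itself always terminates.
function simulateDialogLoop(win, attempts) {
  for (let i = 0; i < attempts; i++) win.alert("Your PC has a problem, call support now");
}

// Stand-alone demo: with the defaults only the first three dialogs get through.
const demoWindow = makeStubWindow();
const demoGuard = installDialogGuard(demoWindow);
simulateDialogLoop(demoWindow, 10);
console.log(demoGuard.stats);
```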
When a website serves a dialog loop, you can also try to close the browser window. Alternatively, you can open Task Manager (by pressing CTRL+SHIFT+ESC), select the browser under Apps, and click End task. In future updates, Microsoft Edge will let you close the browser or specific tabs even when there is a pop-up or dialog message.
To report a tech support scam site using Microsoft Edge, select More […] while you are on the site. Select Send feedback > Report unsafe site, and then use the web page that opens to report the website. In Internet Explorer, select the gear icon and then select Safety > Report unsafe website.
Windows Defender Antivirus detects and blocks tech support scam malware and other threats. It leverages protection from the cloud, helping ensure you are protected from the latest threats.
Tech support scams employ various social engineering techniques to get potential victims to call fake support hotlines. Do not call hotline numbers displayed in pop-up messages. Error and warning messages from Microsoft do not contain support numbers.
Some scammers might contact you directly and claim to be from Microsoft. Microsoft will not proactively reach out to you offering unsolicited technical support. To reach our technical support staff, visit the Microsoft Answer Desk.
For more guidance and a comprehensive list of scam numbers to avoid, read about avoiding technical support scams on Windows Defender Security Intelligence.
Alden Pornasdoro, Jeong Mun, Barak Shein, Eric Avena
Source: Windows security blog