Like many of you, I am the IT support for family and friends. As such, I get lots of calls concerning slow browsers, printers that won’t work, and questions that take me a few seconds to Google the answer to.
However, in the last few weeks, I’ve gotten a few calls with a similar story. Someone was having Internet issues and wanted to call their ISP. They didn’t know the number, so they searched for it in Google and called up the first number that popped up. This is all good, except when I hear the words “…and after they connected to my computer, they told me it was infected and could sell me a security plan,” I get very nervous. BIG. RED. FLAG. They had stumbled into a tech support scam.
Victims are typically drawn into tech support scams in one of two ways. The first is that the victim is cold-called by “Microsoft” and told their computer is showing signs of compromise. The second occurs when a user clicks on the wrong link or ad, often when searching for something like “tech support,” as in the case above. The page they land on displays flashy pop-up windows, often with accompanying blaring sounds, stating that multiple computer viruses have been detected and that they need to call the number on the screen immediately.
Once on the phone, the scammer plies their scam. They convince the victim to download remote access software to allow the scammer access to the computer. Next, the scammer runs meaningless commands or downloads fake anti-virus software, stating the results mean the victim’s computer is infected with computer viruses. To fix this, the victim only has to pay a one-time fee to have them removed or can pay even more to be protected from here on out.
Obviously, this scam targets naive computer users and, on the surface, appears to be a home user problem. But should this be a concern for businesses too? Absolutely.
Let’s assume a user in your organization falls for this and examine the scam from its various steps.
User clicks on malicious link.
A user able to click on a malicious link, no matter how they came upon it, brings up many questions. Why were they able to click on the link? Why didn’t your proxy server block access to it? What else will the user click on? The answers to these questions may shed light on protections that are needed, or end-user education that needs to be performed.
Remote access software is downloaded, and an unauthorized third party connects to your system.
An unauthorized third party connecting to one of your systems should be considered an incident. The act of doing so hopefully violates one of your security policies, as the remote access software is bypassing your firewalls and VPNs, the scammer does not have permission to be on the computer, and the integrity of any information on the computer screen has been violated.
Think of it like this. If you work in healthcare and have protected health information (PHI) on the screen when the scammer connects, HIPAA may have been violated.
Commands are run, or programs are downloaded and executed.
While the modus operandi of scammers is to run commands like netstat, or to download and install fake anti-virus software, that doesn’t mean that’s all they ever do. Imagine if a scammer decided that it would be more beneficial to install a Monero miner on the computer and told the user the high CPU usage was caused by the malware. What if they installed ransomware or a backdoor?
If this does happen, what should you do? Perform an incident investigation, or if you are concerned enough and don’t have the in-house skills, hire someone to do it for you. Here are some tips for the investigation:
- Treat the user as a victim. They got scammed and made a mistake. Do not threaten them with any type of corrective action, as that will only lead to other users becoming hesitant to report future compromises.
- Talk to the user and ask what the scammer did. This will help point your investigation down the right avenues.
- The scammer likely did not do anything to hide their activity, so forensic artifacts may be intact. Focus your analysis on browser history, file system timelines, event logs, and registry analysis to determine what occurred.
- Scam websites are often on unusual top-level domains (TLDs) such as .online, .support, .help, .top, or .xyz. Search for any activity with these or other odd domains and block them in your proxy server or firewall, or block them entirely on your DNS server. How much legitimate business do you do with .xyz domains?
- Use the incident as a stepping stone for user education. Informing your users of these scams will not only help them become more secure at home, it will raise their security awareness at work and keep your systems safe.
- If your policy allows it, report the tech support scam to the FTC at https://www.ftccomplaintassistant.gov/ as this will help get these scammers offline.
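As an added example (not code from the original post), the following Python script carries out the TLD search from the tips above over a Squid-style proxy access log: it flags requests to hosts on the TLDs the post names, produces a deny list for your proxy or DNS server, and counts distinct suspicious hosts per client as a triage starting point. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# TLDs the post calls out as commonly used by scam sites; extend after your own review.
SUSPICIOUS_TLDS = {"online", "support", "help", "top", "xyz"}

# Squid-style proxy access log, constructed for this example (not real traffic).
SAMPLE_PROXY_LOG = """\
1700000000.123 452 10.0.0.21 TCP_MISS/200 18324 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1700000012.456 120 10.0.0.21 TCP_MISS/200 5120 GET http://security-alert-2451.online/virus-detected.html - HIER_DIRECT/198.51.100.7 text/html
1700000013.001 80 10.0.0.21 TCP_MISS/200 2048 GET http://security-alert-2451.online/alarm.mp3 - HIER_DIRECT/198.51.100.7 audio/mpeg
1700000120.789 9800 10.0.0.21 TCP_MISS/200 6520000 GET http://dl.remote-helpdesk.support/RemoteSupport.exe - HIER_DIRECT/198.51.100.9 application/octet-stream
1700000130.222 90 10.0.0.44 TCP_MISS/200 3100 CONNECT updates.example.xyz:443 - HIER_DIRECT/203.0.113.5 -
"""

# Squid logs the request method followed by the URL (or host:port for CONNECT).
URL_RE = re.compile(r"\s(?:GET|POST|CONNECT)\s+(?P<url>\S+)")

def host_from_url(url):
    """Hostname of a logged URL; also handles the bare host:port form of CONNECT lines."""
    url = re.sub(r"^[a-z]+://", "", url, count=1)    # drop scheme if present
    host = url.split("/", 1)[0].rsplit("@", 1)[-1]   # drop path and any userinfo
    return host.split(":", 1)[0].lower().rstrip(".")  # drop port, normalise case

def tld_of(host):
    return host.rsplit(".", 1)[-1] if "." in host else ""

def find_suspicious_hits(log_text, tlds=SUSPICIOUS_TLDS):
    """Return (client_ip, host, url) for every request to a host on a suspicious TLD."""
    hits = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue                      # not a request line we understand
        client = line.split()[2]          # third field is the client address
        host = host_from_url(m.group("url"))
        if tld_of(host) in tlds:
            hits.append((client, host, m.group("url")))
    return hits

def blocklist(hits):
    """Unique hostnames from the hits, sorted, ready to feed a proxy or DNS deny list."""
    return sorted({host for _, host, _ in hits})

def hosts_per_client(hits):
    """Number of distinct suspicious hosts each client touched: the triage starting point."""
    return Counter(client for client, _ in {(c, h) for c, h, _ in hits})
```

Run it against an exported proxy or DNS log and review the resulting hosts before blocking, since a legitimate vendor may occasionally sit on one of these TLDs.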
Tech support scams are not going away, so understanding them, knowing how to respond to them, and knowing why your users should be educated about them is knowledge worth having.
Author: Tyler Hudak
Tyler has over 20 years of real-world experience in incident handling, malware analysis, computer forensics, and information security for multiple organizations. He has spoken and taught at a number of security conferences about topics ranging from incident response to penetration testing techniques.