|
There are isolated problems with current patches, but they are well-known and documented on this site. |
You know the scam: A web page tries to convince you (sometimes forcefully) that your system is infected. Getting away from that site can be very difficult. The scammers feed on naive users, frequently swindling them out of hundreds of dollars.
[See the full post at: Fascinating detailed study of tech support scammers]
In case readers are wondering, the term “telecommunication providers” as used in this paper, does not refer to the consumer-level US or international Telecos, but to business telecom services providers. So we don’t have any basis to look at our own phone plans and switch providers because we disapprove of their use by scammers. Some US businesses may have this option, based on the names included in the report.
One type of tech support scam not really covered by this paper is where a company poses as a Tech Support company for people with any computer problems. These web sites operate without any malware or malicious web pages popping up dangerous-looking messages. They often claim to be Microsoft Partners, or claim to be associated with AT&T or Best Buy or other legitimate companies. They use legitimate logos and names of Windows, Microsoft and various Cable Internet companies.
These sites are not affiliated with the companies or products whose names and logos they splash all over their sites. They are preying on people who see their service or product providers listed, and don’t take the time to read the fine print (if any is present). Then they go straight to the phone and call the number listed at the site, thinking they are calling legitimate and official Tech Support. Which they are not!
If you are having an issue with a product or service, go to the official company web pages, and for Internet, TV and other Cable or Teleco services, refer to the numbers you were given when the services were installed. For Microsoft, use their official support pages and phone numbers.
Google is not your friend. The pages look very slick, and very professional. The grammar and spelling are perfect. There is no way to tell they are scams until you actually have someone on the phone and they request that you allow Remote Access to your computer. And by then it’s GAME OVER!
-- rc primak
I am curious. How do these things work? A person just using a browser and suddenly a window pops up with all that scary misinformation.
I counsel my clients to Right click on the task bar, choose Task Manager, then click on the item in the list that represents the threatening window and choose End task.
But they ask me, how did this happen? Where did this come from?
CT
There are two types: browser/web based and telemarketing. The first relies on a dodgy message saying the computer has some horrific malware that can only be fixed by clicking the link. Naive users will click on the link which connects them to the scammers. The telemarketing scammers actual call users using a faked phone number so it is not obvious it is from offshore. Again they try to panic naive users into granting them control. With both, they will demand a pay of a couple of hundred dollars to perform their “services”. There are many Youtube videos were the recipient of the call recording the entire phone conversation including the swearing when the scammer realized they just got had.
It is only a regular web site (with malicious intent) using well-known JavaScript programming techniques.
The intent is malicious and the outcome depends on the end-user’s actions.
Such sites do not plant malware (they might try) in particular if the end-user is patched up to date for Windows and the browser used.
Preferably all browsers installed on the system should be fully patched, which is a generic recommendation and best practice.
Unfortunately, as the paper reveals, no current browser has an absolute “kill switch”. The best I’ve managed to do is to kill my WiFi in Hardware Settings from my keyboard function keys. If done quickly enough, the browser process disconnects, freeing me to close the browser manually. Simply hitting the Restart Button leaves most browsers in a state where upon restarting, they try to restore the session, resulting in being locked onto the offending page all over again.
Linux has a “killall” function which can be invoked in the Command Line Terminal. This is nearly as effective as killing WiFi using a hardware switch. But it does not always clear up a locked browser state. Not even after a complete shutdown and restart.
-- rc primak
There is a simpler solution that seems to work for me and my clients.
Right-click on the taskbar
Choose Task Manager
Click once on the offending item in the list
Click End task
CT
On Linux Mint 17.3, if hit with tech support scam popups while web-browsing(which rarely occurs), go to Administration > System Monitor > Processes, and click “End Process” for the browser. Then restart the browser.
https://blog.malwarebytes.com/threat-analysis/2014/11/psa-tech-support-scams-pop-ups-on-the-rise/
A significant part of my own security environment is a substantial and continuously updated DNS blacklisting policy, and I’ve got to say, I just don’t run across scam sites.
My experience with this strategy implies you should not believe the linked article that many/most scams can’t be avoided via blacklisting. One need only keep one’s blacklists up to date and a VERY substantial number of bad sites on the web – even newly created parts – are simply avoided.
I can’t stress enough how well this works.
I remember seeing a couple of scam sites 4 or 5 years ago, before I had an extensive DNS blacklisting policy in place – something like computer-virus-warning.com or similar – and that’s one of the incentives that spurred me to develop my current strategy.
The key is this: There are currently a number of sites on the web that publish to the public well-managed blacklists of adware/malware/scamware/tracking site names (and domain names), and I see updates to these lists come in daily that imply that scams and new malware sites are being detected and blacklisted all the time. For example, just today, I saw these domains added:
*.13×38390-virus.info=0.0.0.0
*.com-store.store=0.0.0.0
*.misshal.com=0.0.0.0
*.srnartevent-lb.com=0.0.0.0
*.zavia.nl=0.0.0.0
Looking back in my logs a bit, I see that since last week there have been literally hundreds of sites and domains added (and some deleted, implying their problems have been eliminated).
My point is that these online lists are not stagnant, they’re managed by people with hearts of gold! My hat’s off to the maintainers of those sites (listed below).
My compiled blacklists as of today have these quantities of entries:
I have it set up to work like this:
Result:
For what it’s worth, here are the specific sources for blacklist data that I am currently using:
http://winhelp2002.mvps.org/hosts.txt
http://malware-domains.com/files/domains.zip
http://www.malwaredomainlist.com/hostslist/hosts.txt
https://adaway.org/hosts.txt
http://someonewhocares.org/hosts/hosts
http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext”
http://www.quero.at/download/adblock-hosts.zip
http://sysctl.org/cameleon/hosts.win
Most of the above are set up for people to use their data as a local hosts file – which can be effective, but is really not the best way. I’m repurposing the lists via the script I have created to feed my Dual DHCP DNS Server software, which I’ve slightly modified to handle bigger lists.
FYI, the OpenDNS / Cisco Umbrella DNS servers online are at: 208.67.222.222 and 208.67.220.220. There are also servers that automatically exclude adult sites. For more see:
https://www.opendns.com/home-internet-security/
Remember that blacklisting is just one part of my own multi-layer security strategy. Other parts include reconfiguring my browser not to run ActiveX from sites on the wild internet, not installing extras, carefully vetting any downloaded software, MalwareBytes AntiMalware scans, a deny-by-default firewall configuration, and a number of other things.
Bottom line: No matter what the article that started this thread says, if you want to get a bit geeky you CAN pre-emptively protect your systems via site blacklisting. It’s a GREAT DEAL more effective than doing nothing at all. I have been doing it for years now, and I can promise you it really works.
-Noel
I appreciate the feedback, though I suspect the number of Windows users who are savvy enough to do something like what I’ve done is rather larger than 0.01%. My guess would be more like a few percent of them at least (e.g., a few tens of millions of tech-savvy people worldwide, many of whom are undoubtedly reading Woody’s site), and with a UI that could provide an easy way to set up and manage such a system, a much larger percentage of Windows users could get benefit out of managed blacklisting. I’ve just been thinking of doing up such a UI and turning this scheme into a “donationware” type product.
For what it’s worth I started out responding to this thread with a simple “uh, no, not really” to the article’s assertion that “every uploaded scam page gets its own random-string-including URL which can not be guessed and thus cannot be preemptively blacklisted”, then I imagined b or someone saying “you need to reveal how you do it”. It snowballed from there.
Lastly, I honestly don’t believe in “protecting the masses” from knowledge, because “they won’t know how to use it”. I’d say it’s better to enlighten some people with things they don’t know are possible and have them go off and make themselves more tech savvy because their curiosity and interest have been piqued. I know *I* really like it when people post about things I don’t yet know about!
I will not accept that using Windows has to be a messy, iffy process fraught with peril. I prove every day that it can be tight and slick and just work.
-Noel
Well……. Noel I would be on that list if you ever did a UI
I’ve just been thinking of doing up such a UI and turning this scheme into a “donationware” type product.
I have already saved a copy of your extensive detailed information……….. although sadly I would probably not be able to do something myself with it……….. but who knows maybe I might someday, or more possibly with the help of one of my able bodied sons/daughter or grandsons!!
But I was so interested to learn and read all about it………. so thank you Noel for taking the time to write it all down in such detail! LT
Hi Noel, that blacklisting method is a good approach for those inclined to configure their systems.
But there is another way to get many blacklists that automatically update, with just one click!
Check out uBlock Origin, the free browser plugin for Chrome & Firefox, as well as a beta for Microsoft Edge. It is much more than an ad blocker, and you can select the block lists that it uses from a config panel. Just check or uncheck them. You want ads? Just uncheck those and leave the malware sites checked …
https://github.com/gorhill/uBlock
https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
And that OpenDNS … highly recommended!!!
Noel,
Remember when you said maybe we were some kind of brothers? I read what you wrote and it reminds me of when I was using Zone Alarm in the early days and was mad each time Microsoft used a process I didn’t know to access the Internet without telling me. I believed it was rude and invasive to access the outside without my permission, I hated thst they baked IE in 98 and had no idea how much worse it would get. At some point, I had to realize Zone Alarm wasn’t able to prevent leaking from programs using IE components to phone home then I tried Comodo and got all sorts of issues and then I gave up on this idea of two-way firewall because anyway, once something is inside, it is a bit late. I liked the idea to be warned about it though but at some point I felt it just wasn’t that good at that either and I focused on preventing issues in the first place and giving up on trying to prevent MS from doing what they want.
It is like a lot of inspections engine I initially turned on on my professional firewall that ended up creating issues with VoIp, slowing down total output, blocking lots of badly written software we have to use because that is what the freight company uses for example…
You remind me of that ideal I had earlier that got crushed by the day to day of my business. I admire your courage and the dedication you put to do what you want and not let yourself be dictated what happens with your computer, but wow, I must say like ch100 that it seems not trivial to go that route and maybe impractical for lots of people. A service that would automate all this would surely be a great thing to many but as I experienced myself in business with some blacklists, it can be very bad when that billion dollar company of a client you have have you blacklisted by their third-party filtering for the wrong reason and suddenly you can’t exchange emails for many hours.
Still, you have all my regards for doing all that and continuing to believe it is possible to do what you want and making it happen.
Livin’ the dream, baby! 🙂
Alex, you mentioned a professional firewall… Check out the Sphinx Firewall Control product some time. Fully name-based management with the product itself resolving the names into addresses in an ongoing way. Virtually all other firewalls work on addresses, and with today’s CDNs and server banks it becomes unmanageable in a hurry. Sphinx yields an almost “set it and forget it” operation. I haven’t fooled with my firewall config at all on any of my systems literally in 3 weeks, and the firewall is doing its job.
And for what it’s worth, beyond a little setup my DNS-based blacklisting strategy is almost “set it and forget it” as well. I couldn’t believe how well-aligned my goals and those of the list maintainers are. I’ve only ever had to whitelist a tiny number of sites (e.g., 6) that were inappropriately blacklisted over all the years I’ve used this strategy.
I do understand that setting this stuff up seems very geeky, but I suspect there are a lot of folks who are actually capable and the benefits are not insignificant.
-Noel
This is a great article!
@Noel: Great info and reply. That is a saver for sure.
The use of the link analyses and monitored calls for the study was well constructed and planned, including the IRB review for making the pretextual calls. All it all, a great investigation into the dirty underbelly of the web. I will be forwarding the PDF report to former colleagues. I have known a number of folks who have been called by “Microsoft Technical Support” about a “problem with their computer.” Fortunately, even though neophytes, they did not fall for it.
Rule of thumb if you unwittingly answer an unsolicited phone scams of any type is to feign interest, but ignorance and try to get a call back number. If the caller is unwilling to supply contact info, it is a scam or dicey charity no matter how sincere they sound. If it is the IRS caller scam always ask if you can call them back. I do find they are almost always trackable on caller ID.
However, the best tactic is to ALWAYS screen calls. Most robo-calls will disconnect after 3 rings if you do not pick up.
Only once have I gotten a virus pop-up as described. It was allegedly from McAfee. It looked pretty authentic, but at that time I had a McAfee subscription and that was being silent, so I knew it was bogus.
Rule of thumb if you unwittingly answer an unsolicited phone scams of any type is to feign interest, but ignorance and try to get a call back number.
That may be a palatable way for many folks to dodge the scam, but a more direct way that works with unwanted phone calls is to just hang up. You really don’t owe the people on the line anything.
-Noel
A good LOUD whistle works wonders too!
I am curious. How do these things work? A person just using a browser and suddenly a window pops up with all that scary misinformation.
One way it could happen – I’m not saying the only or even most prevalent way – is that they’re using a browser with the ability to run ActiveX and/or have unrestricted scripting, have not reconfigured it to limit the operation of same, are not blocking ads, and the scamware/malware is delivered through adware running in an iFrame.
People don’t expect ad content to take over their systems, but there are always new ways to “bust out” of what should be a restrictive, protective iFrame on a web page. Do you know of any pop-up blocker that’s ever been 100% effective? Malware authors are continually trying to find new ways to take over, and maintaining a successful balancing act between providing browser features that deliver acceptably active web content and that don’t deliver maliciously active web content is no small feat.
I imagine another way could be that a legitimate site simply gets hacked – i.e., an attacker gains access to the administrative interface of someone’s website and replaces or augments their content with scamware. Not everyone chooses hard-to-guess passwords.
-Noel
? says:
thank you posters!
I used to have a land line…
one day I got a fake antivirus pop up, so I froze it. I think it came through the page on Flash. I back traced the ns and it was hosted on ICG in Nevada. They took It down for me while I was on the phone with them…
keep looking up!
Most businesses now provide an online presence where visitors can browse their products and services. Many of them trust a service to setup and manage their site. They are aware of exploits in ads, but it appears that not too many realize that their content can also be exploited.
As an example, my sister-in-law has reserved a camper trailer online from a local business several times and recently she went online to select a unit for a road trip. She clicked on an image for more details and the browser was immediately locked with the scammer’s pop-up … a full page scare message and in large print was that telephone number to call. Fortunately she called me and not the number. She thought her laptop was toast and she was very shaken.
The web sysadmin. was not aware that some of the images on the camper website had embedded malware. He did scrub the site and issue an apology. My sister-in-law took her business elsewhere as she lost trust in them and she was still angry about it. The businessman’s reputation had been dinged and it cost him a long time customer. He was a victim too. It should be understood that these scams cause a lot of collateral damage. It is not just about the extortion.
There are ways to protect a web site. I use Wordfence. Wordfence is a free app that is a kind of protection suite. There is version that has a cost with a much broader set of functions. Not trying to promote anything, but I have a website and it was recently tagged, and the installation of Wordfence was my response. I get weekly reports that show an unbelievable number of attacks.
CT
Another pretty straightforward way to protect a web site is to keep a well-protected copy of all the files locally, and use a good comparison tool (something like Beyond Compare, that knows how to do sftp) to occasionally check and ensure that what you have in the files locally is EXACTLY what you have on the site.
Beyond the above, a professional organization should keep their web site contents under strict control and be using a version management system to ensure they know what’s changed, by whom, and why.
And of course: Backups, backups, and more backups!
-Noel
Some great thoughts shared ……. some already I’ve known about, and others new to me! But thought it worth mentioning scams/phishing methods used in emails. Something I’ve done for a long, long time now is to NOT have the PREVIEW pane open. This way I can glance at the list of new mails and if I don’t recognise the sender I can then view the mail through SOURCE or PROPERTIES and read the message and see who the sender is. If in the negative I can then BLACKLIST them, and then completely delete them on my computer and also delete the copy on the server. That way I am NOT opening the email (which some scammers use to identify that the email is active/live) nor am I putting my machine/myself at risk of allowing malware/viruses to download/install. I know there are programmes to also prevent this………. and I do have Norton Security watching my back, but this is also another layer of protection. Also when sending to multiple recipients I will always use BCC thus hopefully limiting the ever growing list of email addresses that are harvested. I try to share this with others on line…………. hopefully to save them from alot of angst, frustration, time and money. Just my 2 bits! LT
I stayed up all night to see where the sun went. Then it dawned on me.
In my Yahoo Web Mail account, I don’t care who knows that I have opened their emails, because this is not where I do my financial and sensitive work. But in Fastmail, I do want to know where the email actually traces from, and I use every available technique toward this end. For some unknown reason, it does make a difference that I pay for my Yahoo Account. I get most of the really nasty spam messages in my Spam Folder, where they never, ever get opened unless they are definitely misclassified and are from known senders with all the details in their proper place.
Expanding the header before opening a message is good protection, once you learn how to read some of the details. It just isn’t practical when screening more than about twenty new messages. Or when using an email client, as I often do. Once the client downloads a message with a beacon, it is already known by the sender that it was received.
-- rc primak
Understand what you’re saying @rc primak….. I pop my mail and view it on my computer, so guess the majority of spam is kept away from me in either gmail/yahoo’s spam filter…. but the occasional one is missed now and again…….. but also have found that my isp provider’s email seems to let more through and that’s one that I try and keep ‘private’ by not using it on line. My main object of viewing emails without the preview pane is basically to stop any ‘surprises’ that may eventuate. It really doesn’t take too much time….. scanning the names…..they are people/groups I know….. and the culprits are usually company names……… like yesterday I had one from Whatsap ….. I knew it was a scam/spam ….. I don’t have an account with them! Fedex is another….. But whatever I’m doing whether it be by blacklisting them/deleting them on the server I don’t appear to have those particular ones revisiting. Thank you for telling us your side of things/thoughts………. everything helps us in these challenging times! LT
I always left the preview pane in Thunderbird but I don’t show images from emails I am not sure and deactivates all add-ons, which i find was a very weird decision to add in the first place in Thunderbird and fortunately after a while they made a switch to deactivate them all. I liked thst Thunderbird wasn’t a browser and was less capable than a browser, for security reasons.
If you don’t show images (the default setting) and deactivates plugins, lots if not all of the tracking is off.
I teach users to hover their mouse over links to see if the address linked that appears in the status bar at the bottom below matches what they see and if it makes sense. We received a few very well-made scams over the years and we even got a call of the president very targeted phone scam where they knew the important people at our place by name and they faked emails from the president while calling us and interactively adjusting communication accordingly in real time (those guys are very good) but the users have always been quite good and when they are not sure they asks us. Never had an issue.
Maybe it is not good enough to do just that and I should disallow preview pane, but I am not sure it is worth it in terms of risks vs functionality. In my experience, asking people to look at sources has never been very successful when I tried to have them do it for other issues. Any sysadmin has an opinion? Of course, it is great if you find your method simple and you are comfortable with it.
Found your ‘take’ on all this v. interesting, @AlexEiffel….. it’s one thing I guess working things out for yourself, but to have to organise it in an easy way for others is no mean task! Yes I agree blocking images would be a good thing, but unfortunately I dabble in graphics so that’s sort of necessary………. although Norton is there in the background ready to pounce (I hope – usually does) Of course without the preview pane open one can see the whole list rather than piecemeal so that to me is a ‘selling’ point! And of course breaking one’s older habits is not an easy task is it….. LT
I used to think I was indecisive, but now I’m not so sure.
ps…. although I correctly spelt your name………. it appeared that WP didn’t like a capital letter in an @ word (for want of a better description) so I went into edit this and found what I had written was correct! LT
This is the 3rd time I’ve tried to write something. Just wanted to say @AlexEiffel I found your input on all this so interesting….. and of course it’s easy for someone to organise and change things for oneself……….. but to have to do it for others is no mean task! Yes blocking graphics would be a good thing…….. for me however, I dabble in graphics and it’s sort of necessary! When not having the preview pane checked to be open one can see a longer list …….. so that to me is a selling point. Of course after checking that the mail is ok…… and one clicks on it, the preview pane would then open! (maybe I’m stating the obvious here…… ) But of course changing previous habits is a big ask………… specially of others! LT
I thought I was indecisive, but now I’m not so sure!
An excellent read:
“You took so much time to joke me”—two hours trolling a Windows support scammer
The critical comments below the “Can You Hear Me” scam article make a lot of sense, at least in the UK – I can’t speak for the US.
Nonetheless, it’s never advisable to engage in an unsolicited phone call from a complete stranger, regardless of the circumstances. Just hang up and avoid the telephone equivalent of opening an unexpected email attachment!
“Verbal Contracts” are not legally binding in Illinois and many other US States. But it does vary by State.
-- rc primak
Witnessed or recorded “oral contracts” are enforceable in US courts, likely if there is no element of fraud/scam. There are some exceptions to such oral contracts,
http://blogs.findlaw.com/law_and_life/2011/10/are-oral-contracts-enforceable.html
Yes, the ‘Can You Hear Me?’ Scam is an urban myth even in the US:
http://www.snopes.com/can-you-hear-me-scam
The Welsh company who dragged it across the pond is trying to sell its $100 call-blocking devices by means of a press release about this “scam”:
https://www.cprcallblocker.com/blogs/news
There are certainly common robocalls which start with “Can you hear me?” to give the impression that you’re listening to a live human, but no one has been able to provide a single instance of a fraud victim where the “Yes” answer was recorded.
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
