Posted by David Harley on November 6, 2015.
Threat Intelligence Service Talos, which describes itself as ‘the primary member of the Cisco’s Collective Security Intelligence (CSI) ecosystem’, has turned its attention to tech support scams in a blog called Reverse Social Engineering Tech Support Scammers, by Jaime Filson and Dave Liebenberg. (As an aside, it’s not unknown for support scammers to claim to be representing Cisco, though Microsoft is often still their fake affiliation of choice.)
In this instance, Talos followed up on a fake ‘Safari SYSTEM WARNING’ by calling the number given in the fake alert as ‘emergency Apple Support’. Amusingly, in a sour sort of way, the fake alert claims to have spotted 35 ‘infections’, including multiple fake AV downloads.
Unfortunately, the Talos analyst used a Toshiba rather than a MacBook: it would have been interesting to see how the scammer proceeded in the course of the phone call had the caller been a Mac user, as there is no shortage of Windows-oriented video and audio recordings of the scammers at work. Still, you may find some of the tricks used in this case of interest.
The ‘victim’ was directed to a TinyURL-shortened URL to download TeamViewer, a legitimate remote access application. I’m pleased to note that TeamViewer apparently advises people who download it that they may have been targeted for a scam, but in this case the scammer told Talos to ignore it. Note that some security programs and browsers will also flag sites and apps like TeamViewer and Ammyy as ‘potentially unsafe’, meaning that they’re legitimate but could be misused by scammers or other criminals.
Having connected to the Talos machine, the scammer ran netstat and claimed that IP addresses listed in its output belonged to remote hackers. (Pot, kettle…) She also ran a recursive directory listing – presumably betting on the fact that an awful lot of today’s computer users have never seen an MS-DOS DIR listing – and typed in the words ‘Trojan Virus’ at the command prompt in order to ‘prove’ that she’d found an infection, and directed Talos to a Wikipedia definition of ‘trojan’ to demonstrate how much trouble her victim was(n’t!) in.
None of this is new to me, but it’s very typical, and if you’re not conversant with the details of the scam, you’ll certainly get a flavour of how it’s carried out from the Talos article, audio, and video. I’ve written in some detail about other ploys used in this sort of scam to convince the victim that their machine is infected. For example:
Interestingly, the scammers were prepared to accept a cheque when Talos claimed that was the only way in which they could pay, and proceeded to make changes to the system. ‘Kelly’ even rang back next day to check payment details and offer a computer warranty.
The Talos article goes on to give details of the company concerned, some registered sites, and details of individuals apparently associated with the scam in this instance. All in all, a useful addition to the corpus of tech support scam information, and I’ve already added a link to the AVIEN tech support page.