Posted by David Harley on November 24, 2016.
Every so often I get requests for help from people with a computer problem that may or may not be malware-related. Usually I’m unable to help directly because they don’t give me enough information to identify the problem accurately, and I’m not in a position to offer worldwide one-to-one help in person, and anyway my helpdesk/support engineer days are long behind me. I don’t have that range of expertise any more.
When I have to refuse help, I try to refer the people concerned to a more appropriate person or forum, and to suggest they do what they can to ensure that the advice is from a reputable and competent source. I’m more cautious about recommending specific resources, even well-known commercial organizations, unless I’m in a position to confirm their competence and bona fides.
Sadly, this reluctance has been reinforced by accusations against Office Depot, which is alleged to have tricked customers into paying for unnecessary repairs to their systems. According to SC Magazine, former technician employee Shane Barnett claims that:
‘When computers were brought to Office Depot, staff were required to run ‘PC Health Check’, a diagnostics scan which showed malware infections nearly every time.’
According to Bleeping Computer:
‘KIRO 7 reporters tested the whistleblower’s claims by taking six out-of-the-box computers to Office Depot centers in both Washington and Oregon. Office Depot employees diagnosed four of the six laptops with a malware infection and offered the reporter to fix it for an extra charge.’
As it happens, I remember back in the 90s checking two out-the-box laptops that arrived in my office and discovering that both were infected with the Michelangelo boot sector virus, so I’m not about to assume that brand-new systems could not have been compromised by malware further back along the supply chain. However, the reporters had the KIRO 7 machines checked by security company IOActive, who were unable to find the merest sniff of malicious code.
Barnett claims that when running the software, sales people were required to ask the customer if they’d experienced ‘strange popups, slow operating speeds, virus warnings and random shutdowns.’ Well, popups and virus warnings could certainly signify a malcode problem, though they’re not necessarily conclusive evidence. While below-par performance and random shutdowns can sometimes be associated with certain malicious programs, they may also arise from entirely different causes. However, Bleeping Computer asserts that:
Barnett said that if the user answers positively to any of the questions, the scan would show a positive result.
That, says an IT specialist at IOActive, is because the sales person is prompted to check a box within the program in that event, and if any one or more boxes are checked, the presence of malware is flagged.
This has been likened by several commentators to the classic tech support scam. It’s possible that the software is simply ‘over-sensitive’, assuming that those four symptoms are conclusive proof of the presence of malware. Frankly, I suspect that a lot of technicians who aren’t necessarily security experts might jump to the same conclusion. I don’t think that necessarily indicates deliberate deception, but it doesn’t indicate competence, either. Hence my caution when it comes to making specific recommendations. However, it turns out that the software was developed by support.com. According to Graham Cluley’s post for the Hot for Security blog, that’s the company which:
‘…was ordered, with partner AOL, to pay US $8.5 million in 2013 after being accused of using free malware scans to trick consumers into believing their PCs were infected.’
Which is disturbing. And, if the description of how the scans were used is accurate, far too close for comfort to the way that tech support scams work.
I think there’s a question mark here, though. While the questions posed by Office Depot and the PC Health Check service don’t constitute proof positive of the existence of malware, they do suggest the possibility of malware. Apart from that, they suggest some sort of problem with the system being checked. Did the reporters answer yes to any of those questions? If not, what reasons did they give for asking for the machines in question to be checked? What was the wording of the alert/warning?
You don’t have to be faced with a problem with your system before you give it some sort of health check, but I suspect that most people only take their systems out for a check if they do have a problem. If one of those check boxes also gets ticked, it’s not unreasonable for the software, or salesman, to think that there’s a possible problem, even if assuming a ‘virus’ is not a conclusion I’d leap to personally. (I’d need a lot of persuading to pay $180 for a solution, too.)
Perhaps this isn’t quite the same as a support scam. There’s a significant difference between old-school tech support scams and the newer model. The classic old-school approach – still happening! – is to ring people more or less at random and claim to be ringing about a problem the owner doesn’t know about, but the scammer somehow (magically) does. Many reports I see nowadays are designed to lure the victim into ringing a fake helpline to get help with an issue the scammers have actually engineered by generating fake alerts.
Sometimes, however, a victim has a problem and goes looking for a solution, but finishes up at a call centre where he gets bad advice, based on deceptive ‘diagnostic information’, and a big bill. In the latter case, the scammer might argue that the victim is getting a solution to a genuine problem, just as Office Depot might be able to claim. However, if that solution is based on the same snake oil that the old-school scammers use to ‘prove’ that a system is compromised (misrepresentation of CLSID, EventViewer and ASSOC output, and so on), that defence falls apart.
Hopefully, Office Depot isn’t using deliberate deception to extort money for fake services, though some of the claims made have suggested that it could be. If it isn’t, but its own investigation of the software and the way in which it’s used indicates bad/incompetent practice, I hope it will amend its practices accordingly, as good ethics would demand.