Blue screen of death with a support number? Beware the malware scam

Tech support scam tricks users into installing malware with fake blue screen of death.

David Bisson
@DMBisson

A new tech support scam displays a fake blue screen of death (BSoD) in an effort to trick users into installing malware on their Windows computers.

The threat, which Microsoft calls SupportScam:MSIL/Hicurdismos.A, builds off a long lineage of tech support scams. Some of those ruses have even mimicked other Windows features, including the update process, to try to trick users into purchasing unnecessary software.

In this particular case, Hicurdismos masquerades as Microsoft Security Essentials, the anti-malware product that came pre-installed on all machines with Windows 7 and earlier.

Can you tell the difference? The real Microsoft Security Essentials installer is on the left. The malicious Hicurdismos installer is on the right. (Source: Microsoft TechNet)

Machines running Windows 8 and 10 now come with the Windows Defender product automatically installed. But that doesn’t mean scammers can’t try to trick unsuspecting users into thinking their computers aren’t protected.

The installer for Hicurdismos arrives via a drive-by download attack and contains an executable called setup.exe. Microsoft’s SmartScreen Filter tries to warn users to not run the executable because it’s not verified, but they could simply choose to ignore those alerts.

There’s something interesting about the malicious file, as Francis Tan Seng and Alden Pornasdoro of Microsoft’s Malware Protection Center explain:

“The file setup.exe is a SmartInstaller package, which contains a malicious file that pretends to be Microsoft Security Essentials. Unlike the installer, the malicious file has the same file property information as the legitimate Microsoft Security Essentials executable”

Hicurdismos has the same details as Microsoft Security Essentials. (Source: Microsoft TechNet)

Once the malicious file executes, it creates a fake BSoD experience by hiding the cursor and disabling Task Manager, both of which create the impression that the system is not responding.

It also displays a modified BSoD that comes with the following scammy punchline:

“If you would like to resolve the issue over the phone you can call our support at 1-800-418-4202.”

Genuine Blue Screens of Death do not contain any such sentence.

As of this writing, no one on the other end of the scam’s phone number could be reached. It’s safe to assume, however, that the scammers would try to trick users into downloading malware onto their machines that would grant the fraudsters remote control, access which they can abuse at a later point in time to install additional malware.

To protect against this tech support scam, it’s important that users know a few things:

  1. Microsoft will NEVER provide a phone number on a BSoD screen. Instead it will give an error code and recovery instructions. That’s it.
  2. Systems with either Windows 8 or Windows 10 installed are already protected by Windows Defender. That means there’s no reason for users to download Microsoft Security Essentials onto their machines.
  3. Every program produced by Microsoft (including Microsoft Security Essentials) is signed by a Microsoft certificate. Any program that claims to originate from Microsoft but isn’t signed is a fake.
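The third point can be checked directly, because file properties such as company and product name are free text that anyone can copy, while a valid Authenticode signature cannot be copied along with them. The following PowerShell is an added example, not code from the article or from Microsoft; the function name Test-MicrosoftClaim and the match on "O=Microsoft Corporation" in the signer subject are assumptions made for illustration.

```powershell
# Added example: flag files whose version info claims Microsoft
# but whose Authenticode signature does not back that claim up.
function Test-MicrosoftClaim {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $file = Get-Item -LiteralPath $Path -ErrorAction Stop
        $info = $file.VersionInfo          # copyable metadata (what Explorer shows)
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

        # What the file says about itself.
        $claimsMicrosoft = ($info.CompanyName -match 'Microsoft') -or
                           ($info.ProductName -match 'Microsoft')

        # What the signature proves. 'Valid' means the hash matches and the
        # certificate chains to a trusted root. The subject match is an
        # assumption of this example, not an official Microsoft check.
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                             ($signer -match 'O=Microsoft Corporation')

        $verdict = if ($claimsMicrosoft -and -not $signedByMicrosoft) {
            'SUSPICIOUS: claims Microsoft, signature does not confirm it'
        } elseif ($signedByMicrosoft) {
            'Signed by Microsoft'
        } else {
            'Makes no Microsoft claim'
        }

        [pscustomobject]@{
            File        = $file.Name
            CompanyName = $info.CompanyName
            ProductName = $info.ProductName
            SigStatus   = $sig.Status
            Signer      = $signer
            Verdict     = $verdict
        }
    }
}

# Check every executable in the current user's Downloads folder.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe |
    Test-MicrosoftClaim |
    Format-List
```

A file like the one described above would show Microsoft in CompanyName and ProductName while SigStatus reads NotSigned, which is the mismatch the check reports.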

Anyone who’s fallen victim to a tech support scam should change their passwords, reverse any credit card charges placed to the fraudsters, and patch their systems for vulnerabilities.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

10 comments on “Blue screen of death with a support number? Beware the malware scam”

  1. keith

    You explain all this, but am I missing something, like how to stop this happening? I run Windows 10 and I get this screen at least 3 times a day. I just let it run its course and do nothing, and my laptop restarts and all's well until the next time, etc. etc. etc.

    1. Corey · in reply to keith

      Do you have any anti-virus software? It sounds like time to run a scan.

      1. keith · in reply to Corey

        I've run Windows Defender many times but to no avail. It usually happens when I stop using my laptop for a while but not switching it off, and when I return and log back on after about 5 mins, up it pops.

    2. Melissa · in reply to keith

      This is criminal activity and yes, they are trying to put malware on computers. It gets nasty when you click the link or call the number and you do what the criminals tell you to do. If you turn your computer off and do nothing, generally you are OK. There is no way to stop it from happening.

    3. ron · in reply to keith

      Well, that depends on whether you see such a fake MS "support" number or just an error code at the bottom of that BSoD. Follow the article's advice for the former or look for suggestions on the error code for the latter.

  2. kim

    Funny. I read this yesterday, and just a few seconds ago I encountered the screen with a 1-800 number at the bottom (with something like 'Kernel Security' following the number). This happened when I turned on Facebook.

  3. Connie

    Had this happen to me. Fell for it once–called the number and the "tech" said they'd help for $200!!! I told him never mind–ran Windows Defender-it cleared up!

  4. Melissa

    This is criminal activity and yes, they are trying to put malware on computers. It gets nasty when you click the link or call the number and you do what the criminals tell you to do. If you turn your computer off and do nothing, generally you are OK. There is no way to stop it from happening. Hopefully in the future there will be; unfortunately it is probably coming from some overseas idiot who is doing this for the pure hell of it.

  5. Ben

    My relative got taken for $250 from this scam.

  6. Julian

    I find it interesting to have Microsoft offering products to fight those "Fakes-Alerts". Folks, we live in an era that all liars are out to get your money (and Microsoft isn't excluded).

    This is nothing more than a sales pitch.
