Fraudsters impersonate victims’ ISPs in new tech support scam

Suspicious ads help provide the scammers with all the info they need.

David bisson
David Bisson

Fraudsters impersonate victims' ISPs in new tech support scam

Tech support scams have been around for quite some time. As a result, it’s no surprise these these ruses are growing in number and sophistication.

A tech support scam used to only consist of unknown fraudsters messing around with fake anti-virus alerts, or cold-calling potential victims pretending to be Microsoft and offering to help with a virus infection.

Not anymore.

Sign up to our free newsletter.
Security news, advice, and tips.

Resellers of legitimate computer security software have been getting caught up in the scamming game. Not only that, but some scams are leveraging advanced techniques like computer lock screens to trick unsuspecting users.

Key 768x429

It would now appear scammers have added yet another tactic to get what they want: impersonating a victim’s Internet Service Provider (ISP).

This new tech support scam begins with a pop-up message that interrupts a user’s browsing session. The message appears to come from the victim’s ISP, with Malwarebytes having detected several messages that claimed to originate from several popular U.S., Canadian, and UK Internet Service Providers including AT&T, ComCast, and TalkTalk.

ISP tech support scam

The scam informs the user that their ISP has “detected malware” on their machine and recommends they call a fake customer support number. It is at that stage that a “representative” tricks the user into giving them remote access to their computer and/or paying hundreds of dollars for fake technical support.

Jérôme Segura, a senior malware intelligence analyst at Malwarebytes who has seen other tech support scammers impersonate victims’ ISPs, feels this latest ruse represents the next phase in tech support scams.

As he told the BBC:

“It caught me by surprise and I almost thought that it was real. It was a page from my ISP telling me my computer was infected. It was only when I looked in closer detail that I saw it was a scam. Cold calls are very wasteful and after years of being told, people are starting to realise it is a scam so the scammers have to find new ways to make it personalised and legitimate. It is more cost-effective and efficient than cold-calling.”

But just how are scammers finding out a victim’s ISP?

That’s the ingenious part. Using an advert with a single malicious pixel, fraudsters are infecting users who visit legitimate websites with malware. That malware, in turn, redirects the user to a website that looks up their IP address, information which they use to determine their ISP.

Users should always be cautious of unexpected pop-up messages in their browsers. They should also be wary of unsolicited calls and emails offering to fix their computers.

Regardless of who claims to be on the other end of those pieces of correspondence, users should never give out their account numbers. They should always contact a company directly if they are looking for technical support.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

4 comments on “Fraudsters impersonate victims’ ISPs in new tech support scam”

  1. NickD

    Isn't your IP address information available to the owner of a webpage or advert you are viewing even when there is no infection with malware on your computer? This can then be used to lookup your ISP and serve a tailored pop-up.

  2. Elliot Alderson

    if you call the phone listed in any of these Scampaigns, it's always some useless know nothing from india. they're fun to mess with. plus just block their numbers when they try to call back.

    just kill the process or program, reboot and it's gone. these are notorious typo-link-squatters that think they're smart, but they're not. i put them away as fast as they reproduce. usually we have their game with in a few hours of their startup. and they're gone that fast.

    besides, your ISP and any OEM of any electronic device you use personally or professionally don't care if you get infected and their not going to waste valuable resources to call you and point this out. come on people think.

  3. EricM

    Yep, I got a pop up from Cox Communications at home.

  4. drsolly

    "Using an advert with a single malicious pixel"

    I can't help wondering what coour that malicious pixel is.

    But seriously – this is why I run an ad blocker, and will continue to do so until advertisers sort out the problem of malvertising.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.