Jérôme Segura, a senior security researcher for Malwarebytes, explains in a blog post how he came across a fake alert window bearing the following message:
“System Critically Infected. If you are not able to click on this button, Immediately contact Support toll Free Helpline 1-855-637-1900.”
Coupled with some ominous audio warnings from a robotic female narrator, the alert message would be enough to scare many ordinary users into calling the helpline.
So that’s exactly what Segura did. Upon connecting to the support number, he was directed to fastsupport.com, where he was required to grant a technician remote access so that they could perform a diagnostic of his computer.
Segura explained what was happening:
“This process is a core part of the scam because it allows crooks to tighten their hold on potential victims. With remote access, scammers can literally do whatever they want on the user’s machine including stealing documents to installing (real) malware.”
On this particular call, the technician did neither. Instead he used Windows EventViewer to make the case that Segura’s computer had been infected with viruses. To support his case, he opened up TaskManager and pointed out “csrss.exe,” a core Windows registry scanner whose name attackers sometimes use to conceal their malicious programs. The technician did not bother to verify whether the process was legitimate.
After a five-minute diagnostic, the technician offered two different support plans that both involved installing Norton Antivirus. The cheapest of these options totaled $199.99. (As a frame of reference, users can normally order one year of Norton Security Premium, which protects up to 10 devices, for $89.99.)
But the researcher was already one step ahead of the technician. After investigating the tech support scam’s website, Segura found the name of an employee who was also employed at Silurian Tech Support (a fact confirmed through a LinkedIn search), reports Doug Olenick of SC Magazine.
The fake website also contained a number of Silurian documents, including a letter formalizing the company’s reseller partnership with Symantec:
Segura reported his discovery to Symantec. A spokesman for the security giant has since released a statement on the matter.
“While we can’t say conclusively who was behind this particular scam, we can confirm that this particular site has been taken down and that we are also in the process of terminating our partner agreement with Silurian. After identifying any abuse of the Norton or Symantec brand, we pursue our rights and defend our intellectual property, and where necessary will work with law enforcement.”
As this case clearly illustrates, tech support scammers are scums of the earth that prey upon unsuspecting users and extort massive amounts of money from them in exchange (perhaps) for anti-virus software that they could purchase at a fraction of the cost.
Fortunately, we can help in the fight against these scams.
If you come across a fake anti-virus alert, collect screenshots, audio, and whatever other data you can document about the messages, and then post those files on the affected anti-virus firm’s forum. Those companies will take no greater pleasure than in shutting down someone exploiting their potential customers.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.