Tech support scams persist with increasingly crafty techniques


Millions of users continue to encounter technical support scams. Data from Windows Defender SmartScreen (which is used by both Microsoft Edge and Internet Explorer to block malicious sites) and Windows Defender Antivirus show that some three million users are subjected to these threats every month.

In addition to being rampant, technical support scams continue to evolve, employing more and more complex social engineering tactics that can increase panic and create a false sense of legitimacy or urgency in an effort to get more victims.

Given the sheer volume of tech support scams and the pace at which they evolve, here at Microsoft we take a holistic approach to this problem. We monitor the threat landscape for patterns and variations in threat behavior. Using intelligence from sensors, we employ machine learning models to deliver cloud-based protection against the latest tech support scams, whether they take the form of web pages with malicious scripts or Trojans that run on computers.

In 2016, the threat of support scam was most felt in the United States, which saw 58% of encounters. United Kingdom, Canada, and Australia follow, with 13%, 11%, and 8% of encounters, respectively. Notably, significant encounters were also registered in France and Spain, where we saw localized technical support scam attacks.

tech-support-scam-countries

Figure 1. Top counties that saw the most number of tech support scam encounters in 2016

(Note: This blog post is the third in the 2016 threat landscape review series. It follows the review of exploit kits and ransomware. The series looks at how major areas in the threat landscape transformed over the past year.)

The evolution of technical support scam malware

Technical support scams are built on the deception that your computer is somehow broken, and you need to contact technical support to fix it. You may then be asked to pay for support. In some cases, the tech support agent may ask you to install other software or malware disguised as support tools on your computer, bringing in more threats that can cause even more damage.

You may come across these threats while browsing dubious websites, most notably those that host illegal copies of media and software, crack applications, or malware. Links or ads on these sites may lead you to tech support scam websites, which display pages that are designed to look like error messages and serve pop-up messages indicating fictitious errors. Some tech support scam threats take the form of executable programs like other malware.

Although tech support scams have been around for many years, in 2016 we saw the threat evolve by  integrating more scare tactics. At the beginning of the year, the landscape was dominated by threat families with simple techniques and social engineering lures. However, more evolved threat families have since taken over.

tech-support-scam-malware-families

Figure 2. Top support scam families based on encounters in 2016

FakeCall and FakeBSOD: The early types that used one pop-up window and simple messages

Tech support scams are known for their use of pop-up windows to advance their pretense. While most of the scams today abuse pop-up windows to the point of locking the browser, the earlier types relied on just pop-up windows and effective social engineering lures.

FakeCall is a family of malicious scripts hosted in tech support scam sites. It may use messages about virus infection or suspicious activities on your computer. The first sign you have been led to a FakeCall tech support scam site is a pop-up message that tries to create an impression that it’s a system pop-up and usually describes a fake problem and contains instruction to contact fake technical support.

tech-support-scam-fakecall-pop-up

Figure 3. A sample pop-up message from FakeCall

If you click OK, the website loads a page giving more details about the supposed problem, and more instructions to call the technical support number. It may spoof security products and list malware that have purportedly been found on your computer. The goal is to convince you to call the support number.

tech-support-scam-fakecall-webpage

Figure 4. Sample FakeCall support scam website, which asks potential victims to call 8554003930

On the other hand, FakeBSOD is a very similar threat but instead pretends to be a system error, like Blue Screen of Death (BSOD), where it got its name.

tech-support-scam-fakebsod

Figure 5. Sample FakeBSOD site that pretends to look like system errors, such as BSOD, and asks to call 18443307888

FakeBSOD sites usually force the browser to go on full-screen mode to simulate the BSOD experience. Just like FakeCall, it also has a pop-up message detailing the fake problem and a number to call fake technical support.

Both FakeCall and FakeBSOD heavily rely on social engineering lures to get you to take action, and don’t have much in terms of technical complexity. Simply closing the browser will work in most cases.

TechBrolo: Support scam malware on steroids

TechBrolo takes on characteristics of both FakeCall and FakeBSOD, but integrates technical enhancements that not only makes the pretense more believable but can also adversely affect your overall computing experience.

For instance, TechBrolo employs the dialogue loop technique. When you visit the TechBrolo site, you get a pop-up message that won’t go away, no matter how many times you click OK. This method effectively locks your browser; you must manually terminate the process via Task Manager in order to close your browser.

tech-support-scam-techbrolo-1

Figure 6. Sample TechBrolo site with dialogue loop and fake support number 18662190211; some tech support scam sites use other phone numbers like 8774747124, 1846514111, 11800941045, 18448096665, 18882414464, 18442413997, 448000903858, 18447672832, 8008021491, 18442839572, 8000465712, 0345404950, 0345791995, 0345404951, 34932200207, 33186265239, 34932200211, 34932200207, 5541708902, 18442090189, 18442432457, 18886054764

Most variants of TechBrolo also play an audio describing the problem, adding a sense of urgency. For example, one recent variant mimics Windows Defender Antivirus, and when the website loads, it plays an audio with the following message:

“Critical alert from Microsoft. Your computer has alerted us that it is infected with a virus and spyware. This virus is sending your credit card details, Facebook login, and personal emails to hackers remotely. Please call us immediately at the toll-free number listed, so that our support engineers can walk you through the removal process over the phone. If you close this page before calling us, we will be forced to disable your computer to prevent further damage to our network. Error #268D3.”  It is important to note that Windows Defender Antivirus does not act this way.

tech-support-scam-techbrolo

Figure 7. Sample TechBrolo site that spoofs Windows Defender Antivirus, plays an audio message, and uses fake support number 0754059588; some tech support scam sites use other phone numbers like 1800874943, 0481681015, 1800954279, 08000465706, 33186265253, 0186265264, 18772114524, 18448161643, 78481267, 1800875382, 1800958212, 1800958217, 08000465254, 08000465706, 08000465024, 8552061675, 8552490763, 33186265266, 611800941045

Recently, we also spotted a TechBrolo variant that uses website elements to spoof the Microsoft support site and fake the pop-up dialogue box. It does this by loading a page that looks like a browser and then going to full screen. If you are not too paying attention, you might think Microsoft is giving you a warning. Microsoft does not deliver warning messages like this via the browser.

tech-support-scam-escape-from-fullscreen-1

Figure 8. One TechBrolo site uses website elements to achieve a browser in a browser effect and asks target victims to call 18443137003

Non-English support scam websites

Consistent with our findings that some of the countries most affected by tech support scam are non-English speaking countries (see Figure 1), we have seen some localized tech support scam malware.

These sites employ a combination of the techniques discussed in this blog, only presented in non-English websites, images, or pop-up messages.

tech-support-scam-french

Figure 9. French tech support scam website that uses fake support number 0186264266

tech-support-scam-spanish

Figure 10. Spanish tech support scam website that uses fake support number 900839260

tech-support-scam-german

Figure 11. German tech support scam website that uses fake support number 08001838114

tech-support-scam-techbrolo-japanese

Figure 12. Japanese tech support scam website that uses fake support number 0345789419

Cusax, Hicurdismos, and Monitnev: Support scam Trojans

Apart from scripts hosted on websites, we have also seen tech support scam malware in the form of executable files. They may be installed on your computer by other malware or downloaded from drive-by sites.

These malware have the same goal as their script counterparts: to get you to call the technical support number. However, the difference is that their malicious behaviors are not limited to the browser.

For instance, Cusax is a tech support scam malware that makes system changes, including registry modifications that ensure it runs every time your computer starts. It then forces a reboot, further reinforcing the scam that there is a problem with your computer.

As soon as your computer boots, it opens a window that asks for your Windows activation key as well as the technical support number.

tech-support-scam-cusax

Figure 13. Cusax uses the lure that you need to enter your activation key and asks to call the number 18772563313

Hicurdismos, on the other hand, displays an image that looks like the BSOD. However, this fake BSOD screen has instructions to call a technical support number, something that the real error doesn’t have.

In order to further its pretense, Hicurdismos hides the mouse cursor, disables Task Manager, and makes sure the fake BSOD image occupies the entire screen and is always on top of other windows.

tech-support-scam-hicurdismos

Figure 14. The fake BSOD screen displayed by Hicurdismos contains the number 18004184202

More recently, Monitnev was discovered to monitor event logs. It then displays fake error notifications every time an application crashes. This can appear more convincing because the pop-up messages are timed with legitimate computing behavior.

Cusax, Hicurdismos, Monitnev and other tech support scam malware can be more complex than scripts. Because they make system changes, they can inflict more damage and can be trickier to remove. However, we’re seeing significantly fewer of these types of tech support scam threats because they are more difficult to distribute than their script counterparts. Despite that, they pose threats that you need protection from.

Protection against tech support scams

Tech support scams take different forms and are known to take on more characteristics over time. Get the protection against the latest tech support scams by upgrading to Windows 10. The Windows 10 Creators Update brings in additional security features and will start rolling out on April 11, 2017. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigation from Microsoft.

A majority of these threats, like TechBrolo, FakeCall, and FakeBSOD, are scripts hosted on websites where you are led to by malicious ads on dubious sites. To avoid tech support scam websites, use Microsoft Edge. Enable Windows Defender SmartScreen (also used by Internet Explorer) to block known malicious websites, such as tech support scam websites.

tech-support-scam-microsoft-edge-blocked-twitter

Figure 15. Microsoft Smart Screen blocks techs support scam websites

In addition, Microsoft Edge provides a way to close dialogue loops, which are used by support scam sites to keep on delivering pop-ups even after you close them. At the bottom of pop-up dialogue messages, you have an option to tick the checkbox Don’t let this page create more messages, which will stop the recurring messages.

tech-support-scammicrosoft-edge-protection-against-dialogue-loops

Figure 16. Dialogue loop protection for Microsoft Edge

Enable Windows Defender Antivirus to remove tech support scam Trojans, such as Cusax and Hicurdismos. Windows Defender AV uses cloud-based protection, which helps make sure you are protected from the latest threats.

Tech support scams employ varying social engineering techniques to get you to call the support hotline. Do not call the number in pop-up messages. Microsoft’s error and warning messages never include a phone number.

Some scammers can also contact you directly and claim to be from Microsoft. Remember, Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you. Reach out directly to one of our technical support experts at the Microsoft Answer Desk.

For more help, read our page on avoiding technical support scams.

 

Jonathan San Jose, Alden Pornasdoro, Francis Tan Seng
Microsoft Malware Protection Center

 

Note: We have seen the following tech support scam numbers used by scammers. Don’t call or accept calls from these numbers:

0108885568 01183151059 01183151070 01473378290 01473378309 015480144
01732608058 0176340476 0176340480 0176340483 0176340552 0182880192
0182883964 0182883995 0184883714 0184883910 0184884596 0186264782
0186264802 0186265235 0186265236 0186265237 0186265239 0186265241
0186265242 0186265246 0186265247 0186265248 0186265249 0186265264
0186265265 0186265266 0186265282 0186265869 02038088361 02038088451
02038686686 02038688005 0240581022 0261300983 0261891710 0285994333
0345208193 0345404950 0345404951 0345791995 0345889107 0345889131
036684120 036684144 0481681015 0730630999 0755888574 0768889314
0768889315 08000148211 08000329936 08000465024 08000465254 08000465280
08000465281 08000465701 08000465706 08000465710 08000465713 08000465832
08000903219 08000903251 08000903273 08000903274 08000903281 08000903862
08000903877 08000988835 08004655706 0852086011 0858883326 0858883451
0862441200 0975184827 0975184914 0975185435 0975186763 0975186770
0975188223 0977554913 0977558328 098011055 098011068 098011271
098011380 098011387 098877999 098889002 098889037 099849408
1283107912 15612209765 15612209782 1800015972 1800018656 1800018716
18003083006 18003083006 1800619520 18006700515 1800678329 1800682351
1800817695 1800874943 1800875272 1800875382 1800919620 1800922390
1800941024 1800941032 1800953452 1800954264 1800954279 1800954395
1800958212 1800958217 1800958218 1800958219 1800958220 18035673051
18182934517 18182934518 18442042440 18442440719 18442874025 18442877142
18442914319 18443055027 18443133367 18443242964 18443463716 1844347925
18444618945 18444618947 18445454506 18445901084 18446088791 18446138256
18446170614 18446378831 18446668616 18446671499 18446752560 18446999129
18447066632 18447128376 18447183990 18447392013 18447446789 18447922896
18447959598 18448003656 18448016772 18448016772 18448037529 18448118786
18448161625 18448161641 18448161643 18448168120 18448215790 18448282272
18448704033 18448743456 18448839715 18448928934 18552854254 18554098222
18555118200 18555770078 18556873999 18559233274 18559306668 18559769572
18583712909 18662454827 18663507173 18665844453 18772114524 18773910688
18775965246 18776496196 18778051029 18778379791 18882391364 18882629697
18882745369 18883265882 18884021829 18884036846 18884109490 18884413217
18884435007 18884464022 18884471211 18884546370 18885406195 18885596597
18885701451 18885928805 18885947318 18886069374 18886111391 18886148680
18886191685 18886927195 18887014987 18887086744 18887169943 18887271407
18887364980 18887380112 18887430653 18887431129 18887482090 18887916366
18888119594 18888506923 18888508578 18888509581 18888694393 18889782804
23965149 23965150 31582482 31637237 31638048 317770043
33186265235 33186265239 33186265248 33186265249 33186265253 33186265266
33186265290 33186265307 33975185435 34911236077 34911236151 34911236154
34911236155 34911829975 34911829975 34911875508 34911875520 34911875520
3491187558 34911982427 34931816787 3493181686 34931816930 34931816930
34932200211 3493220113 34932201708 34932201725 3493220178 3493220211
34932202413 3493220246 3493220247 349322027 34932202883 34932202883
34932202884 34932204896 34932204965 3494458176 349545128 435084616
44800903840 44800903846 5541708902 5541708974 5584210766 5584210769
7770044 78481267 78793185 78793186 8442715399 8447033412
8447672832 8448261198 8448295569 852503136 8553267020 8556470600
855941708902 8664504099 8775952025 8882804009 8884444791 8884705610
8885002058 8885143660 8885394588 8887113352 8887146522 8887208075
8887250742 8887266050 89873103 89873105 932204963

 

 

 

Comments (15)

  1. Carolyn Britton says:

    I think my Windows 10 account has been hijacked. What do I do?

  2. Dawn Iler says:

    1-844-806-4300
    Is a number that called my home. If called back it is a non working number. please check it for the fake calls. I have had one before. “Paul” from windows who said my pc was sending info that it was infected. It certainly was and I lost that computer. I personally have thought it was you as I had emailed the disability desk the day before the call with a complaint/question. I felt forced to upgrade when I couldn’t afford it nor did I want to. I was forced into a new/used pc and I thought I needed to upgrade even though I was very happy with the OS I was running. But you blocked my internet and email. I did have virus protection running but was hacked. everything was hacked, email, printer all files, Everything. I did find it on my pc and right now I don’t recall what I read in it that kinda confirmed my suspicions of it being Microsoft. I can get you the photos of what I found if you want? If I voiced my thoughts about not wanting to change or purchase a new pc something would go wrong with my pc. Almost immediately. Coincident’s do happen I suppose. And another thing, why don’t spell checker give me the correct spelling of coincident?S If it is misspelled already how am I to know which of your suggestions is right when it gives three or more spellings? The plural option was not offered just now.
    Back to Win 10, I hate it. Switching was the worst mistake in my entire life. I can not hi lite and print the hi lited part, I can’t blow up or shrink things to the size I want. I find 10 to be irritating and prevents me from doing things I used to be able to do. I LOST YEARS & YEARS OF EMAILS! IMPORTANT SAVED EMAILS THAT WERE JUST GONE. POOF GONE. I STILL NEED SOME OF THOSE EMAILS. INFO I CAN’T FIND IS IN THEM…. OK I AM DONE

  3. adwbust says:

    Hey MMPC.

    I think Office 2010 Pro Plus is broken on Win10 Pro 1703.
    I set Word to Autorecover every 10 mins and to keep last autosave when file isnt saved.
    Theres no asd file being saved! There are folders named like the files’ names but theyre empty!
    The files being worked on are on a usb storage.
    I have Officetab free edition 9.51 addin.

    All was well with Win10 version 1607 since there are asd files in Recycle bin; asd files are created and they were moved to Recycle bin after 4 (?) days I think.

  4. adwbust says:

    Pls help MMPC. Pls tell the team responsible that Win10 version 1703 update broke Autorecover of Office 2010 Pro Plus x86. I have Win10 Pro x64.

  5. adwbust says:

    Settings, Acer care center and Edge crash after upgrade from 1607 to 1703.

    1703 broke Autorecover of Office 2010. No Asd files are created.

    On one laptop, WD security center always shows 0 files scanned.

    Health report doesnt work on one laptop and sometimes works on another.

    Onedrive pops up when you go to Word 2010 > File > Recents > Recover unsaved.

    File explorer icon pinned in taskbar looks active when you get Low battey pop up (< 10%). Left clicking icon wont open file explorer.

    Bluetooth on one laptop doesnt work since 1607. Probably drivers. But no new drivers available.

    After upgrade to 1703, wallpaper changed to default!

    Check box for "Send info to MS on how I type and write" removed in 1703. Full diagnostic should have tree view so we can uncheck items like typing/writing! MS did this so we have no full choice and control over what's sent!

    But of course 1703 brought positives too. Windows store check for updates, download updates and install updates are more faster and smoother. Same with Windows updates. Perhaps since not much on 1703 yet?

    Please relay to team(s) responsible.

  6. adwbust says:

    WD security center lacks Quarantine, Allowed and Detection present in WD on 1607!

    Will WD on 1703 have ATP for Win10 Home/Pro and PUA detections?

  7. adwbust says:

    I’m disappointed you just remotely turned off MSE (non-functional) on Vista on April 12. You couldve have just continued providing engine/signature updates until support for version 4 branch is discontinued.

    Oh well, I just switched to another AV. Life continues.

  8. adwbust says:

    Let apps run in background enabled. WD security center enabled. Why isnt WD updating on its own when wifi is set as metered then? Background apps keep themselves up to date right?

    April 12 Patch day for Win10 version 1703 still didnt fix broken Autorecover of Office 2010 (tested Word)! Word doesnt create Asd files as intented! Set it to autorecover every 1 min but no Asd files!

    1. msft-mmpc says:

      @adwbust — Thank you so much for providing valuable feedback. We have forwarded your concerns to the right channels.

      For future feedback about any Microsoft product or service, please consider using the Feedback Hub.

      https://www.microsoft.com/en-us/store/p/feedback-hub/9nblggh4r32n

      Using the hub helps ensure that your concerns are forwarded to the correct teams and are tracked properly.

      1. adwbust says:

        Thank you! If I log in on Feedback hub using my MS account, will I be auto logged in to (1) Settings > Accounts and (2) Windows apps on PC? I will report on Feedback hub if log in will only work in-app not OS-wide. I dont want stuff on PC synced to my account and vice-versa.

        I tried on Office 2016 and Word still creates Asd files. Probably an Office 2010 only issue or caused by Office tabs free 9.51 addin, a recent Office 2010 patch or Win10 version 1703 upgrade. Last auto-deleted Asd file in Recycle bin was from March.

        WD security center lacks Scheduled scans, Quarantine, Allowed/Detected logs, Recommended actions for detections, ATP and PUA opt in.

      2. adwbust says:

        When will Office 2016 get native tabbed window support? Adobe Reader DC already added it. Pls tell Office 2016 developers to add it in next update.

  9. adwbust says:

    The sample form still times out! 🙁 I tried to submit a 3,715,193 bytes 7z archive. My upload speed is only 800 kbps. 🙁 I have no access to fiber dsl yet. I have no issue with Avira’s or Bitdefender’s sample form. I think the implementation is at fault. After I browse for sample, start to upload it. Currently, your site will only upload sample when I click Submit button. Not everyone has fast upload speed to keep up with your site’s demands/expectations. 🙁

    I got this:

    The server timed out while waiting for the browser’s request.

    Reference #2.776b473a.1492673644.2c39ccf

  10. adwbust says:

    I removed MSE on Vista since it was deactivated. But I re-enabled WD. So far, WD doesnt seem to detect Software bundlers and Monitor tools (keylogger, spyware) caught by MSE. Those are grey threats so why doesnt WD catch them too?

    1. adwbust says:

      Hacktools arent detected by WD on Vista as well. :/

Skip to main content