Tech support scammers turn to screen locking malware to fleece victims

Attackers have gone back to old tactics to pull off new scams

The scam pays homage to ransomware with fake failed Windows Update

Scammers who pretend to be tech support from Microsoft are using tips out of the ransomware playbook to fleece people, according to new research.

According to Jerome Segura, lead malware intelligence analyst at Malwarebytes, scammers are now using screen locking malware that fakes a failed update to Windows.

The malware locks not just the victim's browser but also the entire computer, much like the early days of ransomware, where files weren't encrypted but blocked from being accessed by users.

The firm's researchers said that criminals distributed a Trojan bundled with adware and legitimate programs. Once the malware has installed itself, it waits until the PC is next rebooted. As the machine starts up, a fake Windows Update screen appears and ends with a message asking the user to phone a support number because their Windows product key has expired.

The researchers pinpointed the call centre to a location in India and called the number. The malware contains a built-in installer for TeamViewer which can be launched by a combination of the Ctrl+Shift+T keys.

The rogue technician, claiming to be an employee of Microsoft, won't proceed any further until a fee of $250 (£172) is paid. The researcher who initially alerted Malwarebytes to the issue, slipstream/RoL, discovered that, by pressing CTRL+SHIFT+S, users can shut down the screen lock, but this doesn't give them access to the computer.

There are also some serial numbers hardcoded into the Trojan's source code, which can be used to start an Explorer window and remove the Trojan. These codes are: "h7c9-7c67-jb", "g6r-qrp6-h2" and "yt-mq-6w".
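As an added defensive example (not code from the article or from Malwarebytes), the Python triage helper below searches a suspect binary for the hardcoded unlock codes quoted above, checking both ASCII and UTF-16LE because Windows programs frequently store strings as wide characters; the sample blob it scans is constructed for the demonstration and is not a real malware sample.

```python
# Unlock codes reported as hardcoded in the Trojan (quoted in the article).
# A defender can use them as a string signature when triaging a suspect file.
KNOWN_UNLOCK_CODES = ("h7c9-7c67-jb", "g6r-qrp6-h2", "yt-mq-6w")


def find_locker_codes(data: bytes) -> dict:
    """Return {code: [encodings]} for each known code found in `data`.

    Matching is case-insensitive and covers both narrow (ASCII) and wide
    (UTF-16LE) string storage, so a code stored as 'G6R-QRP6-H2' in a
    wide-string table is still reported.
    """
    hits = {}
    lowered = data.lower()  # lowercases ASCII letters only; NUL bytes untouched
    for code in KNOWN_UNLOCK_CODES:
        encodings_found = []
        if code.encode("ascii") in lowered:
            encodings_found.append("ascii")
        if code.encode("utf-16-le") in lowered:
            encodings_found.append("utf-16-le")
        if encodings_found:
            hits[code] = encodings_found
    return hits


def scan_file(path: str) -> dict:
    """Read a file in binary mode and report any locker codes it contains."""
    with open(path, "rb") as handle:
        return find_locker_codes(handle.read())


# Constructed stand-in for a suspect binary: a fake header, some filler,
# one code stored as ASCII and another stored as UTF-16LE in upper case.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Windows Update failed. Call support."
    + b"h7c9-7c67-jb"
    + b"\x00" * 8
    + "G6R-QRP6-H2".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    # Expected: h7c9-7c67-jb found as ascii, g6r-qrp6-h2 found as utf-16-le
    for code, encodings in find_locker_codes(SAMPLE_BLOB).items():
        print(f"{code}: {', '.join(encodings)}")
```

A hit on these strings is a triage indicator, not proof on its own; confirm with the fake-update behaviour on reboot described above before treating a file as this Trojan.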

“This increased sophistication means that people cannot simply rely on common sense or avoid the typical cold calls from ‘Microsoft',” said Segura in a blog post. “Now they need to also have their machines protected from these attacks because scammers have already started manufacturing malware tailored for what is essentially plain and simple extortion over the phone.”

Ian Trump, security lead at Logicnow, told SCMagazineUK.com that the fake tech support scam is evolving, "just like the rest of the cyber-crime underground". "Folks with malicious intent are finding ways to trick users into compromising their systems in any way, shape or form," he said.

“Prevention of this type of attack is dependent on isolating data using ‘need to know' criteria, controlling administrative access to systems and not using shared credentials. The best approach to take is to never let anyone you don't know or trust onto your computer remotely. If you are unsure, take down the name and number of the person and consult a friend or family member about the issue or problem to have the ‘tech support' person identified.”

Craig Parkin, associate partner at Citihub Consulting, told SC that organisations have two choices: either restrict downloads, or allow them alongside a training and awareness programme.

“Ultimately, if a user falls for such an incident and they are not technically capable of recovering their PC themselves, an alarm should be seen by the infrastructure administrator saying that the user will need help in recovering their system, as opposed to the user attempting to fix it themselves. In such situations, it's better to get assistance from a local professional firm rather than pay the scammers' demands, as this will only incentivise further exploits,” he said.

Matt Hampton, chief technical officer at Imerja, told SC that organisations that follow best practice should be protected, as they will have implemented least privilege, which means normal user accounts cannot make changes to the system.

“In addition, implementing different types of antivirus technologies, particularly those which include sandboxing, will allow some of these attacks to be blocked before they reach the users,” he said.