Cyber-criminals are using call centers to push fake antivirus software and other malware to unsuspecting users under the pretense of offering free customer support.
Cyber-criminals are continuously switching tactics, even
going offline to work the phones, to trick users into a scam. Users hand over
credit card information or download malware thinking they are actually fixing a
security problem, said security researchers.
In the antivirus cold-calling scam, call centers
contacted users claiming to be support staff
from Microsoft calling to make sure "the system is okay," Graham Cluley,
a senior technology consultant at Sophos, told eWEEK. The scam has other
variations, with the caller pretending to be from the user's internet service
provider or a "security consultant."
Criminals are renting out cheap call centers in India to
randomly cold-call users to make sure the latest malware wasn't effecting their
computers, said Cluley. The callers follow a script that has users look in the low-level
"techy" areas within the Control Panel, Event Viewer, or the registry, with a number
of scary-sounding errors, cryptic messages, and warnings, he said. As the user
confirms seeing certain messages, or reads back various parts of the screen,
the caller explains those are problems, and then springs the trap, he said.
Improved security products are making it harder for
Web-based attacks and scams to succeed,
but "telephones bypass the technology and go straight to the weakest
link in the chain, the user," wrote Fraser Howard
, a principal virus researcher
in Sophos Labs, in a blog post.
"We are suffering from
our success. For 20 years we've been telling people they need to be aware of
security," said Cluley. Users have been told repeatedly that they should update
their operating system or install patches when prompted, and scammers are now
exploiting that awareness to scare users into taking immediate action, he said.
Some calls follow a slightly different script. Instead of
claiming a customer service where they are "just checking," the caller may
claim to know issues already exist, saying "malicious traffic had been spotted"
coming from the user's computer, according to Howard. The script may include
other phrases designed to panic the user, such as "junk and infected files," or
"destroy software, Windows and important files on my computer," he wrote.
Once the user is convinced there's something wrong with
the PC, the user is sold a security software that would clean up the problem,
or requests remote access in order to fix the issues. Cyber-criminals later
exploits that backdoor, said Cluley. The downloaded file may just be a fake
, or it could be more malicious and allow the criminal to take over
the computer, said Cluley.
Even though the caller "just incurred an unexpected
support expense," the caller ends up feeling "relieved," wrote Paul Ducklin
the head of technology for Sophos in the Asia/Pacific region.
Fake antivirus and malware distribution is a lucrative
business, with security researchers estimating revenues of more than $100
million a year. Considering the "financial rewards," scammers investing in the
call center to drive more sales in "clearly justifiable," wrote Howard.
"Use your common sense," said Cluley. Users
need to think about why Microsoft or some other big company would bother
calling people individually to offer free support, he said. "It would be too
However, the scam is made more effective by the fact that
some companies and ISPs do call users when they notice a problem. Ducklin said
users should hang up on these calls, and if they want to verify if they might
have been legitimate, they should call back on their own.