Cyber-Criminals Cold Calling Users to Distribute Fake Antivirus Services

Cyber-criminals are using call centers to push fake antivirus software and other malware to unsuspecting users under the pretense of offering free customer support.

Cyber-criminals are continuously switching tactics, even going offline to work the phones, to trick users into a scam. Users hand over credit card information or download malware thinking they are actually fixing a security problem, said security researchers.

In the antivirus cold-calling scam, call centers contacted users claiming to be support staff from Microsoft calling to make sure "the system is okay," Graham Cluley, a senior technology consultant at Sophos, told eWEEK. The scam has other variations, with the caller pretending to be from the user's internet service provider or a "security consultant."

Criminals are renting out cheap call centers in India to randomly cold-call users to make sure the latest malware wasn't effecting their computers, said Cluley. The callers follow a script that has users look in the low-level "techy" areas within the Control Panel, Event Viewer, or the registry, with a number of scary-sounding errors, cryptic messages, and warnings, he said. As the user confirms seeing certain messages, or reads back various parts of the screen, the caller explains those are problems, and then springs the trap, he said.

Improved security products are making it harder for Web-based attacks and scams to succeed, but "telephones bypass the technology and go straight to the weakest link in the chain, the user," wrote Fraser Howard, a principal virus researcher in Sophos Labs, in a blog post.

"We are suffering from our success. For 20 years we've been telling people they need to be aware of security," said Cluley. Users have been told repeatedly that they should update their operating system or install patches when prompted, and scammers are now exploiting that awareness to scare users into taking immediate action, he said.

Some calls follow a slightly different script. Instead of claiming a customer service where they are "just checking," the caller may claim to know issues already exist, saying "malicious traffic had been spotted" coming from the user's computer, according to Howard. The script may include other phrases designed to panic the user, such as "junk and infected files," or "destroy software, Windows and important files on my computer," he wrote.

Once the user is convinced there's something wrong with the PC, the user is sold a security software that would clean up the problem, or requests remote access in order to fix the issues. Cyber-criminals later exploits that backdoor, said Cluley. The downloaded file may just be a fake antivirus, or it could be more malicious and allow the criminal to take over the computer, said Cluley.

Even though the caller "just incurred an unexpected support expense," the caller ends up feeling "relieved," wrote Paul Ducklin, the head of technology for Sophos in the Asia/Pacific region.

Fake antivirus and malware distribution is a lucrative business, with security researchers estimating revenues of more than $100 million a year. Considering the "financial rewards," scammers investing in the call center to drive more sales in "clearly justifiable," wrote Howard.

"Use your common sense," said Cluley. Users need to think about why Microsoft or some other big company would bother calling people individually to offer free support, he said. "It would be too expensive."

However, the scam is made more effective by the fact that some companies and ISPs do call users when they notice a problem. Ducklin said users should hang up on these calls, and if they want to verify if they might have been legitimate, they should call back on their own.