Tech Support Scam Case Study

bsquared intel was recently brought in by a client to check one of their computers. The purpose of this call was the result of an unknown third party remotely providing tech support.  Based on our findings, we are confident this was a tech support scam.   This entry will break down some parts of the incident from contact to the steps we took to help the client.

Contact

Generally speaking, people end up in contact with tech support scammers in one of two ways. Either they click on a link, or download something that contains malicious code, and a fake pop up is displayed instructing them to call for support; to see some examples, open up Google, go to Google Images and search for “fake virus pop up.” Or, apart from these scareware ads (the fake pop ups), a person may receive an unsolicited phone call from someone claiming to be from Microsoft, or even Apple, saying that the person has a virus on their machine, which is not the case.

Scare tactics to get your money

The tech support scammer, in our case, mentioned they saw a few things on our client’s computer that indicated hackers were in, or attacking, their system. Our client mentioned the words “IP address” and “foreign address.” We asked if we could show our client something, because those words gave us a good idea of what the scammer had been doing.

At their machine we opened a terminal window and ran the network utility netstat, which shows all the network connections to a computer. We recommend everyone give this a try. Windows users, open a cmd prompt and type in “netstat” without the quotes. For those using Unix-like operating systems such as macOS and Linux, open up Terminal or Bash and enter netstat. After running the utility, you will see output under several headings: Proto (the protocol, either TCP or UDP); Local Address, which is typically a loopback address (127.0.0.x) or one from the private address space (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x); and Foreign Address, which is what the machine is connected to on a network.

For example, you might see the IP address 31.13.65.36 in the netstat output under “Foreign address.” If you look it up in a search engine, you will find the IP address belongs to Facebook. To someone who does not understand these command line utilities the output can look pretty scary, and that is exactly the scare tactic tech support scammers use.
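As an added example (not part of the original write-up), here is a small Python script that reads the kind of output netstat prints and sorts each address into the categories described above, so only the genuinely external peers are left to look up. The netstat sample is constructed, not taken from the client’s machine, and 8.8.8.8 is assumed as a second public peer alongside the Facebook address above.

```python
import ipaddress
import re

# Constructed sample in the layout Windows "netstat" prints; not output from the client's machine.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED
  TCP    192.168.1.23:51022     31.13.65.36:443        ESTABLISHED
  TCP    192.168.1.23:51030     172.16.4.9:445         ESTABLISHED
  TCP    192.168.1.23:51050     8.8.8.8:443            ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# The private address space the text lists (RFC 1918)
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def host_of(endpoint):
    # 'host:port' or '[v6]:port' -> host; netstat prints '*:*' when there is no peer
    return endpoint.rpartition(":")[0].strip("[]")

def classify(host):
    """Label an address the way the text does: loopback, private (LAN) or public."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unspecified"      # '*' or a name netstat could not show as an IP
    if addr.is_unspecified:
        return "unspecified"      # 0.0.0.0 / :: means listening on every interface
    if addr.is_loopback:
        return "loopback"         # 127.0.0.x / ::1: the machine talking to itself
    if any(addr in net for net in PRIVATE):
        return "private"          # another device on the local network
    return "public"               # the only kind worth looking up

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # banner and column-header lines
        proto, local, foreign, state = m.groups()
        rows.append({"proto": proto, "state": state or "",
                     "local": host_of(local), "local_kind": classify(host_of(local)),
                     "foreign": host_of(foreign), "foreign_kind": classify(host_of(foreign))})
    return rows

def public_peers(text):
    # Foreign addresses that are neither this machine nor the LAN: the ones worth looking up
    return sorted({r["foreign"] for r in parse_netstat(text) if r["foreign_kind"] == "public"})
```

Run it against your own netstat output (saved to a file and read into `parse_netstat`) and only the addresses in `public_peers` need a search engine lookup.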

Let’s take a look at the results of one of the virus scans.


Under the “Location” portion of the table, we’ve blurred out the paths and left the executable names:

  • DRIVERTOOLKITINSTALLER.EXE

  • AIP.EXE

  • WINTONIC.EXE

DRIVERTOOLKITINSTALLER.EXE and WINTONIC.EXE are in the same family as far as the function they perform. These two programs are system optimizers that tell the user there are a lot of junk files and other unwanted stuff on their computer. In reality these programs intentionally report false positives to make it look like there is an issue when there really isn’t. This is another scare tactic, used to sell more products.

AIP.EXE trips several malware scanners in VirusTotal, 15 to be exact; at the time of this writing the file was last analyzed in 2016. For those who are curious, the results are at the following link: https://www.virustotal.com/en/file/e79c42b1cd5b9f646b1ab9738812ca883c4ed8c954bff9d80de9b5c027e3ddbe/analysis/1468430418/

One user commented that this executable is what causes the fake pop up ad, another scare tactic, and that AIP.EXE is also responsible for allowing the scammer remote access to their target’s machine.

Having covered some of the technical aspects of what occurred, let’s shift the focus a little toward the company our client was in contact with and what we observed. We aren’t going to mention this organization’s name, as we don’t want them to show up in more search engine results. The first thing we were shown was the Terms and Conditions.

Terms and Conditions

The following is a portion of the Terms and Conditions from this tech support company. If you look at the “Description of Service” section, their offerings are not great at all. The software they install is unnecessary, as a lot of the functionality can be provided by one piece of software such as an antivirus. Other times, the software already exists natively on the operating system. For example, Microsoft Windows has a built-in utility for defragmenting disks, which should be plenty for those using traditional hard drives with platters. The disk defrag utility just helps put files back in order so the drive head isn’t taking forever to read them.


Our work

When we were brought in to help, we ran two different virus scans, looked at network connections to the device, removed unwanted/unknown programs, and checked for any running processes that were out of the ordinary. We also performed reconnaissance on this tech support company. Google searches brought up results pointing to sites, such as Ripoff Report and other platforms, that share information about scams. What we want to show here is something interesting that appears when all the pieces of information are put together, in the image below.


What you are seeing is the result of using Google Maps to find the location of the tech support business. The area we boxed out is an educated guess of where a building should be, based on the placement of the location pin. Taken together with the information our client gave us, which revealed some of the tactics the company used, the results of the virus scans, several search engine results claiming the support company is a scam, and some questionable things found on the third party’s web site, the Google Maps finding is further material showing that things aren’t legitimate.

Some tips

While the following list is not exhaustive, these are some things you can, and should, do:

  • Microsoft, or Apple, will not contact you directly to tell you that your computer has a virus. Hang up the phone and don’t engage any further.

  • Have a couple of anti-virus programs installed. One might find malware that the other doesn’t when a scan is run.

  • Do not allow an untrusted party to have remote access to your devices.

  • If you did pay, contact your bank or credit card provider ASAP. Also check your statements for any suspicious transactions.

  • Report the incident to the FTC (Federal Trade Commission) and the FBI (Federal Bureau of Investigation).

Please contact us if you need help or to voice your interest for us to put together a class.
