The scary world of Fake Support Calls
We are sure you have received one of these calls. Someone calls your phone saying they have spotted unauthorised people using your internet, and that it could be a "virus" or someone using your internet without your permission. These calls can be real, but they are most likely a scam to try to gain remote access to your machine. This article is about how to tell the fake from the genuine.
To give you some context, we have experienced these calls for a while, and we finally managed to run through the script the callers use to convince you there are issues with your computer. Having done this, we can now expose the things to look out for and the ways they try to confuse you into giving them access to your computer. We did not let them connect, so we are unsure what they do after this point; however, we can be sure that it will be to do harm to your machine. Most likely they will install a crypto virus (to be covered in future articles) to encrypt your files and demand payment to unlock them.
How to spot the scam.
Firstly, they will NOT know your details by name. If you challenge them on this, they will either hang up or say that for security reasons they cannot confirm this. This is obviously wrong: if they had called you and were genuine, they would be able to confirm it. Do not let this be the only criterion, however, as a scammer may know your name if they have managed to buy a directory listing with names and numbers.
The second thing they will do is ask you what the button next to the CTRL key is. This allows them to work out whether you are using a Mac or a PC. Our example is for Windows; however, we are sure the same approach will be used on a Mac. They will ask you to press the Windows key and the R key together. This will open a Run box. They will then ask you to type cmd. This is a fairly common tool for IT professionals to use, as it opens a Command Prompt window. This is something that you will no doubt have seen before in your time. Over the many calls we have received, a couple of commands have been used to scare users. Below are the ones we know they use (we are sure there are more), along with what the scammer says they mean and what they are actually telling you.
Command - Assoc
Scammer – This is showing the connections to files on your computer.
Actual command – This command shows file types and the program associated with each file type. This is normal.
Command - Netstat
Scammer – This is showing all the active connections on your computer from foreign addresses. We need to sort this issue now as you are hugely at risk from all these unwanted connections.
Actual command – This shows the connections your machine has with your network, both in and out of your machine. A long list here is common, and although it can show unwanted connections, it is likely that it is only being used to scare you. Your machine will have many of these by default, as this is how it communicates internally and externally on the network.
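To show why a long netstat listing is normal, here is an added example (not part of the original article) that sorts each row of netstat output into listening, loopback, local-network and internet connections. It assumes the numeric output of netstat -ano; the sample listing is constructed, and the function names are this example's own.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (not captured from a real PC).
# 203.0.113.x / 198.51.100.x are documentation addresses standing in for public servers.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    127.0.0.1:5354         127.0.0.1:49670        ESTABLISHED     3120
  TCP    192.168.1.20:49712     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.20:49801     203.0.113.10:443       ESTABLISHED     8812
  TCP    192.168.1.20:49802     198.51.100.7:443       TIME_WAIT       0
  TCP    [::1]:49670            [::1]:5354             ESTABLISHED     3120
  UDP    0.0.0.0:5353           *:*                                    2210
"""

# Private and link-local ranges: addresses that never leave your own network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def classify(line):
    """Classify one netstat row; returns None for headers and blank lines."""
    parts = line.split()
    if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
        return None
    state = parts[3] if parts[0] == "TCP" and len(parts) >= 5 else ""
    host = parts[2].rsplit(":", 1)[0].strip("[]")   # drop port and IPv6 brackets
    if state == "LISTENING" or host == "*":
        return "listening"          # a local service waiting; nobody is connected
    try:
        addr = ipaddress.ip_address(host.split("%")[0])
    except ValueError:
        return "unparsed"           # e.g. a hostname when -n was not used
    if addr.is_loopback:
        return "loopback"           # the machine talking to itself
    if any(addr in net for net in LOCAL_NETS):
        return "local-network"      # router, printer, file share
    return "internet"               # browser, updates, mail, cloud sync

def summarize(text):
    """Count rows per category across a whole netstat listing."""
    counts = {}
    for line in text.splitlines():
        kind = classify(line)
        if kind:
            counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Even on this small listing, most rows are the machine listening, talking to itself or talking to the local network, and the internet rows are ordinary HTTPS traffic on port 443.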
These commands are used purely to scare you into going to a web address. The next thing they will ask you to do is go to a website by typing www.bit.do/######. I am sure there are many versions of this in use, hence the ######. www.bit.do is a URL masking site that allows the scammer to hide behind a short web address. Others could be www.tinyurl.com, www.tiny.cc, www.is.gd and www.soo.gd. This is not an exhaustive list, but these are most of the free services offering the same features, and they are given here just as examples.
When these links are followed, you will be prompted to download the TeamViewer application (or another remote access tool). These are not bad programs, and you may have used them before. TeamViewer is one of many different remote access tools; this one happens to be free for personal use. It will show a Personal ID and Password, which they will ask you to give them. This is where we stopped our investigation, and I would advise you never to take it this far. This is the point at which the scammer gains entry to your machine, "technically" with your permission.
Please don't take this as a request not to use tools such as TeamViewer. These are powerful support tools that help support agents fix problems. The difference should be that this is done at your request and not at theirs. Support agents will not use the above scare tactics to convince you to let them connect remotely.
Tractive Solutions wishes a safe and secure environment for all.
If you wish to have advice on the situations detailed in this article, please don't hesitate to contact us.