Tech support scams remain one of the major and evolving forces in the computer security landscape.
Between January 1 and April 30 this year, the Internet Crime Complaint Center (IC3) received 3,668 complaints related to tech support scams, which amounted to adjusted losses of almost US$2.27m.
Recently, Symantec has observed a new feature in the tech support scams it is detecting – the use of code obfuscators.
When tech support scams appeared on the horizon, code obfuscation techniques were not used. The entire malicious code was clearly visible. Now, however, code obfuscation, which up to now was primarily seen with exploit kits, has made its way to tech support scams.
Evolution of tech support scams
Tech support scams evolve continuously in order to look more realistic and avoid detection by security vendors. The addition of code obfuscators to tech support scams bears a resemblance to the evolution of exploit kits. When exploit kits first arrived on the threat landscape, all of their malicious code was visible in plain text; as exploit kits evolved, however, code obfuscators became an integral part of them.
A similar trend may now be observed with tech support scams.
Initiation of the scam
The scam Symantec has observed is initiated when an unsuspecting user visits a malicious website. The victim is shown a fake warning in a pop-up window in their browser.
Figure 1. Fake warning displayed by tech support scam
The scam tries to lure the user into calling the given phone number by saying that their system is infected. To further scare the user, the web page displays a fake ‘hard drive delete timer’ that warns the user that their hard drive will be deleted within five minutes. A warning audio tone is also played in the background, which again warns the user that their system is infected.
Behind the scam
Figure 2. Obfuscated code used in tech support scam
Decoding this script gives us the actual contents of the web page on which the scam is shown. The scam is triggered by the following script:
Figure 3. Code used to trigger tech support scam
Moving further through the page, we come to the part that displays the fake pop-up window to the user.
Figure 4. Code used to display a fake pop-up warning
The page also has scripts to check for the OS version of the user’s PC.
Figure 5. Code used to check OS of victim's computer
This code addresses a potentially major flaw in the scam. Usually, tech support scams come with hardcoded strings such as “Windows detected infection”. A user redirected to the web page from an Apple Mac would immediately see that the warning is fake. The scammer avoids this scenario by tailoring the code to the visitor's OS and showing fake alerts relevant to the specific victim.
The page also has code to maintain cookies, possibly to avoid the same scam being shown multiple times.
Figure 6. Code used to maintain cookies used by tech support scammers
In the computer security field it is often said that the weakest link in the security chain is the end user. Tech support scams make use of this weakness to infect users and earn revenue without actually exploiting the user’s system in the majority of cases.
At Symantec, we provide a variety of products to protect our customers. Our Intrusion Prevention System (IPS) security component proactively protects customers from tech support scams by blocking the malicious network activity associated with such scams using a wide variety of detections. The scam is thus blocked even before it reaches the end user.
From January 1 2016 through October, Symantec’s IPS blocked more than 157 million tech support scams. Our figures also showed that the countries targeted the most by tech support scams were the US, UK and Canada.
Figure 7. Heat map of Symantec's findings shows the regions affected by tech support scams
Norton Security, Symantec Endpoint Protection, and many other Symantec security products have comprehensive network-based protection features such as firewall and IPS built in. To protect yourself from scams, ensure that none of these are turned off.
Also make sure you visit legitimate websites when you need support for any product.
If you notice any piracy related to our products, please feel free to contact us here. Last but not least, make sure your antivirus product is updated regularly. More information on tech support scams is available here.