Tech support scammers are taking inspiration from ransomware operators and have changed their mode of operation by creating malicious software that blocks the user’s access to the computer until they call a call center for support.
For years, tech support scams have used so-called “scareware” tactics, trying to trick users into thinking they needed technical support from an expert. These tactics often used warnings and popups telling users they had malware on their computer, or a fault on their hard drive, with the computer ready to fail at any moment.
Tech support scammers are borrowing ransomware tricks
In the latest installment of this tech support scam, the crooks have found a way to lock the user’s entire computer, not just their browser.
This trick is reminiscent of the early days of ransomware. Back then, ransomware didn’t encrypt your files, but merely blocked access to your computer with screens overlaid over your desktop, or by disabling keyboard and mouse input.
Security researcher slipstream/RoL discovered one of these tech support scams that locks the user’s entire PC. He and the team at Malwarebytes investigated this problem.
Crooks used adware to infect and lock computers
According to the two, crooks are distributing a trojan bundled as adware with legitimate programs. Once the user installs the desired software, the bundled adware, which is in fact the trojan, is installed alongside it.
This trojan waits in hiding until the user restarts their PC. When this happens, it shows a fake Windows update screen, and when that finishes, it displays a message telling the user their Windows product key has expired and that they should call a phone number to speak to a Microsoft employee.
slipstream/RoL says the call center is located somewhere in India. Malwarebytes say they’ve called the number and the call center operator instructed them to press CTRL+SHIFT+T. This key combo starts a TeamViewer instance, which the call center operator will use to access the victim’s computer, and presumably uninstall the trojan.
At this point, the call center operator refuses to continue the discussion until the victim makes a payment of $250.
By refusing any interaction, the tech support scammers are holding the computer and the user’s data for ransom, making them a “walking & talking ransomware.”
There is a way to get rid of it
slipstream/RoL found that, by pressing CTRL+SHIFT+S, users can shut down the screen lock, but this still doesn’t give them access to the computer.
He also discovered some hardcoded serials in the trojan’s source, which he says can be used to start a Windows Explorer window that can be used to navigate the user’s PC and remove the trojan. These codes are: “h7c9-7c67-jb” “g6r-qrp6-h2” “yt-mq-6w”.
This tech support scam variant is not only novel but already quite common, and Malwarebytes has already received complaints about it on its forum. Additionally, the researchers found this malware peddled with ads on Facebook, meaning more crooks are bound to buy it and integrate it into their tech support scams.