The classic tech support scam, in which unsuspecting consumers are told that there are issues with their Windows machines that need to be addressed (and paid for), is getting an overhaul. It appears to be going multilingual and multichannel.
The original iteration of this scam involved cold calls originating from India. "Tech support" personnel warned PC owners that their machines were infected and that they could fix them for the low, low price of $10 (or more). Over time, fake websites and pop-ups warning of infections were created for Windows, Mac, Android and even iOS users.
The other hallmark of the ongoing classic campaign is that it targets countries where English is the primary language: the UK, the US, Canada, Australia, South Africa and New Zealand.
Malwarebytes Labs is now warning that scammers are tapping into brand new markets in Europe and Japan.
“The first efforts to go after people in non-English countries were quite clumsy,” explained Malwarebytes researcher Jerome Segura, in a blog. “The latest iteration we uncovered is targeting multiple new countries and considerable efforts were spent to make the templates look professional and authentic.”
New targets include France (population 66 million), Spain (population 46 million), Germany (population 81 million) and Japan (population 126 million). And the price has gone up too: One German version asked for $430 to “fix” an “infected” PC.
In its new form, the campaign is quite sophisticated, and far-flung in terms of its operational base. It starts with fraudulent pages that typically reach victims via malvertising campaigns or bundled with potentially unwanted programs (PUPs). They read something like this:
Warning! A virus has been detected on your computer. Please call the number provided immediately to remove adware, spyware and viruses from your computer. Seeing this message means that all your personal information, pictures, passwords and credit card details are at risk and vulnerable to attacks. Do not use the internet, do not connect to any website or make any purchase until you call the phone number provided.
“We called one of the numbers for the French campaign and talked with an agent that spoke fluent French,” Segura said. “He turned out to be working from Québec, Canada…We suspect that one or more organizations are outsourcing dedicated call centres in each country and have given them instructions on how to dupe customers who phone in.”
The other versions of the scam (German, Spanish and Japanese) also featured agents speaking the national language, with varying degrees of fluency. So it appears that several call centers located around the world are involved in this operation, which means that it will take a concerted effort from multiple parties to take each one down. Meanwhile, the rogue actors will continue to defraud thousands of people.
Overall, the multilingual effort is a stealthy and flexible operation. Segura found that all of the domain names registered for this campaign went through a Chinese registrar, with the actual registrant hidden behind a privacy proxy. The source code of each page also includes a meta tag telling search engines not to crawl or index the content, which keeps the pages out of search results.
The toll-free number shown in each pop-up is also generated dynamically via an API, a big change from amateur campaigns, where the phone number is hardcoded as text or embedded in an image. A number that is fetched at page load can be rotated without republishing the page, so blocking any single number does little on its own.
“We cataloged over 400 different phone numbers used in the French version of the scam,” Segura said. “Typically those toll-free numbers are bought in bulk and can be discarded easily. It very much resembles blacklist evasion techniques used by malware authors with domain names.”
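The three traits described above (a robots meta tag that keeps the page out of search indexes, a phone number pulled from an API instead of hardcoded, and disposable toll-free numbers bought in bulk) are exactly what an analyst triaging malvertising landing pages looks for. The script below is an added example written for this article, not code from Malwarebytes or from the campaign: it runs those heuristics over a constructed sample page and normalizes any phone numbers it finds so they can be cataloged and compared across pages. The sample HTML, the `/api/getnumber` endpoint and the phone numbers in it are invented for illustration; the scoring is my own simple heuristic.

```python
"""Triage heuristics for tech-support-scam landing pages (added example)."""
import re
from html.parser import HTMLParser

# Constructed sample page: domain, API path and numbers are made up.
SAMPLE_PAGE = """
<html><head>
<meta name="robots" content="noindex, nofollow">
<title>Warning! Virus detected</title>
<script>
  // number is fetched at load time, so it can be swapped without editing the page
  fetch('/api/getnumber?geo=fr').then(r => r.text())
      .then(n => document.getElementById('tel').textContent = n);
</script>
</head><body>
<h1>Avertissement ! Un virus a ete detecte</h1>
<p>Appelez le <span id="tel">loading...</span> immediatement.</p>
<p>Support: 1-855-555-0199 / 1 (855) 555-0199</p>
</body></html>
"""

NOINDEX_DIRECTIVES = {"noindex", "nofollow", "none"}
# Hypothetical heuristic: a network call whose URL or handler mentions a number.
API_NUMBER_RE = re.compile(
    r"(fetch|XMLHttpRequest|\$\.get|axios)\s*\(?[^;]*?(number|phone|tel)", re.I)
# Loose matcher; punctuation differences are removed by normalize_number().
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
NANP_TOLL_FREE_PREFIXES = {"800", "833", "844", "855", "866", "877", "888"}


class _PageParser(HTMLParser):
    """Collects robots meta directives, inline script bodies and visible text."""

    def __init__(self):
        super().__init__()
        self.robots, self.scripts, self.text = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.robots.append((a.get("content") or "").lower())
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def normalize_number(raw):
    """Digits only, so '1-855-555-0199' and '1 (855) 555-0199' compare equal."""
    return re.sub(r"\D", "", raw)


def is_nanp_toll_free(digits):
    """True for North American toll-free numbers (8xx with repeated digit)."""
    d = digits[1:] if len(digits) == 11 and digits.startswith("1") else digits
    return len(d) == 10 and d[:3] in NANP_TOLL_FREE_PREFIXES


def analyze_page(html):
    p = _PageParser()
    p.feed(html)
    scripts = "\n".join(p.scripts)
    numbers = {normalize_number(m) for m in PHONE_RE.findall(" ".join(p.text))}
    numbers = {n for n in numbers if 8 <= len(n) <= 15}  # drop dates and junk
    findings = {
        "noindex_meta": any(NOINDEX_DIRECTIVES & {d.strip() for d in c.split(",")}
                            for c in p.robots),
        "number_from_api": bool(API_NUMBER_RE.search(scripts)),
        "numbers": sorted(numbers),
        "toll_free": sorted(n for n in numbers if is_nanp_toll_free(n)),
    }
    findings["score"] = sum([findings["noindex_meta"],
                             findings["number_from_api"],
                             bool(findings["toll_free"])])
    return findings


if __name__ == "__main__":
    print(analyze_page(SAMPLE_PAGE))
```

Against the sample page all three signals fire and the two differently punctuated numbers collapse to one catalog entry. In practice the normalized numbers are what you compare against the hundreds already seen, which is why the numbers, not the page content, are the useful indicator when the campaign rotates them the way malware rotates domains.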
The best protection against these scams is awareness, of course: no legitimate vendor announces an infection through a browser pop-up with a phone number to call, and a page that tells you not to use the internet until you phone it is itself the warning sign.
“This latest twist is without a doubt going to have a serious impact on countries that have never really experienced tech support scams before,” Segura concluded. “Not only are people not prepared for it, but also the fraudster will appear genuine by speaking the local tongue.”