What I Learned Playing Prey to Windows (Mac) Scammers

This article is a little long but it is quite informative and entertaining. It's written for Windows but the information is relevant for Mac users. At Capitol Macintosh our customers are reporting/seeing these exact problems.

The following is an article by Fahmida Y. Rashid of InfoWorld.

Three months of phone calls prove Windows/Mac scammers are more skilled at social engineering than you think:

“I am calling you from Windows.”

So goes the opening line of the well-known phone scam, where a person calls purporting to be a help desk technician reaching out to resolve your computer problems. These Windows scammers feed off people’s concerns about data breaches and identity theft to trick them into installing malware onto their machines. The scam has been netting victims for years, despite the fact that none of what the callers say makes sense.

I recently received such a call and decided to play along, to see how the scam evolves and who the players might be. Over a period of three months, I received calls on average of four times a week, from various people, all intent on proving that my computer had been hacked and that they were calling to save the day. I had multiple opportunities to try a variety of conversational gambits and to ask questions of my own. Here is what I found out about the Windows scammer underworld via conversations with “Jake,” “Mary,” “Nancy,” “Greg,” “William,” and others.

The scam’s success hinges on being helpful

The callers are polite, and they sound very earnest, explaining in great detail how hackers can loot your bank accounts, steal your identity, and compromise passwords. They are intent on convincing you the threat is not only real but hackers are already in your system performing all manner of nefarious activities. Your computer has been slow, they say. Or they explain that they have detected suspicious activity emanating from your PC.

“Whenever there is any negative activity going on with your computer, right? We get notified from the license ID of your computer,” said “Nancy.”

The scammers don’t expect you to take it at their word; they are willing to show proof that your computer has been hacked. They instruct you to press the Windows key and R to bring up the Run box on your system, and to enter commands to open Windows Event Viewer. The caller notes how many errors are listed (most of which are harmless) and uses the list as proof the computer is compromised. "Jake" walked me through finding my unique computer ID using the command line.

“Rachel” sounded genuinely horrified when I told her how many errors were in Windows Event Viewer: “This is the worst I’ve ever seen!” I burst out laughing. Needless to say, she hung up immediately.

Once the victim has been convinced there is a problem, the hard part is done. Depending on the scam, the caller tries to talk you into installing remote software, such as TeamViewer or AMMYY, onto your computer, or they direct you to a website to download software that would supposedly fix the problems. The remote control software can be used by the attacker to steal data, download malware, and further compromise the system. To avail myself of their help, I would have to hand over my credit card number and pay anywhere from $49 to $500. I never got past this step, though.

It doesn’t matter who the victim is

Scammers get phone numbers from myriad places: marketing lists sold between telemarketers, the phone book, personal records of criminal forums from data breaches. Some scammers used my married name, which isn’t listed anywhere. Because our phone is listed in my husband’s name, scammers working off public phone records probably switched to Mrs. when I answered the phone instead.

Most of the time, scammers don’t bother with names. They start off with a polite, “Good afternoon, ma’am.” I infuriated “Greg” by claiming he must be talking about someone else’s computer as it couldn’t be my computer that was infected. When “Greg” retorted that he knew everything about me and rattled off my name and the city I lived in, it made me think he was working off a list obtained from a data breach dump. That scared me a bit, knowing that these callers could possibly know where I lived, so I ended that call in a hurry.

It doesn’t matter in the end because the scammers will talk to anyone. My child answered the phone once, and instead of asking to speak with an adult in the house like any proper (and scrupulous) telemarketer would, the caller went through the explanation of how the computer was infected and needed to be dealt with immediately. My child, wanting to be helpful, scrambled to follow the instructions. Luckily, my child stopped to ask me which computer to turn on, at which point I took away the phone.

Considering kids don’t often have a credit card for the final payoff, it’s perplexing what scammers hope to gain by proceeding with calls involving minors. When asked, “Jake” huffed a bit, then ignored the question.

That was an eye-opening moment, and we immediately had a family meeting to explain these calls and emphasize that no one should be calling and asking us to do anything on the computer. We had the same conversation with the grandparents.

On another call, I tried convincing “William” that I didn’t have a credit card, at which point he suggested I borrow a card from someone else. The implication was that if I really wanted to stop the hackers, borrowing a card wasn’t a big deal.

They will stick to the script, no matter what

Callers stick to a script, rarely veering off what they are supposed to say, even to the point of repeating the same keywords over and over. Take the exchange I had with “Nancy.”

“What I am trying to say is when you bought your computer, a technician installed the operating system, you know that? The Windows operating system,” said “Nancy.” I noted there was no such thing as the Windows company because it was an operating system. “That’s what I am saying. I am calling from the Windows Service Center. Windows is the operating system you are using, right? And this is a service center for Windows. There are 700 service centers for Windows, you know that?”

"Nancy" claimed later in the call that my Windows license would be canceled if I didn’t fix the issues on my computer. “You have been provided with the license for the operating system of your computer. Right? If we find that someone is misusing the computer for any reason or there is something going wrong, what we do first is that we cancel the license of the computer, which means that you won’t be able to use this computer, all right?”

I argued back, “Why not?”

“You are using the Windows operating system,” she repeated patiently. I hoped I was annoying her at this point. “If we cancel the license of the Windows operating system from our end, then your operating system gets locked.”

Way to spook victims with the idea of ransomware, “Nancy.”

“Being a Windows user, I believe you know that all Windows computers are connected to the same Windows Global Router in Virginia,” “Nancy” said.

Even conspiracy theorists can’t make up this stuff. All Windows users connecting to a massive network that monitors all their activity? The sad thing is I can see how people wouldn’t know how preposterous the idea sounds.

When “Rachel” told me she was calling because the technician had detected malicious activity from hackers on my computer at 5 a.m., I told her she was mistaken as my computer was always off at night. She ignored me and proceeded to the next part of her spiel where she asked me to open up Windows Event Viewer.

After a while, even the most curious recipient will give up asking questions, since the answers don’t make sense. I told “Nancy” so. “At this point you are saying a lot of things that make no sense, because they are not logical, but OK, go on.”

I was startled that she continued regardless. “If you do not remove the hacking file from this computer, then unfortunately, we will have to cancel the license of your computer so that there is no misuse of your personal information.”

“Nancy” really wanted that payout. Why not? I was making her work for it.

Each team operates differently

The Windows scam doesn’t appear to be the work of a single group. Toward the end of the observation period, callers were exclusively women, some with strong Eastern European accents and others with strong Indian accents. Earlier calls, in contrast, had been exclusively from males with Indian accents, except for “Steve,” who sounded American. Possibly Pennsylvania or Maryland. Not the Northeast, the South, or the Midwest. Definitely not Texas.

I am almost certain that I spoke with “Jake” at least seven times, but he was “Mike” and “William” at least once during those calls. It would have been smart for “Jake” and his team to take notes when victims didn’t pay, so they could spare themselves the effort of repeatedly calling to try to hook me. It’s pretty clear these folks aren’t using CRM software to track interactions with their “customers.” This wasn’t a highly professional criminal organization.

Despite these hints of amateurism, they were still getting the handful of victims necessary each day to make the operation worthwhile.

A few times throughout my experience with my various Windows scammers the thought crossed my mind that the callers themselves may be unwitting dupes for the actual criminals. Perhaps, like call center workers in the movie "Outsourced," these folks know nothing about the “company” they work for and are simply doing their jobs following the script. Perhaps they themselves are convinced they are actually being helpful.

I told “Frank” I had a really poor connection and I kept hanging up the phone. But he called back each time and remained very polite and eager to help. The dropped calls had to be tremendously annoying for him, but he never broke character. Maybe it wasn’t an act for him, and he genuinely believed in his purpose, unaware that the script was a scam. I finally disconnected the phone for the day to get him to go away.

When I asked “Jake” why he scammed people, he got angry and denied it, but “Mary” tried to convince me I was mistaken. She didn’t break character and assured me she’d helped many people in the time she’d been working there. She made me hesitate, and I am still not sure if she was simply skillful, or if she was the victim in this situation, manipulated by a criminal syndicate.

“Mary” was also the only one who remained polite when I accused her of taking part in the scam. All the others issued threats before hanging up, although “Nancy” did say, “Thank you,” before disconnecting.

Ask a lot of questions

The devil is in the details, and the more you ask questions instead of swallowing whatever the callers say, the more likely you will uncover inconsistencies or problems. The moment you suspect a scam, hang up.

Many of the callers don't take into consideration that you may have multiple computers. When I asked “Mike” which computer he wanted me to turn on, at first he didn’t understand what I was asking. “I am talking about your Windows computer,” he said.

I explained I didn’t know which of my seven computers had problems. I half-expected him to tell me any would do, but he went through the pretense of looking at his logs and telling me to turn on the one that had been on at noon the day before. I wonder if he would have tried again later with my other computers, but I didn't let him stick around long enough to find out.

My questions must have rattled “Nancy” from “Windows Technical Services,” a bit, since she switched the company name a few times during the course of the call. From “Windows Technical Services,” she switched to “Windows Security Services,” “the Windows Company,” and “Windows Service Center.”

Later on in that call, “Nancy” made another goof. “All I am trying to say, to do, is to explain that your computer is getting hacked by foreign IP addresses, from Texas and from California.”

Yes, Texas was once an independent republic, but come on, “Nancy.” You can do better.

Do not engage the scammer

Never, ever share any personal information. Don’t provide your name. Don’t talk about anything specific to you -- the caller wants to gain your trust and will engage in small talk while waiting for the computer to execute the commands you typed. Don’t go to any website the scammer tells you to visit, don’t accept emails, and most of all, don’t download any software during the call.

A recent variation of the scam depends on victims making the initial phone call. While browsing online, the victim comes across a browser pop-up stating the computer is infected and to call technical support at the listed number for instructions on how to fix it. The message is frequently served up via a malicious advertisement. Don’t call the number. Instead, close the browser and move on. It’s easier to never, ever engage the scammer.

If there really is a problem, you won’t find out over the phone. Microsoft doesn’t have the phone numbers of every user who owns a Windows computer, and the company definitely doesn’t call individuals if something goes wrong. If a problem exists -- say, the ISP thinks your computer is infected and spreading malware to other computers -- the notification will not come via a phone call. More important, there is no such thing as a Windows Global Router monitoring your computer activity.

If you suspect a problem with your computer, go to Best Buy (for Windows) and Capitol Macintosh (for MacOS).

Once you realize it’s a scam, hang up. There is no benefit in stringing them along, and these callers can get very angry. I usually was shaking after each of these encounters and frequently had to go outside for a walk to calm down.

One of the many calls from “Jake” ended with him screaming, “You think this is a scam? I will show you! I will show you hackers have control, because I am going to be the one taking over in 48 hours. Watch out!” I was rattled enough to keep all computers (even the Linux and Mac systems) in the house off for three days after, just in case.

“Nancy” threatened legal action. “Listen, I am telling you one last time, whatever information you have in your computer save it, because in the next 24 hours, we are going to cancel the license of your computer. And we will send you a legalized document, all right? At your doorstep. At that time, you can have a talk with the lawyers.”

It’s been a few weeks. No lawyers yet, whew.

What if you fell for the scam?

If you installed software, uninstall the software and run a security scan to remove it. If you gave remote access, reboot the computer to force-end the session. Uninstall the software. If the scammer got a chance to look through your files, as part of the remote access session or through the downloaded software, then assume they have copied your files and may have access to your passwords. Change your passwords after running the security scan and verifying no keylogger was left behind.

At this point, it may be better to disconnect your computer from the Internet, back up the specific files you need (if they already weren’t backed up over fears of ransomware), and wipe the machine to start over. There is no point in risking that the malware has enough hooks into the system that the security software is unable to eradicate it completely.

If you paid the scammer, call the credit card company right away to report the incident and cancel the transaction. Cancel the card, too. If the attacker has the information, they can use it again later or sell the number to someone else.

U.S. victims should report the scam to the Federal Trade Commission and provide the name of the scammer, as well as the originating phone number of the call. I don’t have Caller ID, so I couldn’t track the number, and in several cases, when I tried to dial back to track the last incoming call, I got the message that the number was blocked. The sheer number of calls I fielded made me question the wisdom of maintaining a landline -- at least if the calls had been going to my cellphone, I could potentially block calls. Alternatively, I could whitelist calls I recognized and ignore the rest.

They know which buttons to push

In the past, I’d dismissed these scammers as bumbling criminals preying on clueless and naive computer users, but after 60 or so conversations, I’ve revised my assessment: They're skillful social engineers. At one point, when I’d managed to irritate “Nancy” enough, she asked, “Do you know who you are talking to? Do you know I have the authorization to cancel the license key for your computer?”

I stopped for a half-second to remind myself that she couldn’t do that. It helped that at the time of the call I was working on a Mac, but I sympathize with the victims who don’t want to take the risk. These scams are effective because they’re utterly convincing to nontechnical users. Even someone who has been reading about the latest news and staying well-informed can be tricked because the callers are good at hinting at all the things that can happen. The people making these calls are polite and charming -- unless, like me, you’ve been annoying them for 15 minutes with questions. They are confident and sound like they know what they are doing, which is why they are successful.

“We are calling you to find out why your computer is downloading all this hacking software and who are the persons who are trying to get into your computer to steal your personal information. That is illegal. That is against [sic] cybercrime.”

That’s the only point I agreed with from those calls. What they are doing is illegal. If you get the call, hang up. Don’t engage, and we will eventually starve the scamming beast into ceasing operations.

Do You Have Malware?

The Malware/Adware “Manual”

If you have any of the following “programs” on your Mac then you have Malware and we have the solution:

Spigot
Spigot is an adware company responsible for a number of different adware programs.

Crossrider
Crossrider is a very suspicious search engine, which has been accused of continuous redirects to unknown websites, altered search results, tracking of people's search sessions and similar problems that can't be ignored.

Genieo
Genieo is still pulling many of the same tricks – changing the search engine to Bing, and installing all kinds of junk that runs in the background and modifies browser behavior.

iLivid
iLivid takes over websites and automatically downloads unless you kill the browser window. It seems to like sites where you're expecting a download and exploits your expectation that you're getting the download you want.

OperatorMac
This adware will redirect you to different pages and inject content, such as an odd set of navigation controls floating over the page, into pages in your web browser.

WalletBee
WalletBee is promoted as a useful tool that’s supposed to help people save time and money. However, security experts have already attributed it to an adware or potentially unwanted program, which may initiate various undesirable operations, such as redirects, ads, and other things. In addition, it may also record your browsing activities and collect various information.

OneSearch
Onesearch is a program that’s bundled with other free software downloaded off of the Internet. Once installed it will set the homepage and search engine for any installed browsers to search.onesearch.org without your permission.

JDI Backup
Just read this: http://www.backupreview.com/mypcbackup-justcloud-zipcloud/

Mac Keeper
MacKeeper provides questionable value to most users, can destabilize an otherwise stable Mac, and embeds itself so thoroughly into the operating system that removing it is an uncomfortable and weird process.

MegaBackup
MegaBackup exemplifies misleading software that attempts to convince Mac users to purchase the license under false pretenses.

Advanced Mac Cleaner
Advanced Mac Cleaner floods the victim’s experience with annoying warning messages. It dupes the user into thinking that their machine has got numerous problems hindering normal performance.

Shoppy
Shoppy is an adware program that displays pop-up ads and advertisements on web pages that you visit. These advertisements will be shown as boxes containing various coupons that are available, as underlined keywords, pop-up ads or advertising banners.

ZipCloud
ZipCloud is some sort of cloud-storage service with a doubtful reputation. The OS X client is sometimes distributed along with the "SearchProtect" malware. Although ZipCloud may not be malicious itself, it should be deemed suspect by virtue of the company it keeps.

Please note the above is NOT a complete list - just a few of the bad guys we’ve come across. The list does continue to grow, though, and we will stay on top of it. How can you tell if you have any of these? Use Spotlight - that's the "magnifying glass" in the top right-hand corner of your Mac - click on it and type in any of these bad guys' names. If you get a hit on your computer, then you have it.
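Spotlight finds the names wherever they are indexed; the shell script below is an added example (our own illustration, not Capitol Macintosh's HealthCheck program or any tool named on this page) that does the same check in a more targeted way: it looks only in the folders where these programs usually put their app bundles and the launch items that keep them running in the background, and prints every item whose name matches the list above. It assumes the standard macOS layout (Applications, Library/LaunchAgents, Library/LaunchDaemons, Library/Application Support, and the same folders inside each user's home). The demo tree and its file names are constructed so the script runs on any machine; nothing is deleted, the output is a list of paths to review before removing anything.

```shell
#!/bin/sh
# Added example, not Capitol Macintosh's software: a read-only sweep of the
# folders where Mac adware normally drops its app bundles and launch items,
# matched against the names from the list above. Nothing is removed.

# Case-insensitive name fragments from the list above. "mypcbackup" and
# "justcloud" are the names used in the JDI Backup review linked above.
ADWARE_PATTERN='spigot|crossrider|genieo|ilivid|operatormac|walletbee|onesearch|jdibackup|mypcbackup|justcloud|mackeeper|megabackup|advanced ?mac ?cleaner|shoppy|zipcloud|searchprotect'

# Print the folders worth checking under the given root ("/" for a live Mac,
# a scratch directory in the demo below). LaunchAgents and LaunchDaemons are
# where these programs install the pieces that "run in the background".
adware_dirs() {
    root="${1:-/}"
    for d in "$root/Applications" "$root/Library/LaunchAgents" \
             "$root/Library/LaunchDaemons" "$root/Library/Application Support"; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; fi
    done
    # per-user copies of the same folders
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        for d in "$home/Applications" "$home/Library/LaunchAgents" \
                 "$home/Library/Application Support" "$home/Library/Safari/Extensions"; do
            if [ -d "$d" ]; then printf '%s\n' "$d"; fi
        done
    done
    return 0
}

# Print every item directly inside those folders whose name matches the list.
scan_for_adware() {
    adware_dirs "${1:-/}" | while IFS= read -r dir; do
        find "$dir" -mindepth 1 -maxdepth 1 2>/dev/null
    done | while IFS= read -r path; do
        name="${path##*/}"
        if printf '%s\n' "$name" | grep -qiE "$ADWARE_PATTERN"; then
            printf '%s\n' "$path"
        fi
    done
}

# Number of suspicious items found; 0 means none of the listed names turned up.
count_adware_hits() {
    scan_for_adware "${1:-/}" | wc -l | tr -d ' '
}

# Constructed demo tree with made-up file names, so the script can be tried
# without touching a real Mac. Safari.app and com.apple.example.plist are the
# legitimate-looking items that must NOT be reported.
make_demo_tree() {
    base="$1"
    mkdir -p "$base/Applications/MacKeeper.app/Contents" \
             "$base/Applications/Safari.app/Contents" \
             "$base/Library/LaunchAgents" \
             "$base/Library/Application Support/Genieo" \
             "$base/Users/alice/Library/LaunchAgents" \
             "$base/Users/alice/Library/Safari/Extensions"
    : > "$base/Library/LaunchAgents/com.genieo.example.plist"
    : > "$base/Users/alice/Library/LaunchAgents/com.apple.example.plist"
    : > "$base/Users/alice/Library/Safari/Extensions/Spigot.safariextz"
}

# Demo run against the constructed tree; pass / instead to sweep the Mac you
# are sitting at (the four constructed items are reported, Safari is not).
demo_root="$(mktemp -d)"
make_demo_tree "$demo_root"
scan_for_adware "$demo_root"
rm -rf "$demo_root"
```

A hit on a launch agent or daemon is the more telling one: an app bundle in Applications may just be something you installed and forgot, but a plist in LaunchAgents is how these programs come back after you quit them, and it is what an anti-virus removal that only deletes the app tends to leave behind.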

Adware was unheard of on the Mac just a couple years ago. It’s now so prevalent that we install our CapMac Health Check, which detects Mal/Adware, on almost every computer that comes in for service.

Adware comes from bad download sites; however, the vast majority of it seems to come from torrents, sites offering “free” video streaming, or pop-ups (such as fake Flash Player updates). Why is the problem getting worse?

Obviously, the people behind all this are having success making money from it. Advertisers are spending lots of money to put ads on your computer screen, and often they don’t understand exactly who they’re doing business with or how their online advertising is going to work. Unethical hackers also frequently take advantage of advertising networks, using tricks to put ads in front of users’ eyes in such a way that they get paid for it. Worst of all are the advertisers who don’t care how they advertise, like the makers of certain junk Mac utility apps which are often promoted through adware.

What should I do in the meantime?

Avoiding adware is quite easy, if you’re careful about what you download.

  • Have us install our HealthCheck program
  • Never download anything from any third-party download site, because there may be an adware payload.
  • Avoid “impulse downloads” - don’t download some cool-sounding app without doing a little research first.
  • Only download apps directly from the developer’s site - do not click on the "Install Flash" pop-up!
  • Never engage in software or media piracy.
  • Some torrents may be used for legitimate purposes, but I recommend avoiding torrents in general, since their primary use these days is piracy.
  • Don’t go to questionable video streaming sites – get your video fix only from legit sources, such as iTunes, Amazon, Netflix, Hulu or the websites of the various TV networks and movie studios.
  • Read the license agreement in any installer you run, and pay close attention to any mention of special offers. Even if there’s a check box to allow you to opt out of a special offer, quit the installer immediately and throw it away; such check boxes are not always respected, and you may get the adware or other junk software installed regardless of what the check box says.

Installing anti-virus software won’t help as it doesn’t detect most adware, and if it does, it won’t be able to properly remove it. I’ve seen plenty of people who have gotten adware despite having anti-virus software installed, and I’ve also seen plenty of people whose anti-virus software completely failed to remove the adware. In fact, in at least one recent case, the anti-virus software screwed up the removal so badly that the Mac wasn’t able to start up any longer.
Say Goodbye to Malware!

Malware, malware, malware. With every link you click the potential for trouble exists: MacKeeper, Shoppy, Advanced Mac Cleaner, MegaBackup, ZipCloud …

None of these programs do you any good, and in most cases they get in the way of your Mac's performance. How do they get on your computer? We don’t know the definitive answer - you may have asked to have MacKeeper installed under the impression that it does help. In most instances, though, they enter your world via some pop-up from the Internet such as “Your Flash Player is out of date - click here to update now”. It looks real but you’ve no way to tell - so DON’T click on it.

Though these pests are good for our business, they’re bad for you. To help combat this irritant we’ve rolled out CapMac Health Care. This is a piece of software we install on your computer that will alert us if you have malware. At the same time we’ll install a program, Malwarebytes, that will clean up any nefarious programs that might have been installed. Cost to do this? The install is free, and it's only $5/month to have us alert you if an issue is found. For business customers there’s a $20 monthly minimum for up to 4 computers and $5.00/month for each additional computer.

Our Health Care program also checks the following:

• Hard Drive Space
• Hard Drive Errors
• RAM issues
• Time Machine failures
• Missing Hardware
• Failing Batteries
• RAID issues
• and a whole lot more

To date, the software runs more than 75 checks on your Mac. Find out before it’s too late that your hard drive is failing, you need more RAM or you haven’t backed up to Time Machine in awhile.

I WANT IT! How do I get it? For individuals, bring your computer in and we’ll install CapMac Health Care and Malwarebytes; it's a same-day installation. For business customers, give us a call or drop Dave an email and we’ll schedule a time to install CapMac Health Care. Your first 30 days are free; if you stay with the program, we’ll bill you at an annual rate after the free trial period.

Privacy & other fine print
• CapMac Health Care does NOT have access to personal information such as files stored on your computer’s hard drive(s).
• CapMac Health Care operates 24/7/365 – alerts will be sent to Capitol Macintosh 24/7/365 but will only be acted upon during normal business hours.
• CapMac Health Care offers no guarantees as to anticipation of or limiting liability of computer downtime. CapMac Health Care should be considered an extra tool in the IT toolbox to assist the client and Capitol Macintosh in providing improved, proactive service and response.

Adware

Adware is a rapidly-growing menace on the Mac. Adware programs are multiplying like the proverbial rabbits. Worse, most of them aren’t detected in any way by any anti-virus software, including Apple’s built-in anti-malware protection. Even when one is detected by anti-virus software, allowing that software to remove the detected files often won’t fully remove the adware.

The best way to avoid adware is to pay close attention to what you’re downloading. Adware typically comes attached to (or in place of) junk software offered by bad sites, or sometimes a bad site will wrap legitimate software in an adware installer. Obviously, you need to avoid such untrustworthy downloads.

However, there is one thing that adware almost always does that will help you identify it: present a license agreement! License agreements are often displayed by installers, requiring the user to click an “Agree” button or something similar, and people typically just click whatever button they need to to make this go away and get on with the installation. Don’t do that! Get in the habit of at least skimming those license agreements, and if you’re being asked for permission to install something other than the software you intended to download, quit the installer and trash it.

If you think you might be infected with some kind of adware bring your computer in and we’ll thoroughly check it out.

No, No, NO Don't Call!

Please help your fellow Mac users and forward this message to anyone you know who has an Apple computer. Every day, a computer comes in that has allegedly been infected with all kinds of "bad" stuff.

Though your warning may look different than the above image, the modus operandi is exactly the same:

• stubborn pop-ups that make it almost impossible to close the browser

• urgent warning to call a toll-free number

• a screen “showing” all types of “infections” on your computer

Do NOT call the number provided! The very people you're calling, the ones who want your money, are the people who caused the problem to begin with. (Unless you’ve requested help, Apple will NEVER call you.)

We’ve written about this issue several times, posted on Facebook, Tweeted, but folks come in every day that did call the number and did pay an exorbitant fee to have the “problem” fixed.

If you see the pop-up message (it takes many different forms), don’t worry: your computer has not been infected and your data has NOT been breached. In some cases you can close the pages normally, but other times you can’t. That’s because these crooks use JavaScript code to push a new alert window so quickly after you’ve clicked ‘OK’ that you cannot exit normally by closing the window or tab.

For the people who do give remote control of their computer, the “technician” will run a scan in the Terminal or perhaps show the Console logs and flag anything in there as a virus or severe infection. Typically they also install malware programs, causing you further pain. Yes, the people you’re calling AND paying money - we’ve heard from $200 to $1000 - are the very crooks causing the problem. Get your money back!

If you need help getting rid of the installed malware - bring the computer to us. It’ll cost less than what the crooks want.

One more thing: many of the programs that claim to prevent malware and other issues actually cause them. Currently your Apple does NOT need any third-party help. We'll let you know when you should worry.