Security Expert Fools, Records Fake Antivirus Scammers

Published: 22/11/2024   Category: security



Phony AV scammers posing as Microsoft dialed the wrong number when they inadvertently phoned a security researcher at home -- who exposed their obvious lack of technical know-how



Fake antivirus scammers recently got more than they bargained for when they unknowingly dialed the home number of a Sourcefire security researcher who then lured them to an impromptu honeypot and recorded their activity on his machine.
Noah Magram, principal software engineer with Sourcefire, says it was about dinner time -- also known as telemarketing time -- last week when he decided to answer what appeared to be a local call according to his caller ID. Magram says it was his local area code in Oregon and "Borders" showing up on caller ID that tempted him to pick up.
The caller said he was from Microsoft and that Magram's computer had been sending multiple error messages to the software company. "He said they thought I had some viruses and malware," recalls Magram, who immediately knew it was a scam. "It was surreal."
"I was curious. I wanted to see if they would send me to any websites or get me to download any malware, something that we could analyze. I was really curious about what their script was," Magram says.
Fake antivirus and security software scams are rampant, and typically occur via drive-by Web-borne infections: a user visits a compromised site and then sees a pop-up message claiming that his or her machine is infected. The attacker then locks the machine down and attempts to extort a subscription fee out of the victim to get it back in working order. Most recently, Websense detected a massive rogue AV scam that targeted more than 200,000 Web pages and 30,000 different websites.
Others, like the one Magram stumbled on, are more direct social-engineering scams, conducted by phone or email.
Patrik Runald, research director at Websense Security Labs, says Websense doesn't see as many of these social-engineering-based attacks, which mostly go after home users. "My mom and some of my friends did receive a similar phone AV scam and reported it to me," Runald says. "It's really a continuation of the fake/rogue AV scams that get delivered to users' PCs via drive-bys or social engineering. The people operating those scams already have call centers to receive support calls from their customers, so the step to make outbound calls isn't much of a reach."
[ Actors looking to monetize malware infections are continuing to invest in developing increasingly convincing fake software in order to maintain their cover. See "Scareware Is Evolving." ]
Magram says the agent on the other end of the line did not appear to be technically adept and didn't stray much from his script. Magram played along from the comfort of his living room couch, pretending to be pulling up the event viewer on his Windows machine. "I said I saw a couple of warnings and errors in my event viewer, and he said, 'That's malware,'" Magram says. Then, without any introduction or warning, a new agent came on the phone and basically picked up where the first agent left off. He urged Magram to install a remote administration tool so the agent could get a closer look at the problem.
So after 30 minutes of dragging out the call, Magram decided that this rare, firsthand look at a fake AV and security software scam was too good not to study up close and record. He started up a VMware virtual machine on his Windows PC. "I realized I could give them an environment to bang around in," Magram says. At the urging of the scammers, he installed LogMeIn, a legitimate remote access tool, and Victor, the technician, was then inside the machine. Magram recorded every click the scammers made.
At first, Victor tried to remotely bring up a website with information on the subscription options, but apparently fat-fingered the browser button, and the Web page for another legitimate RAT product, ShowMyPC.com, appeared instead. He eventually got the company's Web page to load, and the agent carefully explained to Magram the various services and subscriptions they offer.
Interestingly and suspiciously, they were no longer pretending to be Microsoft at that point. The website was not Microsoft's. "Their story had changed because initially they said they were calling from Microsoft," Magram says.
Taking The Bait
Magram finally agreed to a one-year subscription for a one-time $50 fee, and they pushed him to a Web page using a legitimate card-processing service. He typed in a test number, which rejected the transaction.
Then Victor systematically began disabling all Windows services right there on the screen for all to see, while the agent on the voice call told Magram he would need to renew his subscription, noting that the machine was so compromised that they couldn't be held responsible for what happened next.
"I asked the agent why they were disabling those things, and he said they are a list of malware. But they were obviously a list of standard Windows services," Magram says.
Victor continued the destruction, ultimately disabling VMware as well. "I even asked what VM services are ... he insists they are malware," Magram recalls.
The scammers didn't give up easily, either. Even with the rejected credit card and no payment on the table yet from their mark, Victor rebooted the machine into Safe Mode while the agent on the line warned that there was so much malware on the machine that they wouldn't be responsible for what happened next. Magram knew that Victor's actions would disable the system altogether after a reboot, but the scammers apparently were making one last-ditch effort to get him to cough up some cash.
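As an added defensive example (not from the article or Sourcefire), the following PowerShell snapshots service start types into a baseline, diffs the live configuration against it, and pulls the Service Control Manager's Event ID 7040 entries, which Windows writes whenever a service start type changes, so the kind of mass disabling recorded on Magram's VM leaves a trail. The baseline path and the alert threshold are assumptions.

```powershell
# Added example: detect mass service disabling like that seen in the recorded call.
# Assumption: baseline is stored under ProgramData; adjust for your environment.
$BaselinePath = Join-Path $env:ProgramData 'service-baseline.json'

# Capture Name/StartType for every service (StartType stored as a string so the
# JSON round-trip compares cleanly; ConvertTo-Json would otherwise emit enum ints).
function Save-ServiceBaseline {
    Get-Service |
        Select-Object Name, @{ n = 'StartType'; e = { $_.StartType.ToString() } } |
        ConvertTo-Json | Set-Content -Path $BaselinePath
}

# Emit one object per service whose StartType differs from the baseline.
function Compare-ServiceBaseline {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $lookup = @{}
    foreach ($b in $baseline) { $lookup[$b.Name] = $b.StartType }
    foreach ($svc in Get-Service) {
        $now = $svc.StartType.ToString()
        if ($lookup.ContainsKey($svc.Name) -and $lookup[$svc.Name] -ne $now) {
            [pscustomobject]@{ Name = $svc.Name; Was = $lookup[$svc.Name]; Now = $now }
        }
    }
}

# Event ID 7040 in the System log: "The start type of the X service was changed
# from <old> to <new>". Each change Victor made would produce one of these.
function Get-RecentStartTypeChanges {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage: run Save-ServiceBaseline once on a known-good machine, then periodically:
$changed = @(Compare-ServiceBaseline)
$disabled = @($changed | Where-Object { $_.Now -eq 'Disabled' })
if ($disabled.Count -ge 5) {   # threshold is an assumption; tune to your fleet
    Write-Warning "$($disabled.Count) services newly set to Disabled:"
    $disabled | Format-Table -AutoSize
    Get-RecentStartTypeChanges | Format-Table -AutoSize -Wrap
}
```

A legitimate admin rarely flips five or more services to Disabled in one sitting, so a burst of 7040 events in a short window is a useful triage signal even without the baseline.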
He finally admitted to the scammers that they were on a VM, and he was a security expert who had been stringing them along. They quickly hung up.
Magram says he was surprised how low-tech the scammers actually were. Not only were they blatant about disabling the Windows services, but they also didn't realize they were trapped inside a VM, even when the VMware services appeared on the screen. "I had always wondered what their capabilities are in these scams," he says. "But I was shocked how clueless and clumsy they were. They are placing thousands of these calls, and they are not sophisticated."
"And they didn't install any malware. I thought that would be the first thing they would have done. I assume that when they 'fixed' the machine they would install the malware," he says.
Their approach was "so stone age," he says, using legitimate RAT tools and an unprofessional and shaky script by the caller. Even so, it's a social-engineering scam, and those are the hardest to defend against, he says. The only real defense is educating users about these types of scams.
And catching the culprits behind it is unlikely. Magram was able to root out that their company's physical address, if legit, was in Utah, and that's about it. "It's doubtful they are set up in the U.S.," he says.
Magram said, overall, the experience was interesting and kind of fun. "My wife was cracking up [in the background] and first couldn't figure out why I was talking to a telemarketer," he says.
"This is not something you'd expect as a software engineering [pro] at a security firm, to have somebody call you who wants to own your box, and it falls in your lap," he says.
Websense's Runald says he has scammed a few scammers in his day as well. "It's always interesting to turn the table on scammers. I've played along with the bad guys when it comes to job scams and other social-engineering tricks, and as soon as they figure out you know more than most, they just stop communicating, just like what happened to Noah," Runald says.
Meanwhile, Magram has now posted a video of the scam online, which can be viewed here.
