Tech support scammers are using this new trick to bypass security software

Attackers demanding money to rid your system of a false 'problem' are learning from cyber espionage groups
Written by Danny Palmer, Senior Writer

Tech support scammers are deploying a new tactic to avoid detection by anti-virus software in order to con money out of users around the world.

Detailed by researchers at Symantec, the techniques used in the newly discovered campaign are similar to those deployed by advanced hacking and espionage groups, allowing attackers to prevent their activity being detected as malicious.

Tech support scams commonly begin when an unsuspecting user visits a malicious website -- either by choice, or after being redirected by malvertising.

There are many groups who operate in this area of cybercrime, but the basic tactic remains the same: the user is told that their PC is infected with malware and it needs to be fixed, or they're told that their computer has been blocked by law enforcement.

In both cases, the user is told they need to hand over a payment to 'fix' a problem.

The scheme detailed by Symantec falls into the latter category and targeted Italian users during November. The message claims to be from the Ministero Della Difesa -- the Italian Ministry of Defence -- and tells users that their computer has been blocked due to "display and dissemination of materials prohibited by Italian law".

This is an old trick used by cyber criminals, but it works: by convincing users they've done something wrong, criminals are more likely to shame the victim into following instructions.

Image: This scam claims to be a message from the Italian Ministry of Defence. (Credit: Symantec)

In this instance, the crooks hope to get their victims to pay an 'administrative penalty' of 500 Euros using an iTunes gift card. The government would never ask for payment in the form of a gift card, of course, but the attackers are relying on fear -- and the desire of the user to get their computer back -- to make them pay.

But this particular scam is different to others, with researchers observing large chunks of obfuscated content in the source code. Examination of this shows that only a small number of these strings are used in the tech support scams, with layers of content hidden behind AES encryption. Studying the code also revealed a second layer of AES obfuscation.

Code obfuscation is known to be used in these scams, but the use of multiple-level encoding is not common. But by employing this method, the attackers can trick many forms of security software into not spotting the malicious activity, therefore enabling the scam to strike users.
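A defender-side triage heuristic for the pattern described above (an inline script that is mostly opaque encoded data, plus an AES decrypt call), given here as an added example that is not from Symantec's analysis or this article. The thresholds, the marker list and both sample pages are assumptions constructed for illustration; the check only sees the outer layer and is a prioritisation signal rather than a verdict, since obfuscation and AES also have legitimate uses.

```python
import base64
import hashlib
import math
import re
from collections import Counter

MIN_LEN = 200           # assumed: ignore literals shorter than this
MIN_ENTROPY = 3.5       # assumed: bits/char; random hex is ~4, base64 ~6
MIN_OPAQUE_SHARE = 0.5  # assumed: fraction of inline script that is opaque data
# Assumed markers for in-browser AES; the article does not name the library used.
DECRYPT_MARKERS = ("CryptoJS.AES.decrypt", "crypto.subtle.decrypt")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
LITERAL_RE = re.compile(r"([\"'])([A-Za-z0-9+/=_-]{%d,})\1" % MIN_LEN)

def shannon_entropy(s):
    """Bits per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def triage(html):
    """Score inline scripts for 'mostly encoded data plus a decrypt call'."""
    script_text = "".join(SCRIPT_RE.findall(html))
    opaque = [m.group(2) for m in LITERAL_RE.finditer(script_text)
              if shannon_entropy(m.group(2)) >= MIN_ENTROPY]
    share = sum(map(len, opaque)) / len(script_text) if script_text else 0.0
    markers = [m for m in DECRYPT_MARKERS if m in script_text]
    return {"opaque_literals": len(opaque), "opaque_share": round(share, 2),
            "decrypt_markers": markers,
            "suspicious": share >= MIN_OPAQUE_SHARE and bool(markers)}

def _blob(n_bytes):
    """Constructed stand-in for ciphertext: deterministic pseudo-random base64."""
    out, block = b"", b"seed"
    while len(out) < n_bytes:
        block = hashlib.sha256(block).digest()
        out += block
    return base64.b64encode(out[:n_bytes]).decode()

# Constructed samples, not taken from the campaign Symantec analysed.
SAMPLE_OBFUSCATED = ('<html><script>var k="%s";var d="%s";'
                     'var p=CryptoJS.AES.decrypt(d,k);</script></html>'
                     % (_blob(30), _blob(1200)))
SAMPLE_BENIGN = ('<html><script src="app.js"></script><script>var msg="Welcome";'
                 'crypto.subtle.decrypt(alg, key, data);</script></html>')

if __name__ == "__main__":
    for name in ("SAMPLE_OBFUSCATED", "SAMPLE_BENIGN"):
        print(name, triage(globals()[name]))
```

The benign sample shows why the decrypt marker alone is not enough: a page can call a decryption API without shipping its logic as an encoded blob.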

Symantec describes this kind of attack technique as 'living off the land', whereby attackers exploit legitimate features in systems to hide malicious activity. In and of itself, obfuscation isn't malicious, but it can be used for malicious purposes.

"There are many open source tools to obfuscate code as developers don't want their code to be seen by the users of their software. Similar is the case with encryption algorithms like AES. Such algorithms have wide usage and implementations in the field of data security," said Siddhesh Chandrayan, threat analysis engineer at Symantec.

"Both these mechanisms, by themselves, may not generate an alarm as they are legitimate tools. However, as outlined in the blog, scammers are now using these mechanisms to show fake alerts to the victims. Thus, scammers are 'living off the land' by using 'inherently non-malicious' technology in a malicious way," he added.

Tech support scams are a common form of cyber attack; Symantec says it detected and blocked more than 37 million between July and October 2018 alone. Scammers target victims around the world, with Symantec's telemetry suggesting that the United States is the most targeted.

While the techniques behind the attacks are getting increasingly complex, users can go a long way to protecting themselves by being careful while using the web -- especially when it comes to pop-ups on unfamiliar websites. Users should also be aware that government agencies and the police won't ask them for payment -- especially in iTunes gift cards or cryptocurrency.