Tech

Tech support scammers take tips from ransomware to make you pay up

They're getting serious by locking your system before demanding a fee.

Written by Charlie Osborne, Contributing Writer May 17, 2016 at 3:30 a.m. PT

Tech support scams are commonplace. You receive a cold call from someone pretending to be from Microsoft, they attempt to convince you that they have "scanned" your computer and there are viruses which need to be removed -- and all they need to do as part of this dedicated customer service is go in there and clean it up for you.

As long as you hand over details of your account and your bank details, of course.

Unfortunately, such scams remain lucrative, especially if some of the older generation or vulnerable people are targeted.

According to researchers from Malwarebytes, however, this is no longer the story -- and now, cyberscammers have taken a tip or two from the rise of ransomware to make their schemes even more profitable.

Tech support scammers have been spotted using fake Blue screens of Death (BSOD) before, but on Tuesday, the security team said in a blog post that lockers are being developed which "tricks users into thinking their Windows license has expired and blocks them from using their computer."

"To be clear, this is not a fake browser pop up that can easily be terminated by killing the application or restarting the PC," Malwarebytes notes. "No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will not get rid of it."

A full criminal ecosystem has grown around such locks, which includes bundling them into the Pay Per Install applications.

In one instance, researcher @TheWack0lian shared a Microsoft Windows-based locker which resembles a true Windows program. Once installed, the malware waits for the user to restart their system before activating during startup.

The malicious code then takes over the desktop -- in the same manner as ransomware -- and displays a fake Windows update screen. Once the "updates" are complete, the user is informed that their license key has expired.

As the screen is now locked, the only way to move any further is to call the "tech support" number posted on the update.

When the researchers called the number, the scammer on the other end of the line would not unlock the system unless a fee of $250 was paid.

Security

The use of lock screens is a disturbing trend and highlights how much more sophisticated scams and malware are becoming over time. It is even more important than ever to keep your system patched and to stay away from any downloads which appear suspicious.

In the case of this particular scam you can use the keyboard combination "Ctrl+Shift and press the S key" to disable the locker, or entering the hardcoded values for the "product key," "h7c9-7c67-jb" or "g6r-qrp6-h2" or "yt-mq-6w" may also work.

"Needless to say this is a worrying trend because in comparison to fake (but mostly harmless) browser alerts, these Windows lockers are a real pain to get rid of and until you do so, your computer is completely unusable," Malwarebytes says.

"This increased sophistication means that people can no simply rely on common sense or avoid the typical cold calls from 'Microsoft'. Now they need to also have their machines protected from these attacks because scammers have already started manufacturing malware tailored for what is essentially plain and simple extortion over the phone."