Windows security: New BSOD scam emerges from fake tech-support swamp

Scam uploads shot of victim's screen and tries to sell 'Windows Defender Essentials' for $25 via PayPal.
Written by Liam Tung, Contributing Writer


Tech-support scammers are using fake blue screen of death (BSOD) messages and a bogus 'Troubleshooter for Windows' application to dupe victims into paying $25 for security software they don't need.

In this case, the scammers are attempting to sell a supposed Microsoft security product called 'Windows Defender Essentials'. The scam combines the names of two real anti-malware applications from Microsoft: Windows Defender and Security Essentials.

According to Malwarebytes researcher Pieter Arntz, the Troubleshooter app is being distributed through a cracked software installer.

Rather than troubleshooting, the application displays a false message that "Windows has encountered an unexpected error" and claims the computer is "missing .dll registry files resulting in computer failure". It urges victims to "Click Next" to diagnose and troubleshoot the problem.

Clicking Next presents a screen with a list of contrived problems and a claim that the troubleshooter couldn't fix them, followed by a "Recommended" link to "Buy Windows Defender Essentials". Choosing this option leads victims to a page encouraging them to send $25 to the scammer's PayPal account.

As BleepingComputer notes, the false information is enabled by a number of executables that are downloaded if the cracked installer is run. These executables include BSOD.exe for the fake BSOD warning, and Troubleshoot.exe, the fake troubleshooting tool.

Curiously, a third executable, Scshtrv.exe, uploads a screenshot of the victim's current screen. Another, adwizz.exe, displays unwanted ads.

The use of a screenshot and the absence of any attempt to convince victims to call a hotline show some innovation on the part of scammers, given that most scams today still rely on staff in call centers.

Hotline scams are also evolving. Microsoft warned last week that a new tech-support scam operation has embedded click-to-call functionality in a website, allowing scammers to do away with scary security alerts and simply encourage victims to click the number presented.

The Troubleshooter scam relies on traditional scare tactics and a browser-based screen locker that goes away once $25 is paid to the PayPal account.

BleepingComputer notes that there is a simple way to "trick" the program into unlocking itself. Once the victim reaches the PayPal purchase screen, they can press Ctrl+O to open a dialog box and enter the address http://hitechnovation.com/thankyou.txt, which makes the program think the victim has paid. It then shuts down.
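The components described above (the dropped BSOD.exe, Troubleshoot.exe, Scshtrv.exe and adwizz.exe) and the thankyou.txt address the locker uses as its "paid" signal are all indicators a defender can watch for. The following is an added example, not code from the article, Malwarebytes or BleepingComputer: it runs a small detection over constructed endpoint events (process launches and outbound HTTP requests). The event format, host names and file paths are assumptions made for illustration; only the executable names and the URL come from the article.

```python
"""Added example: flag the indicators named in the article in constructed
endpoint telemetry. Event line format (an assumption for this example):
    <type> key=value key=value ...
where <type> is "process" (key: image) or "http" (key: url).
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Indicators taken from the article. File names are compared case-insensitively
# on the basename only, so the drop directory does not matter.
DROPPED_EXECUTABLES = {"bsod.exe", "troubleshoot.exe", "scshtrv.exe", "adwizz.exe"}
# The locker treats a successful fetch of this address as proof of payment; a
# request for it therefore indicates an infected host whether the locker made
# it or the victim applied the Ctrl+O workaround.
PAYMENT_CHECK_HOST = "hitechnovation.com"
PAYMENT_CHECK_PATH = "/thankyou.txt"

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample telemetry (not real logs). Backslashes are doubled because
# this is a normal, non-raw string literal.
SAMPLE_EVENTS = """
process host=WS01 user=alice image=C:\\Users\\alice\\Downloads\\setup_crack.exe
process host=WS01 user=alice image=C:\\Users\\alice\\AppData\\Local\\Temp\\BSOD.exe
process host=WS01 user=alice image=C:\\Users\\alice\\AppData\\Local\\Temp\\Troubleshoot.exe
process host=WS02 user=bob image=C:\\Windows\\System32\\notepad.exe
http host=WS01 user=alice url=http://hitechnovation.com/thankyou.txt
http host=WS02 user=bob url=https://www.paypal.com/checkout
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a dict; the leading word becomes 'type'."""
    kind, _, rest = line.strip().partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["type"] = kind
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_payment_check(url: str) -> bool:
    """True when the URL is exactly the locker's 'paid' address."""
    parsed = urlparse(url)
    return parsed.hostname == PAYMENT_CHECK_HOST and parsed.path == PAYMENT_CHECK_PATH


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per event that matches an indicator from the article."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["type"] == "process":
            name = basename(ev.get("image", ""))
            if name in DROPPED_EXECUTABLES:
                hits.append({"host": ev.get("host", ""), "indicator": name,
                             "reason": "known Troubleshooter scam executable launched"})
        elif ev["type"] == "http":
            url = ev.get("url", "")
            if is_payment_check(url):
                hits.append({"host": ev.get("host", ""),
                             "indicator": PAYMENT_CHECK_HOST + PAYMENT_CHECK_PATH,
                             "reason": "screen locker payment-check URL requested"})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{hit['host']}: {hit['indicator']} ({hit['reason']})")
```

Run as-is it reports three hits, all on WS01: the two dropped executables that were launched and the thankyou.txt request; the cracked installer itself and ordinary browsing on WS02 produce nothing. Matching the URL by parsed host and path rather than by substring avoids false positives on unrelated addresses that merely contain the domain name.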

Malwarebytes has provided removal instructions.

Image caption: You can trick this screen locker into unlocking itself. (Image: Malwarebytes)

Previous and related coverage

Microsoft warns: Bogus Apple, Windows tech support sites open your phone app

Tech-support scam sites now contain click-to-call to "help" victims more easily contact their sham hotlines.

Microsoft: Beware this fake Windows BSOD from tech support scammers' malware

Microsoft is warning Windows users over a fake Microsoft security product that locks an infected computer and tries to trick victims into calling a support hotline.

Government cracks down on tech support scam [CNET]

The scams tricked people into thinking they had viruses and malware, and charged them for unnecessary repairs.

IoT security: Keeping users on their toes means staying on yours [Tech Pro Research]

IoT has introduced new vulnerabilities that can put your network at risk. Providing users with ongoing security training, with examples that relate to their work, will help keep your data safe.
