You’ve probably heard about tech support scams and ransomware attacks separately, but there’s a new breed of malware that includes elements of both. The latest breed of support scam substitutes a human “support rep” for a ransomware bitcoin payment. The current examples don’t seem to employ encryption, but they might be just as effective at extracting money from victims thanks to the seemingly helpful person on the other end of the phone.
As with many malware attacks, the new tech support ransom scams start with the unsuspecting victim downloading the software from a phony Adobe update link or compromised ad. Once installed, the malware automatically starts and runs at each startup, taking over the entire screen with a fake tech support warning. Unlike some similar attacks in the past, these are not simply full-screen browser windows that can be easily dismissed.
While it’s possible for an advanced user to get rid of the malware, less well-versed victims may be fooled by the pop-up. Many of them do look like real Windows system alerts. The malware informs the user that something has gone wrong; usually it’s an expired license or system corruption. The only fix offered is to contact support at an 800 number and get a “new license key,” which security firm Malwarebytes did while investigating this new form of malware. The technician on the other end informed the researchers that a built-in TeamViewer feature could be launched by pressing Ctrl + Shift + T.
Getting the TeamViewer window up was as far as Malwarebytes could get the remote tech to go without paying. The going rate for entering the unlock code is $250. I suppose that’s a bargain compared with a lot of ransomware attacks that ask several times more to decrypt your files. Malwarebytes also reports it may be possible to disable the software yourself by pressing Ctrl + Shift + S or entering one of several default keys.
This is a clever twist on the classic cold calling support scam, which a lot of consumers have learned to avoid. With those scams, your PC seems to be running fine, but someone is telling you something’s busted and you need to pay to fix it. A random person calling you out of the blue asking for money is much more suspicious than your broken computer telling you to call someone. Of course, they won’t tell you they’re the ones who broke it. Malwarebytes now identifies and blocks this particular software, but more variants are sure to appear.