
Fake tech support spiders on the world wide web

Fake tech support should be incorporated into security awareness training as it can be a highly effective way to trick employees into granting access to enterprise computer systems

Cyber criminals are always innovating: improving their malware products and “leaning out their processes” to find new ways to take money from unsuspecting users.

To protect against cyber crime, data breaches, and botnets, we train our users to avoid social engineering, phishing, and questionable online content.

For example, many of us are familiar with the cold calls purporting to be from Microsoft, Norton, or some other reputable IT company, telling users that they can see that their computers are infected and they need to go to a uniform resource locator (URL) to get their computer fixed.

These fraudsters make money by infecting, pretending to disinfect, and stealing data from the victims. We also educate users to spot phishing emails by looking for unsolicited attachments, improper grammar, etc.

However, there is another method in use today that circumvents this security education – fake tech support. These malefactors set up sites that look legitimate by stealing trademarked logos from IT suppliers, and by promoting their sites above the actual supplier support sites in search results.

Consider the following incident: a user is having trouble installing printer software. She searches for “brand printer support” (where brand is a popular printer manufacturer), and clicks on the top listed ad, which is deceptively named. Browsing through the fake site looking for information, she clicks on the live chat function. The operator suggests a phone call to troubleshoot.

After a few unsuccessful minutes on the phone, the operator asks her to go to a website to allow him remote access to install the driver. Since this is a normal procedure when she calls the help desk at her office, she assumes it must be fine when talking to supplier support.


After a few minutes of remote access, the technician has fixed the printer issue, but then tells her that her machine is infected. The operator shows her what he claims are event logs with errors.

He runs “netstat -a” in a command prompt to show her that her PC is connected to botnets. For a mere $300 extra, he can fix this. The user realises at this point that she has been pwned, and declines the offer. The perpetrator, knowing that he will not make a sale, vindictively launches a script to delete all her data files.

What is remarkable about this technique is that it:

  • Does not rely on cold calls
  • Does not rely on phishing
  • Is not addressed in most security training
  • Results in giving the fraudster complete access to the PC, bypassing all security tools

After setting up the fake site and boosting it above legitimate sites in search results, the attacker, like a spider in a web, sits and waits for a victim to come to him. Upon forensic examination, it was learned that the user was logged in as administrator on the PC. The attacker’s script created another admin account, demoted her admin user account, then disabled Windows Defender and other security programs.

The event log displayed to the user was a fake image, but the real event logs were empty. No sensitive data was lost, but time and productivity were lost in flattening, formatting and reloading Windows, applications and data.
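The forensic findings above (a second admin account created, the victim’s account demoted, Defender switched off, all during one remote session) form a sequence a SIEM can look for even when the attacker wipes the local log afterwards, provided the events are forwarded off the machine first. The following is an added example, not code from the article: it runs that correlation over constructed Windows event records. The event IDs (4720, 4732, 4733 in the Security log; 5001 in the Windows Defender operational log) are real; the account names, timestamps and field layout are constructed for the example.

```python
from datetime import datetime, timedelta

# Windows event IDs used as building blocks. The IDs are real; the sample
# records below are constructed for this example.
ACCOUNT_CREATED = 4720           # Security log: a user account was created
ADDED_TO_LOCAL_GROUP = 4732      # Security log: member added to a security-enabled local group
REMOVED_FROM_LOCAL_GROUP = 4733  # Security log: member removed from a security-enabled local group
DEFENDER_RTP_DISABLED = 5001     # Windows Defender/Operational: real-time protection disabled

ADMIN_GROUP = "Administrators"
WINDOW = timedelta(minutes=30)   # how long after account creation to look for follow-on steps


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample records, in the shape a log collector would hand to a rule.
SAMPLE_EVENTS = [
    # Benign: IT creates a new-hire account and puts it in a non-admin group.
    {"time": ts("2024-05-01 09:00:00"), "id": ACCOUNT_CREATED, "subject": "it-admin", "target": "newhire"},
    {"time": ts("2024-05-01 09:00:20"), "id": ADDED_TO_LOCAL_GROUP, "subject": "it-admin",
     "member": "newhire", "group": "Remote Desktop Users"},
    # Suspicious: during the victim's own session a second admin appears,
    # she is demoted, and Defender real-time protection goes off.
    {"time": ts("2024-05-02 14:10:00"), "id": ACCOUNT_CREATED, "subject": "jsmith", "target": "support_tmp"},
    {"time": ts("2024-05-02 14:10:30"), "id": ADDED_TO_LOCAL_GROUP, "subject": "jsmith",
     "member": "support_tmp", "group": ADMIN_GROUP},
    {"time": ts("2024-05-02 14:11:05"), "id": REMOVED_FROM_LOCAL_GROUP, "subject": "support_tmp",
     "member": "jsmith", "group": ADMIN_GROUP},
    {"time": ts("2024-05-02 14:12:40"), "id": DEFENDER_RTP_DISABLED, "subject": "support_tmp"},
]


def find_takeover_sequences(events, window=WINDOW):
    """Anchor on each account-creation event and look, within `window`, for the
    follow-on steps seen in the incident: the new account joining Administrators,
    some other account leaving Administrators, and Defender real-time protection
    being switched off. An alert needs the admin add plus at least one more step,
    so a routine new-hire account on its own does not fire."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for anchor in events:
        if anchor["id"] != ACCOUNT_CREATED:
            continue
        new_acct = anchor["target"]
        deadline = anchor["time"] + window
        indicators = []
        for e in events:
            if not (anchor["time"] <= e["time"] <= deadline):
                continue
            if (e["id"] == ADDED_TO_LOCAL_GROUP and e.get("group") == ADMIN_GROUP
                    and e.get("member") == new_acct):
                indicators.append("new_account_made_admin")
            elif (e["id"] == REMOVED_FROM_LOCAL_GROUP and e.get("group") == ADMIN_GROUP
                    and e.get("member") != new_acct):
                indicators.append("existing_admin_demoted")
            elif e["id"] == DEFENDER_RTP_DISABLED:
                indicators.append("defender_rtp_disabled")
        if "new_account_made_admin" in indicators and len(indicators) >= 2:
            alerts.append({"account": new_acct, "created_by": anchor["subject"],
                           "first_seen": anchor["time"], "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for a in find_takeover_sequences(SAMPLE_EVENTS):
        print(f"ALERT {a['first_seen']}: account {a['account']} created by "
              f"{a['created_by']}; {', '.join(a['indicators'])}")
```

The rule keys on the victim’s own account being the one that creates the new admin, which is exactly what a remote-support session looks like: the attacker never authenticates as himself, so a rule that only watches for logons from unknown users would miss it.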

Call the internal help desk first

Though this attack technique is less common than phishing, organisations must incorporate this scenario into their security training for users. Users should always call the internal help desk first. In small to medium-sized businesses, where support may be outsourced or users may be expected to handle their own technical issues, they should connect directly to supplier sites rather than searching for them.

If searching is necessary, users need to know how to discern real supplier support from the nefarious spiders hiding out under deceptive URLs using stolen logos and fonts. Scrutinising site names, checking for Hypertext Transfer Protocol Secure (HTTPS), and even looking for certificate problems in the browser may help keep users away from bad domains.

On the enterprise side, administrators can use URL filtering on proxies and firewalls to remove malicious links from results and stop users from reaching known bad sites. The remote desktop protocol (RDP) and application sharing protocols should be blocked at the perimeter. Much application sharing happens over HTTPS though, so web application firewalls are needed to constrain traffic to whitelisted domains and shut down malicious sessions.
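The two previous paragraphs describe the same check from both ends: users scrutinising the site name and HTTPS, and proxies constraining traffic to whitelisted domains. The following is an added example, not code from the article or from any proxy product: it shows how an allowlist check for supplier support sites should match hostnames, and why a naive “does the brand name appear in the URL” test fails against the look-alike tricks the article describes. The domain `example-printers.com` is a placeholder standing in for a real manufacturer, and every URL in the list is constructed. Certificate validation needs a live connection and is deliberately out of scope here.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains a genuine supplier uses.
# "example-printers.com" is a placeholder, not a real manufacturer.
APPROVED_SUPPORT_DOMAINS = {"example-printers.com"}


def host_matches(host, domain):
    """True when host is the approved domain itself or a subdomain of it.
    Matching on label boundaries matters: a plain substring test would accept
    'example-printers.com.evil.test' and 'notexample-printers.com'."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def check_support_url(url, approved=APPROVED_SUPPORT_DOMAINS):
    """Return (allowed, reason). Requires https and a host under an approved
    supplier domain. urlsplit().hostname strips any user@ prefix and port, so
    'https://support.example-printers.com@evil.test/' resolves to evil.test."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    for domain in approved:
        if host_matches(host, domain):
            return True, f"host {host} is under approved domain {domain}"
    return False, f"host {host} is not under an approved supplier domain"


# Constructed URLs covering the look-alike tricks described in the article.
EXAMPLES = [
    "https://support.example-printers.com/drivers",         # genuine subdomain
    "https://example-printers.com",                         # genuine apex domain
    "http://support.example-printers.com/drivers",          # right host, no TLS
    "https://example-printers.com.support-helpdesk.test/",  # real name as a subdomain of someone else's domain
    "https://example-printers-support.test/chat",           # brand name with an added word
    "https://support.example-printers.com@evil.test/",      # userinfo trick: the real host is evil.test
    "https://exarnple-printers.com/",                       # 'rn' standing in for 'm'
]


def classify_examples(urls=EXAMPLES):
    """Run the check over the sample URLs; returns a list of (url, allowed, reason)."""
    return [(u, *check_support_url(u)) for u in urls]


if __name__ == "__main__":
    for url, allowed, reason in classify_examples():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {url}  ({reason})")
```

Only the first two URLs pass. The same label-boundary rule is what a proxy or firewall allowlist should implement; when a product offers a “contains” match as well as a “domain” match, the former is the one that lets the spider’s site through.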

Internet search providers can improve web hygiene by performing real-time threat analysis on search results and quarantining bad links, particularly for sites that are prone to faking and click-jacking. It is especially important for search providers to ensure that the sites whose operators have paid for elevated positioning are clean.
