Technical Support Scams – What to look out for


Authored by Oliver Devane

Technical Support Scams have been targeting computer users for many years. Their goal is to make victims believe they have issues needing to be fixed, and then charge exorbitant fees, which unfortunately some victims pay. This blog post covers a number of example actions, that scammers will go through when they are performing their scams. Our goal is to educate consumers on the signs to look out for, and what to do if they believe they are being scammed.

Advertising – The Lure

For a tech support scammer to reach their victims, they need to first find them (or be found by them). One technique we see includes scammers creating Twitter or other social media accounts that post messages claiming to be from the official technical support site. For example, a Twitter account will post a tweet with the hashtags #McAfee and #McAfeeLogin to drive traffic to the tweet and make victims believe the links are legitimate and safe to click.

Scammers behind tech support scams can create very convincing websites which mimic the official ones.

Some fraudulent websites use the McAfee logo or other company logos to try to trick individuals. They often invite clicking on a ‘LOGIN’ or ‘ACTIVATE’ link with a similar color scheme to official sites to appear legitimate.

These sites may then ask the victim to enter their real username, password, and phone number. Upon entering these details, websites will usually show an error message to make the victim believe there is an issue with their account.


The error message will usually contain a link that upon clicking will load a chat box where the scammers will initiate a conversation with the victim. At this point, the scammers will have the phone number and email address associated with the victim. They will use this to contact them and make them believe they are an official technical support employee.

Gaining Access

The scammer’s next objective is often to gain access to the victim’s computer. They do this so that they can trick the victim into believing there is an issue with their computer and that they need their support services to fix it.

The scammers will do this by either asking the victim to enter a URL that will result in the download of a remote access tool or by providing them with a link in the chat window if they are still speaking to them on the fake support website.

A remote access tool will enable the scammer to take complete control of the victim’s machine. With this, they will be able to remove or install software, access personal data such as documents and cryptocurrency wallets as well as dump passwords from the web browsers so they can then access all the victim’s accounts.

It is vital to not provide remote access to your computer to unknown and unverified individuals, as there could be a big risk to your personal data. Some examples of remote access tools that have legitimate uses but are often used to perpetrate fraud are:

TeamViewer
LogMeIn
AnyDesk
Aweray (Awesun)

Activity once the connection is established

If the scammers are given access to the victim’s machine, they will often use the command interpreter cmd.exe to produce visual activity on the screen. This is done to trick the individual into believing that malicious activity is occurring on their computer or network. Most people will be unfamiliar with cmd.exe and the commands being run, and thus will be none the wiser to the scammer’s actions.

Here are some examples we have seen scammers use:

Title

Changing the title of cmd.exe to ‘network scanner’ or ‘file scanner’ to make the victim believe they are running a security tool on their machine.

Directory enumeration

Scammers will make use of standard commands within cmd.exe to make their victims believe they are performing lots of activity. One of these commands is ‘dir’, which displays all the files in a specific directory. For example, if you have a folder called ‘school work’ containing 2 Word documents, a ‘dir’ listing of that folder will appear like this:

What the scammers will do is combine ‘dir’ with the title change to make you believe they are scanning your machine. Here is an example of running ‘dir’ across all the files on a machine with the cmd.exe title set to ‘File Scanner’:

Tree

A similar command to ‘dir’ called ‘tree’ may also be used. The ‘tree’ command displays directory paths recursively and generates lots of output on the screen:

Tech Support Phone Number

Some scammers will also add their phone number to the taskbar of the victim’s machine. They do this by creating a new folder with the phone number as the name and adding it as a toolbar. This is shown in the image below.

Software Installation

Scammers may install other software on the victim’s machine or make them believe that they have installed additional software which they will then be charged for.

For example, some scammers may add programs to the desktop of victims which have no purpose, but the scammers insist they are legitimate security tools such as firewalls or network scanners.

Some example filenames are:

Firewall security.exe
Network firewall.exe
Network security.exe
Email security.exe
Banking security.exe

Payment

The scammers will usually perform some activity on your machine before asking for payment. This is done to build confidence in their work and make you believe they have done something useful and therefore deserve some sort of payment. Do not be fooled by scammers who have not performed any useful activity. As detailed in the previous sections, be careful not to fall victim to fake social media accounts or websites.

Signs to look out for

This section contains a few signs to look out for which may indicate that you are interacting with a scammer.

Rude/Short

Some scammers will become rude and very short with you if you start questioning what they are doing. They may say that you are not technical and do not understand what is occurring. This would not be the behavior of a legitimate technical support operative.

Leave the computer on

Scammers will encourage you to leave the machine and remote connection on even if you need to go out and leave it unattended. Do not under any circumstances do this as they would then be free to do any activity they wish on your machine and network.

Created files being detected

Some files added to your machine by the scammer may be detected by the AV security software. They may act like this is an error and the file is innocent. If you have initiated a remote connection and the controller creates a file on your machine which is detected by the security software, we recommend ceasing the interaction as detailed below.

What to do

The following steps should be performed if you believe you are being scammed as part of a tech support scam.

Disconnect the machine from the internet

If the machine is connected via a network cable, the easiest way is to unplug it. If the machine is connected via Wi-Fi, there may be a physical switch that can be used to disconnect it. If there is no physical switch, turn off Wi-Fi through the settings, or power the computer down by pressing the power button.

Hang up

Hang up the phone (or end the chat) and do not answer any more calls from that number. The scammer will try to make you believe that the call is legitimate and ask you to reconnect the remote-control software.

Remove the remote-control software

If the scammer was controlling your machine, the remote-control software will need to be removed. If the computer was powered down, it can be powered back up, but if a popup is shown asking for permission to allow remote access, do not grant it.

The remote software can usually be removed by using the control panel and add/remove programs. To do this, press the Windows key and then perform a search for ‘remove’ and click on ‘Add or remove programs’.

Sort the programs by install date as shown below and then remove the remote software by clicking on the ‘Uninstall’ button. Keep in mind that the software installed on your computer may appear under a different name, but if you look at what was installed on the same day as the scammer initiated the remote control session, you should be able to identify it.

Check the Antivirus Software for any exclusions

Some scammers may add exclusions for the files they create on your computer so that they are not detected by the security software. We recommend checking the exclusions and, if any are present that you did not add yourself, removing them.

A guide for McAfee customers is available here.

Update Antivirus Software and perform a full scan

After removing any software which was installed, we recommend updating your security software and performing a full scan. This will identify any malicious files created by the scammer such as password stealers and keyloggers.

Change passwords

After performing a full scan, we recommend changing all of your passwords as the scammer may have gathered your credentials while they had access to your computer. It is recommended to do this after performing a full scan as the scammers may have placed a password stealer on the computer and any new passwords you enter may also be stolen.
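For the ‘Remove the remote-control software’ and ‘Check the Antivirus Software for any exclusions’ steps above, here is an added PowerShell example that is not from the McAfee post: it lists programs by install date from the same registry keys that ‘Add or remove programs’ reads, flags names matching the remote access tools listed earlier, and prints Microsoft Defender’s exclusions. It assumes Windows 10/11 with Microsoft Defender; the seven-day window and the placeholder path are assumptions.

```powershell
# Added example, not from the McAfee post. Assumes Windows 10/11 with
# Microsoft Defender; another AV product keeps exclusions in its own settings.

# 'Add or remove programs' reads these Uninstall keys; InstallDate is yyyyMMdd.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$daysBack    = 7   # assumption: the remote session took place within the last week
$remoteTools = 'TeamViewer', 'LogMeIn', 'AnyDesk', 'Aweray', 'AweSun'   # named in the post

$recent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate } |
    ForEach-Object {
        $installed = [datetime]::MinValue
        if ([datetime]::TryParseExact($_.InstallDate, 'yyyyMMdd', $null,
                [System.Globalization.DateTimeStyles]::None, [ref]$installed)) {
            $name = $_.DisplayName
            [pscustomobject]@{
                Installed       = $installed
                DisplayName     = $name
                Publisher       = $_.Publisher
                KnownRemoteTool = [bool]($remoteTools | Where-Object { $name -like "*$_*" })
                UninstallString = $_.UninstallString
            }
        }
    } |
    Where-Object { $_.Installed -ge (Get-Date).Date.AddDays(-$daysBack) } |
    Sort-Object Installed -Descending

"Programs installed in the last $daysBack days, newest first:"
$recent | Format-Table Installed, DisplayName, Publisher, KnownRemoteTool -AutoSize

# Anything listed here that you did not add yourself deserves a close look.
$prefs = Get-MpPreference
[pscustomobject]@{
    ExcludedPaths      = $prefs.ExclusionPath
    ExcludedProcesses  = $prefs.ExclusionProcess
    ExcludedExtensions = $prefs.ExclusionExtension
} | Format-List

# Removing one stray path exclusion once you have confirmed it is not yours
# (the path is a placeholder):
# Remove-MpPreference -ExclusionPath 'C:\PLACEHOLDER\folder-added-by-scammer'
```

The UninstallString column is kept on each object so that an entry can be checked against the ‘Uninstall’ button’s target before removal.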

Conclusion

This blog post contains a number of examples that scammers may use to trick consumers into believing that they may have issues with their devices. If you are experiencing issues with your computer and want to speak to official McAfee support, please reach out via the official channel which is https://service.mcafee.com/.

The McAfee support pages can also be accessed directly via the McAfee Total Protection screen as shown below:

McAfee customers utilizing web protection (including McAfee Web Advisor) are protected from known malicious sites.

The post Technical Support Scams – What to look out for appeared first on McAfee Blog.


No SOCKS, No Shoes, No Malware Proxy Services!


With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.

Last week, a seven-year-old proxy service called 911[.]re abruptly announced it was permanently closing after a cybersecurity breach allowed unknown intruders to trash its servers and delete customer data and backups. 911 was already akin to critical infrastructure for many in the cybercriminal community after its top two competitors — VIP72 and LuxSocks — closed or were shut down by authorities over the past 10 months.

The underground cybercrime forums are now awash in pleas from people who are desperately seeking a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses. The consensus seems to be that those days are now over, and while there are many smaller proxy services remaining, few of them on their own are capable of absorbing anywhere near the current demand.

“Everybody is looking for an alternative, bro,” wrote a BlackHatForums user on Aug. 1 in response to one of many “911 alternative” discussion threads. “No one knows an equivalent alternative to 911[.]re. Their service in terms of value and accessibility compared to other proxy providers was unmatched. Hopefully someone comes with a great alternative to 911[.]re.”

NEW SOCKS, SAME OLD SHOES

Among the more frequently recommended alternatives to 911 is SocksEscort[.]com, a malware-based proxy network that has been in existence since at least 2010. Here’s what part of their current homepage looks like:

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

But faced with a deluge of new signups in the wake of 911’s implosion, SocksEscort was among the remaining veteran proxy services that opted to close its doors to new registrants, replacing its registration page with the message:

“Due to unusual high demand, and heavy load on our servers, we had to block all new registrations. We won’t be able to support our proxies otherwise, and close SocksEscort as a result. We will resume registrations right after demand drops. Thank you for understanding, and sorry for the inconvenience.”

According to Spur.us, a startup that tracks proxy services, SocksEscort is a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay.

Spur says SocksEscort’s proxy service relies on software designed to run on Windows computers, and is currently leasing access to more than 14,000 hacked computers worldwide. That is a far cry from the proxy inventory advertised by 911, which stood at more than 200,000 IP addresses for rent just a few days ago.

Image: Spur.us

SocksEscort is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.

These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source.

The disruption at 911[.]re came days after KrebsOnSecurity published an in-depth look at the long-running proxy service, which showed that 911 had a history of incentivizing the installation of its proxy software without user notice or consent, and that it actually ran some of these “pay-per-install” schemes on its own to guarantee a steady supply of freshly-hacked PCs.

That story also showed once again that the people who are building and leasing these botnets are surprisingly easy to identify in real life, particularly given that they operate malware-based anonymity services that enable a great deal of cybercrime activity.

Such was the case again with SocksEscort. Hilariously, the common link that exposed the real-life identities of the people running this SOCKS service was that they all worked for the same online shoe store.

ANGRY CODERS

SocksEscort[.]com was originally registered to the email address “michdomain@gmail.com,” which according to DomainTools.com was used to register a handful of related domains, including its previous incarnation — super-socks[.]biz. Cached versions of the site show that in 2010 the software which powers the network was produced with a copyright of “Escort Software.”

Super-socks[.]biz came online around the same time as another domain registered to that “michdomain” email: ip-score[.]com, which soon became shorthand on several cybercrime forums for a service that could tell visitors whether their Internet address  — or more precisely, the proxy they were using —  was flagged by any security software or services as compromised or malicious.

IP-score offered a revenue sharing program for websites that chose to embed its IP-scoring code, and the copyright on that userbar program was “Angry Coders.”

A review of the Internet addresses historically used by Super-socks[.]biz and SocksEscort[.]com reveals that these domains at various times over the years shared an Internet address with a small number of other domains, including angrycoders[.]net, iskusnyh[.]pro, and kc-shoes[.]ru.

Cached copies of angrycoders[.]net from the Wayback Machine don’t reveal much about this particular group of irate programmers, but a search on the domain brings up several now-dormant listings for an Angry Coders based in Omsk, a large city in the Siberian region of Russia. The domain was registered in 2010 to an Oleg Iskushnykh from Omsk, who used the email address iboss32@ro.ru.

According to Constella Intelligence [currently an advertiser on KrebsOnSecurity], Oleg used the same password from his iboss32@ro.ru account for a slew of other “iboss” themed email addresses, one of which is tied to a LinkedIn profile for an Oleg Iskhusnyh, who describes himself as a senior web developer living in Nur-Sultan, Kazakhstan.

Iskusnyh’s Github profile shows he has contributed code to a number of online payment-related technologies and services, including Ingenico ePayments, Swedbank WooCommerce, Mondido Payments, and Reepay.

DON’T JUDGE A MAN UNTIL YOU’VE WALKED A MILE IN HIS SOCKS

The various “iboss” email accounts appear to have been shared by multiple parties. A search in Constella’s database of breached entities on “iboss32@gmail.com” reveals someone using the name Oleg Iskusnyh registered an online profile using a phone number in Bronx, New York. Pivoting on that phone number — 17187154415 — reveals a profile exposed in the breach at sales intelligence firm Apollo with the first name “Dmitry” who used the email address chepurko87@gmail.com.

That email is connected to a LinkedIn profile for a Dmitry Chepurko in Pavlodar, Kazakhstan. Chepurko’s resume says he’s a full stack developer, who most recently worked in the Omsk offices of a German shoe company called KC Shoes (the aforementioned kc-shoes[.]ru). Chepurko’s resume says before that he worked on his own for a decade using the freelancing platform Upwork.

The Upwork profile listed in Chepurko’s LinkedIn C.V. is no longer active. But that same now-defunct Upwork account link is still listed as the profile of a “Dmitry C.” in an UpWork profile page for the Angry Coders team in Omsk, Russia.

The UpWork profile page for the Angry Coders programming team from Omsk, RU.

Who is the “Alexander S.” listed above under the “Agency members” heading in the Upwork profile for Angry Coders? Historical DNS records from Farsight Security show angrycoders.net formerly included the subdomain “smollalex.angrycoders[.]net”.

A simple Internet search on “kc-shoes” reveals a Github account for a user from Omsk with the first name Alexander and the account name “Smollalex.” Alexander’s Github account indicates he has contributed code to the kc-shoes website as well.

Constella’s service shows that “Smollalex” was a favorite handle chosen by an Alexandr Smolyaninov from Omsk. The Smollalex Github account associates this individual with a company in Omsk that sells parts for oil and gas pipelines.

That shoes are apparently the common link among the Angry Coders responsible for SocksEscort is doubly amusing because — at least according to the posts on some cybercrime forums — one big reason people turn to these proxy services is for “shoe botting” or “sneaker bots,” which refers to the use of automated bot programs and services that aid in the rapid acquisition of limited-release, highly-sought-after designer athletic shoes that can then be resold at huge markups on secondary markets.

It’s not clear if the Angry Coders team members remain affiliated with SocksEscort; none of them responded to requests for comment. The research described above also made clear that the Angry Coders outsourced much of the promotion and support of their proxy service to programmers based in India and Indonesia, where apparently a large chunk of its customers currently reside.

Further reading:

July 29, 2022: 911 Proxy Service Implodes After Disclosing Breach

July 28, 2022: Breach Exposes Users of Microleaves Proxy Service

July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’

June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet

June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet

Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark


CVE-2022-31656: VMware Patches Several Vulnerabilities in Multiple Products (VMSA-2022-0021)


VMware has patched another set of serious vulnerabilities across multiple products including VMware Workspace ONE Access. Organizations should patch urgently given past activity targeting vulnerabilities in VMware products.

Background

On August 2, VMware issued an advisory (VMSA-2022-0021) for ten vulnerabilities across several of its products.

CVE             Description                 CVSSv3
CVE-2022-31656  Authentication bypass       9.8
CVE-2022-31657  URL injection               5.9
CVE-2022-31658  Remote code execution       8.0
CVE-2022-31659  Remote code execution       8.0
CVE-2022-31660  Local privilege escalation  7.8
CVE-2022-31661  Local privilege escalation  7.8
CVE-2022-31662  Path traversal              5.3
CVE-2022-31663  Cross-site scripting        4.7
CVE-2022-31664  Local privilege escalation  7.8
CVE-2022-31665  Remote code execution       7.6

Affected products include:

VMware Workspace ONE Access and Access Connector (Access)
VMware Identity Manager and Identity Manager Connector (vIDM)
vRealize Lifecycle Manager
VMware vRealize Automation (vRA)
VMware Cloud Foundation

This may seem familiar, as this is the third similar release from VMware so far in 2022. The pattern started with VMSA-2022-0011 in April and continued in May with VMSA-2022-0014. Both of these releases are mentioned in the FAQ blog post released alongside VMSA-2022-0021. Early reports indicate that CVE-2022-31656 is actually a variant or patch bypass of CVE-2022-22972 which was patched in VMSA-2022-0014.

As we said in May, given the history of attacks targeting VMware Workspace ONE instances, organizations should apply these patches immediately. This urgency is compounded by the fact that a proof-of-concept is forthcoming from the researcher who discovered the flaw.

Analysis

CVE-2022-31656 is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users and was assigned a CVSSv3 score of 9.8. A remote attacker must have network access to a vulnerable user interface and could use this flaw to bypass authentication and gain administrative access. This vulnerability was credited to security researcher Petrus Viet of VNG Security.

It is crucial to note that the authentication bypass achieved with CVE-2022-31656 would allow attackers to exploit the authenticated remote code execution flaws addressed in this release (CVE-2022-31658, CVE-2022-31659, CVE-2022-31659). The Cybersecurity and Infrastructure Security Agency published an advisory in May following the release of VMSA-2022-0014 warning of attack chains being leveraged against VMware targets.

Proof-of-Concept

At the time of publication, there is no PoC available specifically for CVE-2022-31656. It’s unclear whether the PoC for CVE-2022-22972 could be easily modified to exploit this vulnerability. However, the researcher who discovered CVE-2022-31656 tweeted that a PoC is “soon to follow.”

I have found vulnerabilities CVE-2022-31656 and CVE-2022-31659 leading to unauthenticated remote code execution affecting many #VMware products, such as Workspace ONE. Technical writeup and POC soon to follow.

Recommend to patch or mitigate immediately. https://t.co/DnknXFieY3 pic.twitter.com/Uu1LQmb0fQ

— Petrus Viet (@VietPetrus) August 2, 2022

Solution

Organizations should patch these vulnerabilities as soon as possible. A full breakdown of vulnerable and patched versions of all products can be found on the advisory page. VMware also notes that these releases are cumulative and applying these updates will address the flaws covered in prior VMSAs like VMSA-2022-0011 and VMSA-2022-0014.

VMware has also provided workaround information for CVE-2022-31656. The workaround could affect some functionality and should be treated as a temporary step. There are no workarounds for the other vulnerabilities addressed in this release.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear.

Get more information

VMware Security Advisory VMSA-2022-0021
VMware FAQ for CVE-2022-31656
Knowledgebase article for workaround

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


Axis adds automation, onboarding features to Atmos ZTNA network access software


Axis Security, a provider of cybersecurity services focused on zero trust, has announced a set of new features on Atmos ZTNA (zero trust network access), the software-defined network access module within its cloud-native SSE (security service edge) platform, Atmos.

Additionally, the company has revealed a suite of tools to help companies migrate from traditional ZTNA to Atmos’ ZTNA service.


CVE-2021-23385


This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes such as \evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using autocorrect_location_header=False. **Note:** Flask-Security is not maintained anymore.
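The open redirect described above, as an added Python illustration that is not Flask-Security’s own code: a simplified re-creation of a netloc-only redirect validator, shown beside a hardened version that judges the target the way a browser will parse it. The host name and the sample targets are constructed.

```python
from urllib.parse import urlsplit

# Constructed: the application's own host, as a browser would see it.
HOST_NETLOC = "app.example.test"

# Constructed sample redirect targets. The value is the verdict the hardened
# check should give; the naive check is shown to disagree on several of them.
SAMPLES = {
    "/dashboard": True,                   # ordinary same-origin path
    "https://app.example.test/x": True,   # absolute URL to our own host
    "https://evil.example/x": False,      # foreign host
    "//evil.example/x": False,            # protocol-relative URL
    "\\\\evil.example/path": False,       # backslash form from the advisory
    "/\\evil.example/path": False,        # slash followed by backslash
    "///evil.example": False,             # browsers read three slashes as a host
}


def is_safe_redirect_naive(url: str) -> bool:
    """Simplified re-creation of a netloc-only check (not Flask-Security's code).

    urlsplit() only recognises '//' as the authority marker, so a target that
    starts with backslashes parses as a plain path with an empty scheme and
    netloc and is accepted, although a browser rewrites '\\' to '/' and
    follows it to the foreign host.
    """
    if not url or not url.strip():
        return False
    parts = urlsplit(url)
    if (parts.scheme or parts.netloc) and parts.netloc != HOST_NETLOC:
        return False
    return True


def is_safe_redirect_hardened(url: str) -> bool:
    """Judge the target the way a browser will interpret it, then allow-list.

    Browsers normalise backslashes to slashes and strip tabs and newlines
    before parsing, so reject control characters and whitespace outright,
    normalise the rest, and then accept only a path with exactly one leading
    '/' or an http(s) URL whose host is exactly our own.
    """
    if not url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    normalized = url.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme or parts.netloc:
        return parts.scheme in ("http", "https") and parts.netloc == HOST_NETLOC
    # Relative reference: one leading slash; '//...' is a network-path reference.
    return normalized.startswith("/") and not normalized.startswith("//")


def divergent_targets() -> list:
    """Targets the naive check accepts but the hardened check rejects."""
    return [u for u in SAMPLES
            if is_safe_redirect_naive(u) and not is_safe_redirect_hardened(u)]


if __name__ == "__main__":
    for target, expected in SAMPLES.items():
        print(f"{target!r:28} naive={is_safe_redirect_naive(target)!s:5} "
              f"hardened={is_safe_redirect_hardened(target)!s:5} expected={expected}")
```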
