
Wednesday, 23 February 2011

Scam virus warnings

Computer viruses - we all loathe them.  Some are designed to steal our bank details, some are designed to damage our systems, and others are just a plain nuisance.

One thing they have in common is that we all want to get rid of them if we are unfortunate enough to fall victim.

And that opens a door for social engineering that is being actively exploited by scammers and virus writers.

Standing back for one moment, there are two variants of scam virus warning circulating at present.  The first is based on fake pop-up messages warning you of an infection.  The second, and even more brazen, is a cold call from the scammers informing you that you are infected.

Let's take each variant on its own for now:

The fake phone call


"Hello, this is Bob from Microsoft.  Your registration number is 123/864/3EF.  I'm calling today to let you know that your computer has been reporting a virus infection to our central monitoring servers.  I can help clean your PC and prevent future infections!"

Should you receive a call like this, just hang up.  It's fake, it's fraud and it's dangerous.

If you continue, the scammer will ask you to log into a website such as LogMeIn, TeamViewer or similar.  By doing so, you will give full remote access to the scammer, who will be able to control your computer, move your mouse and do anything you can while you sit in front of the screen.


It should at this point be noted that most of these remote access sites are completely legitimate, offering genuine remote access services.  The scammer is simply exploiting these companies' tools to gain access to your PC.


Once the scammer has gained access to your PC, they run through a script with you to further prove their credentials.  This usually involves showing you some Windows logs known as the Event Viewer.  The Event Viewer records program and system activity on the PC.  It will show which services have started and, crucially, whether there have been any errors.  There will always be errors in your Event Viewer - every computer encounters some issue that is flagged in red in the Event Viewer, and most of them are routine (a service that took too long to start, a driver that reported a warning, a program that crashed once).  The key thing is to put those errors into context.  The scammer will tell you that the errors indicate a virus infection that is endangering your data.
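To see for yourself what those "red" entries are, the following PowerShell snippet (an added example, not part of the original post) summarises recent Critical and Error entries in the System and Application logs by the component that raised them.  It assumes Windows PowerShell 3.0 or later, where Get-WinEvent with -FilterHashtable is available.  On a healthy PC you will typically find a handful of sources such as a service timing out or an application crash, none of which is evidence of infection on its own.

```powershell
# Added example (not from the original post): summarise recent Critical (1)
# and Error (2) level entries in the System and Application logs by provider,
# so the "red" entries a scammer points at can be seen in context.
# Assumes Windows PowerShell 3.0 or later.
$logs = 'System', 'Application'
foreach ($log in $logs) {
    # Fetch up to the 200 most recent entries at Level 1 (Critical) or 2 (Error).
    $errors = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2 } `
                           -MaxEvents 200 -ErrorAction SilentlyContinue
    "$log log: $(@($errors).Count) critical/error entries (most recent 200 at most)"

    # Group by the component that wrote the entry and show the top ten sources.
    $errors |
        Group-Object ProviderName |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name |
        Format-Table -AutoSize

    # Show the three newest messages so the wording can be read in context.
    $errors |
        Select-Object -First 3 TimeCreated, Id, ProviderName, Message |
        Format-List
}
```

Run it in a PowerShell window on a machine you know to be clean and keep the output; when a caller insists that the same kind of entries prove an infection, you will already know what they normally look like.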

If you get this far with the scammer, turn off the computer and put the phone down.  Then call a reputable IT service company (Tinto PC's comes to mind!) to remove any infection that the scammer has already loaded onto your machine.

If you choose to continue, the scammer will take you to a fake antivirus website where he will ask you to submit your credit or debit card details to pay for a one off fix and a subscription to an ongoing service plan.  This really should be sounding alarm bells by now.

Should you agree and submit your details, you will have given the crown jewels away.  The scammer will have your name, address, telephone number, bank details and full remote control of your computer.

Job done as far as the scam artist is concerned.

If you are the victim of this fraud, immediately contact your bank who will offer professional advice on preventing any further financial damage.  If advised to do so by your bank, consider contacting your local police.  Although more often than not, the scammer is located in a far away country, there is a small possibility that they may be located where the law can reach and in any case, you are the victim of a crime which should be reported.

Finally, if the police do not require your machine for evidential purposes, get in contact with a reputable IT service company to clean any back doors or infections loaded during the scam.

Now let's turn to the other variant.



The fake virus alert.

You are browsing the web, perhaps using Facebook, or clicking through emails, reading pdf documents or your children are playing online games.

All of a sudden, you see a pop-up message saying your computer is infected with dozens of viruses.  The screen shows a scan running which appears to confirm the message and indicates that you should clean the machine immediately for fear of losing bank details and passwords.

Firstly, you should confirm which antivirus program you use.  It may be McAfee, Norton, AVG, Avast, NOD32 or another, but take 5 minutes to check which one, because the fake alert will not come from it.  Most likely, it will be a variant on Windows Antivirus Pro, System Cleaner 2011, Advanced Antivirus or some other overly officious-sounding name.  All of these and similar names are fake.  They can however be very convincing, which is why you should be clear which antivirus program is installed on your PC.
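One quick way to do that check is to ask Windows which antivirus product it has registered and compare that against the installed programs whose names sound like security software.  The following PowerShell snippet is an added example, not part of the original post.  It assumes a client edition of Windows (Vista or later, where the root/SecurityCenter2 WMI namespace exists; it is absent on Windows Server) and Windows PowerShell 3.0 or later.  The name matching is a simple heuristic chosen for this example.

```powershell
# Added example (not from the original post): list the antivirus product(s)
# registered with Windows Security Center, then list installed programs with
# security-sounding names and flag any that Security Center has never heard of.
# Assumes a client edition of Windows (Vista+) and Windows PowerShell 3.0+.

# 1. What Windows itself believes is protecting the machine.
$registered = Get-CimInstance -Namespace root/SecurityCenter2 `
                              -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
"Antivirus products registered with Security Center:"
$registered | Select-Object displayName, pathToSignedProductExe | Format-Table -AutoSize

# 2. Installed programs, read from the Uninstall keys (64-bit and 32-bit views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'anti.?virus|security|cleaner|protect' }

# 3. Heuristic cross-check: a product is "known" if its uninstall name and the
#    Security Center name contain each other in either direction.
"Installed programs with security-sounding names:"
$installed | ForEach-Object {
    $app = $_
    $known = @($registered.displayName | Where-Object {
        $app.DisplayName -like "*$_*" -or $_ -like "*$($app.DisplayName)*"
    }).Count -gt 0
    [pscustomobject]@{
        DisplayName      = $app.DisplayName
        Publisher        = $app.Publisher
        InSecurityCenter = $known
    }
} | Format-Table -AutoSize
```

A line with InSecurityCenter set to False is not proof of scareware (some legitimate tools never register with Security Center), but a "Windows Antivirus Pro" style entry from an unfamiliar publisher that Windows does not recognise as your antivirus is exactly the thing to look at first.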

Second, you should understand a short technical difference between a virus and a Trojan horse.  A virus attempts to copy itself to other files or machines; a Trojan horse does not spread on its own but is smuggled in, either disguised as something harmless or silently through a security hole, and then installs something harmful.  Both are dangerous, but in this case you have been infected by a drive-by Trojan horse, which has delivered a payload designed to trick you into thinking you are infected by lots of nasties.

The language used by the fake alert is alarming enough to convince some people to follow the instructions.  In the industry, such fake alerts are often known as scareware.

If you do follow the on-screen instructions, you are taken to a fake website similar to the one in the fake phone call above, and you pay your money to be cleaned.  Unfortunately, it's not your PC that is cleaned out, much more likely your bank account.

If you fall victim of this fraud and follow the instructions - giving the scammers your bank details, follow the advice above for the fake phone call: contact your bank, the police and a reputable IT services company to remove the infections.

Many people ask why they get these pop-ups if they have pop-up blocking software.  Good question - the answer lies in what a pop-up blocker actually stops.  A browser's pop-up blocker stops a web page from opening a new browser window.  It does nothing about content drawn inside the page itself that is dressed up to look like a Windows dialog box, and it does nothing about genuine dialog boxes shown by a program that is already running on the PC.  Examples of genuine dialog boxes are messages asking for permission to install something or messages informing you that your antivirus has been updated.  The scareware either imitates those dialog boxes inside the web page or, once it has been installed, shows real ones of its own, and neither is something a pop-up blocker was ever designed to catch.

"OK, I get it," you say, "my pop-up blocker won't stop the messages.  So how did it get past my own antivirus?"  Unfortunately, there are many routes for infection.  Currently the most prevalent route is through exploiting security weaknesses in third party software such as Java (for online games), Flash (for online animations and video) and PDF readers used to read online documents.  All of these technologies have been and are currently being exploited to infect PCs, and an exploit that runs before the antivirus has a signature for the payload will not be stopped by it.  It is always recommended to update to the latest versions of these technologies to protect yourself from threats.  Similarly, always update Windows when offered; many holes and weaknesses are patched each month.

Now for the hard part - cleaning it up.  Many of these fake antivirus alerts are delivered alongside a piece of software known as a rootkit.  A rootkit is software that installs itself without your permission, runs with full administrator access to the PC, and hides its own files and processes from Windows and from security tools.  That makes it very difficult to detect and remove.  Often the rootkit and Trojan horse will offer up sacrificial lambs - harmless decoy files that can be found and "cleaned" by your genuine antivirus software while the real infection stays hidden.  Even more devious, the names of these decoys match the names flagged by the scareware.

There are many different routes to cleaning up a scareware infection.  I recommend you call a reputable IT services company in your area (like this one!) to ask for assistance.

1 comment:

  1. Wow, I didn't know about any of that!