Slashdot Mirror


Scammy Tech Support Sites Now Serving Up Ransomware (csoonline.com)

itwbennett writes: One holds your files hostage, the other overcharges to fix nonexistent computer problems. And now they may be working together. On one scammy tech support site seen by Symantec, an iframe hidden on the page redirected to the Nuclear exploit kit, a popular one used to spread malware. What is unclear is whether the people running tech support scams are working with those who create and rent out the use of exploit kits and associated infrastructure or if the tech support websites have been compromised in order to redirect visitors to exploit kits. Either way, it could add up to a very big headache for anyone who falls for the scam.
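The summary's attack vector is an iframe the visitor never sees. As an added example (not code from the article, from Symantec, or from any poster), here is a small Python scanner that flags iframes hidden by zero-size attributes, invisible inline styles, off-screen positioning or the `hidden` attribute. The sample page and every URL in it are constructed placeholders; the heuristics are assumptions about how such frames are typically concealed, not a list from the page.

```python
"""Flag iframes that a page hides from the viewer (added example, not from the article)."""
from html.parser import HTMLParser
import re


def _is_zero(value):
    """True for width/height attributes like '0', '0px' or '1' (effectively invisible)."""
    if value is None:
        return False
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value)
    return bool(m) and int(m.group(1)) <= 1


def _style_hides(style):
    """True if an inline style makes the element invisible or pushes it off-screen."""
    if not style:
        return False
    s = style.replace(" ", "").lower()
    if "display:none" in s or "visibility:hidden" in s:
        return True
    for m in re.finditer(r"(?:left|top):(-\d+)px", s):
        if int(m.group(1)) <= -100:          # parked far outside the viewport
            return True
    m = re.search(r"(?:width|height):(\d+)px", s)
    return bool(m and int(m.group(1)) <= 1)


class IframeCollector(HTMLParser):
    """Collect every <iframe> with the reasons (if any) it would not be visible."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero-size attribute")
        if _style_hides(a.get("style")):
            reasons.append("hidden by inline style")
        if "hidden" in a:
            reasons.append("hidden attribute")
        self.iframes.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return only the iframes that at least one heuristic marks as concealed."""
    p = IframeCollector()
    p.feed(html)
    p.close()
    return [f for f in p.iframes if f["reasons"]]


# Constructed sample: one legitimate embed plus three concealed frames.
SAMPLE_PAGE = """
<html><body>
<h1>Fix your PC now!</h1>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://landing.example.invalid/gate.php" width="0" height="0"></iframe>
<div><iframe style="position:absolute; left:-9999px; top:0" src="http://other.example.invalid/x"></iframe></div>
<iframe hidden src="http://third.example.invalid/y"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Feed the function the raw response body (not the DOM after scripts ran, which is where a second, script-injected frame would appear), and treat any hit pointing at a domain the page has no business loading as a reason to block the site and pull the hosting provider's abuse contact.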

43 comments

  1. People are people by the_Bionic_lemming · · Score: 1

    People buy alarms for houses and cars and maintain them. People buy dogs and run out and get help training them.

    Then there are the people that don't care about maintenance or learning how to maintain - and that's why a system that just restores factory fresh with the touch of a couple of buttons is the best option for them.

    Frankly, as having been the "go to" family member to fix this crap - after 20 years, I'm sorta glad that they just reset their stuff and leave me alone.

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  2. Welp by Anonymous Coward · · Score: 0

    time to add fixya and dll-files to my HOSTS file. I might have triggered a certain Bloody Beetle Macbeth mary Juice saying so though. :/

  3. Seen by Symantec by Anonymous Coward · · Score: 0

    Yeah, like I trust anything they have to say. Thanks for eating up all our computers' RAM by the way.

    1. Re:Seen by Symantec by Anonymous Coward · · Score: 0

      Yeah, the leading provider of scammy bundleware and issuer of false certificates has the most reliable information on their competitors in the scam business.

  4. Not surprising in the least... by Anonymous Coward · · Score: 0

    This is not surprising at all. Scummy site #1 has a dubious product that people buy, so they make a deal with scummy site #2 so there is a percentage chance that their software will grab and install ransomware. Because it is intermittent and not done from the same IP ranges twice, scummy site #1 will never be fingered for the deed.

    There is a solution, next to making all computers locked down like iOS:

    Create a protocol like NDMP, except more generic, where a backup server can not just connect to a SAN or NAS, but individual machines over a specific backup protocol, then slurp the data from that. Never should the client machine be able to affect data on the backup server, unless directed so by a user with the appropriate access permissions.

    This protocol would be both for backups and restores, where a machine can boot a small OS, and after the backup server is authenticated, allow for the server to push a complete image, the machine gets rebooted, and the bare metal restore is complete.

    Is there anything close to this? Windows Server Essentials comes close. Writing a script from a locked down server to SSH in, do a tar, then stuff it in a zbackup repository is another (although it will save documents, that would be worthless for a bare metal reload.) The key is making sure to have backups that malware can't touch, and have backups for a period of time.

    Maybe a NDMP-like protocol coupled with a NAS might just be the answer. Right now, a QNAP or Synology NAS can do a lot of functions, and having it do a dump of a PC by itself wouldn't be too farfetched.

    For long term backups, what I'd like to see is consumer level tape drives come back. Even though tapes and HDDs are vastly different, the densities used on HDD platters should mostly transfer to tape, and something along the lines of a 4mm tape form factor with 2-4 TB native capacity would be ideal for SOHO/SMB use. Once the tape is done, flip the write protect switch, and the data is pretty much protected. Barring tape, maybe optical drives with a decent capacity and price. The cost of 120GB Blu-Ray drives hasn't budged while every other piece of storage has gone down by a large amount.

    1. Re: Not surprising in the least... by Anonymous Coward · · Score: 0

      And when the malware gets backed up as well? How does the restore program know to restore everything in C:\Windows except malware.DLL?

    2. Re: Not surprising in the least... by Anonymous Coward · · Score: 0

      Found the noob.
      Nothing on the client should be able to overwrite any existing backups.
      It won't matter if you backup a malicious file because the backup server never executes the shit it's backing up.
      You restore it and get reinfected and that is your problem(a very easily mitigated one at that, just reinstall normally then restore your files not the OS) not the backup servers.
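The design proposed in the parent comment (the backup server pulls from the workstation, the workstation can never alter what is stored) and the two replies' point that a backed-up malicious file is harmless because the store never executes it and a selective restore never writes it back can be shown together in one model. This is an added Python illustration, not code from Arcserve, NDMP, Windows Server Essentials or any poster; the file paths, contents and principal names are constructed.

```python
"""Pull-model backup with an append-only store the client cannot touch (added example)."""


class Workstation:
    """The machine being backed up. It exposes a read API and nothing else."""

    def __init__(self, files):
        self.files = dict(files)

    def read_all(self):
        return {path: bytes(data) for path, data in self.files.items()}


class BackupServer:
    """Append-only snapshot store; it pulls from workstations, never the reverse."""

    def __init__(self, operators):
        self._operators = set(operators)   # principals allowed to prune history
        self._snapshots = []               # list of (label, {path: bytes})

    def pull(self, workstation, label):
        """Server-initiated backup: copy everything the client exposes."""
        self._snapshots.append((label, workstation.read_all()))
        return len(self._snapshots) - 1

    def labels(self):
        return [label for label, _ in self._snapshots]

    def prune(self, principal, index):
        """Deleting history needs an operator; a client principal is refused."""
        if principal not in self._operators:
            raise PermissionError(f"{principal} may not delete snapshots")
        del self._snapshots[index]

    def restore(self, index, workstation, prefix):
        """Write files under `prefix` from a snapshot back onto the machine.
        Only user data comes back; anything outside the prefix (including a
        backed-up malicious binary) stays in the snapshot, never executed."""
        _, data = self._snapshots[index]
        restored = 0
        for path, content in data.items():
            if path.startswith(prefix):
                workstation.files[path] = content
                restored += 1
        return restored


def ransomware_scenario():
    """Walk through a good backup, a compromise, a second pull and a recovery."""
    ws = Workstation({
        "C:/Users/alice/Documents/thesis.docx": b"chapter one",
        "C:/Users/alice/Photos/cat.jpg": b"\xff\xd8cat",
        "C:/Windows/System32/kernel32.dll": b"legit",
    })
    server = BackupServer(operators={"backup-admin"})
    good = server.pull(ws, "nightly-1")

    # Simulated compromise: user files overwritten, a payload dropped (constructed).
    for path in list(ws.files):
        if path.startswith("C:/Users/"):
            ws.files[path] = b"<<unreadable ciphertext>>"
    ws.files["C:/Windows/malware.dll"] = b"bad"

    # The workstation cannot reach into the store to destroy history...
    try:
        server.prune("workstation", good)
        client_could_prune = True
    except PermissionError:
        client_could_prune = False

    # ...and the next pull records the damage without executing anything.
    bad = server.pull(ws, "nightly-2")

    # Reinstall the OS, then restore only user data from the last good snapshot.
    ws.files = {"C:/Windows/System32/kernel32.dll": b"legit"}
    restored = server.restore(good, ws, "C:/Users/")
    return {
        "client_could_prune": client_could_prune,
        "snapshots": server.labels(),
        "restored": restored,
        "thesis": ws.files["C:/Users/alice/Documents/thesis.docx"],
        "payload_present": "C:/Windows/malware.dll" in ws.files,
        "payload_in_snapshot": "C:/Windows/malware.dll" in server._snapshots[bad][1],
    }


if __name__ == "__main__":
    print(ransomware_scenario())
```

The two properties that matter map onto two methods: `pull` is the only way data enters the store and the server calls it, so a compromised client has no write path; `prune` is the only way data leaves and it checks the caller's principal, so retention is decided by an operator, not by whatever is running on the workstation. Snapshot 2 faithfully contains the dropped DLL, which costs nothing because the store only ever copies bytes.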

    3. Re:Not surprising in the least... by Anonymous Coward · · Score: 0

      Create a protocol like NDMP, except more generic, where a backup server can not just connect to a SAN or NAS, but individual machines over a specific backup protocol, then slurp the data from that. Never should the client machine be able to affect data on the backup server, unless directed so by a user with the appropriate access permissions.

      This mostly describes Arcserve and any number of other enterprise backup solutions. I don't know of one that can push an image back out to a compromised machine, but manually reimaging one and restoring its profile from backup isn't a huge endeavor.

  5. A hidden iframe redirects to the ransomware ... by nickweller · · Score: 1

    "On one scammy tech support site .. an iframe hidden on the page redirected to the Nuclear exploit kit, a popular one used to spread malware"

    Are you not allowed to tell us what Desktop Operating System platform this malware runs on?

    1. Re:A hidden iframe redirects to the ransomware ... by Anonymous Coward · · Score: 0

      Why does it matter? There really isn't any reason why the OS is relevant here. Ransomware can be downloaded by a vulnerable program in userland or by tricking a user, execute in userland, and encrypt files in userland. Nothing here requires root, and so there's really nothing that makes one OS inherently more vulnerable than another. There's ransomware that runs on Linux. I suppose it's not a high priority target simply because there aren't that many desktop users of Linux. A lot of servers and high performance computing systems run Linux, but data on those systems is more likely to be backed up or able to be regenerated, so there's less opportunity to collect ransom. But there's nothing that makes these systems inherently less vulnerable to this type of attack. Please put your hatred of Windows aside and recognize that all users could be infected by ransomware. The solutions are to arrest and prosecute the criminals who are responsible and to encourage users to follow good security and data backup practices.

    2. Re:A hidden iframe redirects to the ransomware ... by Anonymous Coward · · Score: 0

      You conveniently omitted the fact that Linux users are not terribly likely to run random binaries downloaded from questionable websites.

    3. Re:A hidden iframe redirects to the ransomware ... by nukenerd · · Score: 1

      Why does it matter? There really isn't any reason why the OS is relevant here. [blah blah blah etc]

      Calm down. A "Nuclear exploit kit" was mentioned. The GP asked what platform it ran on. Now can we have an answer?

      There's ransomware that runs on Linux.

      All the more reason to answer the question.

    4. Re:A hidden iframe redirects to the ransomware ... by nukenerd · · Score: 1

      You conveniently omitted the fact that Linux users are not terribly likely to run random binaries downloaded from questionable websites.

      In fact I have. A very polite and helpful Indian gentleman phoned me recently and warned me that I had a virus - and kindly offered to remove it. I followed his instructions to the letter, including downloading something called "Team Viewer". I watched with interest as he then opened a command line session and did things I did not understand. I realised why software companies are out-sourcing to India as these guys are obviously very clever with computers.

      Afterwards I deleted that virtual machine image, which was for sandpit use anyway, and restored an earlier snapshot.

    5. Re:A hidden iframe redirects to the ransomware ... by Anonymous Coward · · Score: 0

      My mother is only lucky that most of the binaries won't run.

      She'd still do it.

      Computer comprehension, general security comprehension, escapes her.

      Fortunately I could at least print her out a page with the pictures of the icons she is supposed to click to do the things she really wants to do.

    6. Re:A hidden iframe redirects to the ransomware ... by Anonymous Coward · · Score: 0

      And neither are windows users*.

      * - For the portion of windows users smart enough not to download random binaries from questionable websites. You know, the same people who happen to be a greater portion of linux users simply because linux has more flexibility but not because linux is exclusively used by those people.

    7. Re:A hidden iframe redirects to the ransomware ... by Anonymous Coward · · Score: 0

      A few seconds on google..

      Nuclear exploit kit: "Flash, Silverlight, PDF, and Internet Explorer exploits to the possibility of launching advanced pieces of malware and ransomware"
      which drops the following (from the symantec article)
      Trojan.Cryptowall: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Vista, Windows XP
      Trojan.Miuref.B: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

    8. Re:A hidden iframe redirects to the ransomware ... by Anonymous Coward · · Score: 0

      but apparently not smart or flexible enough to write intelligible English

  6. Re:Ban encryption without backdoors by Anonymous Coward · · Score: 1

    It would also make it super easy to check and make sure someone's not being like, a pedo or communist or a Jap sympathizer, and we all know that the only people who would ever encrypt their computers are criminals or enemies of the state.

    Hell, we should just outlaw encryption entirely. It's double plus ungood to prevent law enforcement from looking at whatever they like at any time. Remember, the police are your friend!

    (Offer does not apply to certain socioeconomic classes, void where prohibited, Anonymous Coward Industries claims no warranty in the event that the police turn out to be, in fact, not your friend.)

    And hell, after we've violated your fourth and second amendments enough in this way -- yes, second, because you have the right to defend yourself with arms, not just firearms -- it'll be a simple matter to outlaw outdated concepts such as guns, curtains, or locks. After all, the police are our friends, and they may need to look in at us at any time of the day or night that they want.

  7. Re:Only LUDDITES get ransomware! by Anonymous Coward · · Score: 1

    Applebee's presents APP NIGHT! Get a choice of your favourite app and download our Applebee's app with your app! Choose any app, any app and app away!

  8. Neat... by profke · · Score: 1

    Going to a scamming site for tech support will actually ensure you need some...!

    1. Re:Neat... by Anonymous Coward · · Score: 0

      and even better, once they get you on the hook... if you wise-up and say 'no' after you've already let them into your pc, they might just fuck it up so bad, you need to reinstall (which happened to a friend)

  9. The worthless Symantec link by scdeimos · · Score: 4, Informative

    Loading your Community Experience

    Fuck your community experience, I just want to read the blog entry. Javascript required? No thanks.

    1. Re:The worthless Symantec link by Anonymous Coward · · Score: 0

      Here is a working Symantec link: http://www.theregister.co.uk/2015/10/29/google_symantec_dodgy_certs/

    2. Re:The worthless Symantec link by Anonymous Coward · · Score: 0

      Why even bother? A security firms needs to find something to scare people with, otherwise no one would buy their prevention products. This isn't news, it's scare-ware time.

  10. Re:Ban encryption without backdoors by kubajz · · Score: 1

    It would help law enforcement track criminals such as terrorists and those who orchestrate scams such as ransomware. If they couldn't communicate with unbreakable encryption, it would be much easier to bring these criminals to justice and it would keep all of us safer.

    Yes but please be aware of the fact that so far there have been no cases where weak encryption would help, or strong encryption would hinder the terrorists. And in Paris, they apparently communicated through unencrypted SMS messages.

    Backdoors could also be used to unencrypt data that criminals encrypted with ransomware, allowing victims to recover their data without paying exorbitant prices to criminals.

    Unfortunately this would also allow criminals to unencrypt data that banks encrypted for their customers, or sensitive personal data that companies or government organizations are storing about people.

    Imagine how bad things would get if terrorists or hostile governments got hold of the backdoor access. How about companies installing backdoors for THEIR governments or just for their own corporation? How about if anyone in law enforcement decides to misuse the backdoors to find dirt on a political opponent? And finally - there is no way to stop unbreakable encryption, as long as one-time coding pads exist; so in each case, determined terrorists are not going to be hurt by this.

    So yes, there may be some reasons in favour, but I feel like more are against.

  11. Re:Ban encryption without backdoors by ElectricHellKnight · · Score: 2

    There are a couple of good reasons why all encryption should have backdoors. It would help law enforcement track criminals such as terrorists and those who orchestrate scams such as ransomware. If they couldn't communicate with unbreakable encryption, it would be much easier to bring these criminals to justice and it would keep all of us safer. Backdoors could also be used to unencrypt data that criminals encrypted with ransomware, allowing victims to recover their data without paying exorbitant prices to criminals. This is yet another good reason why all encryption should have backdoors that are available to the government.

    Most trolling nowadays is just terrible. This one works because it has excellent grammar and is actually semi-believable. My compliments. This is how it's done.

  12. Re:Ban encryption without backdoors by Zontar+The+Mindless · · Score: 1

    --
    Il n'y a pas de Planet B.
  13. What?...wait a minute!! by Anonymous Coward · · Score: 0

    You mean sunjit from microshaft is not really my friend helping me with my wirus infrection on my computa???

  14. slashdot with an unsecure SSL CERTIFICATE? by Anonymous Coward · · Score: 0

    Are we posting on one such "scammy tech support site"?

    calling on SLASHDOT SO-CALLED EDITORs and ADMINs! Why am I getting an "unsecured SSL CERTIFICATE" warning from this site? Has our very own slashdot become one of these so-called "scammy tech support sites"? If they are nerds running the site, they SHOULD fix this ASAP! So we won't be getting scammed but instead be getting scientific scoops!! You know, "stuff that really matters!" Not ransomware crap!

    FIX THIS ERROR, MAN! Are you true tekkiis, or mere bloggers? I even despise that word. Get a real job will yaz. Today's captcha: astatine. Yup, trying to use that in a sentence...as in, Astatine time, saves nine. A true editor will recognize that; a red blooded nerd will fix the SSL issue.

    Provocateur (Will no longer be logging in until SSL certificate problem is fixed. No dice, as my hero Dave used to say.)

  15. Surprised? by gsslay · · Score: 1

    Amazing. It's like you imagine the scam tech support criminals would draw the line at ransomware, and the ransomware criminals would find tech support scamming morally beyond the pale. And never the two shall meet!

    They're criminals. Is it really such a surprise they will employ any method available to steal money from their victims?

  16. Better acronym by chris-chittleborough · · Score: 2

    The Symantec article uses the acronym PUA for "potentially unwanted application".
    I wish they had used the word "software" instead of "application".

  17. This is windows calling... by Anonymous Coward · · Score: 0

    Your computer have virus.

  18. Re:How's an alleged android apk analyzer...? by Anonymous Coward · · Score: 0

    Then why are you posting as AC? Post your spam with your real name.

  19. What you can't touch can't hurt you by Anonymous Coward · · Score: 0

    See subject: APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...

    ---

    FREE, not 'souled-out' to advertisers + adds speed, security & reliability. Does FAR more w/ FAR less more efficiently vs. redundant browser addons & local DNS servers @ home + fixes DNS' many security issues & it stops a LOT of tracking @ webpage + DNS levels via 1 file you NATIVELY have - firewalls do the rest (on less used IP address trackers vs. host-domain name type).

    ---

    It obtains data vs. threats & for adblocking from 10 reputable security community sites!

    ---

    SPEEDS YOU UP 2 ways (adblocks + local RAM cached favorite sites @ TOP of hosts for fastest resolution speed vs. remote DNS (aids reliability)) vs. other "so-called security 'solutions'" SLOWING YOU!

    ---

    All that via something you natively have vs. "bolting on browser addons 'MOAR'" that's usermode slower & increases messagepassing, cpu + ram overheads!

    ---

    MalwareBytes' hpHosts Admin (MalwareBytes employee who verified it's source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's safe proven by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model too https://www.virustotal.com/en/...

    Installer too -> http://f.virscan.org/APKHostsF...

    ---

    * "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THE WORD = hosts!

    (Accept NO substitutes!)

    ...apkb

  20. How's an alleged android apk analyzer...? by Anonymous Coward · · Score: 0

    See subject: ... outdetect what 60++ reputable sources in antivirus programs & security community can't on a Win32/64 program?

    * They prove it's clean & have even audited its sourcecode - see my last post for proof of it.

    APK

    P.S.=> You unidentifiable ac troll fools will stoop to ANY LOW you can think of, no matter HOW stupid it is, now won't you? Unbelievable, lol... apk

  21. I use my real initials & it's not spam... apk by Anonymous Coward · · Score: 0

    See subject punk - can you read & understand that? Good... my real name's in my program with legit contact information as well.

    I am not 'spamming' (but that's what you're projecting you'd like others to think about my posts) - I merely state facts & provide something that actually works to both protect you AND speed you up online + make your connections more reliable... & I am on topic.

    Are you or DO YOU? Hell no... lol, you're a trolling loser incapable of such things!

    * Keep blowing your "downmod points" chump - I'll burn you completely out of them by just posting again... lol!

    (Piece of cake, as I have NO LIMITS on how much I can post, unlike most ac users here on /. ...!)

    APK

    P.S.=> You wish you were me, now don't you? The trolling "likes of you" can't EVER be - why?? You're a lousy no good "ne'er-do-well" is why... & you KNOW it!

    ... apk

  22. Scammers have day job at symantec by truck_soccer · · Score: 1

    If you've ever had the privilege of talking to one of these ESL scammer techs, you can hear them working in a loud call center. This leads me to believe that there is either a huge office building where people go to work as criminals, or they are actually support technicians working outsourced jobs for Big Software, and are doing the scamming on the side for extra coin. I could just be overthinking this and they're just some guy sitting in a smoky room playing a "call center sounds, compilation 3" cassette through a loudspeaker.

  23. Microsoft Tech Support Scam petition by Anonymous Coward · · Score: 0

    There is a petition on the Whitehouse government website asking for government aid in combatting the well-known Microsoft Windows Tech Support scam, which can involve ransomware or other phishing techniques.

    With 150 signatures, it will go public on the Whitehouse's website. The government is not likely to be able to do anything about it, but all publicity helps reduce the pool of victims. Well worth signing.