Dark Reading - NEWS & ANALYSIS
Posted on Thursday May 24th at 10:45am
Fake antivirus scammers recently got more than they bargained for when they unknowingly dialed the home number of a Sourcefire security researcher who then lured them to an impromptu honeypot and recorded their activity on his machine.
Noah Magram, principal software engineer with Sourcefire, says it was about dinner time -- also known as telemarketing time -- last week when he decided to answer what appeared to be a local call according to his caller ID. Magram says he's not sure exactly what compelled him to answer the call during that infamous time of night, but it was his local area code in Oregon and "Borders" showing up on caller ID that tempted him to pick up.
The caller said he was from Microsoft and that Magram's computer had been sending multiple error messages to the software company. "He said they thought I had some viruses and malware," recalls Magram, who immediately knew that it was a scam. "It was surreal."
"I was curious. I wanted to see if they would send me to any websites or get me to download any malware, something that we could analyze. I was really curious about what their script was," Magram says.
Fake antivirus and security software scams are rampant, and typically occur via drive-by Web-borne infections where a user is hit after visiting a compromised site and then sees a pop-up message that his or her machine is infected. The attacker ultimately attempts to basically extort a subscription fee out of the victim to get his or her machine back in working order after locking it down. Most recently, a massive rogue AV scam targeted more than 200,000 Web pages and 30,000 different websites that was detected by Websense.
Others, like the one that Magram stumbled upon, are more direct social engineering scams, either by phone or email.
Patrik Runald, research director at Websense Security Labs, says Websense doesn't see as many of these social engineering-based attacks that mostly go after home users. "My mom and some of my friends did receive a similar phone AV scams and reported it to me," Runald says. "It's really a continuation of the fake/rogue AV scams that gets delivered to users PCs via drive-by's or social engineering. The people operating those scams already have call centers to receive 'support' calls from their 'customers,' so the step to make outbound calls isn't much of a reach."
[Actors looking to monetize from malware infections are continuing to invest in developing increasingly convincing fake software in order to maintain their cover. See Scareware Is Evolving.]
Magram says the agent on other end of the line did not appear to be technically adept and didn't stray much from his script. Magram played along from the comfort of his living room couch, pretending to be pulling up the event viewer on his Windows machine. "I said I saw a couple of warnings and errors in my event viewer, and he said 'that's malware,'" Magram says. Then without any introduction or warning, a new agent came on the phone and basically picked up where the first agent left off. He urged Magram to install a remote administration tool so the agent could get a closer look at the "problem."
So after 30 minutes of dragging out the call, Magram decided that this rare, firsthand look at a fake AV and security software scam was too good not to study up-close and record. So he started up a VMware virtual machine on his Windows PC. "I realized I could give them an environment to bang around in," Magram says. Upon the urging of the scammers, he installed LogMeIn, a legitimate remote access tool, and "Victor" the technician was then inside the machine. Magram recorded every click the scammers made.
At first, Victor tried to remotely bring up a website with information on the subscription options, but apparently fat-fingered the browser button, and the webpage for another legit RAT product, ShowMyPC.com, appeared instead. He eventually got the "company's" webpage to successfully load, and the agent carefully explained to Magram the various services and subscriptions they offer.
Interestingly and suspiciously, they no longer were pretending to be Microsoft at that point. "The website was not Microsoft's. Their story had changed, because initially, they said they were calling from Microsoft," Magram says.
Taking the bait
Magram finally "agreed" to a one-year subscription for a one-time $50 fee, and they pushed him a webpage using a legitimate card processing service. He typed in a test number, which rejected the transaction.
Then Victor systematically began disabling all Windows Services right there on the screen for all to see, while the agent on the voice call told Magram he would need to renew his subscription, noting that the machine was so compromised that they couldn't be "held responsible for what happens next."
"I asked the agent why they were disabling those things, and he said they are a list of malware. But they were obviously a list of standard Windows services," Magram says.
Victor continued the destruction, ultimately disabling VMWare as well. "I even asked what VM services are ... he insists they are malware," Magram recalls.
The scammers didn't give up easily, either. Even with the "rejected" credit card and no payment on the table yet from their mark, Victor rebooted the machine under Safe Mode while the agent on the line warned that there was so much malware on the machine that they wouldn't be responsible for what happened next. Magram knew that Victor's actions would disable the system altogether after a reboot, but the scammers apparently were trying one last-ditch effort to get him to cough up some cash.
He finally admitted to the scammers that they were on a VM, and he was a security expert who had been stringing them along. They quickly hung up.
Magram says he was surprised how low-tech the scammers actually were. Not only were they blatant about deleting the Windows services, but they also didn't realize they were trapped inside a VM, even when the VMware services appeared on the screen. "I had always wondered what their capabilities are" in these scams, he says. "But I was shocked how clueless and clumsy there were. They are placing thousands of these calls and they are not sophisticated."
And they didn't install any malware. "I thought that would be the first thing they would have done. I assume that when they 'fixed' the machine they would install the malware," he says.
Their approach was "so stone age," he says, using legitimate RAT tools and an unprofessional and shaky script by the caller. Even so, it's a social engineering scam, and those are the hardest to defend against, he says. The only real defense is educating users about these types of scams out there.
And catching the culprits behind it is unlikely. Magram was able to root out that their company's physical address, if legit, was in Utah, and that's about it. "It's doubtful they are set up in the U.S.," he says.
Magram said overall, the experience was interesting and kind of fun. "My wife was cracking up [in the background] and first couldn't figure out why I was talking to a telemarketer," he says.
"This is not something you'd expect as a software engineering [pro] at a security firm to have somebody call you who wants to won your box and it falls in your lap," he says.
Websense's Runald says he's scammed a few scammers in his day as well. “It's always interesting to turn the table on scammers. I've played along with the bad guys when it comes to job scams and other social engineering tricks and as soon as they figure out you know more than most they just stop communicating, just like what happened to Noah," Runald says.
Meanwhile, Magram has now posted a video of the scam online, which can be viewed here.