Blue screen of death with a support number? Beware the malware scam

Tech support scam tricks users into installing malware with fake blue screen of death.

A new tech support scam displays a fake blue screen of death (BSoD) in an effort to trick users into installing malware on their Windows computers.

The threat, which Microsoft calls SupportScam:MSIL/Hicurdismos.A, builds off a long lineage of tech support scams. Some of those ruses have even mimicked other Windows features, including the update process, to try to trick users into purchasing unnecessary software.

In this particular case, Hicurdismos masquerades as Microsoft Security Essentials, the anti-malware product that came pre-installed on all machines with Windows 7 and earlier.

Can you tell the difference? The real Microsoft Security Essentials installer is on the left. The malicious Hicurdismos installer is on the right. (Source: Microsoft TechNet)

Machines running Windows 8 and 10 now come with the Windows Defender product automatically installed. But that doesn't mean scammers can't try to trick unsuspecting users into thinking their computers aren't protected.

The installer for Hicurdismos arrives via a drive-by download attack and contains an executable called setup.exe. Microsoft's SmartScreen Filter tries to warn users not to run the executable because it is not verified, but they can simply choose to ignore those alerts.

There's something interesting about the malicious file, as Francis Tan Seng and Alden Pornasdoro of Microsoft's Malware Protection Center explain:

"The file setup.exe is a SmartInstaller package, which contains a malicious file that pretends to be Microsoft Security Essentials. Unlike the installer, the malicious file has the same file property information as the legitimate Microsoft Security Essentials executable"

Hicurdismos has the same details as Microsoft Security Essentials. (Source: Microsoft TechNet)

Once the malicious file executes, it creates a fake BSoD experience by hiding the cursor and disabling Task Manager, both of which create the impression that the system is not responding.

It also displays a modified BSoD that comes with the following scammy punchline:

"If you would like to resolve the issue over the phone you can call our support at 1-800-418-4202."

Genuine Blue Screens of Death do not contain any such sentence.

As of this writing, no one on the other end of the scam's phone number could be reached. It's safe to assume, however, that the scammers would try to trick users into downloading malware onto their machines that would grant the fraudsters remote control, access which they can abuse at a later point in time to install additional malware.

To protect against this tech support scam, it's important that users know a few things:

  1. Microsoft will NEVER provide a phone number on a BSoD screen. Instead it will give an error code and recovery instructions. That's it.
  2. Systems with either Windows 8 or Windows 10 installed are already protected by Windows Defender. That means there's no reason for users to download Microsoft Security Essentials onto their machines.
  3. Every program produced by Microsoft (including Microsoft Security Essentials) is signed by a Microsoft certificate. Any program that claims to originate from Microsoft but isn't signed is a fake.
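The third point above is the one a user can actually verify. As an added example (not code from the article, from Microsoft, or from the researchers quoted), the PowerShell script below takes the path of a downloaded installer, prints the file-property metadata that Hicurdismos copies from the genuine Microsoft Security Essentials binary, and then checks the Authenticode signature, which a scammer cannot copy. It also checks the Group Policy registry value that Windows uses to disable Task Manager; the article says only that the malware disables Task Manager, so treating that value as the mechanism is an assumption, flagged in the code.

```powershell
# Added example, not from the article: distinguish a real Microsoft binary from a
# lookalike by its Authenticode signature rather than its file properties.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # path of the installer to check, e.g. a downloaded setup.exe
)

function Get-FileProperties {
    param([string]$FilePath)
    # Version-resource metadata is attacker-controlled: Hicurdismos copies these
    # fields from the genuine executable, so they prove nothing on their own.
    $info = (Get-Item -LiteralPath $FilePath).VersionInfo
    return [pscustomobject]@{
        CompanyName    = $info.CompanyName
        ProductName    = $info.ProductName
        FileDescription = $info.FileDescription
        FileVersion    = $info.FileVersion
    }
}

function Test-MicrosoftSignature {
    param([string]$FilePath)
    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    # 'Valid' means the hash matches and the certificate chains to a trusted root.
    # Unsigned, tampered or self-signed files report NotSigned, HashMismatch, etc.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }
    $subject = $sig.SignerCertificate.Subject
    # A valid signature from some other publisher is still not Microsoft.
    if ($subject -notmatch 'O=Microsoft Corporation') {
        return [pscustomobject]@{ Trusted = $false; Reason = "Validly signed, but by: $subject" }
    }
    return [pscustomobject]@{ Trusted = $true; Reason = "Signed by $subject" }
}

function Test-TaskManagerDisabled {
    # Assumption: a program that disables Task Manager does so through the
    # DisableTaskMgr policy value. The article does not state the mechanism.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.DisableTaskMgr -eq 1)
}

Write-Host "File properties (copyable by an impostor, do not rely on these):"
Get-FileProperties -FilePath $Path | Format-List

Write-Host "Signature check (what actually proves the publisher):"
$result = Test-MicrosoftSignature -FilePath $Path
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning "Do not run $Path as a Microsoft product."
}

if (Test-TaskManagerDisabled) {
    Write-Warning 'Task Manager is disabled by policy (DisableTaskMgr=1); a genuine BSoD never does this.'
}
```

Run it as `.\Check-Installer.ps1 -Path .\setup.exe` (script name assumed). On the genuine installer the signer subject contains `O=Microsoft Corporation` and `Trusted` is `True`; on a lookalike whose properties say "Microsoft Security Essentials" the properties section looks identical but the signature check returns `NotSigned` or a different publisher, which is exactly the distinction the third point above relies on.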

Anyone who's fallen victim to a tech support scam should change their passwords, reverse any credit card charges placed to the fraudsters, and patch their systems for vulnerabilities.


10 Responses

  1. keith

    October 27, 2016 at 1:01 pm #

    You explain all this, but am I missing something, like how to stop this happening? I run Windows 10 and I get this screen at least 3 times a day. I just let it run its course and do nothing, and my laptop restarts and all's well until the next time, etc etc etc

    • Corey in reply to keith.

      October 27, 2016 at 4:36 pm #

      Do you have any anti-virus software? It sounds like time to run a scan

      • keith in reply to Corey.

        October 27, 2016 at 8:56 pm #

        I've run Windows Defender many times but to no avail. It usually happens when I stop using my laptop for a while without switching it off, and when I return and log back on after about 5 mins, up it pops.

    • Melissa in reply to keith.

      October 27, 2016 at 7:22 pm #

      This is criminal activity and yes, they are trying to put malware on computers. It gets nasty when you click the link or call the number and you do what the criminals tell you to do. If you turn your computer off and do nothing, generally you are OK. There is no way to stop it from happening.

    • ron in reply to keith.

      October 27, 2016 at 7:55 pm #

      Well that depends whether you see such fake MS "support" number or just an error code at bottom of that bsod. Follow the article's advice for the former or look for suggestions on the error code for the latter.

  2. kim

    October 27, 2016 at 2:42 pm #

    Funny. I read this yesterday, and just a few seconds ago I encountered the screen with a 1-800 number at the bottom (with something like 'Kernel Security' following the number). This happened when I turned on Facebook.

  3. Connie

    October 27, 2016 at 7:17 pm #

    Had this happen to me. Fell for it once: called the number and the "tech" said they'd help for $200!!! I told him never mind, ran Windows Defender, and it cleared up!

  4. Melissa

    October 27, 2016 at 7:19 pm #

    This is criminal activity and yes, they are trying to put malware on computers. It gets nasty when you click the link or call the number and you do what the criminals tell you to do. If you turn your computer off and do nothing, generally you are OK. There is no way to stop it from happening. Hopefully in the future there will be; unfortunately it is probably coming from some overseas idiot who is doing this for the pure hell of it.

  5. Ben

    October 27, 2016 at 10:52 pm #

    My relative got taken for $250 from this scam.

  6. Julian

    October 28, 2016 at 12:03 am #

    I find it interesting to have Microsoft offering products to fight those "fake alerts". Folks, we live in an era where all liars are out to get your money (and Microsoft isn't excluded).

    This is nothing more than a sale-pitch.
