A new type of technical support scam is mimicking ransomware and locking users out of their computers.
Jérôme Segura, a senior security researcher at Malwarebytes, explains these “tech support lockers” are much more sophisticated than the browser locks and fake anti-virus alerts we have seen in the past:
“This is not a fake browser pop up that can easily be terminated by killing the application or restarting the PC. No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will not get rid of it.”
These lockers start when a user clicks on a fake PC optimizer or bogus Adobe Flash update.
One such sample detected by security researcher @TheWack0lian installs without any fanfare and waits until the user restarts their computer. At that time, it will take on the guise of a fake Windows update screen:
The scam will then load up another screen warning the user that they cannot access their computer due to an expired license key.
“Windows Update can not continue as your Software copy is Expired/Corrupt. Please enter a Valid Product key to continue.”
This screen locks a user out of their computer.
As with many tech support scams, the lock screen comes with a phone number that encourages users to call if they require additional support. Calling the number connects the user with a technician, who says they can remotely connect to the user’s computer via TeamViewer and fix the issue (i.e. uninstall the locker trojan). But it’ll cost them $250.
Fortunately, there’s hope for users.
TheWack0lian notes that users can hold Ctrl+Shift and press the “S” key. Doing so will disable the locker but will not restore access to the computer.
In some instances, however, users can enter in one of three hardcoded values for the “product key”: “h7c9-7c67-jb” or “g6r-qrp6-h2” or “yt-mq-6w”. Those values might not work in every infection, but they have worked some of the time.
These lockers mark a new phase in the evolution of tech support scams, as Segura observes:
“Needless to say this is a worrying trend because in comparison to fake (but mostly harmless) browser alerts, these Windows lockers are a real pain to get rid of and until you do so, your computer is completely unusable.… This increased sophistication means that people can no simply rely on common sense or avoid the typical cold calls from ‘Microsoft’. Now they need to also have their machines protected from these attacks because scammers have already started manufacturing malware tailored for what is essentially plain and simple extortion over the phone.”
Indeed, people are already peddling these types of lockers on Facebook, which means we are bound to see more of them in the future:
With that in mind, users should maintain an updated anti-virus solution on their computers, avoid clicking on suspicious links, and considering installing an adblocker on their computers. Each of these preventive measures will help to block the fake software updates whose form many fake support scams like to assume.