New tech support scams mimic ransomware, lock users' computers

Beware if you’re asked to pay $250 for a product key to unlock your PC.

A new type of technical support scam is mimicking ransomware and locking users out of their computers.

Jérôme Segura, a senior security researcher at Malwarebytes, explains these "tech support lockers" are much more sophisticated than the browser locks and fake anti-virus alerts we have seen in the past:

"This is not a fake browser pop up that can easily be terminated by killing the application or restarting the PC. No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will not get rid of it."

These lockers start when a user clicks on a fake PC optimizer or bogus Adobe Flash update.

One such sample detected by security researcher @TheWack0lian installs without any fanfare and waits until the user restarts their computer. At that time, it will take on the guise of a fake Windows update screen:

[Screenshot: Fake updates]

The scam will then load up another screen warning the user that they cannot access their computer due to an expired license key.

"Windows Update can not continue as your Software copy is Expired/Corrupt. Please enter a Valid Product key to continue."

This screen locks a user out of their computer.

[Screenshot: Key]

As with many tech support scams, the lock screen comes with a phone number that encourages users to call if they require additional support. Calling the number connects the user with a technician, who says they can remotely connect to the user's computer via TeamViewer and fix the issue (i.e. uninstall the locker trojan). But it'll cost them $250.

Fortunately, there's hope for users.

TheWack0lian notes that users can hold Ctrl+Shift and press the "S" key. Doing so will disable the locker but will not restore access to the computer.

In some instances, however, users can enter one of three hardcoded values as the "product key": "h7c9-7c67-jb", "g6r-qrp6-h2" or "yt-mq-6w". Those values might not work in every infection, but they have worked some of the time.

[Screenshot: Product key]

These lockers mark a new phase in the evolution of tech support scams, as Segura observes:

"Needless to say, this is a worrying trend because in comparison to fake (but mostly harmless) browser alerts, these Windows lockers are a real pain to get rid of and until you do so, your computer is completely unusable.... This increased sophistication means that people can no longer simply rely on common sense or avoid the typical cold calls from 'Microsoft'. Now they need to also have their machines protected from these attacks because scammers have already started manufacturing malware tailored for what is essentially plain and simple extortion over the phone."

Indeed, people are already peddling these types of lockers on Facebook, which means we are bound to see more of them in the future:

[Screenshot: Tech support scam blurs the line with ransomware, locks users' computers]

With that in mind, users should maintain an updated anti-virus solution on their computers, avoid clicking on suspicious links, and consider installing an adblocker. Each of these preventive measures will help to block the fake software updates that many tech support scams disguise themselves as.

7 Responses

  1. Mike from LA

    May 20, 2016 at 11:29 am #

    I'd like to know why authorities can't track down these thugs by the phone number you have to call?

  2. splatt

    May 20, 2016 at 12:52 pm #

    1) Shut off computer.
    2) Remove system hard drive.
    3) Install different hard drive.
    4) Turn on computer and install operating system.
    5) Turn off PC install original hard drive.
    6) Turn on PC and set Bios to boot with non infected HD.
    7) Transfer any needed files from old hard drive.
    8) Wipe infected hard drive.
    9) Problem solved.

    • Jim S in reply to splatt.

      May 21, 2016 at 4:45 pm #

      A friend gave me the laptop to fix. This ransomware is a real nightmare. I created a Windows 10 install/repair disk but I can't get the laptop to boot from anything but its hard drive. Going into the BIOS and changing the boot order does not work. I've tried both a DVD drive and a USB stick. Bummer.

  3. clancy

    May 20, 2016 at 2:08 pm #

    Or, you could boot in safe mode and run a malware removal tool.

  4. osh

    May 20, 2016 at 5:51 pm #

    Buy a Mac, and have 90% fewer issues.

    • Dj in reply to osh.

      May 20, 2016 at 7:33 pm #

      Sure. But only because you're oblivious to them, because now you're a Mac user who thinks Macs don't get malware. Too funny.

  5. Zyx

    September 18, 2016 at 5:00 am #

    Use Linux, an actual OS with user and basic security built in instead of as an afterthought add-on. (I admit I have a non-networked install of Windows to play games, but never for the internet or actual work.)