The Rise of Computer Scams Perpetrated Using Remote Control Software

It seems like every day I hear about someone getting scammed by someone pretending to be an agent of a large IT company or the government.  We have seen the resulting payment and ransom requests get into the thousands of dollars.  Over time I have noticed generally the same predictable pattern to the scams, with the occasional interesting twist.  It really boils down to two ways that this type of scam commonly originates.  The two methods are what I would label “phone initiated” scams and “search engine/Internet browsing initiated” scams.

In the “phone initiated” version of the scam the scammer cold calls the potential victim on the telephone claiming to be someone they are not (generally a Microsoft support technician).  Sometimes the scammers are sophisticated enough to spoof their Caller ID, use professionally recorded messages and employ other techniques to give a greater impression of legitimacy.  The scammer tells the potential victim that their computer is compromised and that they must follow instructions or their computer (or specific parts of it, like the antivirus) will quit working, they will be left vulnerable, and/or they will face a hefty fine.  The scammer then instructs the victim to get on their computer and go to a web site.  These web sites host an installer package that, once installed, gives the scammer permission and ability to control the victim’s computer remotely.  From there the scammer simply takes over control of the victim’s keyboard and mouse (which is exactly what these tools are intended to do).

I think it’s important to note here that the key to this whole scenario is summed up in “…gives the scammer permission and ability…”  The media often portrays these low-brow scammers as though they are talented hackers reaching up from the dark web and grabbing control of users’ systems.  In reality, these scammers didn’t break in; the victim let them in.

The “search engine/Internet browsing” initiated scams are basically the same, but the original contact between scammer and victim occurs via an interaction on the World Wide Web.  The victim may search for a term like “Microsoft Technical Support” or “Why is Internet Explorer crashing?”  In order to prey on the victim’s acknowledged problem (these are the search terms of someone pretty obviously having computer problems) the scammers purchase keyword advertising or otherwise optimize their web site ranking to get to the top of the search results for those kinds of keyword searches.  The scammer presents a phone number to call for help, and the telephone scenario then goes as described above for phone initiated scams.  In a bit of good news, the search engines and the companies the scammers impersonate are clamping down on this technique somewhat.

Scammers also buy pop-up advertising on web sites, so the phone number may be presented in the form of a pop-up message claiming that the user’s computer is compromised.  Again, the scenario leads to a phone number for the victim to call and the scammer convincing the victim to install a piece of remote access software to facilitate the scam.

The level of sophistication and cruelty of the scammers varies.  Sometimes the scammer does a bunch of nothing (snoops around, opens the Control Panel, points out what they claim to be problems, etc).  Eventually the scammer convinces the user that he has saved them from a made-up malady, charges them a fee and then moves on.  To take it a step further, sometimes the scammers sell a security product or ongoing technical support which they claim will prevent all future malady; this gives them a foot in the door to contact the victim again at a later time (to renew or update the service they purchased).  Even further yet, sometimes the scammers create a persistent remote connection and will continue to scam the victim periodically, saying something else has happened to the victim’s computer.

Moving to the more nefarious end of the spectrum, some scammers lock the victims out of their computers and/or files with encryption or passwords, or by simply crippling the operating system (generally by disabling services set to run on Start Up).  These tend to be the scams which lead to the most expensive ransom demands.

Another similarity I see amongst these scams is the evolution in the accepted methods of payment.  As these scams have become more and more common, scammers have had to evolve their accepted payment methods.  Banks, credit card companies, and other financial institutions and brokers are finally starting to watch for and shut down transactions made to known scammers.  In order to circumvent this, many scammers have moved to having the victims provide payment in the form of Google, iTunes and other gift cards.  These gift cards are considered so liquid that they are basically as good as cash (what can’t you buy from Amazon or Walmart?).  As soon as the victim gives the gift card information to the scammer the money changes hands with no recourse.

So how do you protect yourself from these kinds of scams?  The best defense here is knowledge.  The IRS, Microsoft and other large IT companies and government entities will generally not try to make direct contact with consumers via a phone call.

Never trust incoming contact information like telephone Caller ID or a sender’s email address.  Just as with a letter in the postal (snail) mail, there is little that can be done to authenticate the sender’s claimed credentials.  Instead, if for instance your bank calls you on the phone, hang up and call the phone number you know to be the bank’s to ask if they are trying to get in touch with you.

As noted, another big red flag in these situations is the scammer’s insistence on the victim going to a web site and downloading and installing software.  Once this software is installed the scammer is in the driver’s seat.  Given the variations in the remote access tools that the scammers use, at the point that they have control the best thing to do is shut the computer off.

If you have a computer that has been remotely accessed, the best course of action is to take it to a trusted computer professional to have them check for backdoors which may give the scammers a future opportunity to get back on the computer, and to check the machine for malware/spyware.
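As a concrete illustration of where that check might start, here is an added PowerShell triage script; it is not part of the original post. It lists installed programs, services, Run/RunOnce registry entries, scheduled tasks and live network connections whose names match legitimate remote-access tools that scammers commonly ask victims to install (the name list is an assumption for illustration, not drawn from the post), and it also lists services set to Disabled, since the post notes that scammers cripple machines by disabling startup services. It only reads and reports; removal and a proper malware scan remain the professional's job.

```powershell
# Added triage example, not from the original post. Run in an elevated PowerShell
# session on a machine suspected of having been remotely controlled. Read-only:
# it lists evidence, it does not change or remove anything.

# Product names of legitimate remote-access tools that scammers commonly ask victims
# to install. This list is an assumption for illustration; extend it as needed.
$RemoteToolPatterns = @(
    'TeamViewer', 'AnyDesk', 'LogMeIn', 'GoToAssist', 'GoTo Resolve', 'ScreenConnect',
    'ConnectWise', 'Supremo', 'UltraViewer', 'Ammyy', 'VNC', 'Splashtop',
    'AeroAdmin', 'RustDesk', 'Zoho Assist', 'Remote Utilities'
)
$Regex = ($RemoteToolPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Test-RemoteToolName {
    param([string]$Text)
    # -match is case-insensitive by default in PowerShell
    return ($Text -match $Regex)
}

Write-Host "== 1. Installed programs matching remote-access tool names =="
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and (Test-RemoteToolName $_.DisplayName) } |
    Select-Object DisplayName, InstallDate, InstallLocation |
    Format-Table -AutoSize

Write-Host "== 2. Services (remote-access tools, plus anything set to Disabled) =="
# Persistent remote connections usually run as a service; a scammer who 'cripples'
# a machine often does it by disabling services that normally start automatically.
Get-Service |
    Where-Object { (Test-RemoteToolName "$($_.Name) $($_.DisplayName)") -or $_.StartType -eq 'Disabled' } |
    Select-Object Name, DisplayName, Status, StartType |
    Format-Table -AutoSize

Write-Host "== 3. Run / RunOnce registry entries =="
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties that Get-ItemProperty adds itself, not real registry values
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $Props) { continue }
    $Props.PSObject.Properties |
        Where-Object { $_.Name -notin $ProviderProps } |
        ForEach-Object {
            $Flag = if (Test-RemoteToolName "$($_.Value)") { '  <-- remote-access tool' } else { '' }
            Write-Host ("{0}\{1} = {2}{3}" -f $Key, $_.Name, $_.Value, $Flag)
        }
}

Write-Host "== 4. Scheduled tasks whose action matches a remote-access tool =="
Get-ScheduledTask |
    Where-Object { $_.Actions | Where-Object { Test-RemoteToolName "$($_.Execute) $($_.Arguments)" } } |
    Select-Object TaskPath, TaskName, State |
    Format-Table -AutoSize

Write-Host "== 5. Established connections owned by remote-access tool processes =="
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($Proc -and (Test-RemoteToolName "$($Proc.Name) $($Proc.Path)")) {
            [pscustomobject]@{
                Process = $Proc.Name
                Path    = $Proc.Path
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
    } | Format-Table -AutoSize
```

A hit in section 5 (a live session to an outside address from a tool the owner never knowingly installed) is the strongest indicator that the scammer still has a way in; hits in sections 1 through 4 show how that access would survive a reboot. An empty report is not a clean bill of health: the list of names is a starting point, and a renamed or portable copy of a tool will not match it, which is why the post's advice to have a professional check the machine still stands.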

Share this information with your friends and family, especially the elderly and/or vulnerable. Encourage them to contact you or another trusted resource if they are ever unsure about someone who has contacted them by phone, email or via a website they have visited.