The Internet Crime Complaint Center (IC3) has issued a public service announcement warning about a “new twist to the telephone tech support scam“.

In its message, it advises users to be particularly cautious about fake pop-ups telling them that their computers are infected and urging to call a toll free number for assistance:

IC3

“In a new twist to the tech support scam, cyber criminals attempt to defraud using another avenue. The scam is executed while a user is browsing the Internet. In this scenario, a website being viewed provided a link to articles related to popular topics. The user clicked the link and was redirected to a website which produced a window that advised the user’s computer had been hacked.

Another window was displayed that contained a telephone number to obtain assistance. The user reported all attempts to close the windows were ineffective. Upon calling the number for assistance the user was connected with an individual who spoke with a heavy foreign accent claiming to be an Apple representative. During the process the user’s web browser was hijacked. Restarting the computer in an attempt to regain access to the Web produced another message with a different telephone number to obtain assistance.”

Readers of this blog will remember the various articles we already posted on this topic:

So while this phenomenon is not new there is a good reason why the IC3 is releasing this PSA. We are seeing an increasing number of campaigns pushing these fake tech support warnings:

This slideshow requires JavaScript.

These pages are affiliate driven and in fact can be linked to malvertising as well, since they often piggy back on dubious ads.

Not only are the pop-ups more alarming than ever, many also feature audio voice over that loops indefinitely.

server2

Many of these scam sites are poorly secured, and often times their index is browsable (see picture above). It’s no wonder that they can also infect your computer with a drive-by download as we noted last week.

While technically not very sophisticated, these pages can be a nightmare to close down and therefore lead some desperate users to actually call for help.

The following code snippet is used to prevent you from closing the browser window, and also disables right-clicks:

noexit

Shutting down each of these sites is like a whack-a-mole game: There’s a flurry of new ones constantly popping up:

hxxp://support.windows.com-en-us.website/warning/pcwarning/
hxxp://system-connect.com/popup.php
hxxp://maturegame.net/alert.php
hxxp://ms-malware-support.com/
hxxp://certified-pc-help.com/1/
hxxp://pcsupportwindows.com/zp/al-zp-ca.html
hxxp://www.virusaid.info/norton.html
hxxp://ivuroinfotech.com/
hxxp://alert.browsersecuritynotice.com/a8-500c4-absn1113-222533-index-1m1.html
hxxp://192.3.54.103/f5u3.php
hxxp://www.uscomphelp.com/zeus/
hxxp://customerservice-247.net/index.html
hxxp://systemscheckusa.com/
hxxp://www.email-login-support.com/index-10.html
hxxp://instantsupport.hol.es/viruswarning.html
hxxp://mobile-notification.com/system-alert/
hxxp://www.dream-squad.com/9/campaign1421?s1=09_rr_ppc_skm&s2=us_skm&s3={removed}
hxxp://immediate-responseforcomputer.com/index-10.html
hxxp://www.hostingprivilege.com/virus-found.html
hxxp://bihartechsupport.com
hxxp://tech01geek.com/ms/
hxxp://ibruder.com/services.html#
hxxp://notificationsmanager.com
hxxp://treeforyou.com
hxxp://www.xxxdovideos.com/WARNING%20%20VIRUS%20CHECK.htm
hxxp://fixcomputerissues.com/detect.html
hxxp://www.enortonsupport.com
hxxp://simunexservices.com
hxxp://browseranalystic.info/index.html
hxxp://www.usonlinehelp247.com
hxxp://customer-cares.com
hxxp://tech-suport.com
hxxp://securesystemresource.net/netgear.php
hxxp://systemerror.us
hxxp://v4utechsupport.com/detect.htm
hxxp://shopforless.us
hxxp://www.getlms-online.info/virus-found.html
hxxp://thehelpcomputer.com/pop.htm
hxxp://spitzi.co.uk/support_for_pc_laptop.html
hxxp://fixpc365.com/test.html
hxxp://softhelp-support.com
hxxp://www.pcteckers.com/media.html
hxxps://www.techworldwide.org/
hxxp://fix-max.com/
hxxp://thanksfordownloading.com/site/ad/tryagain2c/
hxxp://publicsafetycheck.com/
hxxp://pcsecurity360.jimdo.com/
hxxp://www.pctools247-support.com/index.html
hxxp://immediateresponseforcomputer.com/index112.htm
hxxp://techsupport113.com/
hxxp://www.driverupdatesupport.com/support/eng/lp1/index_av.php
hxxp://mac.printerhelpandsupport.com/alert/mac-alert.php
hxxp://tradeandme.com/treda&channelfflb&gferdcr&eiGZtrVMrBG9iHvASF-earchqavascriptpopup&ieutf-8&oeutf8&aqt&rlsorg.YCwAwrlsorgmozillaen&channelfflb&qjavascrmozillaen-USofficial&clientfirefox.htm
hxxp://allsolutionshop.com/
hxxp://security-warning.net/warning.html
hxxp://computer-experts.co/D202122014/support-for-malwarebytes.php
hxxp://emailhelp.biz/
hxxp://pchelpdesk.co/cp/support-for-malwarebytes.php?affiliate=46355-7881_74
hxxp://www.publicsafetycheck.com/
hxxp://virus.geeksupport.us/
hxxp://pc-warning.ga/
hxxp://windows-alert.ga/

Most of these domains are set up through some sort of proxy or anonymous registration. They also steal content from each others using web crawlers such as HTTrack Website Copier.

The general piece of advice when seeing fake alerts and warnings is to remain calm and try to close them. Despite the urgency of the messages you should never call the toll free number, let alone give a ‘tech support agent’ remote access to your computer.

To get rid of a nasty pop-up, closing the browser might not be enough since the crooks have put extremely annoying scripts to prevent you from doing that.

Here’s a trick to get rid of them for good. First you need to open the Windows Task Manager (if you are on a Mac, please read this article).

In Windows 7, click on the Start Menu and type ‘task manager’. In Windows 8, right click on the ‘Start icon’ and select ‘Task Manager’

Next thing you’ll want to do is terminate the Internet Explorer process by going under the Processes Tab and right clicking on iexplore.exe. In some cases ‘End process” is enough, in other cases you may have to use ‘End Process Tree‘ to also kill all related instances.

In Windows 8, you can simply click on ‘End task’ once you have highlighted Internet Explorer.

 

This slideshow requires JavaScript.

You can relaunch your browser afterwards to make sure it’s clean, but you will want to opt out of the automatic ‘Restore session’, as it will bring the pop-up right back!

restore

Finally, it is not a bad idea to check your system for malware, with a quick Malwarebytes Anti-Malware scan for example, just in case the fraudulent site also infected your PC.

Tech support scammers are using everything in their toolbox, from cold-calls to upsells from registry cleaners and of course malvertising. This latest wave of attacks is particularly active and most likely much more effective than the classic ‘Microsoft cold call’.

The approach is not terribly new in that it has been used for years by fake AV scanners. In fact, it is fairly likely that we are going to see tech support scams being peddled through malware that locks up your computer (ransomware) or encrypts your files.

For general information about tech support scams and assistance, feel free to check out our resource page here.

@jeromesegura