In a world where new cyber threats seem to develop almost daily, it’s easy to forget that some tactics have stood the test of time.
Since mid-May, PhishLabs has been tracking an ongoing consumer-focused email phishing campaign.
And what tactic have they been using? The dreaded tech support scam.
No matter how much technology develops, threat actors will nearly always default to the simplest tactic that still works. And when it comes to consumer-focused phishing, there’s nothing simpler (or more effective) than a well-constructed tech support scam.
The Cancellation Scam
This time, Amazon, eBay, and Alibaba customers are being targeted using phishing lures designed to look like cancellation notices. Each email notifies recipients that a recent order has been cancelled, and provides a link to a supposed order summary online.
Utilizing subjects such as “Your order has successfully been cancelled” and “Your cancellation,” the lures are sent from spoofed email addresses, e.g., firstname.lastname@example.org and email@example.com.
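The lure pattern described above (a brand's cancellation notice, a sender address that does not belong to the brand, and an "order summary" link pointing off-brand) expressed as a simple mail-filter rule. This is an added example, not PhishLabs code; the brand domain list and the sample messages are assumptions constructed for it.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands impersonated in the campaign and the domains their genuine mail uses.
# This domain list is an assumption for the example; a real filter would carry
# every legitimate sending and link domain for each brand.
BRAND_DOMAINS = {"amazon": ("amazon.com",), "ebay": ("ebay.com",), "alibaba": ("alibaba.com",)}
# Subject phrasing reported for the lures: "Your order has successfully been
# cancelled" and "Your cancellation".
CANCEL_SUBJECT = re.compile(r"order\b.*\bcancel|your cancellation", re.I)

def _belongs_to(host, brand):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])

def flag_cancellation_lure(msg):
    """Return the reasons a message matches the lure pattern (empty list if clean).
    msg: dict with 'from', 'subject', 'body' and 'links' (URLs extracted from the body)."""
    if not CANCEL_SUBJECT.search(msg["subject"]):
        return []  # not a cancellation notice, so this rule does not apply
    display, addr = parseaddr(msg["from"])
    sender_host = addr.rpartition("@")[2]
    text = f"{display} {msg['subject']} {msg['body']}".lower()
    reasons = []
    for brand in (b for b in BRAND_DOMAINS if b in text):
        # The From header can be forged, so the link check below is the stronger
        # signal; SPF/DKIM/DMARC results belong in a separate check.
        if not _belongs_to(sender_host, brand):
            reasons.append(f"claims {brand} but sent from {sender_host or '?'}")
        for url in msg["links"]:
            host = urlparse(url).hostname
            if not _belongs_to(host, brand):
                reasons.append(f"{brand} lure links to {host}")
    return reasons

# Constructed sample messages, not mail captured from the campaign.
LURE = {
    "from": "Amazon Orders <email@example.com>",
    "subject": "Your order has successfully been cancelled",
    "body": "Your Amazon order was cancelled. View the order summary here:",
    "links": ["http://order-summary.example.net/view?id=1123456"],
}
GENUINE = {
    "from": "Amazon.com <order-update@amazon.com>",
    "subject": "Your Amazon.com order has been cancelled",
    "body": "Your order has been cancelled as requested.",
    "links": ["https://www.amazon.com/your-orders"],
}
```

A genuine cancellation notice passes because both its sender and its links resolve to the brand's own domain; a lure that spoofs the brand's sender domain is still caught by its off-brand order-summary link.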
And while there is some variation in the quality of lures observed, many are quite convincing. The images below, for example, depict lures professing to be from Amazon and Alibaba:
When a victim clicks on the order number in one of these lures, they’re redirected to a page that is typically filled with pornographic images. At the same time, a fake Windows Defender popup window appears and informs the user that the Zeus virus has been detected on their computer, and that their passwords, browser history, credit card information, and hard disks will be “compromised” if the computer is shut down.
According to the popup, the Zeus virus is typically found by visiting “Adult/Porn sites” and is used to steal personal and financial data. It goes on to tell the victim that their machine may also be used in DDoS attacks, and as a result the machine has been locked and the browser “sandboxed” to prevent further damage.
Fake Windows Defender alert
But here’s the thing: there’s no virus. In fact, the victim’s machine isn’t even locked.
Instead, the scam simply locks the victim’s browser window, making it difficult for them to check the authenticity of the claims being made, and instilling dread in the average non-technical home user.
Finally, victims are told to call “Microsoft” or the “Windows Help Desk” to have their machine unlocked. Naturally, our analysts followed this advice, and immediately called the number provided.
After a few rings, a man with a distinct accent answered with, “Thank you for calling tech support. My name is John. How can I help you?”
Need the low-down on all the latest phishing threats? Download our Q1 2017 Phishing Trends & Intelligence report now for FREE.
So what is the genius process for making money from this scam? Simple: When a victim calls up, inform them there will be a small fee to resolve their issue.
And when they provide their card details to pay? Steal them, and either sell them or commit financial fraud.
This type of scam has been in common use for at least a decade for one simple reason: It works.
Most people are non-technical, and they panic when confronted by the seemingly “real” warnings these scams include. In their haste to resolve the problem facing them, a surprisingly high proportion of people are willing to give their credit card details over to “John from Microsoft.”
And don’t forget, there’s no malware involved. A more tech-savvy recipient of these lures could simply force-close their browser window, if they even fell for the lure in the first place.
It’s important to remember that, while new threats are constantly arising, old-fashioned social engineering is just as powerful as it’s always been.
So if you, or anyone you know, are faced with popups and warnings similar to those described in this article, it’s vital that you remain calm. Check the validity of any claims being made, and absolutely don’t give out your credit card details under any circumstances.
If you would like to discuss the report or learn more about how PhishLabs helps our customers fight back against threats targeting their organization, contact us.