Security firm Malwarebytes has reported an innovative spin on the age-old tech support scam: an invoice for a non-existent subscription renewal payment, followed by the hijacking of the victim’s computer.
Scammers trick users into handing control over their computers using remote access software during a support call.
Malwarebytes has been tracking this scheme, which relies on fake renewal notifications, for several months now. The company started looking into it when the fraudsters began using the names of its own malware removal products in the invoices.
Image: Malwarebytes
Victims receive an invoice for an unusually high amount for a product they may or may not have used in the past.
The goal of the attackers is to grab the attention of users and make them call the provided support numbers to dispute the charge. During the call, the attackers ask victims to download remote desktop access apps such as TeamViewer, which they then use to take control of the machine.
“This particular scheme has been very active for the past few months, and it is difficult to estimate how many people fell victim to it,” says Malwarebytes in a blog post.
The bad actors sometimes install another remote access program called SupRemo, which allows them to re-establish the remote connection even if the user revokes access in TeamViewer.
Attackers locked victims out of their PCs on numerous occasions by using the built-in Windows SysKey utility to set a password on the machine.
In some cases, victims are prompted to restart the computer “to finish the update.” After restarting, victims see an alert dialog claiming the Windows license is out of date, along with fake signs of a malware infection. The goal is to make the victim call the provided support number, which ends with the victim paying hundreds of dollars to the fraudsters to remove the non-existent infection.
Malwarebytes exposed the scam by deliberately playing into the attackers’ hands and engaging in a call with them, with the aim of scambaiting the operators of these scams.
According to Malwarebytes’ analysis, this particular scam is being operated out of New Delhi, India.
In its report, the security firm provides instructions for victims of this scam on how to clean their computers without resorting to calling the rogue support team.