Identifying Pop-up Support Fraud on a PC


The latest pop-up support scams use remote software to gain desktop access to a victim’s computer. Pop-up support scams are a malicious threat to a PC operating system, stored files, and a victim's PayPal, credit card or bank account.

Third-party Technical Support Advertising Fraud

In 2014, Microsoft filed a lawsuit against a company operating a remote access scam with the software brand’s trademark. Identifying fraudulent pop-up support messages, say consumer advocates, is not always easy. While not all criminals are so brazen as to appropriate trusted software branding as part of a scam, use of a solution product name is often enough to mislead a computer user to respond to a phony technical support prompt.

Most illegitimate technical support pop-up ads claim that security services or operating system processes have stopped running. The fake security warning, instructing victims to contact "technical support", may also be accompanied by the remote installation of malware, a virus, or password-stealing applications while the victim reaches for their wallet to pay for a fix.

What Happens During a Technical Support Scam?

Pop-up technical support warnings that temporarily interfere with a computer's functioning may at first appear credible. Rather than removing the offending temporary files from the 'Downloads' folder or the Windows 'Temp' folder and restarting the computer, a victim acknowledges the pop-up warning and follows its instructions to call a help desk phone number.

Contact with a technical support scammer generally results in a series of false diagnostic steps. Once a scammer establishes remote desktop access to a victim's computer, there is a request to run a "scan" of the operating system.

A command window displaying a full directory tree structure is typically the starting point in the process, followed by engagement with other Windows features and tools. The end result is a suggestion that the victim pay for the technician's guidance in re-installing programs to solve the supposed problem.

Event Viewer

Mention of Windows Event Viewer is a typical ploy used by scammers. Event Viewer displays "errors/warnings" logged by the operating system. The entries a scammer points to are generally stale, routine events that have already been addressed by updates to the computer.

System Configuration

System Configuration (Msconfig) is another Windows tool a scammer opens to point out supposed problems such as viruses.

Command Prompt

The Command Prompt (Cmd) offers a scammer the opportunity to run the Tree command, which lists the directories and files on the computer, and to type in text claiming the computer has "no network protection" or that an "infection has been found".

Batch Files

Pre-prepared batch files can be deployed by scammers through the remote session's file transfer feature. Much like the Tree command, these batch files are made to look like virus or network scans.

Prefetch Folder

The Prefetch folder is another target for scammers. A scammer may point to entries for Csrss.exe and Rundll32.exe during a search for "viruses" in the Prefetch folder. The Prefetch folder exists to speed up the loading of applications (including ones not digitally signed by Microsoft), and it is not normally where viruses are found.
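As an added example (not from the original article), the following PowerShell checks, from an elevated prompt, what the "viruses" in Prefetch actually are: .pf trace files named after the program, while the real csrss.exe and rundll32.exe sit in System32 with a verifiable Microsoft signature. Paths assume a default Windows install.

```powershell
# Added example, not from the original article. Assumes a default Windows
# install: Prefetch at $env:SystemRoot\Prefetch, system binaries in System32.
# Run from an elevated prompt; standard users cannot list the Prefetch folder.
$prefetch = Join-Path $env:SystemRoot 'Prefetch'
$names    = @('csrss', 'rundll32')   # names scammers commonly point at

foreach ($name in $names) {
    # Prefetch holds .pf trace files named <EXE>-<hash>.pf, never the program itself.
    $traces = Get-ChildItem -Path $prefetch -Filter "$name*.pf" -ErrorAction SilentlyContinue
    foreach ($t in $traces) {
        "{0,-40} {1,8} bytes  extension={2}  (trace file, not a program)" -f `
            $t.Name, $t.Length, $t.Extension
    }

    # The real binary lives in System32; check its Authenticode signature.
    # Windows system files are catalog-signed, so Status is 'Valid' for a genuine file.
    $exe = Join-Path $env:SystemRoot "System32\$name.exe"
    if (Test-Path $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        [pscustomobject]@{
            File   = $exe
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

# Summarise what file types are in Prefetch. .pf traces, SuperFetch .db files
# and Layout.ini are normal bookkeeping; an .exe or .bat here would be unusual.
Get-ChildItem -Path $prefetch -File -ErrorAction SilentlyContinue |
    Group-Object Extension |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```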

Task Manager

The Task Manager (Taskmgr) lets a scammer display CPU usage figures as supposed evidence that the computer is infected.

SSL Certificates

If all else fails, a scammer may use the 'Settings' tool to open out-of-date SSL certificates listed as "untrusted publishers", to convince a victim there is an issue stemming from an obsolete Verisign authorization.

Delmarva Group is a licensed technology services provider. Contact us for professional IT support services.