Naked Security

ISP customer data breach could turn into supercharged tech support scams

The concept of helping people via a support line has been poisoned by scammers using leaked customer data to target victims

As Naked Security readers will be aware, tech support fraudsters have recently taken a real shine to customers of TalkTalk, a British internet service provider.

As many attest, they just won’t leave TalkTalk customers alone, cold-calling them on a scale the BBC recently described as “industrial”. Needless to say, this is not good.

The phone spiel always unfolds in the same way. The caller claims to be a TalkTalk engineer and to have detected a router or malware issue on the user’s computer that requires immediate intervention.

The customer is persuaded to turn on their computer and run the Windows Event Viewer to perform bogus diagnostics before being asked to install one of a range of remote desktop support tools.

This type of application gives the scammers complete remote control over the victim’s PC, at which point they are free to steal data, install malware and, in some cases, engineer the user into logging into online banking or transferring money.

A popular choice with the fraudsters since at least 2015 has been TeamViewer, so much so that on March 8, TalkTalk abruptly started blocking the application from functioning on its network in a desperate effort to stem a tide of abuse customers had started complaining about.

TeamViewer’s block was removed on Thursday after complaints by the company, but that didn’t stop TalkTalk from quietly blocking equivalents such as AnyDesk, whose users started noticing unexpected connection issues around the same time.

Tech support fraud, or “vishing”, has been around for years, so is there much new to be worried about here?

The unsettling aspect of the TalkTalk attacks is that the fraudsters allegedly accessed stolen data, which means they immediately sounded more convincing to their victims. If confirmed, this means that fraudsters have been able to synthesise old-fashioned tech support social engineering with data breach cybercrime to create something novel and perhaps unstoppable.

It also seems to be easy to abuse remote support applications, which have flourished on the back of untraceable freemium accounts. It’s not clear how these companies detect misuse but clearly more needs to be done. In other cases, genuine accounts have also been hijacked to execute remote fraud.

Clearly, nobody should hand over a full password or bank details, or agree to transfer money, on the basis of a cold call, but the fact that people are still doing this suggests the message is not being heard.

The traditional advice for dealing with cold calls runs as follows:

  • Hang up and dial that company’s advertised number to check its authenticity.
  • Never respond to a web pop-up asking you to call a number or visit a website.
  • Never install a remote support application on the basis of a cold call.
  • Report all tech support cold calls to Action Fraud, where they stand a chance of becoming useful intelligence.
  • TalkTalk offers a way for customers to report fraud direct.

Rejecting all cold calls would be a simpler option, but that might be hard to keep to, as occasionally companies do need to call their customers out of the blue, often, ironically, because they’ve detected fraud.

This is a bit of a mess. Cold calling, once a useful marketing tool for industries keen to make use of their databases, has been turned against them. Companies could introduce better authentication but this wouldn’t easily defend against fraudsters armed with personal data from a breach.

We urgently need to know more about what has happened at TalkTalk because this could be the tech support scam on steroids, a poisoning of the well that has done long-term damage to the whole concept of helping people down a phone line. It would be a shame if this marks the moment a once-useful facility started to wither for good.


4 Comments

I’m a Talk Talk customer and have looked up ‘Who Calls me’ and left notes there. I’ve been called every day at 7.30am (sick off work, not nice that early) for over 2 weeks now by ‘Talk Talk engineers’. I know Sophos doesn’t condone scambaiters, but they teach you how to get rid of these scum, oops sorry, scam callers. I answer saying ‘are you sure you don’t mean my Sky box or Bosch washing machine?’, they say no, we’re from Talk Talk. I say, OK, let me boot my virtual machine and get the remote access program so I can syskey you… click.. they soon leave you alone. I found that’s the only way to get rid of them, and if no one has seen the guy that cold calls a person who then talks the cold caller through syskeying his own domain and crying his eyes out about how he’s going to get sacked, it’s worth watching. I make no apologies.. I laughed at that till I cried. The so-called engineer was getting technical help from the customer in locking his own domain up.. come on, that’s funny :-) Gotta love Karma

I was a customer of Talk Talk and have been getting phone calls constantly from their so-called Tech Support trying to con me. Is there any way I can take Talk Talk to task for losing my data and leaving me open to these scammers? As soon as I hear the words Talk Talk I put the phone down.

My sister-in-law in Truro had a similar call about a month ago where she was asked to turn on her computer because there were faults on the line. Luckily she didn’t and told my brother when he returned home.

(edited to redact name)

I love these calls… have gotten the scammers’ info and address in the past. No longer with Talk Talk as their speeds are slow but I still enjoy the calls… They are pulling their call centres out of India later this year so if you get a call from India from say July you know it’s not genuine. Now if you get one from Durban… will that be a genuine call?
