Fake support scams aren’t new – they’ve been plaguing our phones, our ears and our wallets for years.
They generally follow one of two main patterns: active or reactive.
Active support scams rely on unlawfully acquired lists of phone numbers – the scammers call you, in blind disregard of any Do Not Call list in your country, and pressurise you into accepting technical support you don’t need for a problem you don’t have.
The crooks then {cajole, pester, badger, trick, frighten, threaten, extort} you into giving them remote access to your computer and charge you a stiff fee for pretending to fix your non-existent problems.
Reactive scams hit you up by email, or through poisoned websites, and harass you with scary warnings and popups that urge you to call a local toll-free “support” number to get your “problem” looked at.
Given that you initiate the call, and it’s free, a reactive scam seems on the surface like a low-risk proposition.
It won’t cost you anything but time; you can withhold your number so you won’t get called back unless you want to be; and, as the maker of the call, you probably feel in control because you can hang up any time you like.
But the risk of talking to cybercrooks about your own security arrangements, no matter how briefly, is obvious: if you lie down with dogs, you get up with fleas.
Every little bit you give away by mistake, even if you’ve already figured out it’s a scam and are being careful, is data that you’ll later wish you’d kept to yourself.
If you’ve ever had the misfortune to be browbeaten over the phone in this sort of scam, you’ll know that the script is usually about Windows.
But some of these scammers do use Apple-flavoured playbooks, hoping to tap into the huge market of Apple hardware owners out there.
Indeed, security spelunker Sean Gallagher at Ars Technica just wrote about an intriguing support scam that selectively steers users of Apple devices towards a fake “Apple Care” call centre.
The emails that start this scam look something like this:
That’s a well-known formula we’ve seen over many months, with email subject lines typically looking like one of these:
Critical alert for your account
Critical alert for your account ID nnnn
Yourname, Critical alert for your account #nnnn
Yourname, Critical alert for your account ID nnnnn
Handily, Gallagher, who goes by the amusing nickname of packetrat on Github, has kept copies of the various web redirects and malicious JavaScript in this “Apple Care” attack.
When we tried to reproduce the attack today, we were either at the wrong geolocation, in the wrong timezone, or simply not cool enough to be identified as iPhone or iPad users (the browser test below looks for iOS devices, not Macs).
The crooks redirected us repeatedly between servers before falling back on an old favourite of the spam world, cheap meds:
But that’s not where Gallagher ended up.
He was pushed through a series of website redirections before running into JavaScript that included this very simple test against his UserAgent string:
userAgent = window.navigator.userAgent.toLowerCase(), ios = /iphone|ipod|ipad/.test(userAgent);
Don’t worry if you aren’t fluent in JavaScript – this code extracts the UserAgent string, set by your browser when it makes a web request, gets rid of any capital letters, and checks whether you’re announcing yourself as an iphone, ipod or ipad.
Your browser’s UserAgent string is transmitted in each web request as an HTTP header called User-Agent, and is typically quite detailed. For example, Firefox on a Mac identifies itself along these lines: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13) Gecko/20100101 Firefox/61.0. Edge on Windows 10 gives out an extensive and all-embracing string of: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134. Neither of those contains iphone, ipod or ipad, so neither passes the crooks’ test.
If you’d arrived at the scam page from one of the 11 porn sites listed in the malicious JavaScript, you’d see a warning like this:
Your |%model%| has been locked due to detected illegal activity on |%ref%|! Immediately call Apple Support to unlock it!
The placeholder text |%model%| is automatically replaced with iPhone, iPad or iPod, depending on how your UserAgent string denoted your hardware.
The text |%ref%| is replaced by whichever of the porn domains in the JavaScript list you arrived from.
If you arrive at the scam page by inadvertently clicking the CHECK ACTIVITY button in a spam sample like the one shown above, you’ll see a similar warning, but with no site name in it.
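To make the selection logic concrete, here is an added example (not code from the article or from Gallagher’s capture) that reproduces the UserAgent test quoted above and the |%model%| / |%ref%| substitution the article describes, run against the two UserAgent strings given above plus a constructed iPhone one. The referrer list, the iPhone UA string and the wording of the no-site-name variant of the warning are assumptions, not values from the real scam script.

```javascript
// Added example, not code from the article or from Gallagher's capture.
// It reproduces the UserAgent test quoted above and the |%model%| / |%ref%|
// substitution the article describes, so the lure logic can be exercised
// offline. The referrer list, the iPhone UA and the "no site name" wording
// are constructed stand-ins, not the values in the real scam script.

// User-Agent strings: the first two are the examples given in the article,
// the third is a constructed iOS Safari string.
const FIREFOX_MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13) Gecko/20100101 Firefox/61.0";
const EDGE_WIN10_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134";
const IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1"; // constructed

// The scam page's own test: lower-case the UA, then look for an iOS device name.
// It is a plain substring match, so a Mac (which says "Macintosh") never passes.
function isIosUserAgent(userAgent) {
  const ua = String(userAgent).toLowerCase();
  return /iphone|ipod|ipad/.test(ua);
}

// Which word replaces |%model%| in the warning; null when the visitor is not on iOS.
function iosModel(userAgent) {
  const ua = String(userAgent).toLowerCase();
  if (ua.includes("iphone")) return "iPhone";
  if (ua.includes("ipad")) return "iPad";
  if (ua.includes("ipod")) return "iPod";
  return null;
}

// Constructed stand-in for the 11 referrer domains carried in the scam script.
const LURE_REFERRERS = new Set(["listed-site-one.example", "listed-site-two.example"]);

// Warning text quoted in the article, plus an assumed variant without a site name
// for visitors who arrive via the spam's CHECK ACTIVITY button rather than a listed site.
const WARNING_WITH_REF = "Your |%model%| has been locked due to detected illegal activity on |%ref%|! Immediately call Apple Support to unlock it!";
const WARNING_NO_REF = "Your |%model%| has been locked due to detected illegal activity! Immediately call Apple Support to unlock it!";

// Hostname of the referring page, or null when there is none or it does not parse.
function referrerHost(referrer) {
  if (!referrer) return null;
  try {
    return new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return null; // document.referrer can be empty or not a parseable URL
  }
}

// Build the warning a visitor would see, or null if the page would not show one.
function buildLure(userAgent, referrer) {
  const model = iosModel(userAgent);
  if (model === null) return null; // non-iOS visitors are sent elsewhere
  const host = referrerHost(referrer);
  const ref = host !== null && LURE_REFERRERS.has(host) ? host : null;
  const template = ref === null ? WARNING_NO_REF : WARNING_WITH_REF;
  return template.replace("|%model%|", model).replace("|%ref%|", ref === null ? "" : ref);
}

// Run the three sample UAs through the test to see who gets the lure.
for (const ua of [FIREFOX_MAC_UA, EDGE_WIN10_UA, IPHONE_UA]) {
  console.log(isIosUserAgent(ua), buildLure(ua, "https://listed-site-one.example/page"));
}
```

The practical lesson for anyone trying to reproduce a lure like this in a lab is that the content is chosen by whatever your browser announces: setting the User-Agent header to a string the regex matches is enough to be shown the iOS branch, while a Mac or Windows browser will be redirected elsewhere, which is what happened to us.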
By using a tel: web link in the scam page, rather than a more usual http:// or https:// link, the crooks then urge you to dial their bogus tech support centre:
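If you end up with a captured copy of a page like this, the tel: links are the most useful indicator to pull out, because the same call centre tends to be reused across many lures even when the number is formatted differently each time. Here is an added triage helper (not from the article, and not the scammers’ code) that extracts every tel: link from saved HTML and normalises the digits; the HTML sample and the phone number in it are constructed.

```javascript
// Added example, not code from the article: a small triage helper for a
// captured scam page. It pulls every tel: link out of the HTML and normalises
// the number so the same dialling target can be matched across samples even
// when the crooks vary the formatting. The HTML and number below are constructed.

const SAMPLE_SCAM_HTML = `
<html><body>
<h1>Your iPhone has been locked!</h1>
<p>Immediately call <a href="tel:+1-800-555-0199">Apple Support</a> to unlock it!</p>
<p><a href="https://www.apple.com/">Apple</a></p>
<a href='TEL:(800) 555 0199'>Call now</a>
</body></html>`;

// North American toll-free area codes (800, 833, 844, 855, 866, 877, 888).
const NANP_TOLL_FREE = new Set(["800", "833", "844", "855", "866", "877", "888"]);

// Keep digits only, and drop a leading "1" country code so that
// "+1-800-555-0199" and "(800) 555 0199" compare equal.
function normaliseNumber(raw) {
  let digits = raw.replace(/\D/g, "");
  if (digits.length === 11 && digits.startsWith("1")) digits = digits.slice(1);
  return digits;
}

// Find href attributes (double-quoted, single-quoted or bare) and keep the tel: ones.
// A regex is adequate for triage of saved pages; it is not a full HTML parser.
function extractTelLinks(html) {
  const re = /href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = (m[1] ?? m[2] ?? m[3]).trim();
    if (!/^tel:/i.test(href)) continue;
    const number = normaliseNumber(href.slice("tel:".length));
    found.push({
      href,
      number,
      tollFreeNanp: number.length === 10 && NANP_TOLL_FREE.has(number.slice(0, 3)),
    });
  }
  return found;
}

// Distinct dialling targets on the page, in order of first appearance.
function uniqueNumbers(html) {
  return [...new Set(extractTelLinks(html).map((l) => l.number))];
}

console.log(extractTelLinks(SAMPLE_SCAM_HTML));
console.log(uniqueNumbers(SAMPLE_SCAM_HTML));
```

Normalising before comparing matters: the two links in the sample look different as text but dial the same number, and it is the normalised digits, not the raw href, that you would feed into a blocklist or search across other captured pages.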
Gallagher reports that his scammer identified himself as “Lance Roger from Apple Care”, but hung up when he realised Gallagher was himself fishing for information about the innards of the scam.
What to do?
- Don’t click on security warning links in messages. If there’s a genuine security alert on your webmail account, and you need to login to investigate, then follow your usual procedure for logging in. Why trust a follow-up link that could have come from anywhere, and probably did?
- Don’t click through to phone numbers you don’t know. At the very best, you’ll give nothing away about yourself, assuming you remember to suppress your own number and don’t say a word. Why take the risk of letting anything slip?
- Don’t stay on the line if you ever end up talking to a call centre you don’t trust. Some people pride themselves on winding up spammers as a joke, or deliberately trying to waste the time of scammers by talking nonsense. The best you can do if you indulge in so-called “spambaiting” is to reveal nothing about yourself, but a single incautious remark might let slip something you later regret.
If in doubt, don’t give it out…
Wilbur
One comment – unless things have changed in the US recently, the outbound number cannot be blocked when calling a toll free phone number. The number called is billed for the call and is provided the number that called them. Returning a call from a scammer using a toll-free number automatically puts the calling number on a sucker list.
Spryte
“It won’t cost you anything but time; you can withhold your number so you won’t get called back unless you want to be; and, as the maker of the call, you probably feel in control because you can hang up any time you like.”
Don’t even get on the phone!!
Many of these 1-80xx-xxxx numbers will actually call forward the target to a 1-9xx-xxxx number which may cost him/her a bundle.
You have ***no control*** of where that “free” call will take you and although the phone company **may** reimburse you, it may only be a portion of the charge.
Brian T. Nakamoto
We need a sort of Safe Browsing or SmartScreen for smartphone dialers.
s31064
No, we need a sort of Safe Browsing or SmartScreen for humans.