Case Study: Tech Support Scams and the Real Threat of Data Breaches

A data breach that only leaks your email address and phone number might seem trivial. But here’s a look at how scammers can exploit even a small amount of your personally identifiable information. In this case, we see how little data it takes to pull off a tech support scam.

Not all data breaches are created equal. Some leave you with your Social Security number and credit card information exposed for the whole Dark Web to see. Some merely hand over your phone number and email address. When hackers breach a service you use, and the service assures you, “it’s okay, we don’t store your passwords in plaintext or your credit card numbers,” you might breathe a sigh of relief. However, even a fraction of personal information can leave you more vulnerable than you might imagine.

The Real Threat of Data Breaches

So they get your phone number, you might think. A few more annoying calls to deal with. Nothing an anti-spam mobile app like Mr. Number can’t help you cut through. So they get your email address. A few more emails offering “male enhancement” pills in your inbox. Annoying, but harmless.

If you think this way, you’re not thinking like a scammer. You’re not thinking like someone who wants to wring as much out of you as possible and will do so with whatever they have at their disposal and by any means necessary. One of our recent forensic cases here in our lab demonstrates what a group of con artists can do to you with just your phone number and your email address.

What Are Tech Support Scams?

You’ve seen this scenario in just about every heist movie ever made:

The plucky gang of thieves needs a way onto their target’s property so they can case the joint. Sneaking into the place in black jumpsuits and ski masks at midnight is out of the question—at least for now. So what are they to do? Disguise themselves, of course—as janitors, exterminators, or if they’re feeling particularly bold, cops or security guards.

Scammers pretending to be authority figures is, of course, nothing new. Fraudulent phone calls allegedly from the IRS pop up around March and April every year like clockwork. Even the classic Nigerian Prince scam falls into this mold… sort of.

When Remote “Helpers” Hinder

One such scam is the technical support scam. For this type of digital heist, the scammers claim to be tech support for well-known, reputable companies such as Microsoft and Apple. They will claim to have detected malware on your computer and offer to fix it for you… but you have to give them remote access to your computer. This request on its own doesn’t sound unreasonable. Legitimate tech support agents from places such as Geek Squad do use remote assistance tools to help people with issues.

Remote support tools like GoToAssist have benevolent uses, and they are reasonably safe when you are the one who initiated contact with a support provider through a channel you trust. However, like any tool, they can be used for ill as well as good.

Remote access is facilitated by software tools such as TeamViewer, Splashtop, FixMe.IT, and GoToAssist. Following the scammers’ instructions to install the software and enter the session code they give you will let them onto your computer, giving them free rein to run their bogus malware scan (and, in some cases, to plant malware of their own in the process). Once they have gotten what they want out of you, they charge you a hefty fee for their “services.”

As one of our clients learned the hard way, unfortunately, you don’t need much more than a phone number, an email address, and a bit of luck to pull off this kind of scam.

Timeline of a Tech Support Scam

Our client, the victim in this case (we’ll call them Vic for short—obviously not their real name) received several voicemails one day calling about a computer security issue. Vic called back, if only to stop getting the calls, and ended up speaking to someone claiming to be a tech support agent from AppleCare. The alleged technician told Vic they had detected a security breach on their iPhone and laptop due to corruption through their iCloud account. All of this sounded convincing enough to Vic.

But just to seal the deal and make sure the whole tech support thing sounded really legit, the scammer told Vic to check their PayPal account. Lo and behold, Vic discovered an unauthorized $500 charge! I’ll give you three guesses as to who was responsible for that, and the first two don’t count. This part of the attack was likely facilitated by the attackers having Vic’s email address and Vic having a weak, easily guessable password and no multi-factor authentication enabled on the account.

The First Attack


With Vic assured of the tech support agent’s benevolence now, they agreed to install and run GoToAssist. This application asks the customer to enter a support key supplied by the person who wishes to access the computer; once the key is entered, that person (in this case, our scammer) gains full control. Vic could see what the attacker was doing on screen, but the attacker took care to make everything they did look like legitimate support work.

While remotely controlling Vic’s computer, the scammer opened Notepad and used it to ask questions and make observations, including claiming that over fifteen hackers from various countries had compromised Vic’s computer and phone.

Before the scammer continued with the “remote support,” they informed Vic that since they were not an AppleCare subscriber, they would have to pay $300 before the scammer could run the necessary anti-malware scans to protect the client’s data. Of course, paying with a credit card would be dangerous; after all, with the computer compromised, the “hackers” could intercept the payment! Instead, poor Vic was directed to buy $300 worth of iTunes gift cards, scan them, and send the images to the scammer.

With the payment taken care of, the scammer began to run an “anti-malware” scan. Vic was instructed to leave the computer alone while the scan ran its course. The scan took several hours; in total, the GoToAssist connection lasted about eight hours. After the scan finished, Vic put the computer to sleep as instructed.

The Scammer Strikes Again

The next day, the scammer called back, telling Vic they had to run another scan. Vic began another remote support session, which lasted about five hours. Afterward, however, Vic grew suspicious. Calling AppleCare, Vic discovered that the so-called tech support agent who’d been helping them was indeed a fraud. They called Geek Squad, a tech support service they had prior experience with and trusted, and asked them to do a remote check. Geek Squad found no malware on Vic’s computer or phone, which raised the question… what had the scammer been doing for all those hours?

Uncovering Data Theft

Vic came to us to investigate just what the scammer had been doing while they had free rein over the computer. We discovered that the attacker had made liberal use of a feature of GoToAssist that allows files to be transferred from one computer to the other.

Forensic artifacts were found showing that the executable files related to this file transfer mechanism had been run. However, GoToAssist left few artifacts behind showing the extent of the breach or how much data the scammers had transferred. Given how long the attacker had access to the victim’s computer, we could make an educated guess that they likely copied over all the sensitive data they could find.
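The execution artifacts mentioned above are, on a Windows laptop, typically Prefetch entries. The script below is an added example written for this page, not the tool or method used in the case or any vendor’s code. It builds a small timeline from Prefetch and the install directories of remote-support tools so that two long sessions on consecutive days stand out next to the installation time. The name fragments in `$Patterns` are assumptions about how these vendors name their binaries; the paths and the `-Depth` value are likewise assumptions.

```powershell
# Added example (not from the original post): triage of Windows Prefetch and
# install directories for remote-support tools. Prefetch files are named
# EXENAME.EXE-<hash>.pf; the file's creation time approximates the first run and
# its last-write time the most recent run. Run from an elevated prompt, since the
# Prefetch directory is admin-readable. The fragments in $Patterns are
# assumptions about vendor binary names; add the executable names you actually
# find on the system.

$DefaultPatterns = @('G2A', 'GOTOASSIST', 'TEAMVIEWER', 'SPLASHTOP', 'FIXME', 'LOGMEIN', 'ANYDESK')

function Get-RemoteSupportPrefetch {
    param(
        [string]$PrefetchDir = "$env:SystemRoot\Prefetch",
        [string[]]$Patterns = $DefaultPatterns
    )
    if (-not (Test-Path $PrefetchDir)) {
        throw "Prefetch directory not found: $PrefetchDir (Prefetch may be disabled on this machine)"
    }
    # One case-insensitive regex from the fragments (-match ignores case by default).
    $rx = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-ChildItem -Path $PrefetchDir -Filter '*.pf' -File |
        Where-Object { $_.Name -match $rx } |
        ForEach-Object {
            [pscustomobject]@{
                Executable   = ($_.BaseName -replace '-[0-9A-F]{8}$', '')  # strip the path-hash suffix
                FirstRunApx  = $_.CreationTime
                LastRunApx   = $_.LastWriteTime
                PrefetchFile = $_.FullName
            }
        } | Sort-Object LastRunApx
}

function Get-RemoteSupportInstalls {
    # Same fragments applied to the usual per-user and system install roots, to
    # find when the tool was dropped on the machine and under which user profile.
    param(
        [string[]]$Patterns = $DefaultPatterns,
        [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemDrive\Users")
    )
    $rx = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Depth 5 reaches C:\Users\<user>\AppData\Local\Programs\<vendor> (assumed deep enough).
        Get-ChildItem -Path $root -Directory -Recurse -Depth 5 -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $rx } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    LastWrite = $_.LastWriteTime
                }
            }
    }
}

# Merge both sources into one timeline. In a case like this one you expect an
# install-directory creation followed by last-run timestamps clustered around
# two long blocks of activity on consecutive days.
$timeline = @(Get-RemoteSupportInstalls | ForEach-Object {
                  [pscustomobject]@{ When = $_.Created; What = "install dir created: $($_.Path)" } }) +
            @(Get-RemoteSupportPrefetch | ForEach-Object {
                  [pscustomobject]@{ When = $_.LastRunApx; What = "last run: $($_.Executable)" } })
$timeline | Sort-Object When | Format-Table -AutoSize
```

Prefetch timestamps only give you the first and most recent run. For the run count and the list of the last eight run times that newer Windows versions store, parse the .pf files with a dedicated parser such as Eric Zimmerman’s PECmd. Prefetch can also be disabled by policy or on some SSD systems, in which case Amcache and the UserAssist registry keys are the next places to look for evidence of execution.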

Picking Up the Pieces of a Tech Support Scam Intrusion

If our client Vic hadn’t wised up when they did, the scammers would have simply kept bleeding them dry as long as they could. When you’re willing to sink this low, you have no compunctions about wringing as much as you can from your victims.

We could not undo the damage already done. But we could make a few suggestions for ways our client could prevent themselves from coming to further harm by the people who’d already taken advantage of them:

  1. Change every single one of their passwords, even for accounts not involved in the attack, and enable two-factor authentication wherever it is offered. This grocery list of passwords to mend includes email accounts, Office 365 accounts, banking and payment accounts (including PayPal, Venmo, etc.), and social media sites such as Twitter and Facebook. Attackers running these remote support scams often look for and steal passwords saved in the browser to wreak further havoc. Never reuse passwords.
  2. Reinstall Windows on their laptop. This removes any persistence mechanism that would let the intruder back into the computer. It does not, however, undo changes the intruder made inside online accounts: an email forwarding rule set up in the victim’s mailbox lives on the mail provider’s servers, not on the laptop, and has to be found and removed separately in the account’s settings.
  3. Monitor all online accounts for any further suspicious activity.
  4. Request that Tetra Defense or another security company conduct a security review of any and all cloud storage systems that hold sensitive information, such as Google Drive, Dropbox, Office365, etc. to ensure that there were no file/folder sharing rules set up that would compromise any additional data.
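Steps 1 through 4 above are what the victim does; the check an investigator runs on the Office 365 side is what follows. The script below is an added example written for this page, not Tetra Defense’s procedure or any vendor’s code. It finds mailbox-level forwarding, inbox rules that forward, redirect or delete mail, and the audit-log entries that say who created such rules and from which IP address. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an Exchange admin role, and that unified audit logging is enabled in the tenant; `admin@example.com` and `vic@example.com` are placeholders.

```powershell
# Added example (not from the original post): audit an Office 365 / Exchange
# Online tenant for mailbox forwarding and inbox rules that leak or hide mail,
# the follow-on access that recommendations 1 and 2 above are meant to cut off.
# Assumptions: ExchangeOnlineManagement module present, Exchange admin role,
# unified audit logging enabled. The two addresses are placeholders.

# Install-Module ExchangeOnlineManagement      # one-time, if not already present
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # interactive sign-in

function Find-MailForwarding {
    param(
        # Mailboxes to check; defaults to every mailbox in the tenant.
        [string[]]$Mailbox = (Get-Mailbox -ResultSize Unlimited | Select-Object -ExpandProperty UserPrincipalName)
    )
    foreach ($upn in $Mailbox) {
        # 1. Mailbox-level forwarding (set through Set-Mailbox or the admin portal).
        $mb = Get-Mailbox -Identity $upn
        if ($mb.ForwardingSmtpAddress -or $mb.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox  = $upn; Type = 'MailboxForwarding'; Rule = '(mailbox setting)'
                Target   = "$($mb.ForwardingSmtpAddress)$($mb.ForwardingAddress)"
                KeepCopy = $mb.DeliverToMailboxAndForward; Enabled = $true
            }
        }
        # 2. Inbox rules that forward, redirect or delete. Intruders often pair a
        #    forward with delete so the victim never sees the password-reset and
        #    bank notifications that leave the mailbox.
        Get-InboxRule -Mailbox $upn | ForEach-Object {
            $r = $_
            $targets = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) | Where-Object { $_ }
            if ($targets -or $r.DeleteMessage) {
                [pscustomobject]@{
                    Mailbox  = $upn; Type = 'InboxRule'; Rule = $r.Name
                    Target   = ($targets -join ';')
                    KeepCopy = -not $r.DeleteMessage; Enabled = $r.Enabled
                }
            }
        }
    }
}

function Get-RecentRuleChanges {
    # 3. Who created or changed rules, and from where. ClientIP ties the change to
    #    the remote-support session (the victim's own IP) or to the scammer's
    #    infrastructure if they logged in directly with a stolen password.
    param([int]$Days = 30)
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 5000 |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                When = $_.CreationDate; User = $_.UserIds; Operation = $_.Operations; ClientIP = $d.ClientIP
            }
        }
}

Find-MailForwarding -Mailbox 'vic@example.com' | Format-Table -AutoSize
Get-RecentRuleChanges -Days 30 | Format-Table -AutoSize

# Remediation once a rule is confirmed malicious (shown, not run automatically):
#   Remove-InboxRule -Mailbox 'vic@example.com' -Identity '<rule name>'
#   Set-Mailbox -Identity 'vic@example.com' -ForwardingSmtpAddress $null -ForwardingAddress $null
```

Run the forwarding check before the password reset as well as after it: a rule the intruder created survives a password change, and a forwarding address that still points outside the organization is the clearest sign that step 1 alone was not enough.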

As for how to prevent oneself from being taken advantage of in the first place, tech literacy is a must. A Pew Research Center study in March 2017 showed how few Americans understood basic cybersecurity concepts: in a survey of roughly 1,000 Internet-using adults, the median respondent answered only five of thirteen questions correctly, and just 1% answered all of them.

The more you know about cybersecurity, the harder it is to get hoodwinked and the easier it is to spot holes in a scammer’s story. The more you know about making strong passwords and setting up multi-factor authentication, the safer you’ll be.

Discerning Fakes from Real and Scammers from Helpers

Eighteenth-century satirist Jonathan Swift (author of “A Modest Proposal,” one of the world’s seminal works of political satire) once wrote that “Falsehood flies and the truth comes limping after it.” This sentiment feels even truer today than it did in his time with the speed at which false information travels and the distance it covers. We live in a crisis of reality. With the way data—and people—can find themselves manipulated by even the most brazen lies, knowing what’s real and what isn’t has become harder than ever.

And it’s not just that “fake news” you keep hearing so much about. As malicious actors grow bolder and craftier, it grows harder to discern legitimate resources from malevolent copycats. Those emails you get from “PayPal” claiming that there’s an issue with your account are getting progressively harder to see through as scammers get better at digital forgery.

Blurred Lines

For example, let’s take this case. After these malefactors had done their dirty work, our client Vic went to Geek Squad for a remote malware scan before they came to us. Our client actually used Geek Squad and had a relationship with their technicians already, unlike with AppleCare. Geek Squad used its remote tools to access the client’s computer and conducted their scans, legitimately.

When we took a peek at the client’s laptop to see the extent of the damage, we could see the forensic artifacts left behind both by the fraudulent AppleCare reps and the legitimate Geek Squad support team.

They looked very similar.

Geek Squad’s remote assistance tool is a commercial remote-support product just like TeamViewer and GoToAssist, albeit with its own branding. It works the same way and leaves the same kinds of footprints. Remote assistance software can and does have legitimate and illegitimate uses alike, and regardless of the motive, the software and the artifacts it leaves are the same. What if our client had googled “Geek Squad support phone number” and ended up on a malicious site that gave them a scammer’s phone number instead of the legitimate Geek Squad support line?

The good news is that most scammers are still incredibly lazy and their tricks laughably transparent. The bad news is that some of them are getting better—a lot better.

As with navigating the media, you need ever more vigilance even when seeking help and assistance. The answer to avoiding scams is to slow down, take your time, and double-check everything.
