{"id":5879,"date":"2017-01-18T22:53:22","date_gmt":"2017-01-18T22:53:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/18\/news-84\/"},"modified":"2017-01-18T22:53:22","modified_gmt":"2017-01-18T22:53:22","slug":"news-84","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/18\/news-84\/","title":{"rendered":"Tech support scams, stolen data, and botnets"},"content":{"rendered":"<p><em>NOTE: thanks to the Wack0lian for research contributions<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>It would seem that scams as a service are a growth business model.\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2016\/10\/scamming-as-a-service-seriously\/\" target=\"_blank\">Last time<\/a>, we looked at inboundpopaps[.]info, a slick scam in a box designed to get even the most technically illiterate criminals up and running and stealing from you. Today we\u2019ve found something a little more interesting \u2013 a scam in a box company that also offers intelligence leads. 
That is, they\u2019ll sell you the scam and point you at the most vulnerable targets first.<\/p>\n<p>In July of 2014, someone posting under the name BPO Resources posted the following on an outsourced IT services forum.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15525\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/bpofirstpost-600x578.png\" alt=\"bpofirstpost\" width=\"600\" height=\"578\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/bpofirstpost-600x578.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/bpofirstpost-300x289.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/bpofirstpost.png 1506w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>Tech support scam callers are typically noted for not knowing the slightest thing about the people they call, so targeted leads for a specific company\u2019s customers were interesting. Almost identical verbiage appears on bpoexpertsglobal.blogspot.com.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15526\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/bpositepost-600x381.png\" alt=\"bpositepost\" width=\"600\" height=\"381\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/bpositepost-600x381.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/bpositepost-300x191.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>This time, though, the threat actor also has the personal data of elderly ISP customers on offer. This was less surprising, as scammers of all sorts prefer to victimize the elderly. Given that this guy appears to be diversifying his crime verticals, what might he be offering more recently? 
Searching for BPO Experts Global turned up a <a href=\"https:\/\/www.youtube.com\/channel\/UC2l1F1DRwnsgR27JAQJRaIQ\" target=\"_blank\">YouTube channel<\/a> of the same name, where the scammer is kind enough to demonstrate the screen locker he currently has for sale. (We\u2019ve written about these lockers <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2016\/05\/tech-support-scammers-using-winlogon\/\" target=\"_blank\">here<\/a>.) If you\u2019ve been hit by this sort of thing, be sure to check out our forums for removal guides. Let\u2019s allow the scammer to speak for himself for a minute:<\/p>\n<div id=\"attachment_15527\" style=\"width: 610px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-15527 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/BPOlockericon-600x259.png\" alt=\"bpolockericon\" width=\"600\" height=\"259\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/BPOlockericon-600x259.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/BPOlockericon-300x130.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/BPOlockericon-195x85.png 195w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/BPOlockericon.png 796w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p class=\"wp-caption-text\">\u201cthis is the software which I have created\u201d<\/p>\n<\/div>\n<div id=\"attachment_15537\" style=\"width: 610px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-15537 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/serverrdp-600x285.jpg\" width=\"600\" height=\"285\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/serverrdp-600x285.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/serverrdp-300x143.jpg 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/serverrdp.jpg 694w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p class=\"wp-caption-text\">&#8220;Going now to the secure, bulletproof server&#8221;<\/p>\n<\/div>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15538 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/triggerpanel-600x481.jpg\" width=\"600\" height=\"481\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/triggerpanel-600x481.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/triggerpanel-300x240.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/triggerpanel.jpg 1226w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>Here\u2019s the back-end login panel, with a fun graphic when you enter an incorrect password.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15539 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/panel-600x306.jpg\" width=\"600\" height=\"306\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/panel-600x306.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/panel-300x153.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/panel.jpg 1254w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>And here we have the panel itself, where the author brags about being able to trigger popups, open invisible URLs, and download and execute executables on the victim\u2019s machine, all without any UAC prompt on Windows. A botnet, in other words. So we have a threat actor progressing from selling leads, to selling stolen data, to selling screen lockers and botnet access in support of other scammers. But who is this guy, and how does he have Dell customer data? 
Let\u2019s start with where he is.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15540 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/location-600x239.jpg\" width=\"600\" height=\"239\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/location-600x239.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/location-300x120.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/location.jpg 1238w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>While infecting his own machine with his product for the demo, he forgot to blank out his own IP address, which is registered to a broadband provider in Bangalore. The footnote at the bottom of the panel says \u201cAccelerit Solutions\u201d, and a search on that name yields the homepage systemnetworksecure.com. The site and its phone number show up in extensive comment spam and various tech support scam pitches, but offer no personal details. Searching directly on the company name is more interesting.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15541 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/gplus-503x600.jpeg\" width=\"503\" height=\"600\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/gplus-503x600.jpeg 503w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/gplus-252x300.jpeg 252w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/gplus.jpeg 1062w\" sizes=\"auto, (max-width: 503px) 100vw, 503px\" \/><\/p>\n<p>He apparently also doesn\u2019t play nice with his customers, as we can see in this reference to a previous iteration of his site. 
If you&#8217;ll recall, BPOresources was the name of the account that made the original forum posting in 2014.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15544 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/metascam-copy-600x486.jpeg\" width=\"600\" height=\"486\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/metascam-copy-600x486.jpeg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/metascam-copy-300x243.jpeg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/metascam-copy.jpeg 1394w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>And lastly, he\u2019s a member of a Facebook group that openly sells pre-fab tech support scam pages.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15534\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/fb-441x600.png\" alt=\"fb\" width=\"441\" height=\"600\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/fb-441x600.png 441w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/fb-221x300.png 221w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/fb.png 978w\" sizes=\"auto, (max-width: 441px) 100vw, 441px\" \/><\/p>\n<p>So we have a pretty good idea of who\u2019s behind BPO Experts Global. But how did they get the Dell customer data? There are several possibilities. Back in January 2016, <a href=\"http:\/\/arstechnica.com\/security\/2016\/01\/latest-tech-support-scam-stokes-concerns-dell-customer-data-was-breached\/\" target=\"_blank\">Ars Technica<\/a> wrote about a wave of tech support scam calls targeting Dell customers with apparently accurate purchase information. 
That article referenced a vulnerability disclosed on 11\/25\/2015 <a href=\"https:\/\/lizardhq.rum.supply\/2015\/11\/25\/dell-foundation-services.html\" target=\"_blank\">here<\/a> (follow-up <a href=\"https:\/\/rum.supply\/2015\/12\/01\/dell-foundation-services.2.html\" target=\"_blank\">here<\/a>) in Dell Foundation Services, support software preinstalled on Dell machines: it exposed a local web service that any website the user visited could query for the machine\u2019s service tag, the per-machine identifier Dell support uses to look up the owner and order. Brian Krebs <a href=\"https:\/\/krebsonsecurity.com\/2016\/02\/dell-to-customers-report-service-tag-scams\/\" target=\"_blank\">followed up<\/a> citing the same vulnerability, and referencing an ongoing Dell investigation.<\/p>\n<p>Mr. X didn\u2019t necessarily have to make use of the vulnerability himself. Tech support scammers are renowned for their quick sharing of TTPs, and presumably once one scammer gained access to Dell customer data, he quickly sold and resold it to others. Note also that the original forum post (July 2014) predates the November 2015 disclosure by more than a year, so at least the earliest Dell leads came from somewhere other than this bug. Given that 2014 date, it\u2019s likely that the data cache is widely available on the underground in India. Although, as we\u2019ve seen above, scammers largely feel free to conduct their business in the open, on US social media and in English.<\/p>\n<p>Mr. X&#8217;s tech support botnet is not the first we\u2019ve seen. He fits a trend we\u2019ve observed recently: as search engine policies change to ban remote tech support listings, the more enterprising scammers are upgrading their techniques to more sophisticated, more damaging methods that closely resemble established malware. 
As the less technically adept criminals get squeezed out, it\u2019s reasonable to expect that we\u2019ll see the remaining scammers improve, adapt, and overcome.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/12\/tech-support-scams-stolen-data-and-botnets\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/12\/tech-support-scams-stolen-data-and-botnets\/' title='Tech support scams, stolen data, and botnets'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/06\/money-card-business-credit-card-feature-large.jpeg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>We\u2019ve found a scam in a box company that also offers intelligence leads. That is, they\u2019ll sell you the scam and point you at the most vulnerable targets first.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/criminals\/\" rel=\"category tag\">Criminals<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/botnet\/\" rel=\"tag\">botnet<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/bpo-experts-global\/\" rel=\"tag\">BPO Experts Global<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/bporeserouces\/\" rel=\"tag\">BPOreserouces<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/dell\/\" rel=\"tag\">Dell<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/scams-as-a-service\/\" rel=\"tag\">scams as a service<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tech-support\/\" rel=\"tag\">tech support<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tech-support-scam\/\" rel=\"tag\">tech 
support scam<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tss\/\" rel=\"tag\">TSS<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/winlogon\/\" rel=\"tag\">winlogon<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/12\/tech-support-scams-stolen-data-and-botnets\/' title='Tech support scams, stolen data, and botnets'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10410,10580,10581,3108,10582,10583,10536,10544,10494,10545,10584],"class_list":["post-5879","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-botnet","tag-bpo-experts-global","tag-bporeserouces","tag-criminals","tag-dell","tag-scams-as-a-service","tag-tech-support","tag-tech-support-scam","tag-threat-analysis","tag-tss","tag-winlogon"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/5879","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=5879"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/5879\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=5879"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/
www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=5879"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=5879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}