Another Win For The Little Guys
When we first heard about the CryptoLocker malware a year ago or so, I thought, as cybercrime goes, that’s about as bad as you can get.
CryptoLocker is a very malicious form of malware: unlike a virus infection, it totally blocks access to your data but leaves your computer and your software running just fine.
Then the demand, “Pay us $300 within three days, and you’ll get your data back. Otherwise… it’s gone forever.” The $300 payment buys you the 2048-bit RSA private key needed to unscramble your encrypted data.
But, as malicious as CryptoLocker and now CryptoWall 2.0 are, there is another contender in this game of hacker warfare.
Fake support calls
Fake support scammers are the people who phone you out of the blue (whether you are on the Do Not Call register or not) and, not to mince words, scare the heck out of you by spouting lies about malware on your computer.
For $200 – $300 or so, the same price point as CryptoLocker, the scammers will fix your computer, but any “fix” you get is as bad or worse than the “problem” you didn’t have in the first place.
Many people have reported that these guys don’t just call once if you fail to cough up the $300. They often call again and again, with the calls getting more insistent – outright threatening, by many reports – and with no real hope that they will stop.
Dealing with the scam
It’s easy for us to say, “But all you have to do is hang up, so this scam could never work.” But it’s also easy to see how a well-meaning but not very technically savvy user, especially someone without a network of family or friends to ask for IT help, could be scared into paying up.
Imagine the questions that worried users might ask themselves:
- Didn’t the caller say he was from Microsoft?
- Didn’t he say that a virus on my computer was attacking his company’s servers?
- Didn’t he find evidence of it in my system log, just as he predicted?
- Isn’t most computer support done over the phone and online these days?
- Isn’t this the third time he’s called, with the symptoms getting worse every time?
- Can’t you get sued for a cyberattack because you didn’t have a virus scanner?
- Won’t it end up costing $300 anyway, or even more, if I go to my local shop instead?
Demanding money with threats is what it sounds like to me, amounting to extortion or blackmail. And these guys have your phone number!
With that in mind, it’s always a good thing when fake support callers get bagged, and thanks to the Federal Trade Commission (FTC), Uttam Saha and Tiya Bhattacharya, who ran a company called Pairsys in Albany, New York, have been shut down by court order.
That may not sound like much, as I’m convinced that there are still MANY other individuals and groups perpetrating this scam, but in this case, the settlement with the FTC will see the scammers’ operation shuttered and their assets frozen.
Indeed, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said: “We are pleased that the court has shut down the company for now, and we look forward to getting consumers’ money back in their pockets.”
There’s a lot of money to recover: the FTC claims that the pair have pulled in about $2,500,000 in the past two-and-a-half years.
Is it real punishment?
Of course, just giving the money back isn’t really a punishment for these two crooks, because they weren’t supposed to have it in the first place. It’s still a direct result for the FTC’s internet crime fighting efforts, so, “Well done, Bureau of Consumer Protection.”
The next question should be – how do you think the courts should punish fake support scammers?
Dealing with fake support calls
So if you have friends or family who have been pestered to the point of worry by fake support callers, here’s a short podcast you can tell them about. The podcast makes it clear that these guys are scammers (and why), and offers some practical advice on how to deal with them.
Avoiding fake support calls