Tech-support fraudsters borrow techniques from APT groups
The criminals use two layers of encryption to evade antivirus detection.
Fraudsters posing as technical support have adopted a new technique for evading antivirus products. According to Symantec researchers, the techniques used in the newly discovered campaign were borrowed from highly skilled hacking and cyber-espionage groups, and they let the fraudsters hide their malicious activity more effectively.
Fake "tech support" is a very common type of fraud. Many groups operate in this space, but they all follow the same scheme. When a victim lands on a malicious website (by accident or through malvertising), a fake notification appears claiming that the computer is infected with malware or has been locked by law enforcement. To "resolve" the problem, the page directs the victim to contact "tech support", which then extorts a fee from them for unnecessary services.
In the campaign described by Symantec, the attackers impersonate the Spanish Ministry of Defense. A message displayed on screen claims that the victim's computer has been locked by the Ministry for distributing illegal material. To unlock it, the user is told to pay a fine of 500 euros, in the form of an iTunes gift card.
When the researchers analysed the page's source code, they found a large number of obfuscated strings. Code obfuscation is common among tech-support fraudsters, but in this case the attackers wrapped the page content in two layers of AES encryption, which is very rare. Since the victim's browser has to decrypt the content before it can be displayed, the telltale scam text never appears in the static page source, which is what lets the fraudsters evade signature-based antivirus detection more effectively. The flip side for an analyst is that the decryption keys must be shipped with the page, so the layers can always be peeled back.
Recall that over the past two months, Indian law enforcement has shut down 26 fraudulent call centres posing as technical support for Microsoft, Google, Apple and other large companies.