FBI Warns of Technical Support Scams

The FBI’s Internet Crime Complaint Center has issued an advisory on an increase in complaints about technical support scams. The scammer claims to be an employee of a major computer software or security company offering technical support to the victim. Some of these scammers claim to be from cable and internet companies, offering to assist with cable boxes, modems and routers. The scammer claims to be seeing viruses or security issues coming from the victim’s internet connection or computer. Some scammers even claim to work on behalf of government agencies to resolve threats from possible foreign countries or terrorist organizations.

The initial contact by the scammer is usually by phone, but has also been seen in pop-up messages or locked screens (Blue Screen of Death) with a message to call a number or go to a URL for assistance. After making verbal contact, the scammer tries to get the victim to provide remote access to their device. Once they have access to the device, they will ask for a fee to remove the virus from the computer, attempt to access personal files that may contain passwords, financial data, or personal data, or they may install malware on the device.

To guard against this scam:

  • Recognize the attempt and cease all communication with the subject.
  • Ignore the pressure from the scammer to act quickly.
  • Do not give an unknown/unverified person remote access to your computer or accounts.

Additionally:

  • Remember that a legitimate software company will not contact an individual unless the contact is initiated by the customer.
  • Be sure to install anti-virus, security and malware protection applications and make sure they are updated on a regular basis.

If you find that a scammer has gained access to your device or accounts:

  • Contact your financial institutions to alert them and monitor your accounts for suspicious activity.
  • If the device is owned by UT Arlington, contact the Information Security Office – security@uta.edu.
  • Complaints may also be filed with the FBI’s Internet Crime Complaint Center at ic3.gov. (You may be required to be specific with details: name of company, phone numbers and email addresses used by the subject, websites used, account names and numbers, financial institutions that received any funds, and a description of the interaction with the subject.)

Keep any original documentation, emails, faxes and logs of all communications with the subjects.

To view this and other FBI Public Service Announcements or Scam Alerts go to www.ic3.gov/media/default.aspx.

New Phishing Campaign Discovered.

A CIS Cyber Alert (see below) has been published detailing a phishing campaign that uses a weaponized PDF document exploiting a vulnerability in Adobe Reader (CVE-2013-2729). This campaign attempts to entice users to open the attached file by referring to an “Unpaid invoic” (sic).

This campaign is utilizing the Dyre Banking Trojan, focused on stealing banking credentials.

Recommendations:

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to only those required.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Keep all operating system, applications and essential software up to date to mitigate potential exploitation by attackers.
  • Ensure that systems are hardened with industry-accepted guidelines.
  • Make sure all AV products are up-to-date with their signatures.
  • Implement filters at your email gateway to filter out emails with the subject line “Unpaid invoic” (note the typo).
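
One way to implement the gateway filter recommended above, shown as an added example (not code from the CIS alert or from the Information Security Office). It matches the misspelled subject on its decoded text and escalates when a PDF is attached; the verdict names, function names and sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject marker from the alert, typo included. The trailing \b keeps the
# correctly spelled "invoice" from matching; case and spacing may vary.
SUBJECT_MARKER = re.compile(r"\bunpaid\s+invoic\b", re.IGNORECASE)


def is_pdf_part(part):
    """True if a MIME part is a PDF by declared type or by file name."""
    filename = (part.get_filename() or "").lower()
    return part.get_content_type() == "application/pdf" or filename.endswith(".pdf")


def classify(raw_bytes):
    """Return 'quarantine', 'flag' or 'pass' for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # policy.default unfolds the header and decodes RFC 2047 encoded-words,
    # so an encoded subject is matched on its decoded text.
    subject = str(msg.get("Subject", ""))
    if not SUBJECT_MARKER.search(subject):
        return "pass"
    has_pdf = any(is_pdf_part(part) for part in msg.walk())
    return "quarantine" if has_pdf else "flag"


def build_sample(subject, attach_pdf):
    """Constructed test message; addresses and file name are placeholders."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    if attach_pdf:
        msg.add_attachment(b"%PDF-1.4 placeholder bytes", maintype="application",
                           subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


# Constructed raw message whose subject is an RFC 2047 encoded-word.
ENCODED_SUBJECT = (b"From: billing@example.invalid\r\nTo: user@example.invalid\r\n"
                   b"Subject: =?utf-8?q?UNPAID__invoic_0042?=\r\n\r\nSee file.\r\n")

if __name__ == "__main__":
    for raw in (build_sample("Unpaid invoic", True), ENCODED_SUBJECT):
        print(classify(raw))
```

Matching only the misspelling keeps legitimate “Unpaid invoice” mail flowing, at the cost of missing the campaign if the sender corrects the typo.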

REFERENCES:

PhishLabs:

http://blog.phishlabs.com/enhancements-to-dyre-banking-trojan

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729

Phishing Attempt – 2014/2/25

The Information Security Office has been made aware of a phishing attempt that has been sent to some UTA employees.  Please delete this email if you receive it:

_________________________________________________________________________________________________________________________

From: IT.SYSTEM.ADMINISTRATOR@mta5.xxx.xxx.edu [mailto:IT.SYSTEM.ADMINISTRATOR@mta5.xxx.xxx.edu]

Sent: Tuesday, February 25, 2014 11:02 AM
To: Recipients
Subject: Your Input Needed: URGENT

Your EMPLOYEE ACCOUNT have been compromised. The is the cause of the recent increse in unsolicited emails. You are to CLICK HERE and verify your account so that we can effectively thwart the damage done by phishing on our network.

Regards,

Systems Security

Phishing Attempt – 2014/2/04

The Information Security Office has been made aware of a phishing attempt that has been sent to some UTA employees.  Please delete this email if you receive it:

“””


From: Support
Sent: Tuesday, February 04, 2014 8:28 AM
To: User
Subject: Your Email Account

Dear Subscriber,

Due to congestion on our webmail servers, all unused and unconfirmed accounts will be shut down. It is mandatory you confirm ownership of your webmail account by clicking ClickHere and following the instructions by completing the form or your account will be suspended.

We sincerely apologize for any inconveniences caused.

Customer Dept.

Copyright 2013, All Rights Reserved