OFFICIAL SECURITY BLOG
February 28, 2014 | BY Jérôme Segura
Tech Support scammers are really creative these days. As if the Microsoft ruse was no longer in fashion, they are impersonating other popular companies, such as Netflix.
I came across what I first thought was a typical phishing scam targeting Netflix: [Edit] Many people have asked how I got to this. I’ve been tracking tech support scams for about a year, documenting company names, websites, phone numbers. It happens the number used in this scam was the same as one I had spotted just a few days prior. But typically, people would receive this phishing scam through an email or a pop up [/Edit].
Until I realized it wasn’t, or at least that there was something more to it. Of course it stole my credentials:
But it also displayed a message saying my account had been suspended:
In order to fix this issue, you are urged to call “Netflix” at a 1-800 number. If you do a bit of a search you will find out this is not the official hotline, so this warranted a deeper investigation.
Once I called the number, the rogue support representative had me download a “NetFlix Support Software”:
This is nothing else but the popular remote login program TeamViewer:
After remotely connecting to my PC, the scammer told me that my Netflix account had been suspended because of illegal activity.
This was supposedly due to hackers who had infiltrated my computer as he went on to show me the scan results from their own ‘Foreign IP Tracer’, a fraudulent custom-made Windows batch script:
According to him, there was only one thing to do: To let a Microsoft Certified Technician fix my computer.
He drafted a quick invoice and was kind enough to give me a $50 Netflix coupon (fake of course) before transferring me to another technician:
During our conversation, the scammers were not idle. They were going through my personal files and uploading those that looked interesting to them, such as ‘banking 2013.doc‘:
Not quite your Netflix support is it? Not at all.
Another peculiar thing is when they asked me for a picture ID and a photo of my credit card since the Internet is not secure and they needed proof of my identity. I could not produce one, therefore they activated my webcam so that I could show said cards to them onto their screen.
This is where it ended as my camera was disabled by default. The scammers were located in India, information gathered from the TeamViewer logfile:
IP geolocation courtesy of IPligence.
This scam seems relatively fresh, at least the domain they used was registered and updated recently:
This was a clever plan which not only is about stealing money for bogus services but also about identity theft by gathering personal details from the victim (photo, name, email, address, password, etc.).
For more information on Tech Support Scams and how to protect yourself, please check out this resource page.
Disclaimer: You should never let anyone take remote control of your computer unless you absolutely trust them. This scam took place in a controlled environment that had been set up specifically for that purpose.