False security alerts and 800 phone number scams active now

Recently I have seen two computers taken over by false security alerts and 800 phone number scams.  Fortunately these two incidents were not destructive but they did require removing the scam settings to resume normal Internet web browsing.   Unfortunately some victims are falling for the scam, believing that their computer is infected with a bad virus and calling the 800 number on the screen to purchase the fix.

Example of a scam from the Internet.

How these scams work

Suddenly the victim sees a big bold message on the screen saying that their computer is infected with viruses and that they must call the 800 phone number to fix it.

The big bold message is persistent – you can’t close the window or the pop-ups.  Rebooting the computer does not get rid of the message.

It blocks your Internet web browsing.

It tries to be convincing by using a lot of technical jargon and famous company names.

This is called “scareware” because it tries to scare you into buying bogus support or software.  It is criminal extortion.

Technically these scams work by setting your web browser’s home page to their screen of false security warnings and then making it difficult to close the windows or navigate away.

These threats are not destructive but remember there are plenty of destructive threats out there such as cryptoware and identity theft.

Scareware

I have seen two versions of the scareware 800 phone number scam.  The first is a persistent web home page.  The second installs a copy of the Chromium browser and adds a registry autorun entry that opens the scare page at every boot.  Neither is a virus or destructive, and both can be removed.

Scareware #1

Appearance:  A persistent web page saying that the computer is infected and to call the 800 phone number.  You can’t close the web page, restarting the browser brings it back, and rebooting does not help.

Audio:  There may be an audio track with warnings.

Screen:  Contains scare words including “Trojan”, “worm”, “infection”, “hijack”, “virus” and “threats”.

What the scammers want you to do:  The 800 number routes to India, where a “tech” will remote into your PC using LogMeIn and convince you that you have viruses on your PC and network.  They will then offer to fix it for a one-year subscription at $199 or a lifetime subscription at $500, payable by credit card.

How it works:  The scam sets your browser home page to their scare web page, or to a local copy of it, and makes navigating away difficult (typically with a script that reopens the warning dialog every time you try to close the page).

Repair:  What you need to do is kill the browser without letting it restore the scare page, then reset your home page.  A little technical; here is the outline for Windows.  Start Task Manager (Ctrl+Shift+Esc), go to the Applications tab (the Processes tab on newer versions of Windows), find your browser, right-click it and click End Task (or End Process), then restart the browser.  When it asks whether to restore the previous pages, say no.  Finally, set the home page back to what you want in the browser’s settings.  Done!
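
For readers comfortable with PowerShell, here is the same repair as a script.  This is an added example, not part of the original post.  It assumes Chrome’s default profile lives under %LOCALAPPDATA%\Google\Chrome\User Data\Default and keeps its home page and startup pages in the Preferences file, that Internet Explorer keeps its start page in the registry value HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, and that Firefox’s prefs.js sits under %APPDATA%\Mozilla\Firefox\Profiles.  Without -Fix it only ends the browsers and reports where each one will open next time; with -Fix it resets the IE start page to about:blank and deletes Chrome’s saved session so the “restore pages?” prompt cannot bring the locked tab back.

```powershell
# Added example, not code from the original post.
# Ends the locked browser (same effect as Task Manager > End task), then reports
# where each browser will open on restart so a scare page that was set as the
# home page or startup page stands out. With -Fix it resets the IE start page and
# removes Chrome's saved session so the "restore pages?" prompt cannot reopen it.
# Assumed paths and keys: Chrome Default profile, IE "Start Page" value, Firefox prefs.js.
param(
    [switch]$Fix
)

function Test-LocalPage([string]$Url) {
    # The scam sets the home page to its hosted scare page or to a local copy.
    # A home page that points at a local file always deserves a second look.
    if ([string]::IsNullOrWhiteSpace($Url)) { return $false }
    return ($Url -match '^file:' -or $Url -match '^[A-Za-z]:\\')
}

# 1. End every browser process. Session restore is dealt with in step 3.
$browserNames = 'chrome', 'msedge', 'firefox', 'iexplore', 'chromium'
Get-Process -Name $browserNames -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host ("Ending {0} (PID {1})" -f $_.ProcessName, $_.Id)
    Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
}

# 2. Internet Explorer: the start page is a plain registry value.
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieKey -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($startPage) {
    $flag = if (Test-LocalPage $startPage) { ' <-- local file' } else { '' }
    Write-Host "IE Start Page: $startPage$flag"
    if ($Fix) { Set-ItemProperty -Path $ieKey -Name 'Start Page' -Value 'about:blank' }
}

# 3. Chrome: home page and startup pages live in the profile's Preferences JSON;
#    the last open tabs live in session files that Chrome offers to restore.
$chromeProfile = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$prefPath = Join-Path $chromeProfile 'Preferences'
if (Test-Path $prefPath) {
    $prefs = Get-Content -Raw -Path $prefPath | ConvertFrom-Json
    $pages = @($prefs.homepage) + @($prefs.session.startup_urls)
    foreach ($p in ($pages | Where-Object { $_ })) {
        $flag = if (Test-LocalPage $p) { ' <-- local file' } else { '' }
        Write-Host "Chrome start page: $p$flag"
    }
    Write-Host "Chrome restore_on_startup = $($prefs.session.restore_on_startup) (1 = restore last session, 4 = startup_urls, 5 = new tab)"
    if ($Fix) {
        # Older Chrome: 'Current Session'/'Current Tabs'/'Last Session'/'Last Tabs';
        # newer Chrome: a 'Sessions' folder. Removing them drops the locked tabs.
        Get-ChildItem -Path $chromeProfile -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in 'Current Session', 'Current Tabs', 'Last Session', 'Last Tabs', 'Sessions' } |
            Remove-Item -Recurse -Force
        Write-Host 'Chrome saved session removed; set the home page from Settings on next start.'
    }
}

# 4. Firefox: home page and startup behaviour are user_pref lines in prefs.js.
Get-ChildItem -Path (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        Select-String -Path (Join-Path $_.FullName 'prefs.js') -Pattern 'browser\.startup\.(homepage|page)' -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Host "Firefox [$($_.Filename)]: $($_.Line.Trim())" }
    }
```

Run it once without -Fix, read the report, and only then run it with -Fix.  Chrome’s Preferences file is deliberately not rewritten by the script: Chrome checks some of those settings for tampering and may reset them itself, so the home page is best put back from the browser’s own Settings page after the saved session is gone.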

Scareware #2

Appearance:  Upon booting the computer, a Chromium browser window takes up the screen saying that the computer is infected and to call the 800 number.  You can’t close the web page, restarting the browser brings it back, and rebooting does not help.  The scare page may spawn popup windows that will not close.  Note that this is the open-source Chromium browser, not Google Chrome.  Malwarebytes will find and remove malware, but the scam returns at the next boot.

Screen:  Various threats and explanations, including a bogus reference to “Hyper-V”.

The Hyper-V scam popup window.

How it works:  The scam has installed the Chromium browser and added an autorun entry to the registry that launches Chromium at every boot with their web page (a local file) as the home page.

Repair:  What you need to do is remove the registry autorun entry and delete the Chromium directory.  A little technical; here is the outline for Windows.  Run Malwarebytes and make a note of the Chromium autorun entry and the directory it points to.  Manually delete the autorun entry (run regedit, back up your registry with File > Export, find the entry, usually under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run or the HKEY_LOCAL_MACHINE equivalent, and delete it), then delete the directory that contains the bogus Chromium installation.
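
Here is the same repair as a PowerShell script, for the reader who would rather not poke around regedit by hand.  It is an added example, not from the original post, and it assumes the scam’s autorun value lives in one of the standard Run/RunOnce keys or the Startup folders and that its command line names the Chromium executable or a local .html file, as in the incident above.  By default it only lists and flags; with -Remove it exports the key to a .reg backup, deletes the flagged value, and removes the executable’s folder when that folder sits under a user-writable location.  Run it elevated if the entry is under HKEY_LOCAL_MACHINE.

```powershell
# Added example, not code from the original post.
# Lists the standard autorun locations, flags entries that look like the Chromium
# scare-page launcher, and (only with -Remove) backs up the key, deletes the value
# and removes the bogus Chromium folder. Assumption: the value's command line
# names the Chromium executable and/or a local .html file, as in the incident.
param(
    [switch]$Remove,
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\autorun-backup')
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Test-ScareAutorun([string]$Command) {
    # Heuristic: a browser started at logon with a local HTML page, or any
    # reference to chromium, is how this scam came back after every reboot.
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $isChromium  = $Command -match 'chromium'
    $isLocalHtml = ($Command -match '\.html?(\b|$)') -and ($Command -match 'file:|[A-Za-z]:\\')
    return ($isChromium -or $isLocalHtml)
}

# 1. Registry Run keys.
$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $cmd = [string]$regKey.GetValue($name)
        [pscustomobject]@{
            Key        = $key
            Name       = $name
            Command    = $cmd
            Suspicious = Test-ScareAutorun $cmd
        }
    }
}
$findings | Format-Table -Property Suspicious, Key, Name, Command -AutoSize -Wrap

# 2. Startup folders (per-user and all-users): a shortcut here works the same way.
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "Startup folder item: $($_.FullName)" }
}

# 3. Optional removal of flagged registry values.
foreach ($f in ($findings | Where-Object { $_.Suspicious })) {
    Write-Warning "Suspicious autorun: [$($f.Key)] '$($f.Name)' = $($f.Command)"
    if (-not $Remove) { continue }

    # Back up the whole key as a .reg file first (re-import with reg.exe if needed).
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $hivePath = $f.Key -replace '^HKCU:\\', 'HKCU\' -replace '^HKLM:\\', 'HKLM\'
    $safeName = ($f.Name -replace '[^\w.-]', '_')
    $backup   = Join-Path $BackupDir ('{0}-{1:yyyyMMdd-HHmmss}.reg' -f $safeName, (Get-Date))
    & reg.exe export $hivePath $backup /y | Out-Null
    Write-Host "Backed up $($f.Key) to $backup"

    Remove-ItemProperty -Path $f.Key -Name $f.Name
    Write-Host "Deleted autorun value '$($f.Name)'"

    # Pull the executable's folder out of the command line and delete the bogus
    # Chromium install, but only if it sits somewhere a non-admin user could have
    # dropped it (a Chromium under Program Files is left for manual review).
    if ($f.Command -match '^"?([A-Za-z]:\\[^"]*?)\\[^\\"]+\.exe"?') {
        $dir = $Matches[1]
        $userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData, $env:TEMP) |
            Where-Object { $_ -and $dir.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        if ($userWritable) {
            Write-Host "Removing $dir"
            Remove-Item -Path $dir -Recurse -Force -ErrorAction Continue
        } else {
            Write-Warning "$dir is outside the user-writable locations; inspect and remove it by hand."
        }
    }
}
```

The flagging is a heuristic built from this one scam, so read the table before trusting it: legitimate software also registers itself under Run, and only the entry whose command line opens the scare page should go.  The .reg backup lets you put a value back with a double-click if the wrong one was removed.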

Nerds and Geeks can help

If you are not sure about the repair steps, consult with your local nerd or geek.

Notes

These steps will remove this scareware scam, but there is always the chance that other malware was installed along with it or that your computer has vulnerabilities that let it in.  Update all software.  Run anti-virus and anti-malware scans, or reinstall Windows.

Your antivirus is a good first line of defense.

I recommend Malwarebytes as an on-demand anti-malware scanner, or as a real-time scanner with a subscription.

Time to re-educate yourself on safe Internet use:

  • Email: Do not open attachments or click links in email unless you are certain they are OK
  • Software: Do not accept software, downloads, or links that are offered to you unsolicited
  • Be smart: Do not give out personal information
  • Backup: Make copies of your important data
  • No: If you are not sure, don’t do it

Cryptovirus

Cryptovirus, or encrypting virus (ransomware).  This is an especially bad virus; it encrypts your data and demands money to decrypt it.  This is extortion.  If you have backups you can recover.  If you don’t have backups and the bad guys wrote a good virus, likely your only way to get the data back is to pay the ransom.  There are some loopholes: there may be Volume Shadow Copies (Windows “Previous Versions”) that the virus did not delete, the virus may have been cracked and the keys published, or you may have copies in the cloud (Google Drive, Microsoft OneDrive, Dropbox) or on another device.
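
The shadow copy loophole is worth checking before paying anything.  The following is an added example, not from the original post: it lists the Volume Shadow Copies that survived and links the newest one for a chosen drive into a folder so its files can be browsed and copied out.  It assumes an elevated PowerShell session and that each shadow copy’s device object is named \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN (the trailing backslash that mklink requires is added by the script).

```powershell
# Added example, not code from the original post.
# Lists Volume Shadow Copies that survived and exposes the newest one for a drive
# as a directory link so "Previous Versions" of files can be copied out by hand.
# Assumptions: elevated session; each copy's DeviceObject looks like
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN (mklink needs a trailing \).
param(
    [string]$LinkPath = 'C:\shadow',
    [string]$Volume   = 'C:'
)

# Map \\?\Volume{GUID}\ names to drive letters so the listing is readable.
$volumes = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object { $volumes[$_.DeviceID] = $_.DriveLetter }

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object -Property InstallDate -Descending
if (-not $shadows) {
    Write-Warning 'No shadow copies found. Ransomware commonly deletes them (vssadmin delete shadows /all); check cloud or other-device copies instead.'
    return
}

$shadows | ForEach-Object {
    [pscustomobject]@{
        Created = $_.InstallDate
        Drive   = $volumes[$_.VolumeName]
        Device  = $_.DeviceObject
    }
} | Format-Table -AutoSize

# Expose the newest copy of the requested drive as a folder. cmd's mklink is used
# because it accepts the \\?\GLOBALROOT device path directly.
$newest = $shadows | Where-Object { $volumes[$_.VolumeName] -eq $Volume } | Select-Object -First 1
if (-not $newest) { Write-Warning "No shadow copy for $Volume"; return }
if (Test-Path -LiteralPath $LinkPath) { Write-Warning "$LinkPath already exists; pick another -LinkPath"; return }

cmd.exe /c mklink /d $LinkPath ($newest.DeviceObject + '\') | Out-Null
Write-Host "Shadow copy of $Volume taken $($newest.InstallDate) is browsable at $LinkPath"
Write-Host "Copy what you need (e.g. Copy-Item '$LinkPath\Users\<you>\Documents' D:\recovered -Recurse),"
Write-Host "then remove the link with: cmd /c rmdir $LinkPath   (removes only the link, not the copy)"
```

Copy recovered files to a different drive, not back onto the infected one, and remove the link with rmdir rather than deleting through it; the shadow copy itself is read-only but the link is the only thing you want gone.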

References

Today show host gets caught by the scam; Jeff Rossen explains:  http://www.today.com/video/how-to-avoid-the-computer-trap-even-todays-natalie-morales-fell-for-633336387645

YouTube video of Jason Smart removing this scam:  https://www.youtube.com/watch?v=tc2DFQdE1v8

YouTube video of Dylan interacting with the scammers:  https://www.youtube.com/watch?v=EoeCl8SKJdc
