Trending Scams


This is an experimental section of the website that aims to inform you of scams making the rounds in our area, as reported by our staff and customers. If you find this section useful, please let us know.


June 2017 – Fake Virus removal, PC cleanup scam

An all too common scam these days. One day while browsing the web you are hit with a dire-looking popup that claims your computer is infected with a virus or some other fictional malady. Scam authors produce a semi-legitimate-looking popup by embedding HTML and script in an advertising frame, or behind an external link on a site you visit. JavaScript can be used to resize the browser window so that the fake error appears to fill your entire desktop, and the page often mimics the standard Windows visual theme. They are hoping to exploit your sense of alarm, and conveniently provide a website address or phone number you are encouraged to contact in order to ‘remedy the issue’.

Of course, legitimate providers like Microsoft, and any of the reputable anti-malware vendors, will never use tactics like these to contact you. The second stage of this scam usually involves the fake support agent talking you into running something on your computer that you’ve never heard of, in order to gain control of the machine or trick you into making payments.
The number we were asked to call was (866) 315-1003.

Two of the more common vectors for this ruse are TeamViewer and GoToAssist. These are ‘desktop sharing’ applications often used by legitimate tech support to assist people remotely; however, when you give a scammer remote control over your PC, they are not going to be fixing any existing problems, only creating new ones for you.

[Screenshots: the TeamViewer launch dialog and the GoToAssist launch dialog]

In the iteration we recently encountered and were able to investigate, the scammer’s trick was to get you to launch ‘hh’ (hh.exe, the Windows HTML Help viewer) from a Windows Run box, supposedly confirming the virus-caused error, and then manually redirect you to a scammer-controlled ‘GoToAssist’ session, where the scammers demonstrate another bunch of plausible-looking errors by pulling irrelevant data from various system utilities that ship with Windows. You will then be taken to a credit card payment processor and asked to pay in advance for a ‘premium support’ contract.

This scam operates in the quasi-legal realm of offering a fictional service to remedy a fictional technical issue; however, scammers with even fewer qualms about prosecution and legal jurisdiction will often install actual malware onto your system during the shared desktop session, in order to give themselves persistent administrative control over your computer.


July 2017 – IRS Lawsuit/Arrest scam

This scam appears to originate from the 409 (Texas) area code, but the caller ID may be spoofed. A recorded speaker threatens you with a pending IRS lawsuit and/or arrest. Of course, the caller never identifies themselves, or for that matter who ‘you’, the supposed target of this lawsuit or warrant, is.
The number you are asked to call in our observed samples is either (409) 965-5767 or (409) 965-5763.

[Audio sample: recording of the IRS Lawsuit Scam call]


January 2018 – Craigslist Vehicle transfer scams

Recently one of our techs found himself in need of some new wheels, and went looking in the Olympic Peninsula section of Craigslist for something local and affordable to drive. Perhaps the price and mileage in this ad were just a bit too good, but we all like to find a deal; it’s part of the online bargain-hunting experience.

The apparent stock photos, and being asked to call a burner mobile number in Georgia, (770) 515-8478, set off some early red flags, so we set our tech up with a disposable, one-time-use mailbox for correspondence with the would-be scammers.

Magicians use a tactic called ‘misdirection’ to fool their audiences; scammers are heavily invested in ‘redirection’, a tactic of bouncing you around so that when assets like phone numbers and mailboxes get burned by abuse reports, they can swap a new one into that spot and be back to scamming in short order.

The Georgia number asks our tech to email ‘their mom’ at <michellesp222@gmail.com> to purchase the vehicle.

So he does. Our advice for avoiding Craigslist scams is to ask very specific questions right off the bat, questions that a ‘remote agent’ or ‘sale by proxy’ will not be able to answer satisfactorily.

The response, of course, is scripted, and answers neither of the questions posed. Scammers want to get you invested in their made-up back story, while avoiding having to provide any information that might be verifiable.

A nice prepared paragraph that answers all the questions … that nobody had asked. Now comes the time for the scammer to see if they can really get their hooks into you, using your excitement over the fictional ‘good buy’ to propose a very odd sort of car sale: no in-person interaction, and an escrow service chosen by the scammer, of course.

The scammer continues to make requests while ignoring every request made of them for tangible, verifiable information, like a contact number and the physical address of the vehicle. Notice that when pressed for the local location of the truck, the vehicle has magically teleported out of the time zone it was listed in. So our journey takes us from a burner number in Georgia, to Nebraska, through Alaska, to a disposable Gmail account, and now asks that we await ‘an email from eBay’.

And if we were to continue traveling, we would likely end up at the scammer’s own web front operation. Know, of course, that eBay does not personally message anyone with ‘details’ of a listing at a seller’s request. What comes next is a phish. Stay tuned, and we’ll see if we can land the scaly fellow while this scam is still in season.


December 2018 – Bitcoin Extortion scam

In late 2018, this trending scam combines a bit of technical scare-mongering with the increasing popularity of crypto-currencies for ransom demands.

You may find an email in your inbox similar to the one below. It promises to e-mail all your contacts with blackmail material unless a payment is made in Bitcoin (BTC).

[Screenshot: the Bitcoin extortion e-mail as received]

While this does at first seem alarming, and also appears to ‘originate’ from your own e-mail account, it’s a one-trick pony relying on the first impression of actual impersonation and account takeover.

If you use the ‘Show full headers’ or ‘View Source’ option in our webmail, you will see that this example of the scam message really came from Argentina: the connecting host reverse-resolves to fibertel.com.ar, and the SPF check fails because that address is not a permitted sender for our domain, even though the ‘From’ line claims otherwise.


Return-path: <redacted@nikolabroadband.com>
Authentication-Results: mail.nikola.com;
     spf=fail smtp.mailfrom=redacted@nikolabroadband.com;
     iprev=pass policy.iprev=190.245.103.23 (PTR 23-103-245-190.fibertel.com.ar);
Received-SPF: fail (mail.nikola.com: domain nikolabroadband.com
     does not designate 190.245.103.23 as permitted sender)
     receiver=mail.nikola.com; client-ip=190.245.103.23;
     mechanism=all; envelope-from="redacted@nikolabroadband.com";
     helo=23-103-245-190.fibertel.com.ar;
Received: from 23-103-245-190.fibertel.com.ar
     (23-103-245-190.fibertel.com.ar [190.245.103.23])
     by nikola.com (64.146.180.228) (MDaemon PRO v18.5.1) with ESMTP id md50003361617.msg;
     Tue, 15 Jan 2019 17:24:13 -0800
X-MDSPF-Result: fail (mail.nikola.com)
X-MDRemoteIP: 190.245.103.23
X-MDHelo: 23-103-245-190.fibertel.com.ar
X-MDArrival-Date: Tue, 15 Jan 2019 17:24:13 -0800
From: <redacted@nikolabroadband.com>
To: "f4k3p@$werd" <redacted@nikolabroadband.com>
Subject: High danger. Your account was attacked.


To explain how this scam operates: shady operators have been grabbing lists of accounts (sometimes with the passwords used on the breached site disclosed as well) from high-profile data breaches as they become available.

The operator then generates a forged message with the ‘From’ line set to your own address and, by showing you a credential that you may have used, or may still be using, appears to have credibly compromised your security.

The fact is, they have done no such thing, and there is no video. It’s a semi-elaborate ruse to extort you out of your money, and hard to trace back to the scammer once the payment has been converted to Bitcoin.

Nikola catches thousands of these every day, but you may notice the erratic and broken language as this scam evolves. It’s not that the scammers are incapable of writing proper English; they are actively trying to evade pattern matching by using phrases that do not commonly occur in ordinary correspondence or in prior versions of the scam template.
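Because the wording keeps changing, the headers are a more reliable thing to check than the text. As an added example (not code from the original page or from Nikola), here is a small Python script that does the header inspection described above programmatically: it unfolds the raw headers, reads the SPF verdicts from Authentication-Results and Received-SPF, pulls the connecting IP and HELO name, and flags the ‘From equals To’ pattern this extortion template relies on. Both sample messages are constructed: the first reproduces the headers quoted above (mailbox still redacted, body omitted), and the second is an invented, legitimately delivered message included for contrast.

```python
import re

# Constructed sample 1: the extortion message's headers as quoted on this page
# (mailbox still redacted, body omitted). Continuation lines are indented.
SCAM = """\
Return-path: <redacted@nikolabroadband.com>
Authentication-Results: mail.nikola.com;
     spf=fail smtp.mailfrom=redacted@nikolabroadband.com;
     iprev=pass policy.iprev=190.245.103.23 (PTR 23-103-245-190.fibertel.com.ar);
Received-SPF: fail (mail.nikola.com: domain nikolabroadband.com
     does not designate 190.245.103.23 as permitted sender)
     receiver=mail.nikola.com; client-ip=190.245.103.23;
     mechanism=all; envelope-from="redacted@nikolabroadband.com";
     helo=23-103-245-190.fibertel.com.ar;
Received: from 23-103-245-190.fibertel.com.ar
     (23-103-245-190.fibertel.com.ar [190.245.103.23])
     by nikola.com (64.146.180.228) (MDaemon PRO v18.5.1) with ESMTP id md50003361617.msg;
     Tue, 15 Jan 2019 17:24:13 -0800
From: <redacted@nikolabroadband.com>
To: "f4k3p@$werd" <redacted@nikolabroadband.com>
Subject: High danger. Your account was attacked.

(body omitted)
"""

# Constructed sample 2: an invented, legitimately delivered message for contrast.
LEGIT = """\
Authentication-Results: mail.nikola.com;
     spf=pass smtp.mailfrom=billing@example.com;
Received-SPF: pass (mail.nikola.com: domain example.com designates 192.0.2.10 as permitted sender)
     receiver=mail.nikola.com; client-ip=192.0.2.10;
     envelope-from="billing@example.com"; helo=mx1.example.com;
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
     by nikola.com with ESMTP id example0001.msg;
     Wed, 16 Jan 2019 09:00:00 -0800
From: Example Billing <billing@example.com>
To: <redacted@nikolabroadband.com>
Subject: Your invoice is ready

(body omitted)
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def parse_headers(raw):
    """Unfold RFC 5322 headers into (name, value) pairs, stopping at the blank line."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                  # end of the header section
        if line[0] in " \t" and headers:           # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def get_all(headers, name):
    return [v for n, v in headers if n == name.lower()]


def spf_verdicts(headers):
    """SPF verdicts: 'spf=' in Authentication-Results, first token of Received-SPF."""
    verdicts = []
    for ar in get_all(headers, "Authentication-Results"):
        m = re.search(r"\bspf=([a-z]+)", ar, re.I)
        if m:
            verdicts.append(m.group(1).lower())
    for rs in get_all(headers, "Received-SPF"):
        verdicts.append(rs.split(None, 1)[0].lower())
    return verdicts


def received_spf_field(headers, key):
    """Read a key=value item (client-ip, helo, envelope-from) out of Received-SPF."""
    for rs in get_all(headers, "Received-SPF"):
        m = re.search(r'\b%s="?([^";\s]+)' % re.escape(key), rs)
        if m:
            return m.group(1).lower()
    return None


def addresses(values):
    return {a.lower() for v in values for a in ADDR_RE.findall(v)}


def assess(raw):
    """Collect the evidence a reader would check by hand and return a verdict."""
    h = parse_headers(raw)
    findings = []
    if addresses(get_all(h, "From")) and addresses(get_all(h, "From")) == addresses(get_all(h, "To")):
        findings.append("from-equals-to")         # the "sent from your own account" illusion
    spf = spf_verdicts(h)
    if "fail" in spf:
        findings.append("spf-fail")               # connecting host not permitted for that domain
    helo, envelope = received_spf_field(h, "helo"), received_spf_field(h, "envelope-from")
    if helo and envelope:
        domain = envelope.rsplit("@", 1)[-1]
        if not (helo == domain or helo.endswith("." + domain)):
            findings.append("helo-outside-sender-domain")   # e.g. fibertel.com.ar vs nikolabroadband.com
    return {
        "sender_ip": received_spf_field(h, "client-ip"),
        "helo": helo,
        "spf": spf,
        "findings": findings,
        "likely_self_spoof": "from-equals-to" in findings and "spf-fail" in findings,
    }


if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, assess(raw))
```

Run it as-is and the scam sample reports the Argentine connecting address 190.245.103.23, two SPF failures, a HELO name outside the claimed sender domain, and a ‘From’ that merely equals ‘To’; the invented legitimate message produces no findings. The same three checks can be applied to any message pasted from the ‘Show full headers’ view.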

Please let us know if you are receiving a variant of the Bitcoin extortion scam, and we can help take corrective measures. If the password quoted in the message is one you still use anywhere, change it there. But do not send any money (or coins) to these jerks.