Malware News This Windows Activation Scam Talks to You So You Won't Forget to Call & Pay

Exterminator

Oct 23, 2012
Five days ago we were reporting about a ransomware/tech support scam that relied on a fake Windows activation screen to scare users into calling a special telephone number and having their operating system unlocked.

According to two reports from Bleeping Computer and Malwarebytes, there seems to be a resurgence of tech support scams that follow a trend of mimicking Windows activation screens, which is in no way innovative, but hasn't been spotted so often in such a short period of time.

Tech support scam locks your screen, prevents access to anything else
The way this tech support scam works is simple. The scam locks the user's computer (a reason why infosec experts also categorize it as ransomware) and asks the user to enter a Windows product key or call a tech support number for help.

If the user tries to enter his real Windows product key, the scam won't go away by any means. In fact, entering any text in the product key field will show the standard Windows 10 settings page, even if the user runs another Windows version.

This is a clear sign that this is a scam, if the user wasn't already alerted by the fact that the activation screen interface features a wonky UI that's not properly aligned, something that Microsoft's UI team would never have released to the public. EVER!

If you missed all these signs, if you click anywhere on the screen, this malware will read out to infected hosts "Please activate your Window call to us on 1-888-414-4284."

Scammers ask for $100 to unlock your PC
Lawrence Abrams of Bleeping Computer says he called the number, and an operator tried to charge him $99.99 for a new product key.

Poking around this tech support scam's interface, Abrams discovered support for opening applications such as cmd.exe, Windows Explorer, TeamViewer, LogMeIn, and Supremo.

The last three are remote desktop utilities and are no doubt used by the tech support operator to log onto infected PCs and remove the lockscreen after the user pays.


The "suspicious" Windows 10 Settings screen
Unfortunately for the people behind this fraud, there are security experts who dedicate their time to breaking their malicious code. Just like the previous scam analyzed by Symantec, this one also includes an unlock key hard-coded inside the malware's source code.

Simple removal instructions
To get rid of this tech support scam, just enter closecloseclosecloseclose (five times close, without spaces) in the activation key input field.

This will allow users to close the screen-locker window. If this doesn't work, users should reboot their PC after entering the code, which in most cases should fix the problem.

There is also a second way to remove this scam. Users can reboot their PC in Safe Mode with Networking, and scan their PC with an antivirus product. Since Malwarebytes was the company that stumbled upon this scam, you should start with their product which probably already includes support for removing this threat.

Below is a video courtesy of Bleeping Computer which shows how this tech support scam works and sounds.
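
The hard-coded unlock key, the spoken phone number and the launchable tool names described above are the kind of strings an analyst looks for during static triage. The following is an added example, not part of the original article or of any vendor's tooling: it extracts ASCII and UTF-16LE strings from a binary and groups them by indicator type. The `SAMPLE` bytes are constructed for illustration, and the function names and regular expressions are assumptions of this example.

```python
import re

# Remote-access tools and shells the article says the locker can launch.
TOOL_NAMES = ("teamviewer", "logmein", "supremo", "cmd.exe")
PHONE_RE = re.compile(r"\b1-8(?:00|33|44|55|66|77|88)-\d{3}-\d{4}\b")
# A short token repeated 3+ times with nothing else, e.g. "closeclosec...".
REPEAT_RE = re.compile(r"^([A-Za-z]{3,12}?)\1{2,}$")


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable ASCII and UTF-16LE strings found in data."""
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found += [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def triage(data: bytes) -> dict:
    """Group extracted strings into the indicator types named in the article."""
    report = {"repeated_token": [], "phone": [], "tools": []}
    for s in extract_strings(data):
        text = s.strip()
        if REPEAT_RE.match(text):
            report["repeated_token"].append(text)
        report["phone"] += PHONE_RE.findall(text)
        low = text.lower()
        report["tools"] += [t for t in TOOL_NAMES if t in low]
    report["tools"] = sorted(set(report["tools"]))
    return report


# Constructed sample standing in for a locker binary (not a real sample).
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(0, 32))
    + "Please activate your Window call to us on 1-888-414-4284.".encode("utf-16le")
    + b"\x00\x00\x01\x02"
    + "closecloseclosecloseclose".encode("utf-16le")
    + b"\xff\xfe\x00"
    + b"C:\\Program Files\\TeamViewer\\TeamViewer.exe\x00"
    + b"cmd.exe\x00"
)

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE).items():
        print(f"{kind}: {hits}")
```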
