11/01/2016
17:32

A website displays alleged "security issues" - IT IS A SCAM!


A misleading website warns that the PC has been infected with a fake a.karmaplug.club virus/malware and asks the user to call a "hotline" to solve a non-existent problem.
TG Soft's Anti-Malware Research Centre (C.R.A.M.) has detected phishing attempts that occur while visiting websites that conceal malicious code, which redirects the user to the following site/page:
  • trkute.com/scz?p=<random ID>
Your PC is said to be under attack by an alleged virus/malware, and you are prompted to call paid tech support
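As an added example (not part of the C.R.A.M. article), the following Python scan looks for the redirect indicator described above in web proxy logs: requests to trkute.com/scz?p=<random ID> and to the fake "virus" host a.karmaplug.club. The log format and the referring site names are constructed for illustration; the referer of a trkute.com hit points at the (possibly compromised) page that redirected the user.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines: "client url referer status" (not taken from the article)
SAMPLE_LOG = """\
10.0.0.12 http://www.example-shop.it/annunci/123 - 200
10.0.0.12 http://trkute.com/scz?p=8f3a1c9e7b http://www.example-shop.it/annunci/123 302
10.0.0.12 http://a.karmaplug.club/alert.html http://trkute.com/scz?p=8f3a1c9e7b 200
10.0.0.33 http://www.example-news.it/home - 200
"""

# Indicators taken from the article: the redirect landing host and the fake "virus" name.
SCAM_HOSTS = {"trkute.com", "a.karmaplug.club"}

def is_scam_url(url):
    """True for a.karmaplug.club, and for trkute.com only with the /scz?p=<id> landing pattern."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == "trkute.com":
        return parts.path == "/scz" and "p" in parse_qs(parts.query)
    return host in SCAM_HOSTS

def find_scam_hits(log_text):
    """Return (client, url, referer) for every request to a scam URL; referer is None when absent."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of failing the whole scan
        client, url, referer, _status = fields
        if is_scam_url(url):
            hits.append((client, url, None if referer == "-" else referer))
    return hits

def suspected_redirectors(hits):
    """Hosts whose pages sent users to the trkute.com landing page: candidates for cleanup or blocking."""
    return sorted({urlsplit(ref).hostname for _client, url, ref in hits
                   if ref and urlsplit(url).hostname == "trkute.com"})

if __name__ == "__main__":
    found = find_scam_hits(SAMPLE_LOG)
    for client, url, referer in found:
        print(f"{client} -> {url} (referer: {referer})")
    print("suspected redirecting sites:", suspected_redirectors(found))
```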

This webpage displays a pop-up, warning that the user is being attacked by the non-existent virus a.karmaplug.club.

This window looks like a Blue Screen Of Death (BSOD), written in Italian, in which the user is told to call a hotline (in this case an Italian number) to solve the security issues.

The numbers vary according to the country.

In Italy, the following numbers have been observed:
  • 08x 1892 2627
  • 0x5 7860 858
  • x41 8520 539
Picture of the scam webpage, trying to convince the user to call for assistance in removing fake viruses/malware


Here's what happened to a person who dialed 08x 1892 2627.
The person who answered introduced himself as a "TeknFix" technician and informed the caller that only his company could solve the problem for which the user had called.
When asked for further information by email, the technician asked for an email address, to which he sent the following message:

Subject: teknfx technical support!
Date: Mon, 11 Jan 2016 19:18:19 +0300
From: [Name] [Surname] <[user]@gmail.com>
To: [user]@tiscali.it

  • http://www.teknfix.com/index.html


We tried to call 0x5 7860 858 ourselves.
The person who answered introduced himself as a "TeknFix" technician and informed us that our PC had been infected with one of the 10 most dangerous viruses and that we had to act quickly to stop and remove it.
In fact, the technician stated that only his company could fix those problems, using some remote desktop connection software.
He then invited us to open a web browser and visit "fastsuppxrt.com" from the allegedly infected PC.

Screenshot of the FASTSUPPORT.COM website, where users have to log in to find out which virus attacked their PC and to get assistance with its removal

The technician on the phone, speaking Italian with a strong foreign accent, prompted us to type our name in the name field and then read out the "Support Key" (Chiave supporto in Italian).
We asked how much the procedure would cost. We were told that, in order to identify the virus, we first had to log into the FastSupport website, and that this operation was free of charge; the technician, however, did not mention the removal of the virus, implying that it had a price. We then asked for further information by email, and without hesitation the technician took note of our email address; we received an email from a GOOGLE MAIL address, probably a throwaway one, containing a link to a webpage:
  • http://www.teknfix.com/serxxces.php
 

Here's what happened to a user who eventually got scammed

While visiting an e-commerce website (subito.it in this case), they saw the warning shown in the pictures above and proceeded to call x41 8520 539. The operator offered tech support, plus 6 months of antivirus protection, for just €209,00.
ATTENTION though: no antivirus product of any kind is actually delivered to the user.

Once the payment (with Credit Card) was completed, an operator remotely connected to the PC and:
  1. DISABLED THE ANTIVIRUS SOFTWARE on the PC by removing its msconfig (startup) entry and disabling its services, thus deactivating real-time monitoring;
  2. cleaned the web browsers' cache and browsing history;
  3. used freeware tools such as AdwCleaner to further clean the PC.
The technician eventually left on the desktop a file named "supporto.txt", containing the following lines:

+39 x94 801 483, x11 1962 1354
alesbia23@gmail.com
www.teknfix.com

     

Is what this fake tech support did actually helpful?

The operations carried out by these people are just maintenance activities that do not solve any malware-related problem at all. Disabling the antimalware's real-time monitoring leaves the PC exposed to ACTUAL threats, besides going against every security principle.
Furthermore, browser cleaning, temporary file removal, and the use of freeware disk optimisation tools can easily be done by users themselves without risk or trouble. In this case, though, these operations were presented as highly professional work, in order to justify the price paid by credit card.
 

How to avoid scam/phishing attempts

 

These scam attempts have been known for years; despite this, they can still trick lots of people. They follow the Fraudtools pattern (see article, in Italian): the user is led to believe, through alarming pop-ups and messages, that their PC has severe malware problems, until the victim purchases a non-existent security suite to solve these simulated problems.
It is social engineering at its finest: it is all the more persuasive because the user is offered a quick solution to their "problem" (dedicated phone tech support and a remote connection).

C.R.A.M. Centro Ricerche Anti-Malware di TG Soft

Do not get scammed yourselves - here is some advice:

  • should you see messages like the ones in the pictures above, DO NOT PANIC;

  • get in touch with a technician you trust - NEVER allow strangers to connect remotely to your computer;

  • get in touch with your antivirus provider or its tech support. If you own a Vir.IT eXplorer PRO licence, you can call our FREE customer support: +39 049 631748 or +39 049 632750, Mon-Fri, 8:30-12:30 and 14:30-18:00, or you can send an email to assistenza@viritpro.com.


TG Soft - Anti-Malware Research Centre (C.R.A.M.)

 

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment is appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft, of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: