Researcher Social Engineers Tech Support Scammer into Installing Locky Ransomware

August 8, 2016 8:52 am David Bisson

A security researcher tricked a tech support scammer into installing a copy of Locky ransomware onto their computer.

The story began for Ivan Kwiatkowski, a security researcher who lives in France, when his parents asked him for help after visiting a website (snapshot here) that claimed the Zeus trojan had infected their computer.

The page was a perfect storm for unsuspecting users. As the researcher explains in a blog post:

“This horrible HTML aggregate had it all: audio message with autoplay, endless JavaScript alerts, a blue background with cryptic file names throwing us back to Windows’ BSoD days, and yet somehow it displayed a random IP address instead of the visitor’s one.”

Curious to learn more about the scam, the researcher decided to get in touch with “tech support.” He called twice. Both “tech representatives” with whom he spoke told Kwiatkowski someone had infected his computer and that he should purchase an anti-virus subscription.

During the second call, Kwiatkowski provided the tech representative with a few test credit card numbers to waste their time. While the representative spoke with his supervisor, the researcher had a sudden realisation:

“I open my ‘junk’ e-mail folder where I find many samples of the latest Locky campaign – those .zip files containing a JS script which downloads ransomware. I grab one at random, drag it into the VM. The remote-assistance client I installed has a feature allowing me to send files to the operator. I upload him the archive….”

Locky has been masquerading as .ZIP files since at least March 2016, when Rodel Mendrez, a security researcher at Trustwave, first detected a surge of spam emails containing malicious JS attachments that peaked at approximately 200,000 emails in a single hour.
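As an added defensive illustration (not code from the article, from Kwiatkowski, or from Trustwave), the following mail-gateway check unpacks a .zip attachment in memory and flags any member carrying a Windows script extension, which is the shape of the Locky lures described above. The sample attachment and its file name are constructed here, and the extension list is an assumption about what a gateway should treat as executable.

```python
import io
import zipfile

# Assumed block list: extensions Windows Script Host or mshta will run on a double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def scan_zip_attachment(data: bytes) -> list[str]:
    """Return the names of archive members a mail gateway should flag.

    Any member whose final extension is a Windows script type is flagged, so a
    .zip wrapping a .js downloader (the Locky campaign pattern) is caught, as are
    double extensions such as "invoice.pdf.js", because only the last suffix counts.
    A malformed archive is reported rather than silently passed.
    """
    flagged = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                name = info.filename.lower()
                if name.endswith("/"):
                    continue  # directory entry, nothing to execute
                suffix = name.rsplit(".", 1)[-1] if "." in name else ""
                if "." + suffix in SCRIPT_EXTENSIONS:
                    flagged.append(info.filename)
    except zipfile.BadZipFile:
        flagged.append("<not a valid zip archive>")
    return flagged


def build_sample_attachment(member_name: str, body: bytes) -> bytes:
    """Construct a small in-memory zip standing in for a mail attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, body)
    return buf.getvalue()


# Constructed samples: a harmless placeholder script named like the Locky lures,
# and a benign document for comparison.
SAMPLE_LURE = build_sample_attachment("invoice_4821.pdf.js", b"// placeholder\n")
SAMPLE_BENIGN = build_sample_attachment("report.pdf", b"%PDF-1.4 placeholder\n")

if __name__ == "__main__":
    print(scan_zip_attachment(SAMPLE_LURE))    # ['invoice_4821.pdf.js']
    print(scan_zip_attachment(SAMPLE_BENIGN))  # []
```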

Kwiatkowski ultimately used social engineering techniques to trick the representative into opening the malicious file on their computer, a trick which he thinks others should replicate:

“In conclusion, whenever one stumbles on an obvious scam, the civic thing to do is to act like you buy it. Rationale: scammers don’t have the time to separate legitimate mugus from the ones who just pretend. Their business model relies on the fact that only gullible people will reply. Now were they spammed back, their workload would increase so much that scamming wouldn’t be a profitable activity anymore. So if you’re a French speaker, you should definitely take 15 minutes of your time, call them at +339 75 18 77 63 and try to social engineer them into doing something funny.”

But let’s be honest: tricking tech support scammers isn’t for everyone. Some organisations would much rather invest in security awareness eLearning training to help prevent their employees from falling for tech support scams in the first place.

That’s where Metacompliance comes in.

Metacompliance, an organisation that specialises in policy management software, consults with other companies to recommend process and security training changes that can better protect them and their staff. To help implement those changes, the Metacompliance team might recommend one of their security awareness training eLearning modules.

Learn more about how Metacompliance’s eLearning solutions can help your employees evade tech support scams.