Tech Support Scammers Impersonate Apple Technicians

Remote assistance is increasingly popular for troubleshooting computer issues without the hassle of bringing the problematic machine to a store. From the comfort of your own home, you can let a certified technician remotely log into your PC and fix the issues you are facing.

Apple offers a screen-sharing service as part of its support center that puts you in touch with a remote advisor. The process is secured by a unique session key that the customer must enter at the following URL to authenticate into the system: https://ara.apple.com

[Screenshot: Apple's legitimate remote-assistance session page]

In today’s post we will talk about how we discovered that crooks are abusing this feature and fooling Mac users into trusting them.

As we have documented many times on this blog, there has been an explosion of tech support scams delivered via malvertising and fraudulent affiliates. All systems are targeted, not just Windows PCs; in fact, fraudulent warnings aimed at Mac users are becoming extremely common.

[Screenshot: fake Safari alert page]

These pages are designed to scare people into thinking there is something wrong with their computer. Fraudsters use all sorts of messages, audio warnings and other artifacts to social engineer their marks into calling for assistance.

Typically, scammers have the victim browse to LogMeIn or TeamViewer and download the software needed to take remote control of the machine. However, especially in this case involving Apple consumers, that step may seem unnatural and not part of the whole “Apple experience”.

For this reason, the crooks registered a website with a domain name that looks like the real Apple one (ara.apple.com), calling it ara-apple.com. The site was registered through GoDaddy and resides on IP address 184.168.221.63.

[Screenshot: WHOIS record for ara-apple.com]

This domain is used for everything from linking to the remote programs the ‘technician’ will use:

[Screenshot: download page for the remote-control programs]

to processing payments (note that the ‘Secure Payment’ page is served over regular, unencrypted HTTP):

[Screenshot: ‘Secure Payment’ page served over plain HTTP]
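Both tells described above, a brand name grafted onto an unrelated registrable domain (ara-apple.com standing in for ara.apple.com) and a payment page served over plain HTTP, are things a URL filter can flag before a user ever reaches the page. The Python below is an added example and is not code from the original post or from Malwarebytes; the trusted domain and the lookalike come from the post, while the payment-path keywords and the sample URLs are assumptions.

```python
"""Flag URLs whose hostname imitates a trusted support domain (added example)."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Legitimate domain from the post: ara.apple.com. A host that merely contains
# the brand name but is not under apple.com is treated as a lookalike.
TRUSTED_DOMAINS = ("apple.com",)
PAYMENT_HINTS = ("pay", "checkout", "billing")  # assumed path keywords


def is_trusted_host(host: str) -> bool:
    """True only if host is exactly a trusted domain or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def lookalike_reason(host: str) -> Optional[str]:
    """Explain why host imitates a trusted brand, or return None if it does not."""
    # Match the brand as a whole label token (split on '.' and '-'), so
    # 'ara-apple.com' and 'apple.com.evil.example' match but 'pineapple.example' does not.
    tokens = re.split(r"[.-]", host.lower())
    for domain in TRUSTED_DOMAINS:
        brand = domain.split(".")[0]
        if brand in tokens and not is_trusted_host(host):
            return f"contains brand '{brand}' but is not under {domain}"
    return None


def assess_url(url: str) -> dict:
    """Return the trust verdict and a list of findings for one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    reason = lookalike_reason(host)
    if reason:
        findings.append("lookalike host: " + reason)
    if parts.scheme == "http" and any(k in parts.path.lower() for k in PAYMENT_HINTS):
        findings.append("payment page served over unencrypted HTTP")
    return {"host": host, "trusted": is_trusted_host(host), "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs: Apple's real session page and the post's lookalike.
    for u in ("https://ara.apple.com/", "http://ara-apple.com/secure-payment"):
        print(u, assess_url(u))
```

The token split deliberately does not catch brands fused into one label (for example applesupport.example); extend the tokenizer or add a suffix list if that matters in your environment.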

We have contacted both the registrar (GoDaddy) and hosting provider (Liquid Web) so that they can take appropriate actions in shutting down these fraudulent websites.

This particular case shows that tech support scammers are resorting to more elaborate ways to social engineer their victims. Perhaps Apple users are even more at risk because they may be less experienced at dealing with these kinds of “errors”.

As always, please be particularly suspicious of alarming pop-ups or websites that claim your computer may be infected. Remember that Apple would never use such methods to get you to call them, nor would it call you directly.

For more information about tech support scams and a comprehensive list of known malicious sites and phone numbers, please check out our resource page.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher