
Avoid this BSoD Tech Support Scam

Way back in 2008, I wrote about a piece of malware which took a prank Blue Screen of Death screensaver created by a security researcher, bundled it with malware and unleashed it on the general public.

While they sat looking in horror at the fake BSoD, rather nasty files were installing in the background. It was certainly inventive, but these days it’s all about the money, and any attempt at elaborate shenanigans has been replaced by the quickest route to a pot of cash.

Here’s another one of those cut and paste fake Blue Screen of Death websites we wrote about in July, this time located at

windows-error-alert(dot)info/index(dot)html

The URL, registered behind an anonymity service on September 1st, really wants you to think your PC just went kaboom:

[Screenshot: the fake error page]

Using the same boilerplate text shown in our other blog, it claims you’ve had the following problem occur:

BSOD: Error 333 Registry Failure of Operating System – Host:

BLUE SCREEN ERROR 0x000000CE

Please contact Microsoft Technicians at Toll Free: [phone number]

To immediately rectify issue to prevent data loss

If you have JavaScript enabled, you’ll be nagged with the pop-up message below forever and a day unless you kill the browser:

[Screenshot: the JavaScript nag pop-up]

It says:

Are you sure you want to leave this page?

*********** System Security At Risk ***********

Critical Security Warning! Windows has detected a serious attack on this system, as your IP Address seems to accessed from two different locations at one time. A Suspicious Connection was trying to access Your Logins, Banking Details & Tracking Your Internet Activity.

Please contact the Windows Support team immediately at [removed] (TOLL FREE) and provide error code UR97L1DA2TA to scan and resolve the potential threats to your personal and financial information, which seems to be accessed from another computer. Your Windows Security Center & Firewall Services are disabled. Your TCP Connection was blocked by your Firewall. Your Accounts may be suspended until you take an action.

Consequently we are performing additional security checks to verify the source of the attack and have halted all your resources in order to prevent any additional damage to your system and information.

Possibility of Data & Identity theft, if not fixed immediately.

Please call Windows Support Team at [removed] (TOLL FREE) to resolve the issues.

—————————————————— Customer Service: [removed] (TOLL-FREE)

Oh no! Not the suspicious connection!

They also don’t seem to like people poking around very much. In the screenshot below of the website’s source code you’ll notice some “Keycodes”:

[Screenshot of the page source: “We saw you...”]

These keycodes correspond to particular keys being pressed on the keyboard. Note that they’re looking out for certain keys pressed alongside the CTRL key. For example:

if (c.ctrlKey &&

e.keycode 67 = [C] (Copy)
e.keycode 86 = [V] (Paste)
e.keycode 85 = [U] (View source)
e.keycode 117 = [F6] (Typically highlights the address bar)
e.keycode 123 = [F12] (This one is not checked in combination with CTRL, as per the comments.)

What it looks like they’re doing is taking some script which would more commonly try to stop you copying content from a website, and instead turning it into a scare message:

“Your IP has been registed (sic) while you were trying to copy code…!!!”
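The two browser-side tricks described above, the beforeunload nag with its scare text and the keydown handler watching for Ctrl+C/V/U, F6 and F12, leave recognisable fingerprints in a page’s source. The following is an added example, not code from the original post or from the scam page: a small static scanner that looks for both patterns in page source and scores them. All names, the word list and the sample pages are assumptions constructed for illustration; the sample “scam” page mimics the structure described in the post and is not the real site.

```javascript
// Added example (not from the original post or the scam page): a static
// scanner that flags two tricks the post describes in a page's source:
//  1. an onbeforeunload / beforeunload handler carrying scare wording
//     (the "Are you sure you want to leave this page?" nag), and
//  2. keydown handlers that intercept Ctrl+C/V/U, F6 and F12
//     (keyCodes 67, 86, 85, 117, 123) to block copying and source viewing.
// Word list, thresholds and sample pages are all constructed assumptions.

const SCARE_WORDS = [
  "security at risk", "critical security warning", "toll free", "toll-free",
  "contact the windows support", "microsoft technicians", "identity theft",
  "blue screen error", "bsod",
];

// keyCode values the post lists, with what each key normally does.
// (The DOM property is keyCode; it is deprecated but still widely used.)
const WATCHED_KEYCODES = {
  67: "C (copy)", 86: "V (paste)", 85: "U (view source)",
  117: "F6 (address bar)", 123: "F12 (developer tools)",
};

// Return the scare phrases present in the source, in list order.
function findScareText(src) {
  const lower = src.toLowerCase();
  return SCARE_WORDS.filter((w) => lower.includes(w));
}

// Does the page register a leave-page nag handler?
function hasUnloadNag(src) {
  return /onbeforeunload|addEventListener\s*\(\s*['"]beforeunload['"]/i.test(src);
}

// Collect watched keyCode values compared against in the source, e.g.
// `e.keyCode == 85`, `e.keyCode === 85` or the post's shorthand `keycode 85`.
function findBlockedKeys(src) {
  const hits = [];
  const re = /key(?:Code|code)\s*(?:===?|=)?\s*(\d{2,3})/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const code = Number(m[1]);
    if (code in WATCHED_KEYCODES && !hits.includes(code)) hits.push(code);
  }
  return hits.sort((a, b) => a - b);
}

// Combine the indicators into a simple score; 2 or more is worth a closer look.
function scanPageSource(src) {
  const scareHits = findScareText(src);
  const blockedKeys = findBlockedKeys(src);
  const unloadNag = hasUnloadNag(src);
  const ctrlIntercept = /ctrlKey/.test(src) && blockedKeys.length > 0;
  let score = 0;
  if (unloadNag && scareHits.length > 0) score += 1; // nag carrying scare text
  if (ctrlIntercept) score += 1;                     // keyboard lockdown
  if (scareHits.length >= 3) score += 1;             // dense scare wording
  return {
    unloadNag,
    scareHits,
    blockedKeys: blockedKeys.map((k) => WATCHED_KEYCODES[k]),
    ctrlIntercept,
    score,
    suspicious: score >= 2,
  };
}

// Constructed sample mimicking the structure the post describes (not the real page).
const SAMPLE_SCAM_SOURCE = `
<html><body>
<h1>BLUE SCREEN ERROR 0x000000CE</h1>
<p>Please contact Microsoft Technicians at Toll Free: 000-000-0000</p>
<script>
window.onbeforeunload = function () {
  return "*** System Security At Risk *** Critical Security Warning! " +
         "Please contact the Windows Support team (TOLL FREE)";
};
document.onkeydown = function (e) {
  if (e.ctrlKey && (e.keyCode == 67 || e.keyCode == 86 || e.keyCode == 85 || e.keyCode == 117)) {
    alert("Your IP has been registed while you were trying to copy code...!!!");
    return false;
  }
  if (e.keyCode == 123) return false;
};
</script></body></html>`;

// Constructed benign page that merely disables Ctrl+C, for contrast.
const SAMPLE_BENIGN_SOURCE = `
<html><body><p>Hello</p><script>
document.onkeydown = function (e) { if (e.ctrlKey && e.keyCode == 67) return false; };
</script></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(scanPageSource(SAMPLE_SCAM_SOURCE));   // suspicious: true, score 3
  console.log(scanPageSource(SAMPLE_BENIGN_SOURCE)); // suspicious: false, score 1
}
```

Run it with `node scanner.js`; the sample scam page scores 3 (nag plus scare text, Ctrl interception, and dense scare wording) while the benign copy-protection page scores only 1, which is the point of combining indicators: a copy-blocking keydown handler on its own is common on legitimate sites, and it is the pairing with a leave-page nag full of “Windows Support” and “TOLL FREE” wording that marks this family of pages.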

Unfortunately for our fake BSoD scammers, it didn’t seem to work during testing. We did try calling the supplied phone number, but were placed into an automated hold queue from which there was apparently no escape (the music was semi-decent, but I tapped out at the 8+ minute mark). The typical M.O. with these scams is to access your PC remotely with a program of the scammer’s choosing, but due to the no-show on the call we can’t give any additional information at this time.

In a nutshell, should you see any form of message in your browser claiming to be a BSoD, either close the window or disable JavaScript and then close it – and don’t call the number. If the various browser pop-ups make it impossible to access your browser options for whatever reason (or you’re just not sure how to disable JavaScript), then hit CTRL+ALT+DEL and close the browser from the Task Manager.

There are many types of tech support scam out there, and this is just one of the newest. Feel free to take a look at our dedicated resource page and be ready for the inevitable phone call and/or phony website claiming something has gone terribly wrong…

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.