Great News In The Battle Against Tech Support Scams

  • Published in Security

On November 10, 2014, the Federal Trade Commission, along with local Delray Beach, Florida law enforcement, raided the facilities of OMG Tech Help and Vast Tech Support, effectively shutting down these and related businesses for engaging in deceptive business practices by running “a multi-million dollar computer repair scheme that exploits consumers’ fears about computer viruses, malware and other security threats.”

This is a huge win for consumers who, as the TRO Motion makes clear, have been bilked out of millions of dollars by fraudsters tricking people into paying for unnecessary tech support services or software. Included in the TRO is “an asset freeze” to allow for “equitable relief” for those victimized by this scam.

Tech support scams have been a growing industry in the past few years and we’ve written about them several times. Our advice has always been the same: take your computer or server to someone local, and don’t trust the calls, emails or popups you receive.

For more information on how these scams are perpetrated read our article Tech Support Scams - Don't be a Victim. 

In the case of OMG Tech Help and Vast Tech Support the scam works through a free downloadable program called PC HealthBoost (see the screenshot below); the software was developed and is maintained by Boost Software of Massachusetts, which is also named in the TRO. The software is marketed, if you can call it that, through paid ads and popups on websites.

Screenshot of the PC HealthBoost software scam.

From the FTC, “Upon downloading a free version of the product, the product automatically initiates a bogus computer system scan that invariably detects hundreds or thousands of purported “errors” in need of repair. PC HealthBoost’s bogus free scan falsely identifies innocuous and helpful files as “errors”. The Boost Defendants then offer consumers the opportunity to “fix” these errors by downloading the paid version of the software for $29.97. After duping consumers into purchasing the paid version of PC HealthBoost, the software instructs consumers to call a toll free phone number to activate the product.”

For details on some of the innocuous items identified as errors, as well as how the remote access section of the scam works see our article.

It is through the need to activate the product that the scam transitions from Boost Software to OMG Tech Help and Vast Tech Support. Now you’re in the hands of the next step of the scheme to “extract additional money from unsuspecting consumers”.

As part of the activation, the telemarketer finds a way to get you to grant remote access. Once remote access was gained to the intended victims’ computers, the telemarketers “tricked consumers into believing that their computers are riddled with problems and in imminent danger of crashing, the telemarketers then pitch the services of technicians, including repairs and long-term maintenance programs. The Vast Defendants recommend and charge for repairs even when computers are in good working order and have no issues. Through the course of the scheme, the Boost and Vast Defendants have caused more than $22 million in consumer injury.”

Vast is reported to have operated under multiple DBAs, including OMG Tech Help, OMG Total Protection, OMG Back Up, dowloadsoftware.com and softwaretechsupport.com.

To put that $22 million in consumer injury into perspective, consider the President of OMG Tech Help Jon-Paul Vasta’s LinkedIn Profile.

Screenshot of Jon-Paul Vasta’s LinkedIn experience listing for Vast.

That's $22 million in not even 3 years of running this scam.

Near the end the TRO gives us another encouraging bit of information, “Before founding Vast, JP Vasta worked for Inbound Call Experts, another computer repair scheme operating out of Boca Raton subject to an FTC and State of Florida enforcement action filed simultaneously with this case.”

While it is good news that a second computer repair scheme also appears to be out of business, the damage caused by Inbound Call Experts, dba Advanced Tech Support, appears to be even larger than that of OMG Tech Help. Consumers reported paying $150 – $500 for each phony repair, adding up to nearly $100 million in revenue taken from consumers.

Employer review site GlassDoor.com may offer a glimpse at what Inbound Call Experts was all about. From September 2, 2014: “Former Employee…you feel like you are taking money from people who don’t have it for things they don’t need.”

The related companies in the Inbound Call Experts case are coast to coast, from Advanced Tech Support in Florida to PC Cleaner, Inc. and Netcom3, Inc. in California. The combined defendants had approximately 150 domains that they would use to lure victims in. The domains include:

  • freetechsupport.com
  • advancedtechsupport.com
  • malwareexperts.com
  • pcmri.com
  • pcmriforlife.com
  • superpcsupport.com
  • pcvitalware.com
  • fix22.com
  • fixme1.com

These defendants would “partner with computer security software companies to purportedly provide technical support for particular software. In those instances, unbeknownst to the consumer the defendants pay for the phone number that appears on the software partner’s website. When consumers call the software company for assistance with a particular product, rather than reaching that software developer, they reach ICE/ATS.”

One of the downloadable programs offered specifically by PC Cleaner, Inc., which claims to show infections but instead uses false information to trick the victim, was downloaded by users more than 450,000 times between 2011 and 2013, per the FTC filing.

This is great news for consumers everywhere! But remember these two aren't the only companies working this scam online. It’s always best to take your computer to a local trusted company!

Top Speed Computer Service's South Reno Office


The Hits Keep Coming To Apple's iOS

  • Published in Apps

Another piece of malware, named WireLurker, has been discovered targeting iPhones and iPads.

iPhones and iPads are infected when the device is connected over USB to a Mac on which an infected OS X app has been downloaded and installed. The source of the infection is reported to be third-party OS X apps from the Maiyadi App Store in China, and for the time being most reports of infection are located in China. Apple devices are at risk whether or not they have been jailbroken.

Palo Alto Networks researcher Claud Xiao has said this "heralds a new era in malware attacking Apple's desktop and mobile platform" and is "the biggest in scale we have ever seen."

The larger the Apple market share, the more attractive Apple becomes as a target for cyber criminals.

Palo Alto Networks says the WireLurker-infected apps have been downloaded over 356,000 times to OS X computers; how many of those computers have then been connected via USB to an iPhone or iPad is unclear. Once a device is infected, the malware is capable of stealing "a variety of information" from it.

The recommendation is the same for iOS or Android, don't download from third-party app stores.

If nothing else, this malware is a proof of concept for malware / virus developers that Apple devices are not impenetrable.


Operation Pawn Storm - Social Engineering Leaves Everyone Vulnerable to Cyber Attacks

  • Published in Security

If you've ever felt angry, irritated or upset at yourself for falling for some cleverly worded email and clicking on the attachment thereby infecting your computer or your company's network with something awful, you're not alone!

The point of social engineering is both to get around standard network security setups and to dupe individuals at all levels into opening that email attachment or entering their credentials into that look-alike site.

Operation Pawn Storm is a study by Trend Micro into "economic and political espionage attacks instigated by a group of threat actors primarily targeting military, embassy, and defense contractor personnel from the United States and its allies."  Looking at the list of targets it's clear that these are organizations with heightened security concerns, the ones most of us would imagine are well equipped to fend off cyber-attacks, but the reality is they are just as susceptible to a cleverly worded email as the rest of us.  And no amount of money put into network infrastructure can fully mitigate human error.

Included in the study as targets are ACADEMI - defense contractor formerly known as Blackwater, SAIC, the Organization for Security and Co-operation in Europe, the Ministry of Defense in France, broadcasting companies, Ministry of Defense in Hungary, Polish government employees, United States Department of State and the Vatican Embassy in Iraq.

So how were these individuals tricked?  The simple answer is: the exact same way the attackers trick everyone else.  Spear-phishing schemes, carefully worded emails, and slightly altered or redirected domains.

Examples from Trend Micro's report:

The Ministry of Defense in Hungary was tricked using an upcoming Exhibition / Conference.  The attackers purchased a domain similar to the actual conference and created a similar website then sent out targeted emails to those who could be expected to attend from Hungary.

  • Real conference domain - eurosatory.com
  • Malicious conference domain - eursatory2014.com

Similar to the Hungarian Defense Ministry, SAIC was the target of a spoofed conference website.  In this case it was for the "Future Forces 2014" conference and the intent was to trick email recipients into providing their webmail credentials.

  • Real conference domain - natoexhibition.org
  • Malicious conference domain - natoexhibitionff14.com
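Both lure domains above differ from the real ones in a predictable way: a dropped letter, or the real name with a year or event tag appended. The following Python check, added here as an example and not code from this post or from Trend Micro's report, flags such lookalikes against a list of domains you expect your staff to visit. The two real/lure pairs are the ones quoted above; the extra candidates, the two-edit threshold and the tiny public-suffix table are constructed assumptions for illustration.

```python
"""
Added example: flag domains that impersonate a known-good conference or
vendor domain, as in the Pawn Storm lures quoted above.
"""
from __future__ import annotations

import re
from itertools import product

# Real conference domains quoted in the post.
LEGIT = ["eurosatory.com", "natoexhibition.org"]

# Pawn Storm lures quoted in the post, plus constructed benign and lookalike names.
CANDIDATES = [
    "eursatory2014.com",        # from the post: dropped letter + year
    "natoexhibitionff14.com",   # from the post: real name + event tag
    "eurosatory.com",           # the real site itself, must not be flagged
    "example.org",              # constructed: unrelated
    "natoexhibltion.org",       # constructed: 'i' replaced by 'l'
    "eurosatory.net",           # constructed: real name, different TLD
]

# Assumption: a minimal stand-in for the public suffix list.
MULTI_PART_TLDS = {"co.uk", "com.au", "org.uk"}


def registrable_parts(domain: str) -> tuple[str, str]:
    """Split 'www.foo.co.uk' into ('foo', 'co.uk')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_TLDS:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_decoration(label: str) -> str:
    """Drop trailing digits (2014, 14) that lures append to a real name."""
    return re.sub(r"[-_]*\d+$", "", label)


def lookalike_reason(candidate: str, legit: str) -> str | None:
    """Return why `candidate` impersonates `legit`, or None if it does not."""
    c_label, c_tld = registrable_parts(candidate)
    l_label, l_tld = registrable_parts(legit)
    if (c_label, c_tld) == (l_label, l_tld):
        return None  # it is the legitimate domain itself
    core = strip_decoration(c_label)
    if core == l_label:
        if c_tld != l_tld:
            return f"same name under .{c_tld} instead of .{l_tld}"
        return f"real name with trailing digits ({c_label!r})"
    if core.startswith(l_label):
        tag = core[len(l_label):] + c_label[len(core):]
        return f"real name with appended tag {tag!r}"
    d = edit_distance(core, l_label)
    # One or two edits in a name this long is a classic typo/homoglyph squat;
    # the threshold is an assumption, tune it against your own false positives.
    if d <= 2 and len(l_label) >= 6:
        return f"{d} edit(s) from {l_label!r}"
    return None


def scan(candidates, legit_domains=LEGIT) -> dict[str, str]:
    """Map each flagged candidate to the reason it was flagged."""
    hits: dict[str, str] = {}
    for cand, legit in product(candidates, legit_domains):
        reason = lookalike_reason(cand, legit)
        if reason:
            hits[cand] = f"impersonates {legit}: {reason}"
    return hits


if __name__ == "__main__":
    for dom, why in scan(CANDIDATES).items():
        print(f"{dom:26} {why}")
```

Feed it newly registered domains or certificate-transparency log entries rather than your mail logs alone: the Pawn Storm lure sites were registered before the emails went out, so the domain is the earliest indicator you get.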

Additionally, the attackers use malicious attachments to install malware on unsuspecting victims' computers.  This is exactly what they do to users outside high-security industries, only in these cases the attachments are tailored to the intended victim to get them to open them.

Whereas many people receive and unfortunately open attachments that say "Undeliverable USPS Parcel Shipping Details", those who work for more security-conscious organizations are targeted with documents they won't suspect of being malicious:

  • A military official in Pakistan received a Word document claiming to relate to the Homeland Security Summit in the Middle East.
  • Polish government employees received a document related to the shooting down of flight MH17 over Ukraine.
  • Military officials in multiple countries received an Excel attachment posing as a list of journalists accredited at the APEC Summit 2013.
  • The Vatican Embassy in Iraq received a Word document claiming to be about a bombing the day before.

From Operation Pawn Storm - A Trend Micro Research Paper

It's not a USPS package that couldn't be delivered; it's specific, relevant information for the targeted recipient.

From these examples you can see how social engineering works across the board, and how adept cyber criminals have become at precisely targeting their victims to get the desired information or result from the attack.


The New And Improved CryptoWall 2.0

  • Published in Backups

Albeit improved in all the wrong ways.  

CryptoWall 2.0 is ransomware that falls into the same category as CryptoLocker, CryptorBit, TorrentLocker, the original CryptoWall, etc.  As one would expect with anything labeled 2.0 there have been improvements made to the original CryptoWall, in this case making it all the more insidious.

The original CryptoWall has made plenty of trouble for network administrators, encrypting local data and any data found on network shares.  Network admins had found a few ways to recover files without paying the ransom, including running data-recovery tools to retrieve the original unencrypted files that CryptoWall had deleted but not securely wiped.  However, with CryptoWall 2.0 the malware developers have made changes to make things harder on their victims.

(It's terrible, calling them developers as it almost gives them professional legitimacy. Admittedly they do consider this their job and as I've discussed before it is a very profitable endeavor.)

Changes in CryptoWall 2.0 include a unique wallet ID for each victim to send ransom payments to, use of a Tor gateway, secure deletion of the original (now encrypted) files, and a pretty handy FAQ / set of instructions that covers both what has happened to your computer and how to "fix" the problem.  Interestingly, the instructions make it sound like these guys are here to help and not like they are the ones who caused the problem in the first place.

Bleeping Computer has published a screenshot of the instructions; see their full article on CryptoWall 2.0.

The recommended option for businesses is always a true enterprise backup, one that retains multiple versions of the backed-up material.  For many this has meant that, yes, last night's backup is just a backup of the encrypted files, but the version from three nights ago is unencrypted.  Since CryptoWall encrypts any share the infected machine can write to, those backup copies must be kept somewhere the workstation cannot reach.


Contact us

Phone: (775) 852-1811

Toll Free: (866) 511-1331

Fax: (775) 852-1844

Email: info@tsis.net

Physical Address:

800 South Meadows Parkway

Suite 600

Reno, NV 89521
