Tech support scammers have come up with a new way to trick users into sharing their payment card information: screen lockers showing fake Windows alerts telling users that their Windows copy has expired or has been corrupted.
This scheme actually prevents users from using their computers until they call the provided toll-free “tech support” phone number and provide their payment info.
According to Malwarebytes researcher Jérôme Segura, the Windows locker is delivered to unsuspecting users bundled with other (potentially unwanted) software or posing as an update for a legitimate, popular application.
Once installed, the locker waits for the moment when users restart their computer, and then springs into action. It first shows a fake “Updating…” screen, and then the fake alert, which temporarily disables the computer.
“We called the number (1-844-872-8686) provided on the locked screen and after much back and forth, the technician revealed a hidden functionality to this locker. There is a built-in installer for TeamViewer which can be launched by a combination of the Ctrl+Shift+T keys,” says Segura. “However, the rogue ‘Microsoft technician’ would not proceed any further until we paid the $250 fee to unlock the computer, which we weren’t going to.”
Nobody should be forced to pay these scammers to regain control of their computer, and there is apparently a way to disable the locker: just hit Ctrl+Shift+S. Cleaning the malware off the machine should be next.
There has been an uptick in tech support scams with the same approach and similar graphics, so it’s good to be aware of this.
“This increased sophistication means that people can no longer simply rely on common sense or avoid the typical cold calls from ‘Microsoft’. Now they need to also have their machines protected from these attacks because scammers have already started manufacturing malware tailored for what is essentially plain and simple extortion over the phone,” Segura concludes.