FacebookTwitterLinkedIn

Screen Locking Tech Support Scams

Karolis Liucveikis Written by on

It’s too bad most people don’t use Ubuntu. While your mom would not understand it, maybe your sister would. Because Windows has too many security vulnerabilities. It also has more viruses, because it has more users, so it is a bigger target. Yet the weakest part of any system, Windows or not, remains people. People is how this exploit we describe here works.

Hackers Exploit Fear
Hackers have found a new way to prey on people. It’s mainly delivered via phishing attacks. And like most phishing attacks it’s based on fear, greed, lust, curiosity, and people’s lack of understanding of how computers really work.

Hackers have been planting malware that prompts people to call fake technical support sites. It does this by, for example, popping up fake messages that say their version of Windows is expired, such as 'Windows Activation Pro scam' or 'Your Software Copy is expired scam'. Different versions of this lock the screen too.

In the worst possible version, this malware infects the boot sector of their PC. That means they cannot start up their system in repair mode to try to fix this problem themselves, which would be one way around that. This is because the boot sector, meaning that disk partition marked as bootable, determines which operating system to load. This type of hack loads the hacker’s own operating system, which is scaled down version of Linux or whatever it takes to get the computer started enough to display these locked messages. So it runs before Windows thus blocking Windows from running.

The average person sees this error message and freaks out because they do not know what to do. So they are tricked into calling the technical support number shown on the screen.  

Someone who knows about computers would know this message is invalid, since Windows does not expire, and would simply wipe their disk and reinstall the OS.

Technical Support, Technical Scam
People who have been trapped this way phone up the technical support number where trained criminals walk the user through the process of unlocking their PC. These people pretend to be official Microsoft customer support. But first they won’t do anything until the victim agrees to pay some fee, typically $250. Or they are prodded to purchase a technical support plan.

tech support scams

Malwarebytes reports that the malware often installs remote control software, like TeamViewer. This purportedly lets the technician look around and solve the problem. But it also lets them copy documents, including those where the user has recorded their bank account details and passwords to other systems.

Social Engineering
The other way that people get tricked into this is when technical support people call them, telling them that their computer is hacked and offering to fix it. There have been media reports about this, but is does not seem too likely to work. Because criminals would have to spend a lot of time on the phone before they found someone who would fall for that. Spam lets them reach far more people with much less effort.  

Keyboard Shortcut
This guy on Twitter discovered a keyboard shortcut that would let you unlock the locked screen for some versions of this malware. It’s (-ctrl-)(-shift-)(-s-). The Malwarebytes article also shows some product keys that have been used before, so they might work again.

Other Worrisome Messages
Hackers are not just frightening people with screen locks, they also trick people into downloading fake antivirus. That pops up a message saying that their system has been infected and they need to call a number shown on the screen to fix that.

How to Prevent all of This
If you are a computer person then you should offer to train all of your relatives and friends in computer security. Probably half of them already have viruses on their computer and do not know it. Teach them about antivirus and show them where they can get a legitimate product and not to download a fake one. Then explain to them that hackers are using spam email to send them links to infect their computer. So teach them to not click on those. Tell them that Windows does not expire. Tell them that most messages that pop up on their PC can be ignored. Except show them that they should not click through the one that says an SSL certificate is invalid, as hackers cannot fake an SSL certificate to a domain that belongs to someone else. Tell them to keep their data in the cloud and not on their PC. Then when their computer gets locked, they can just get someone to erase it and reinstall Windows. If they do not know how to do that then they can carry their PC to a PC support company who can do that for them.

Needless to say if you have a business then you need to give your employees security awareness training too.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog