Threat Awareness – Tech Support Scams Pushing PowerShell for Pilfering

Author: Jennifer Walker

Created: Tuesday, July 2, 2024 - 17:47

Categories: Cybersecurity, Security Preparedness

Tech support scams are nothing new. According to the FBI Internet Crime Complaint Center’s 2023 Internet Crime Report, tech and customer support impersonation scams were the third costliest type of cyber crime, with 37,560 complaints totaling $924,512,658 in losses, a 15% increase over 2022. While tech support scams have notably targeted older adults over the past year, recently observed activity suggests a widening scope, with scams being promoted through compromised YouTube channels.

According to eSentire’s Threat Response Unit (TRU), threat actors are creating fake videos that promote fixes to frustrated Windows users seeking solutions for various Windows Update error codes, specifically the 0x80070643 error that millions of Windows users have been dealing with since January. Many of the fake sites/videos, such as pchelprwizzards[dot]com and fixedguides[dot]com, provide “solutions” that require the user either to copy and run a PowerShell script or to import the contents of a Windows Registry file. Regardless of which “solution” is used, a PowerShell script is executed that downloads information-stealing malware onto the device.

Whether your utility allows YouTube in your corporate environment or not, consider sharing this recent tactic with end users to help them protect their personal devices. Members are encouraged to share the following lessons learned (excerpted from eSentire) with staff:

  • The involvement of a YouTube video with bot-generated likes and comments promoting the malicious site demonstrates the extent to which attackers integrate multiple platforms to create a convincing scam environment.
  • The use of PowerShell, a legitimate and powerful tool in Windows environments, underscores the importance of monitoring and controlling administrative tools within an organization to prevent misuse by attackers.
  • The attackers exploited common user problems, such as Windows Update errors, to lure users to a fake IT support website. This highlights the effectiveness of social engineering tactics and the need for users to be cautious about the authenticity of the solutions they find online.
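One way to act on the registry-file vector described above is to triage a .reg file before anyone imports it, flagging values that launch PowerShell, including commands stored as hex-encoded REG_EXPAND_SZ or REG_MULTI_SZ data. This is an added example, not code from WaterISAC or eSentire; the key name, value names and commands in SAMPLE are constructed for illustration.

```python
import re

# Any reference to the Windows PowerShell or PowerShell 7 executable.
SUSPECT = re.compile(r"\b(powershell|pwsh)\b", re.IGNORECASE)
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "name"=data or @=data

def decode_data(raw):
    """Return the text a .reg value carries, or None for non-text types."""
    if raw.startswith('"'):                 # REG_SZ: quoted, \\ and \" escapes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex\((2|7)\):(.*)$", raw, re.IGNORECASE)
    if m:                                   # REG_EXPAND_SZ / REG_MULTI_SZ bytes
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return data.decode("utf-16-le", "replace").replace("\x00", " ").strip()
    return None                             # dword, binary, deletions, etc.

def scan_reg(text):
    """Return (key, value_name, decoded_data) for values that invoke PowerShell.
    `text` is the already-decoded file; regedit exports are usually UTF-16LE."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)   # join hex continuation lines
    key, hits = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if not m:
            continue
        data = decode_data(m.group(2).strip())
        if data and SUSPECT.search(data):
            hits.append((key, m.group(1).strip('"'), data))
    return hits

# Constructed sample: harmless commands under a made-up key, one of them hex-encoded.
CMD = 'powershell.exe -NoProfile -Command "Write-Output constructed-sample"'
_h = ",".join(f"{b:02x}" for b in (CMD + "\0").encode("utf-16-le"))
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleFix]\r\n"
    '"Theme"="C:\\\\Windows\\\\Resources\\\\aero.theme"\r\n'
    '"Plain"="cmd /c PowerShell -File \\"C:\\\\Temp\\\\fix.ps1\\""\r\n'
    f'"Hidden"=hex(2):{_h[:30]}\\\r\n  {_h[30:]}\r\n'
    '"Count"=dword:00000001\r\n'
)

if __name__ == "__main__":
    for hit in scan_reg(SAMPLE):
        print(hit)
```

A plain-text search of the file for "powershell" would find only the "Plain" value; the "Hidden" value is visible only after the hex data is decoded.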

Finally, to further help protect against information-stealing malware, security analysts and sysadmins are encouraged to check out Understanding and Protecting Against Infostealer Malware: A Comprehensive Guide from Flashpoint.

Additional Resources

  • Fake IT Support Website Leading to Vidar Infection | eSentire
  • Fake IT support sites push malicious PowerShell scripts as Windows fixes | BleepingComputer
  • Increase in Tech Support Scams Targeting Older Adults and Directing Victims to Send Cash through Shipping Companies | FBI Public Service Announcement
  • “Phantom Hacker” Scams Target Senior Citizens and Result in Victims Losing their Life Savings | FBI Public Service Announcement
