07
May 20

Tech Support Scam Uses Child Porn Warning

A new email scam is making the rounds, warning recipients that someone using their Internet address has been caught viewing child pornography. The message claims to have been sent from Microsoft Support, and says the recipient’s Windows license will be suspended unless they call an “MS Support” number to reinstate the license, but the number goes to a phony tech support scam that tries to trick callers into giving fraudsters direct access to their PCs.

The fraudulent message tries to seem more official by listing what are supposed to be the recipient’s IP address and MAC address. The latter term stands for “Media Access Control” and refers to a unique identifier assigned to a computer’s network interface.

However, this address is not visible to others outside of the user’s local network, and in any case the MAC address listed in the scam email is not even a full MAC address, which normally includes six groups of two alphanumeric characters separated by a colon. Also, the IP address cited in the email does not appear to have anything to do with the actual Internet address of the recipient.

Not that either of these details will be obvious to many people who receive this spam email, which states:

“We have found instances of child pornography accessed from your IP address & MAC Address.
IP Address: 206.19.86.255
MAC Address : A0:95:6D:C7

This is violation of Information Technology Act of 1996. For now we are Cancelling your Windows License, which means stopping all windows activities & updates on your computer.

If this was not You and would like to Reinstate the Windows License, Please call MS Support Team at 1-844-286-1916 for further help.

Microsoft Support
1 844 286 1916”
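The tells described above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it extracts the "evidence" the message cites and flags a MAC address that is cited at all, a MAC with fewer than six groups, an IP address that differs from the recipient's real one, and a call-back number. The recipient address `203.0.113.7` and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Excerpt of the scam message quoted in the article above.
SCAM_BODY = """\
IP Address: 206.19.86.255
MAC Address : A0:95:6D:C7

If this was not You and would like to Reinstate the Windows License, Please call MS Support Team at 1-844-286-1916 for further help.

Microsoft Support
1 844 286 1916
"""

# Assumption: the recipient's real public address (RFC 5737 documentation range).
RECIPIENT_PUBLIC_IP = "203.0.113.7"

IP_RE = re.compile(r"IP Address\s*:\s*([0-9A-Fa-f:.]+)", re.I)
MAC_RE = re.compile(r"MAC Address\s*:\s*([0-9A-Fa-f:.\-]+)", re.I)
PHONE_RE = re.compile(r"\b1[-\s]8\d{2}[-\s]\d{3}[-\s]\d{4}\b")


def extract_claims(body):
    """Pull out the IP, MAC and call-back numbers the message cites."""
    ip = IP_RE.search(body)
    mac = MAC_RE.search(body)
    phones = []
    for raw in PHONE_RE.findall(body):
        digits = re.sub(r"\D", "", raw)  # normalise "1-844-..." and "1 844 ..."
        if digits not in phones:
            phones.append(digits)
    return {
        "ip": ip.group(1).rstrip(".") if ip else None,
        "mac": mac.group(1).rstrip(".") if mac else None,
        "phones": phones,
    }


def mac_octet_count(mac):
    """Number of two-hex-digit groups; 0 if any group is malformed."""
    groups = re.split(r"[:\-]", mac)
    if all(re.fullmatch(r"[0-9A-Fa-f]{2}", g) for g in groups):
        return len(groups)
    return 0


def triage(body, recipient_public_ip):
    """Return a list of red-flag codes for one message body."""
    actual = ipaddress.ip_address(recipient_public_ip)
    claims = extract_claims(body)
    findings = []
    if claims["mac"] is not None:
        # Per the article, a MAC address is not visible outside the local
        # network, so a remote sender citing one is itself a tell.
        findings.append("mac_cited")
        if mac_octet_count(claims["mac"]) != 6:
            findings.append("mac_truncated")
    if claims["ip"] is not None:
        try:
            if ipaddress.ip_address(claims["ip"]) != actual:
                findings.append("ip_mismatch")
        except ValueError:
            findings.append("ip_malformed")
    if claims["phones"]:
        findings.append("callback_number")
    return findings


if __name__ == "__main__":
    print(extract_claims(SCAM_BODY))
    print(triage(SCAM_BODY, RECIPIENT_PUBLIC_IP))
```
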

KrebsOnSecurity called the toll-free number in the email and was connected after a short hold to a man who claimed to be from MS Support. Immediately, he wanted me to type a specific Web address into my browser so he could take remote control over my computer. I was going to play along for a while but for some reason our call was terminated abruptly after several minutes.

These kinds of support scams are a dime a dozen, unfortunately. They prey mainly on elderly and unsophisticated Internet users, walking the frightened caller through a series of steps that allow the fraudsters to take complete, remote control over the system. Once inside the target’s PC, the scammer invariably finds all kinds of imaginary problems that need fixing, at which point the caller is asked for a credit card number or some form of payment and charged an exorbitant fee for some dubious service or software.

What seems new about this scam is the child porn angle, which I’m sure will worry quite a few recipients. I say this because over the past few weeks, someone has massively started sending the same type of sextortion emails that first began in earnest in the summer of 2018, and incredibly over the past few days I’ve received almost a dozen emails from readers wondering if they should be concerned or if they should pay the extortion demand.

Here’s a hard and fast rule: Never respond to spam, and certainly not to any email that threatens some negative consequence unless you respond. Doing otherwise only invites more spammy and scammy emails. On the other hand, I fully support the idea of tying up this scammer’s toll-free number with time-wasting calls.

83 comments

  1. “This is violation of Information Technology Act of 1996. For now we are Cancelling your Windows License, which means stopping all windows activities & updates on your computer.”

    Maybe the last part of that threat wouldn’t be such a bad thing considering the problems that I have had over the past year with Microsoft’s updates (e.g. losing the ability to print).

  2. obfuscatepleas

    It’s amazing to me that anyone who reads a security blog would take this email seriously.
    Wouldn’t a Who Is lookup of the IP and the incomplete mac very quickly make it clear that it is spam?
    Obviously the number of emails you received necessitated a post but it is very troubling that those emails were sent to you in the first place.

    • I think it’s more to keep everyone informed as we’re the ambassadors for security that can help spread the message of this latest tactic. I’ve actually received it and promptly ignored it, but seeing this made me think we have an obligation to educate the public at large that may not be as savvy as us “professionals”.

      • Thanks Ed for your feeling we need to educate the public because I came home to see my husband in a tizzy because of the child porn comments they were making and he did call them at the number they gave but thank heavens he said I need to talk to my wife about this before I do anything. It’s easy to prey on people who do not have much knowledge regarding scams, and even tho I feel I have more knowledge than the average person I was taken by a scam once and had to have my computer totally wiped out! Please contact your local network provider or a person who knows something about computers and the current scams running out there before you do anything.

    • Brian has a lot of readers who are not that technical. Many times, users are so unsophisticated at computer technology, that a friend or family member sends them a Krebs article to read, and they start to think of Brian as someone to ask advice.

      • Right, it has only been 40 years since the intro of the IBM PC. No one should be in a hurry to learn about computers, after all they have only been around for a generation or so.

        • Cars have been around for a century or so. The vast majority of people don’t know more about how they work under the hood than to take them to the mechanic when certain lamps in the dashboard light up.

          But people don’t have to know how cars actually work to use them. The same is true for computers.

        • Weird excuse. Especially since the younger generation, who may have only a few years of experience with computers, can run circles around older folk with decades of experience.

          It isn’t intuitive. But computers aren’t something that gives you inherent knowledge from sitting around.
          If a computer sits in a data center in California, does it make everyone in Florida smarter even when they aren’t connected to it?

          • The young kids may know how to use the “lowest common denominator” interfaces created for them, but they can’t handle the ugly old actual protocols which still underlie most of what is in use.

            • Maybe, but in security… what are these fraudsters using exactly? Not trying to exploit the tcp/ip stack or some other old school protocol that old timers cut their teeth on.

              They are exploiting weakness in new trust systems and applications. If you watch these guys scamming… they are exploiting users by pointing at Windows processes that look confusing, and they convince them it’s malware.

              But guess what, those executables are new to Windows 10, and someone who knew every process, service and open port for Windows 3.1 through Windows XP and Windows 7 even…. won’t know a damn thing about what is supposed to be running in the background.

              So it doesn’t matter how long ago an “IBM PC” was available… or even if a user is experienced. The whole point of these scams, is that they evolve just as fast as the technology. And even us savvy techs have to keep up. The average user doesn’t stand a chance, unless they are vigilant to the point of paranoia.

              And as pointed out above…. the whole point of personal computers is to democratize it so that users don’t need to have any technical ability to use them. That leaves a LOT of room for scammers to fool them. That’ll be true even after computers have been around for centuries.

          • Brian Fiori (AKA The Dean)

            It isn’t an “excuse” it’s THE TRUTH.

            Many, if not most, people use their computer simply for email and surfing the net. They have ZERO computer training.

            The adoption of the cyber world has happened faster than just about any other world-changing technology. To think people, thrust into the middle of this new technology should be held responsible for being abused by miscreants, is one of the most arrogant and irresponsible comments I hear. Unfortunately I hear it almost exclusively from younger users, born into the technology and supposed people expert in IT.

            Computers, tablets and smart phones come, for the most part, with no real user manual. It’s easy to sign into something, but where are the HUGE WARNINGS about how not to get scammed, once you sign up? They are conspicuously missing. There are instant popups/”tours” to get you using the specific site/technology ASAP, but nary a word about how to stay safe.

            I’m an older IT guy. And it sickens me to find other IT people using this kind of nonsense logic. All it does is support the SCUM who abuse it.

            Shame on you!!

            • Is this a reply to me or Lefty?

              • Brian Fiori (AKA The Dean)

                You can’t tell?

                Why is it that companies with IT departments get owned by scammers? They surely have the knowledge and training necessary to avoid the pitfalls. no?

                Blaming the victim is always the worst place to start. If the victim has a special responsibility to others, then some of the blame should find its way to them, as well. But the major blame always should go to the perpetrators.

                Blaming innocent individuals for their ignorance is a disgusting look, IMO.

              • Brian Fiori (AKA The Dean)

                Yes, Joe, it was to Lefty.

                Sorry for the confusion.

            • +1

              [my very first comment here, keep up the good work Krebs o/]

        • Joseph Dougherty

          This is not fair. I could scam most car owners, most homeowners, most people on a commercial ISP because they don’t have any reason to become expert enough to identify lies and doubletalk. It is an obligation for people with “skillz” to provide some help and sanity to those without.

          • Joseph Dougherty

            Adding: No need to provide a lot of free service; just be a calm voice when people reach out. Don’t patronize, don’t criticize. Offer some information and context, and reassure them that they are not actually at risk unless they believe random crap. I get maybe 20 texts, calls, or emails per week about stuff like this from people who will never be (and shouldn’t be) clients; a bit of patience and help does not cost me anything but a little time.

            And always, always, assure them that they are not “stupid about computers.” Because they are not.

      • I’m one of the non-IT people who reads KrebsOnSecurity. Yes, there’s a lot I don’t understand in the comments, but I have learned so much from Brian and all of you.
        For me, Brian’s articles always have a clear message: Be careful.

  3. A little surprising that this scam would resurface after so much exposure the second and third times it made the rounds but it goes to show how short peoples’ memories can be.

    I suspect that there is some background checking being done whenever someone calls to respond to the scam. It’s too easy to do nowadays, even when it comes to getting customer records, no matter what they say, and it’s a very good way to avoid getting caught.

  4. Brian,

    Come on, you know better than that – a MAC address isn’t alphanumeric, it’s six pairs of hexadecimal numbers (so you don’t ever get xy:gh:1k:…..)

    • Mark, I do know better. What I wrote is not wrong, it’s just maybe not as precise as most uber geeks would like. I understand that. But you can see from the content of this post who is the intended audience here, and you can see from the follow-up comments to your comment how the interminable debate over the proper techno-jargon really does tend to alienate those readers.

      • *** standing ovation ***

      • ** STANDING O INDEED **

        Well said as usual, Cyberhero Krebs…

        How you gonna come on Cyberhero Krebs’ site and nitpick the man’s award-winning journalism??

        Who gives a rat’s tutu if it’s freakin pairs of duocentehexaquinquagesimal digits – the point is there are supposed to be 6 of ’em…

        Thanks for this whopper of a thread your article generated, Cyberhero Krebs (I might just go ahead and shorten your title to CK or maybe CBK from here on out in the name of brevity LOL)… I was originally too tired to chip in but upon seeing you get called out I’m afraid I had but no choice but to second that standing ovation…

        Keep up the ne’r-do-well hunt CBK

  5. … over the past few weeks, someone has massively started sending the same type of sextortion emails that first began in earnest in the summer of 2018, and incredibly over the past few days I’ve received almost a dozen emails from readers wondering if they should be concerned or if they should pay the extortion demand.

    This amazes me. What is the situation?
    1) People have a guilty conscience about what they have been doing whilst watching porn – presumably with their webcam un-shuttered (are there really that many who do this?)
    2) People are worried that there is sufficient online details of their facial movements that they fear there could be a deep-fake video of their faces and someone else’s body “performing”. Is Zoom (and its like) really that leaky?
    3) People can just be terrified by empty threats.

  6. “it’s 6 hexadecimal number.”

    No, it’s a 12-bit number, that can be represented any number of ways.

  7. If you are getting more than one or two spam emails a week, you have the wrong email service. I may get one phishing email and maybe two spam a week in my JUNK mail folder. I NEVER get any spam in my inbox.

    Of course I don’t give away my email address to just any Tom, Dick, or Harry either. For that I use junk mail addresses that don’t bother me. Amazingly my most used give away email address, only gets maybe 10 or so spams a month; so that one isn’t too bad either!

  8. Bruce Griffin

    A MAC address is six BYTES of information, usually displayed in Hexadecimal as colon separated byte values.

  9. The Sunshine State

    Child porn that’s a real taboo subject matter that would scare a lot of people into calling

    I am talking to a woman from India right now from that 1-844 number. My name is “Mike Hunt” and the woman just said it LOL

    • DelilahTheSober

      One of my side email addresses has the name Mike Hunt somewhere in it. In case anyone is confused, say the two words out loud (just make sure you’re alone in the room when you say the name Mike Hunt)

      Here’s how I met Mike Hunt.

      Several years ago, someone in elected office in the City of Los Angeles fell for the Mike Hunt gag during a City Council meeting, after someone named Mike Hunt signed up to speak during the time set aside for the public to address the council. This politician repeated the name several times “Is Mike Hunt here?” before he realized he’d just been punked, but he thought it was so hilarious that later on, he went on a local radio talk show and joked about it.

  10. Are there really any safe email services? I did look at the IP address they were giving my husband and it was nowhere near the IP address that we have, nor was the MAC. But regardless I appreciated the comments here and the knowledge I gained from reading your comments. As I say you are never too old to learn!

    Thanks everyone

    • Outlook web based free email is about as safe as you can get; and I’ve never seen this particular type of email in my junk folder, but then it is a JUNK folder, so why would anyone pay attention to it anyway? I have received some convincing phishing emails, very rarely in my junk folder, but I send them to the proper reporting address for each organization including Outlook[dot] so they can combat this kind of misinformation.

      • What you meant to say was Protonmail is the most secure.

        • I didn’t realize the basic version was free; or I might have used it as a first example. I’m used to working with indigent clients, so I always recommend free solutions whenever possible. ProtonVPN might even be better?

        • It depends on what you mean by “secure”.

          End to End Encryption, yes. But spam filtering, not so much. In fact, spam filtering based on message body text is impossible for Protonmail. Why? Because they secure the message from themselves, so they cannot perform in depth spam filtering.

          • Also I notice they developed it in Javascript and PHP; I wonder if it is really that safe because of that? Especially since the founder coder for PHP quit his post in security because of all the harassment of cleaning up the code for programmers.

            • I don’t mind the code base being in certain languages. The implementation is far more important. Proton seems to have a very robust implementation.

              • Seems like it would be a hassle filtering your own email. The question was what is safe? If a user that has limited IT knowledge is having to filter their own email, they might make a mistake. I don’t consider that safe for my clients. I try to point them toward products that make life easier for folks who are not IT professionals.

                • I don’t find Protonmail filters to be any more difficult than Outlook rules.

                  Safe is the question, but safe from whom? I’ve seen Gmail abuse their spam filtering to profile my Amazon purchases. Every so often they add a “feature” I don’t want and didn’t ask for.
                  I don’t get hardly any Spam with Protonmail, but probably because I use disposable addresses when I can.

                  • I hear you there! I’ve seen poor practices in Gmail and Yahoo! Consequently I relegated them to junk accounts.

    • Major email providers are going to be relatively safe.

      You should enable Two Factor Authentication (2FA) for your email accounts. And pretty much everything else.

      Brian has written a number of articles encouraging this practice.

      You can look for providers which support two factor auth [1]. In general, if your provider for a given service doesn’t offer 2FA, you should investigate alternatives that do. You can then either switch, or reach out to your provider and explain that you intend to switch because they aren’t offering 2FA and ask them about their plans.

      [1] https://twofactorauth.org/

  11. The Sunshine State

    Sending this article and 1-844 number to YouTube content creator “Kitboga”

  12. Were these people on the other end of the call American, or foreign?

  13. This isn’t new. NYT columnist Paul Krugman fell for it in January.

    • Paul Krugman is an intellectual nitwit. Just because he has a job at the New York Times, doesn’t disqualify him from being a complete moron. You can easily discern this from his columns.

      • Joseph Dougherty

        Not really. I’d feel perfectly confident giving Krugman IT advice, and would expect he’d listen, once he checked my credentials. He’s hardly a moron for being unsophisticated in my field; indeed, he’s frequently pointed out Dunning-Kruger like problems, where people assumed their expertise in one area made them expert elsewhere.

        This is actually useful to scammers and confidence artists; no mark is as easy as the one who assumes their expertise in one area transfers to others where they are novices (at best).

    • He was my college roommate and I can assure you he’s not a moron.

  14. Mikey Doesn't Like It

    I’m surprised that they can’t identify the issuer of that particular toll-free number and try to identify who actually bought it. Most likely some sort of shell/fake entity, but there may be a pattern that would enable them to identify “bad” numbers and block them.

    Anything that makes a dent in this insanity.

    • I really wish that was a transparent process and that I could understand it.
      Maybe Brian Krebs can go in depth.

      For me, registering toll free numbers appears like a black box. The same with how legitimate businesses spoof phone numbers. There seems to be a lot of trust that can be bought from the phone companies. As long as they get paid, they don’t seem to ask any questions.

  15. Robert Braun

    The child porn aspect has been circulating for at least 10 years; the system had you pay a fine to the FBI.

  16. To us it seems ludicrous that any one would fall for such obvious scammery. But to the scammers, having an obvious scam is an advantage. It is a natural filter, removing the skeptics, and leaving only those vulnerable to their entreaties. Some recent research has shown that some scammers deliberately use grammatical errors, spelling mistakes and implausible circumstances just to get responses only from those who would be keen to be exploited.

    • DelilahTheSober

      I once had a foreign-born neighbor in his early twenties reach out to me because his laptop got locked up with an FBI warning and demanding a payment, and he was actually coming to me because he thought I would know how or where he should go pay the fine to unlock his computer.

      I was able to get his computer working again and was glad that I got the chance to explain to him that this FBI warning and anything else like it was definitely a scam.

      It’s probably a personality and cultural background thing that makes some individuals more susceptible to believing that a scam is legitimate. This same individual told me later that he’d once connected with a woman on Facebook, and she asked him for money. It was the Western Union window clerk in that case who politely convinced him that this was a complete and total scam and he didn’t end up sending the money to that total stranger.

  17. I get several emails a week about purchases that I have made ‘are being processed’ by Amazon, or Apple, etc.
    A simple scroll of the mouse over the sender’s name in most cases shows the domain name where the message came from.
    99% of the time they are weird names, indicating newbies getting their hands wet at their nefarious trade.

    Lately, in the last 10 days or so, I’ve gotten some emails with a password I used about ten years ago in the subject line, with the well known tired old message from the criminal claiming to have a recording of me watching porn etc., and demanding a payment to be sent to a bitcoin address.
    These messages have been from the outlook.com and hotmail.com email domains. I’m forwarding these messages to the admins at abuse@(domain).com hoping that at minimum the scum will be inconvenienced with an email account shutdown.
    Don’t know if these admins are doing so..

  18. Did they say they found a “Zeus Trojan” on your PC?

  19. On the other hand, I fully support the idea of tying up this scammer’s toll-free number with time-wasting calls.

    Agreed. If I may, here is how I waste their time.

    Often these fraudsters will direct their victim to download a legit screen sharing or other remote access tool. They will direct you to the legit website for the download, and then walk you thru the install before proceeding to their nefarious act.

    I use an app that will temporarily redirect a URL in the hosts file to 127.0.0.1. The legit intent of this app is to keep you from going to those time wasting websites when you should be working, etc.

    When I get one of those calls and they direct me to the download site, I quickly block that site with that app. So as they are coaching me along, of course it doesn’t work, and generates error messages. I read those error messages to them, throwing in a lot of naive questions like “Oh, is this one of those problems you were telling me about?” So I get them trying to troubleshoot my computer so they can get on with their evil deeds. But they won’t be able to fix it, of course.

    Eventually they get frustrated and the brighter ones might actually figure out how they’ve been played, and then do they get MAD! They tell me they’re going to turn off my Windows, report me to Windows management (never Microsoft) and maybe law enforcement, etc.

    Oh, and I forget to mention to them that I am NOT running Windows and have NO Microsoft software on my computer.

    Great fun, when I have the time for it.

  20. “ I fully support the idea of tying up this scammer’s toll-free number with time-wasting calls.” Giddy-up !! And thanks for playing.

  21. Their scam emails would be more believable if they learned proper capitalization; they always give themselves away with capitalizing words that don’t need it.

  22. There’s a guy on YT who takes these calls and then somehow connects to *their* computer and deletes their files.

    • What’s the name of this YT guy you speak of?

      • His YT channel is ScammerRevolts. I saw this a few years ago and it looks like he’s still at it!

      • Do a yt search on “guy deletes phone scammer files”

        • I searched for it. I found long videos of guys claiming they deleted the scammer file, without either proving it or explaining how they could do it. Looks like a good way to make money with ad supported videos, but quite boring to watch.

          I am also wondering whether deleting files on scammer pc would be that big damage, as the one they do to their victims. For sure scammers don’t keep their picture memories or important documents on their pc. It’s not even their pc, but just company’s pc. Just do some reinstallation and they would be back on the road.

  23. It seems to me that Criminals Can be very creative!
    Creative and with Good imaginations.
    Let’s Wait what They Come Up with Next

  24. How hidden is a MAC address anyway? Mine gets a routine change with a MAC address changer…doesn’t change the hardware, just what it reports.
    Wondering because our online poker app, (America’s Card Room) knows our MAC. On an unchanged MAC it will run and connect fine. But do nothing else but change the MAC, and try to run it, it will not authenticate.
    Granted, this is not a browser app, but clearly it is retrieving the MAC address and transmitting it to check it against the MAC stored on its servers associated with my login.
    So, “…this address is not visible to others outside of the user’s local network…”, is that just for browsers?

    • This online poker app is probably trying to get something unique about your system to prevent some kind of “play against yourself” spoofing.
      MAC addresses aren’t the best way to do that, but I suppose it fits their purpose.

  25. Lol “we have compromising video of you pleasuring yourself”……I have a reasonable body, normal porn….sure, knock yourself out and post on pornhub. Who knows, I may get lucky 🙂

  26. One piece of educational feedback: the term ‘child porn’ has become less favored, because ‘porn’ involves people able to give consent, and underage victims are unable to do that. The term that has become preferred within circles of people trying to stop it is ‘child sex abuse’. I know that’s not the main point of this post, and I’m a huge fan of Brian and this site! Just wanted to share a little insight from a segment of the online safety community Brian and readers may be less familiar with. Keep up the great work, Brian!

  27. If you receive an email saying, “someone using their Internet address has been caught viewing child pornography,” there’s two simple ways to know it’s bogus. First, Microsoft never calls or contacts you concerning such matters. Two, if your computer is involved in such shenanigans, the police will physically show up at your door with a warrant for your arrest and will seize your computer. It doesn’t get any easier than this to figure it out.

  28. Many will fall prey to such calls.

  29. Avast Klantenserce Belgie

    thanks for sharing this, if anyone has any issue and query regarding this then go to Avast Klantenserce Belgie
    here you can get proper information and solution

  30. HP Klantenservice Belgie

    For any query and solution go to HP Klantenservice Belgie
    here you can get proper information and solution, even then you can just call them
