ISP customer data breach could turn into supercharged tech support scams

As Naked Security readers will be aware, tech support fraudsters have recently taken a real shine to customers of TalkTalk, a British internet service provider.

As many attest, they just won’t leave TalkTalk customers alone, cold-calling them on a scale the BBC recently described as “industrial”. Needless to say, this is not good.

The phone spiel always unfolds in the same way. The caller claims to be a TalkTalk engineer and to have detected a router or malware issue on the user’s computer that requires immediate intervention.

The customer is persuaded to turn on their computer and run the Windows Event Viewer to perform bogus diagnostics before being asked to install one of a range of remote desktop support tools.

This type of application gives the scammers complete remote control over the victim’s PC, at which point they are free to steal data, install malware and, in some cases, engineer the user into logging into online banking or transferring money.

A popular choice with the fraudsters since at least 2015 has been TeamViewer, so much so that on March 8, TalkTalk abruptly started blocking the application from functioning on its network in a desperate effort to stem a tide of abuse customers had started complaining about.

TeamViewer’s block was removed on Thursday after complaints by the company, but that didn’t stop TalkTalk from quietly blocking equivalents such as AnyDesk, whose users started noticing unexpected connection issues around the same time.

Tech support fraud, or “vishing”, has been around for years, so is there much new to be worried about here?

The unsettling aspect of the TalkTalk attacks is that the fraudsters allegedly accessed stolen data, which means they immediately sounded more convincing to their victims. If confirmed, this means that fraudsters have been able to synthesise old-fashioned tech support social engineering with data breach cybercrime to create something novel and perhaps unstoppable.

It also seems to be easy to abuse remote support applications, which have flourished on the back of untraceable freemium accounts. It’s not clear how these companies detect misuse but clearly more needs to be done. In other cases, genuine accounts have also been hijacked to execute remote fraud.

Clearly, nobody should hand over a full password or bank details, or agree to transfer money, on the basis of a cold call, but the fact that people are still doing this suggests the message is not being heard.

The traditional advice for dealing with cold calls runs as follows:

  • Hang up and dial that company’s advertised number to check its authenticity.
  • Never respond to a web pop-up asking you to call a number or visit a website.
  • Never install a remote support application on the basis of a cold call.
  • Report all tech support cold calls to Action Fraud, where they stand a chance of becoming useful intelligence.
  • TalkTalk offers a way for customers to report fraud directly.

Rejecting all cold calls would be a simpler option, but that might be hard to keep to, as occasionally companies do need to call their customers out of the blue, often, ironically, because they’ve detected fraud.

This is a bit of a mess. Cold calling, once a useful marketing tool for industries keen to make use of their databases, has been turned against them. Companies could introduce better authentication but this wouldn’t easily defend against fraudsters armed with personal data from a breach.

We urgently need to know more about what has happened at TalkTalk because this could be the tech support scam on steroids, a poisoning of the well that has done long-term damage to the whole concept of helping people down a phone line. It would be a shame if this marks the moment a once-useful facility started to wither for good.