The dialog, sounding ominous, is using ignorance and fear to urge the user to “Act Fast” to avoid disaster. It is also a complete lie aimed at scamming you
Mistype “Twitter” or any popular URL into you browser and you might fall victim to scam-ware with an dialog box that looks like the one to the right. This screen shot is a dialog box that pops up upon being redirected to a domain name with a common miskeying of “twitter.” The landing page has a javascript that threw up this auto-opening dialog box that is intended to look like a system level warning. This is all a con game — and BTW: “con” stands for “confidence” because the whole scam is based on tricking people that they can trust the person scamming them with confidence.
This dialog box automatically opens on this page, and reopens after being closed. It contains text that is ripe with known psychological techniques that urge victims to take fast action and not look for outside help. Its wording is finely crafted to shuts down a person’s reasoning centers and on impulse.
The first is a warning of imminent warning of danger: Which is akin to a sailor in a bird’s nest yelling “VIRUSES HO!”
Back in the day when a warning would require immediate action to avoid crashing a ship on the rock, this was a good survival instinct: “Don’t think, thus do it” has saved countless lives. However, this assumes you know what to do in the case of an emergency. If you don’t, following the instructions of a trusted instructor could sometime land a plane safely — as in many a commercial airliner disaster movie. So, here is a manual that shows how these scams work which might help novice users avoid losing a lot of money for no other reason than not knowing any better.
Step 1 (Impulse Hack & Isolation)
In this case the dialog box is just a trick to urge immediate action. Scam artists know that using trigger words like “warning,” “risk,” “danger,” “private files exposed” and “stalker” will activate or deactivate certain centers of the brain. They want to shut down your reasoning, and act on impulse. A dangerous situation often requires not overthinking and to be in the moment. Another clue in the language in the use of the word “may” or “might.” This is important for reasons given later. If you see these last 2 words, in every instance I have seen, it is a guaranteed con game.
Even the dialog box’s name sounds official “system alert firewall message.” But if you look at the entire line, it is just the subdomain name for the domain (“web site” for laypeople) of “games-online365.”
Next, dismissing this javascript dialog box will just make it reopen — the javascript programmer wants to annoy a person and convince them that something is wrong with their system by re-opening the dialog box every time it is closed. If you try to leave the page, another javascript will ask for confirmation. These are all tricks that any basic javascript programmer can do, but doesn’t because most programmers understand that making their program twerk* annoys the user (like a paperclip popping up by interrupting their work) and is bad for UI for any program. So, they avoid twerking. But for a scam artist twerking is good. Twerking makes the user think there is a problem since usual behavior is for the computer to do what a person wants correctly, and when it is not behaving, that usually means there is a problem with the system or application. Twerking is used to build confidence that there is a real problem.
(“Twerking” is my word for when a program or device is behaving in a way that is annoying and not how a person expects it to react. I named it after all the outrage with a Miley Cyrus performance since people found her twerking loud, brash, annoying and basically unacceptable behavior for a children’s idol. Personally, I like her “young Madonna” phase because its dual role in breaking out of her Disney stereotype which will expand her opportunities and getting media attention in a controlled manner* [whether positive or negative] is always a net gain for a musician. So, as a communications person, I see she has learned from people that know how to manipulate public image in a mass communications setting. *”controlled manner” means planned behavior versus unplanned events: DUIs, arrests, etc. )
The second trick in the dialog box is to urge the user to not look for outside help on the internet with the phrase: “ call this number before you continue to use the internet…” However, if you did search for this information about such messages online, it would lead you here or a site dedicated to security education, such as the FBI’s IC3 [http://www.ic3.gov/default.aspx] site that warns about this sort of social hack. Isolation is used so that the information a person can find about the problem all comes from the Con artist, which is carefully manipulated to build trust and convince the mark that they are trying to help them, all the while simply increasing the odds of the con game working.
Step 2 (Establish Confidence)
If you DID call the site, you would be greeted by a person not trained to help you fix a problem, but a person that would try to convince the user that their system is infected. First to establish credibility the person claims to be from some upstanding company that closely resembles a known trusted company, such as “Windows Technical Support” or “Internet Security Support” or some other trigger words that suggest a reputable company. Note: if they claim to be from a <product name> support such as Windows and you ask them the company, they will say “Windows” when any savvy user knows there is no company called “Windows” and that Windows is a product. Most non-savvy people are easily tricked by this careful use of word play and skip the next step. which is to convince the person their system is infected
Step 3 (Confidence Trick and Sucker Test):
One way of convincing users that their system is infected is by showing them log files from the console or log application — which always has “warning” messages in yellow or “failure” message in red which are really just diagnostic messages used by programmers and tech support to see where errors occur in a procedure and when operations are carried out.
This is also a test for the mark used by the con operator. If a savvy user was directed to do this, they would tell the operator that this is normal. This would signal to the operator to disconnect the call or try to convince the person that these are indications of being infected. If this fails they might try to use intimidation — claiming to know more than the user. If none of this works they will probably hang up, because this person might be savvy enough to spot the con.
Step 4 (Begin the Con Game)
After this, the next step is to get the user to go to a URL and download an app. This app, they claim is to diagnose the problem and allow remote access by the operator on the other end of the line. However, if you DO that then you have just given a stranger complete access to control your system.
Step 5 (Collect and Setup Repeat Business)
The con operator logs in to you computer remotely and claims to remove the remove viruses. They will show you the empty logs and run a program that supposedly finds and removes them. What they really do is clear your logs and install a program that will get you to call back in a few months with more problems. They will probably install a timed script to pop up with the same warning months later to repeat the fee collection. They may also collect all personal info you have on the machine such as your contacts so they have a list of other potential victims to email with a warning like this one to repeat the con on them. They also sometimes install an app to block the user from UTLs that have information about the viruses they claimed to have had or information about them and what they really do by blocking known commercial virus databases and security sites maintained by Kaspersky, Sophos.com and Norton and real security organizations.
Step 6 (Repeat the Scam and Collect More Payments)
They might sell you a version of any of these products but with their exploits removed so they can keep triggering virus alert every few months, or just site back and collect your subscription fees. I have heard of people falling victim to this scam, and tried to help one person remove the problem personally. I also tried to educate him using much of what I wrote here. However, as long as there are ways to remotely con a person, there will be increasingly more sophisticated cons.
Best Defense is Self-Education
The best defense against falling victim to a confidence game is to educate yourself about the tools you use and pay attention to what people actually say. Read URLs and everything carefully. Do not always click the “Yes” dialog box without reading what it does.
If you notice the initial lure has the words “may” and “might be” to protect them from prosecution since their did not in fact make a claim, they simply posed it as a possibility. This makes it much more difficult to prosecute, which means they often can continue to operate just like this. Also, if you notice the above test, by educating yourself you know what questions to ask. Asking the right questions that might get a person to outright lie, such as claiming they work for Microsoft, will often get them to hang up. Why? Because as long as a person does not lie to you, and uses carefully crafted language so your interpretation is at fault, not what they said, you cannot win a court case.
So, another defense is to verify the identity of anyone you deal with remotely— if you get a call from someone that wants financial or other person data such as Social Security number. It is best to ask them for their extension and dial the official number on correspondence or listed on the orgs official site instead of trusting a person that they are who they say they are.
Also, if something seems suspicious, and urges you to act fast — it probably is a scam. So, check with trusted systems expert that you have met in person. Ask them about scams they know about, such as this one, and about their practices that avoid falling victim to scams. Some of my suggestions, aside from education, are (1) never clicking on unsolicited links in email, (2) never open unsolicited attachments, (3) read the sender’s domain name and the headers to see that they match, (4) for files you do download, make sure you can see the full file name — so change your system setting to always show the files extension (the characters after the dot) such as “.jpg” or “.mp3”. Scammer often title something like “rebate form.pdf.exe” or “sexy picture.jpg.exe” and hope the user’s system is set to hide extensions so they only see .pdf or .jpg and think it is an pdf or jpg and not an executable trojan virus. One way to tell is if the icon does not match the usual icon, BTW. Executables usually have a window icon.
Also, running security software (I like Sophos) regardless of platform (no system is invulnerable), and using other security managers that help you secure your accounts (such as 1Password) is a good idea as well. Oh, one last thing: always have backups of your data in case someone does lock your system with a ransomware virus.
Thanks for reading.