Week 18 in review

11.05.2021 - The NCSC received a moderate number of reports last week. Reports were made of fake support calls combined with pop-up windows as well as fraudulent calendar entries being sent. In addition, it received information about bills from mobile phone providers that had allegedly been paid twice and a fake Migros competition.

Current statistics

Reports per week during the last 12 months

Last week's reports by category

Fake support calls – increased reports of pop-up variant

Fake support calls have been observed for several years: a caller pretends to be an employee of an IT company (typically Microsoft) and tells the victim that their computer is infected and needs to be repaired. The purported support callers have no idea whatsoever of the configuration of the computers of the people they are calling. The attackers want to persuade the victims to download a program that allows them to access their computer. They gain access to the system only via this program and can thus manipulate the computer. In most cases, the callers try to sell the victims a software licence or service ("system cleaning") and thereby obtain their credit card information.

Last week saw an increase in the variant where an error message is displayed in the browser while surfing, stating that the computer has been locked. Users are asked to call a telephone number to unlock their computers. When they call the number, the fraudsters' approach is exactly the same as a described above. They ask for access to the computer and end up by requesting credit card details.

Example of a fraudulent blocking page

The pop-ups are mainly displayed in the form of spoof banner advertisements. Another possibility is the misuse of Google ads. This was also observed last week. Advertisements that are placed by advertisers and that also match the searched terms are usually displayed above the actual search results. This advertising service is also used by fraudsters. The advertisements imitate well-known companies but redirect visitors to a site run by the fraudster.

Ignore these "screen blockers". Closing the browser usually works; if not, shutting down the computer will help.

When your calendar warns about being hacked

In recent weeks, the NCSC has been alerted several times to strange entries in electronic calendars. These are known as calendar spam, the term used to describe unwanted messages that are sent via email and then find their way into the recipient's calendar. Depending on the software, this may happen automatically or after clicking on an attached calendar file.

Spammers and fraudsters use this function to place unwanted messages directly in people's calendars. Victims then either see these entries when browsing the calendar or are reminded of the event by the system when the appointment approaches. An example of one variant observed is a claim that WhatsApp and or other apps have been hacked. This is a bluff used to entice the recipients to click on a malicious link. Entries with links to dubious investment sites are also being reported. If users actively refuse such invitations, there is also the risk that the sender will receive a notification confirming that their address is valid. They may then receive even more advertising.

Example of fraudulent calendar entries

As a countermeasure against calendar spam, many apps only allow automatic entries if the sender is already in the recipient's contact list, i.e. the sender is known to the recipient. However, the spammers have also reacted to this measure. Over the past week, the NCSC has observed an increase in fraudulent appointment requests that come from a person known to the recipient. In these cases, the fraudsters probably assume that the person is in the contact list and the spam will therefore automatically end up in the calendar.

Ignore dubious calendar entries!

Last modification 11.05.2021

Top of page

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/wochenrueckblick_18.html