
I'm seeing a lot of tech support scam videos on YouTube, which made me think: do legitimate tech support companies use remote control for regular customer service calls?

I remember calling Lenovo tech support from their website a while back (I double checked it was their official site because I'm paranoid) and they had to use a remote control software to check my PC. I reasoned it was the same as handing over your PC to a repair shop as long as you know it's legitimate.

Now I'm thinking: do they even use this type of software?

What are the security flaws/implications of letting them do it? Is it fine as long as we can see our screen and retain control of the cursor?

schroeder
Skawang
  • As someone that works in support and uses such tools: it's a damn sight easier to get someone to open a TeamViewer session to type in commands that may be required or to see the issue happening than have the user describe it over the phone. – tombull89 Jul 04 '20 at 11:15
  • @tombull89: I've seen legitimate support sessions where guiding to download and launch the TeamViewer QuickSupport application takes more time than solving the actual problem. (Maybe we should learn that part from the criminals...) – Esa Jokinen Jul 04 '20 at 13:45
  • Personal anecdote: Microsoft support routinely uses some kind of remote control software to fix issues with Windows activation. – n0rd Jul 05 '20 at 18:30
  • I want to add to this topic that these are YouTube videos. You can script the hell out of this. Probably most are fakes. – clockw0rk Jul 06 '20 at 14:19
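The question mentions double-checking that the download came from the vendor's official site. One further check a practitioner would want before actually running the downloaded support tool, given here as an added example that is not part of the original thread and not any vendor's own tooling: confirm that the binary carries a valid Authenticode signature and that the signer is the publisher you expect. The trusted publisher name used below is an assumption; verify it against the vendor's own published code-signing details before relying on it.

```powershell
# Added example (not from the original thread): verify the publisher signature of a
# downloaded remote-support tool before running it. Works in Windows PowerShell 5.1
# and PowerShell 7 on Windows. The default trusted publisher is an ASSUMPTION; check
# the vendor's documentation for the exact name on their signing certificate.

function Test-SupportToolSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed list of publishers you have decided to trust; adjust to your vendor.
        [string[]]$TrustedPublishers = @('TeamViewer Germany GmbH')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and the certificate chains to a
    # trusted root. NotSigned, HashMismatch, NotTrusted, UnknownError etc. all mean: do not run it.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signature status: $($sig.Status)" }
    }

    # Pull the Common Name out of the signer subject, e.g. 'CN=Some Vendor GmbH, O=..., C=DE'.
    # (A CN containing a quoted comma would need a proper X.500 parser; good enough for vendors' certs.)
    $subject = $sig.SignerCertificate.Subject
    $cn = ($subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''

    if ($TrustedPublishers -notcontains $cn) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signed by '$cn', which is not in the trusted list" }
    }

    [pscustomobject]@{
        Path       = $Path
        Ok         = $true
        Reason     = "signed by '$cn'"
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotAfter   = $sig.SignerCertificate.NotAfter
    }
}

# Usage (path is an example):
# Test-SupportToolSignature -Path "$env:USERPROFILE\Downloads\TeamViewerQS.exe" | Format-List
```

A valid signature only tells you who built the binary, not who is on the other end of the phone: the answers below point out that criminals use the genuine tools as well, so this check rules out a tampered download but does not by itself make the session legitimate.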

7 Answers


Yes, it is normal for legitimate tech support to use remote support tools. It's far easier than trying to blindly walk someone through a complicated series of technical steps. Companies like TeamViewer exist for this reason.

The risks of the software are:

  • having a persistent "back door" into a system, but there are security measures in most software to limit this
  • vulnerabilities in the software that could be exploited by others
  • a malicious tech support user using legitimate access to create harm

There are several functions in remote support tools besides cursor control that could also create secondary problems, like being able to upload and download files.

As long as all that is enabled is "remote viewing" or "screen share", your risks are limited. The more control you give, the higher your risks.

schroeder
  • Not just malicious tech support. Not all tech support users are competent; they could do some serious harm by means of an honest mistake, if given too much access. – Ray Jul 06 '20 at 14:41

Yes, they do. A key difference is that typically you have initiated the session by asking them to help you. In order to do that they may ask you to launch a remote control tool, as it's both easier than assisting you on the phone and faster and more cost-effective than bringing the device in.

Commercial products available for this, e.g. TeamViewer (possibly branded), are designed to be transparent, e.g. by avoiding persistent access (periodically changing passwords, verification to allow a remote control session) and by showing dialogs for background actions like file transfers.

On the other hand, both legitimate and malicious actors may use the same tools:

  • A legitimate tech support team might not be competent enough to use proper tools in a proper way, which may leave the computer more vulnerable to malicious third-party actors. E.g. a password giving persistent access to a computer may seem convenient from their perspective, but such a password may leak, leaving their customers compromised.
  • Criminals use the same tools to look more trustworthy. They are skilled at acting naturally and may seem to help you by solving actual problems while doing their malicious actions in the background.
  • An individual employee of a legitimate tech support team might abuse their position and trust. Although they eventually get caught, there's still such a possibility. Just like a phone repair guy may steal your intimate photos while repairing a broken screen.

If you haven't genuinely initiated the session with a support provider you have chosen to trust (or otherwise know they should be actively monitoring your systems, as pointed out by @Draco-S), don't allow remote control.

  • If someone calls you to tell you that you have problems with your computer and offers help through remote control, it's a scam.

  • If your computer screen says your computer is infected and gives you a number to call or a remote control program to execute, it's a scam.

  • If you suspect something is wrong, contact someone you trust, instead.

With a legitimate tech support you are entitled to question their actions and ask them to explain what they are doing. You could also ensure the remote control tool is turned off / deactivated / uninstalled after the session.

Esa Jokinen
  • If they tell you that they're calling from "Microsoft Windows", it's a scam. I don't know what's going through the minds of whoever writes their scripts. FWIW, I have had a 100% success rate so far on these scam callers: if I ask them to tell me what IP address they detected the alleged suspicious activity from, they instantly hang up. So presumably this tactic works even if you don't know what an IP address is. – Steve Jessop Jul 04 '20 at 03:13
  • @SteveJessop Part of the scammer's success depends on their targets being clueless. Any hint of technical skills or intelligence is a signal to them that they are wasting their time. – Booga Roo Jul 04 '20 at 10:19
  • @BoogaRoo That's true. [Kitboga (YouTube channel)](https://www.youtube.com/c/KitbogaShow/) does such a great job wasting their time for fun. Although mainly hilarious, his videos are also good examples of how these scammers operate. – Esa Jokinen Jul 04 '20 at 13:25
  • And they generally ask you to run a command which outputs [888DCA60-FC0A](https://www.google.com/search?q=888DCA60-FC0A&ie=utf-8&oe=utf-8) and claim it identifies your Windows box. Of course every Windows user has that CLSID. Searching for that CLSID brings up a whole list of scam reports. If I'm playing along with the scammer I tell him the number first and ask him to search for it on Google and then tell me what he finds. Their reactions are priceless. – DavidPostill Jul 04 '20 at 16:21
  • I used to sometimes play along a bit when they called to tell me there were issues with my computer. Now I mostly don't even bother with an abrupt "not interested" reply. As soon as I detect that the call is unsolicited, I simply hang up. Life is too short to waste time talking to these parasites. I actually suspect they now may have voice recognition for their robo-dialers, that targets particular demographics, elderly people, and women. Very often now the call cuts out as soon as I say "hello", presumably they can tell by the tone of my voice that I'm not going to be an easy target. – user1751825 Jul 06 '20 at 06:14
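The answer above recommends making sure the remote control tool is turned off, deactivated or uninstalled once the session is over, and the accepted answer lists a persistent "back door" as the first risk. The PowerShell script below is an added example, not part of the original thread and not any vendor's tooling, that audits a Windows machine for what a remote-support tool may have left behind: running processes, Windows services, scheduled tasks, Run/RunOnce autostart values, installed-program entries and inbound firewall rules. The product-name list is an assumption (TeamViewer is the only tool the thread names; the others are common remote-support products), so extend it to whatever your support provider actually used. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original thread or from any vendor: post-session audit for
# leftovers of remote-support tools on Windows. Run from an elevated PowerShell prompt
# (Windows PowerShell 5.1 or PowerShell 7). The product list is an ASSUMPTION; TeamViewer
# is the only tool the thread names, the rest are common remote-support products.
$RemoteTools = @('TeamViewer', 'AnyDesk', 'LogMeIn', 'ScreenConnect', 'Splashtop',
                 'GoToAssist', 'Supremo', 'UltraViewer', 'RustDesk')
# One alternation so each check below is a single (case-insensitive) -match.
$Pattern = ($RemoteTools | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-RemoteSupportLeftovers {
    param([Parameter(Mandatory)][string]$Pattern)
    $found = @()
    $hit = { param($Kind, $Name, $Detail) [pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail } }

    # 1. Still running. A run-once QuickSupport-style binary should be gone once you close it.
    foreach ($p in Get-Process | Where-Object { $_.ProcessName -match $Pattern -or $_.Path -match $Pattern }) {
        $found += & $hit 'Process' $p.ProcessName $p.Path
    }

    # 2. Installed as a Windows service: starts at boot and can accept unattended
    #    connections, i.e. the persistent "back door" case from the accepted answer.
    foreach ($s in Get-CimInstance Win32_Service | Where-Object { $_.Name -match $Pattern -or $_.PathName -match $Pattern }) {
        $found += & $hit 'Service' $s.Name "$($s.State), $($s.StartMode), $($s.PathName)"
    }

    # 3. Scheduled tasks that relaunch the tool.
    foreach ($t in Get-ScheduledTask | Where-Object { $_.TaskName -match $Pattern -or ($_.Actions.Execute -join ' ') -match $Pattern }) {
        $found += & $hit 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" ($t.Actions.Execute -join ' ')
    }

    # 4. Run / RunOnce autostart values, per machine and per user.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($v in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }    # PSPath, PSParentPath, ... are not registry values
            if ("$($v.Name) $($v.Value)" -match $Pattern) { $found += & $hit 'Autorun' "$key\$($v.Name)" $v.Value }
        }
    }

    # 5. Installed-program entries (a full install, as opposed to the portable binary).
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    foreach ($app in Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match $Pattern }) {
        $found += & $hit 'InstalledProgram' $app.DisplayName $app.InstallLocation
    }

    # 6. Inbound firewall rules the installer may have added for itself.
    foreach ($r in Get-NetFirewallRule -Direction Inbound -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match $Pattern }) {
        $found += & $hit 'FirewallRule' $r.DisplayName "Enabled=$($r.Enabled) Action=$($r.Action)"
    }

    return $found
}

$leftovers = @(Find-RemoteSupportLeftovers -Pattern $Pattern)
if ($leftovers.Count -eq 0) {
    Write-Host "No traces of: $($RemoteTools -join ', ')"
} else {
    $leftovers | Format-Table Kind, Name, Detail -AutoSize -Wrap
}
```

A portable, run-once support client normally shows up only in the process check while it is open and in nothing else afterwards. A hit in the service, scheduled-task or autorun checks means a full installation that can start on its own and accept connections when nobody is watching the screen; either uninstall it, or if you keep it, make sure it is configured to require your explicit approval for every incoming connection rather than a fixed password.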

The short answer is “yes, with some caveats”.

The long answer is yes, but you have to ensure that prior trust has been established with the support agent by ensuring one of the points is true:

  1. You have initiated the support call. For example, you call Microsoft, Dell, HP etc. and they ask to connect to your computer. This is safe because you know who you are calling.
  2. You have logged a ticket and received an expected callback. In this case, the agent will need to confirm the trust by providing you with the details only a legitimate party will know, like the ticket number, your name, case details etc.
  3. You have prior trust with an agent, for example, it's your company's IT department or an outsourced contractor that has access already.

There was an opinion that you must initiate the support case. This is not true, strictly speaking, especially for option 3 where your computer is a managed one. I have, on multiple occasions, called customers based on alerts raised by our monitoring software. But in this case we already have a remote control agent installed on the computer and call them to advise of the issue and notify that we need to take control.

Draco-S
  • +1 for pointing out a case where IT support could initiate the session. It's also good you explained that in this case it's typically a known IT department or contractor with pre-installed tools. – Esa Jokinen Jul 04 '20 at 06:02

Yes, for example in a typical "Enterprise" setting. But note that the tech support will be part of your company (or a subsidiary, well-known partner, whatever). You will reach it through your company's ticketing system. Yes, they have the same bad accent as the criminals in your videos, but they're legitimate (not necessarily knowledgeable or helpful, though... I've once had one of them delete one year's worth of "useless" data for an entire geographic region before I could shout "stop this!").

One thing to note is that tech support never initiates the session (as pointed out in Esa Jokinen's answer, too). If anyone asks you to, it is 100% certain illegitimate.

However, and this is important, do note that the reverse conclusion is not true. If you initiated the session, that does not necessarily mean that the other side is legitimate or professional, or non-fraudulent. It certainly seems that way, but it's not necessarily the case.
In fact, the procedure that is shown in the videos that you mention exploits this very appearance to trick the pigeon into trusting the criminal.

You get shown some sort of scary notice and you are to call support (they're kind enough to even provide the number, so you don't need to Google it!). So you actually do initiate the session. Clearly it's legitimate, isn't it!
If you show signs of doubt, the criminal on the other end will point that out as well: "It's alright, you did call us, remember. And we're Microsoft partners, this is why your Windows showed that screen".
But although you did initiate the session, it is of course still fraudulent. The only goal of the entire endeavor is to find someone stupid enough to either download and execute some malware, or grant remote access with a user account that has admin rights (the default for most home users).

Upon which typically the first thing will be to sabotage the -- so far perfectly working -- computer in such a way that it can no longer be started without their help (e.g. by encrypting the user profiles), for which they will extort a lot of money. Then you will be shown some directory listings and stuff, which to the uneducated average user looks like something very important and scary, and well... in the end you're going to pay because your computer is now unusable. Which, if you don't fall for the scam right away and pay them anyway, you'll discover after rebooting.

Damon
  • "One thing to note is that tech support never initiates the session" - err, not quite true - the majority of tools REQUIRE the tech support person to initiate the session, though genuine tools will then always require some form of consent button or code at the 'customer' end. – Mike Brockington Jul 03 '20 at 18:10
  • @MikeBrockington: I was probably a bit loose on my wording. What I mean is, they don't initiate the session _out of the blue_. That is, they certainly do the click to start RD, and then you click on "Accept". It won't work otherwise (obviously). But they **don't** do that unless you have ticketed them first, and talked with them on the phone, or via Skype or Teams, or whatever you use. You have the request, you want something to happen, not them. So that's "initiate" for me. If CIO wants something to happen, they can just schedule an update, and that will install without your consent anyway. – Damon Jul 03 '20 at 18:27
  • Annoying as Windows is about it, that's actually a pretty cool feature for enterprise (other than being so disruptive). You get a popup saying "Oh by the way, in 1h59min the computer will reboot for update", and that is the only truth, nothing you can do about it, except saving your stuff and rebooting immediately if you need the machine in 2 hours. Which on the one hand totally sucks, but then again, it's pretty darn awesome otherwise. Very hard to get it wrong on the user side, very hard to miss updates (impossible even?). No need to click on a link, or follow instructions otherwise. – Damon Jul 03 '20 at 18:32
  • A session here doesn't mean a remote control *connection*, but more widely the whole procedure starting from the initial contact with the support. – Esa Jokinen Jul 03 '20 at 19:13
  • @EsaJokinen: Now _that_ is something I've never seen. The only occasion where tech or CIO actually initiates contact is when they send you fake phishing mails. You are to report these, and woe if you fail to report three or more of these in a month or even inconsiderably click on a link, then you're a candidate for a 2-hour awareness bullshit session. But otherwise, if you want contact, then **you** need to open a ticket. They don't need you or your assistance (or approval) for anything they'd like to do, you know. They basically "own" the computer. – Damon Jul 05 '20 at 16:57
  • @Damon: I was replying to Mike Brockington's comment, though. :) – Esa Jokinen Jul 05 '20 at 17:57
  • @Damon Unfortunately this is untrue also. Legitimate IT support people will sometimes need to initiate the support call, to get users' systems updated with the latest support software, or if they've received an alert that a laptop may be infected with malware etc. This is in the context of corporate managed computer systems. The problem is that staff do not always know who is supposed to be managing their laptops. There's not always a guaranteed way for regular users to be able to differentiate a legitimate call from a malicious scam. – user1751825 Jul 06 '20 at 06:34
  • See my answer re support-initiated remote control sessions. We (a small MSP) have most of our customers on managed control, so the call often goes like "we need to do (stuff) to your PC, please save your work and we will connect now, or please designate a time when we can do this" and then we connect. For those on a "break-fix" plan, we never call first. – Draco-S Jul 06 '20 at 10:14

I used to work level 3 support for various telecom products; we would sometimes use TeamViewer. If possible we'd use one of our local technicians' laptops connected to the customer's network. If not, then a customer's machine, but using one-time passwords. Always be on a call with the person on the remote end and explain what you're doing and why. A previous employer had remote access via VPN built into the kit we sold, but access was via a customer-controlled gateway with full logging. You have to have an audit trail.

If you've initiated the call and you're expecting it, then there's only a small chance of it being dodgy. Restrict the access as needed and you're okay. If you get a random call asking for access, it's a scam.

auspicious99
boots

Yes, legitimate tech support uses remote control software. But illegitimate ones also use them.

"What are the security flaws/implications of letting them do it? Is it fine as long as we can see our screen and retain control of the cursor?"

There was a scam where the attacker would let the victim download and install specifically designed remote control software. They would do something that doesn't seem too harmful, using the mouse and GUI on your bank account (supposedly because there are usually more security measures while logging in, so they have to find a seemingly legitimate reason to do so), but also transfer all your money in the background where you couldn't see it.

auspicious99
user23013
  • This doesn't really add anything to the other answers. Also, tech support scammers aren't usually after web banking, as bank-transferred money is easy to follow. They rather use gift cards and other untraceable means of payment. – Esa Jokinen Jul 06 '20 at 05:51
  • @EsaJokinen Scammers are very often after bank accounts, and even though it may be easy enough to see where the money went, getting it back may be next to impossible, if the money has left the country. – user1751825 Jul 06 '20 at 06:46
  • The example is still rather limited, leaving a picture that that's the only thing they are after. That might lead to a false assumption that if you don't log into your bank account you would be safe. – Esa Jokinen Jul 06 '20 at 06:50

It's not fine, regardless whether they are legitimately helping you and are not scammers. Much more often than people would like to think tech support workers abuse their access to clients' computers, both in a corporate environment or private. You never know what someone will do so give only the bare amount of trust and don't assume legitimately accessing your computer on anyone's behalf means you get someone with integrity and who adheres to any sort of professional ethics. Once they gain access to any part of your network or any single device you are vulnerable everywhere.

Henry A
  • "Once they gain access to any part of your network or any single device you are vulnerable everywhere." -- is a complete overstatement. And you basically repeat my answer. – schroeder Jul 04 '20 at 09:52
  • It's not even close to an overstatement but I can see you won't be convinced otherwise. As I said before, nothing is fine and that was a part of your question. Your only assurance that you're safe from malicious intrusion by an IT professional is that which you grant yourself because you want to believe it doesn't happen. I've seen this very thing first-hand and I have experience with remote access hacks perpetrated by legitimate professional IT personnel working in an official capacity using enterprise tools. I answered your question- believe what makes you feel good. – Henry A Jul 04 '20 at 10:00
  • It's not my question ... – schroeder Jul 04 '20 at 10:05
  • Here's what you asked: "What are the security implications" and "Is it fine" and it is as I said, not fine. To add further, because you can see the cursor you are not assured of anything. Hacks can run in the background unbeknownst to you, the user. Sometimes this is by design, and it's also possible for a malicious tool to be used simultaneously or as a modified version of a legitimate tool. I know of a case where the operating system was entirely compromised by attackers who gained access to the device through a company network, replacing the OS with SaaS, so that it was indistinguishable. – Henry A Jul 04 '20 at 10:16
  • No, I did not post the question. And attacking someone is not the appropriate response. Address the content, not the person. – schroeder Jul 04 '20 at 10:23
  • And you are also misreading the question that was posted. And you are confusing "threat", "risk", and "vulnerability". How does one "replace an OS with SaaS" because that does not appear to make sense. – schroeder Jul 04 '20 at 10:29
  • By joining the PC to an Azure Active Directory domain and configuring it as a hybrid deployment. I don't expect to convince you because, admittedly, it's unlikely to happen to such an extent but this can be accomplished if you were to connect to a corporate network with a personal device and an attacker had remote access. – Henry A Jul 04 '20 at 11:25
  • In most cases it's the other way around: it's your BYOD device that may compromise the corporate data – not their ICT department that would compromise your private computer. In real life corporates have assets way more interesting to criminals than most individuals. – Esa Jokinen Jul 04 '20 at 13:38
  • @HenryA I understand where you're coming from but I think we'll have to put some level of trust in people if we know they come from legitimate places and they don't have a lot to gain from screwing with my stuff (with the risk being they lose their job). This is probably different for corporate. Still, remote control software makes me uneasy so I'll probably stay away from it as much as I can. – Skawang Jul 04 '20 at 20:01
  • It's good to be cautious, however if you are an employee of a company, and using a company provided laptop, you can't just arbitrarily refuse access to the IT support staff. It would look highly suspicious if you wouldn't allow IT admin staff access to your computer, and taking this stance could pretty quickly land you in a lot of trouble with management. – user1751825 Jul 06 '20 at 06:53