Week 5: When the first Google hit is not the right one and a freephone number turns into a scam

08.02.2022 - The NCSC received a large number of reports last week. Reports of fake extortion letters purportedly sent in the name of prosecution authorities still dominate. Two reports serve as examples of why it is always advisable to check very carefully whether you are on the right website. In addition, fake support fraudsters tried to appear reputable by using a freephone number.

The first Google hit is not always the right one

At some point, everyone has surely made a mistake when hurriedly entering an internet address in the browser. Surprisingly, in many cases a website opens anyway. The owners of these domains speculate on such typos and earn their money from the advertisements displayed on the websites. In some cases, however, there is also a malicious element involved, such as phishing sites.

"Typosquatter" domains related to an online trading platform

Nowadays, however, most websites are not accessed directly via the address bar; instead they are opened via a search engine. In doing so, users trust that the first hit in the list of results is the correct one. The fraudsters have also realised this and have registered numerous domain names, each of which resembles the correct website. They then use various search engine optimisation (SEO) tricks to try to get their websites as close to the top of the search engine rankings as possible.

An incident that was reported to the NCSC shows that this nasty scam can also cause a lot of damage if you forget to take a second look. The person who reported the incident entered the name of the online trading platform he uses to trade cryptocurrency into the search field. He wanted to quickly check something on his account and had not noticed that the top result was not the original website, but an identical-looking fake with a similar domain name. On this page, he then entered his login, password and the second factor. At the same time, the fraudsters logged into his account on the real website using these details and were thus able to empty his account.

  • Always check the address bar in the browser to make sure you are on the right page, especially if you have to enter your login credentials.
  • Never enter your login credentials if you are in a stressful situation.
  • Many search engines display advertisements above the actual hits. These hits are marked accordingly as "ads" and the originators pay to have them listed as the first hits. As in the case described above, Google ads can also be misused for phishing.

KeePass or not to KeePass – that is the question

To increase login security, a different password should be used for each internet service. If the password for one service is compromised for any reason, the other services are still protected. Password managers are very helpful in keeping an overview of the mass of passwords. The data protection officer has written a document on this subject:
https://docs.datenschutz.ch/u/d/publikationen/formulare-merkblaetter/merkblatt_passwortmanager.pdf

Since these programs store all passwords, their security and reliability are of great importance. A report from last week showed how important it is to be careful when downloading a password manager and to make sure that the program is downloaded from the official site. The official site of KeePass password manager is keepass.info. The NCSC has now been informed that KeePass is also available at the German .de domain. However, a check on the file offered showed that the vast majority of antivirus programs classify this software as malicious.

46 antivirus programs classify the file as malicious (source virustotal.com)

The program offered appears to be adware, i.e. a file that analyses user behaviour and then displays advertisements accordingly. This is not exactly the desired way for a secure password manager to operate.

  • Before installing a program, check that the provider is reputable. Use reviews and specialist magazines to do this;
  • Download software only from the official website.
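
One way to automate the address check recommended in both sections above, as an added example that is not part of the NCSC article: compare a URL's host against the one official domain and flag a swapped top-level domain, a near-miss spelling, or the official name buried in a subdomain. `keepass.info` comes from the article; every other hostname is a constructed sample, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

OFFICIAL = "keepass.info"  # official site named in the article


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, official: str = OFFICIAL) -> str:
    """Return 'official' only for the official domain or one of its subdomains."""
    # Accept bare hostnames as well as full URLs; urlsplit lower-cases the hostname.
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    if host == official or host.endswith("." + official):
        return "official"
    name, _, tld = official.partition(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Assumption: the registrable domain is the last two labels (no public suffix list).
    cand_name, cand_tld = labels[-2], labels[-1]
    if cand_name == name and cand_tld != tld:
        return "lookalike: same name, different TLD"
    if edit_distance(cand_name, name) <= 2:
        return "lookalike: near-miss spelling"
    if name in labels[:-2]:
        return "lookalike: official name used as a subdomain"
    return "unrelated"


if __name__ == "__main__":
    # Constructed samples, not taken from the report.
    for sample in (
        "https://keepass.info/download.html",
        "keepass.example",
        "keepas.example",
        "https://keepass.info.download.example/setup",
        "example.org",
    ):
        print(f"{sample:50} {classify(sample)}")
```

Only the result `official` means the address matches; any other result is a reason to stop before entering credentials or downloading a file.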

Freephone computer support comes with a hefty bill

Fake support calls have been reported for many years now. Callers pretend to be from Microsoft Support and try to make the victims believe that they have malware on their computer. The victims are then told to download a remote access program and give the "service providers" access to the computer. Finally, an invoice is presented and credit card details are requested, for example. In many cases, it is not known what else the attackers do on the computers.

In one variant of this type of scam, however, no calls are made; instead, windows suddenly appear while the user is surfing. They claim that the computer has been infected and locked, and urge the user to call a telephone number. In most cases, a Swiss telephone number is displayed. In a recent case, however, the attackers used a 0800 freephone number, something which had not been seen before. The attackers' motive is evident: 0800 numbers have a certain air of respectability, suggesting that a company that pays the telephone costs cannot be fraudulent. The number has since been blocked.

Fake lock screen requesting the user to call an 0800 number

  • End such phone calls immediately. Neither Microsoft nor other software companies make unannounced or unsolicited support calls to resolve computer problems.
  • Do not give anyone remote access to your computer.
  • If you have granted remote access, there is a possibility that your computer has been infected. The first step is to uninstall the remote access program.

Last modification 08.02.2022


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_5.html