
Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) has uncovered a phishing site designed to mimic Zoom, which facilitates the download of ScreenConnect software.
  • Scammers are leveraging Zoom’s trusted reputation to trick victims into downloading ScreenConnect. By impersonating a widely recognized platform, the phishing site increases the likelihood that victims will believe the download is legitimate, lowering their guard.
  • This ScreenConnect software allows attackers to establish a remote connection to the victim’s computer, giving them full access to the system.
  • The IP address associated with the Zoom phishing site is also linked to other malicious activities. Notably, it hosts a domain involved in scamming Social Security Administration (SSA) account holders, indicating that the same scammers are running multiple scams from the same infrastructure.
  • Another aspect of this campaign involves spam emails falsely claiming to come from SSA support. These emails target SSA account holders, urging them to download an application supposedly to stay updated on their account status.

Overview

Cyble Research & Intelligence Labs (CRIL) has identified a phishing website designed to impersonate Zoom. This fraudulent site tricks users into downloading ScreenConnect software. Once installed, ScreenConnect connects to a suspicious domain, giving unauthorized access to the victim’s computer. This access allows attackers to take control of affected machines and proceed to carry out further malicious activities.

Notably, the suspicious domain linked to the ScreenConnect installation resolves to an IP address that also hosts another domain involved in scamming Social Security Administration (SSA) account holders. A Facebook user highlighted this connection in a post, revealing the same infrastructure used for multiple scams targeting different groups. This indicates a broader operation where the same network is used to perpetrate various types of fraud. In the figure below, readers can see the Zoom phishing site in question.

Figure 1 – Phishing site

How The Scam Works

The scam often begins with a phishing email, text, or call, claiming to be from a trusted source (e.g., Amazon, PayPal, or even government agencies). The scammer informs the victim of an urgent issue like a compromised account, refund, or technical support problem. The scammer instructs the victim to call a fake tech support number or click on a link present in the spam email. They pose as a legitimate support representative and claim to help resolve the issue.

Once the victim engages, the scammer asks them to install remote desktop software such as ScreenConnect, allowing the scammer to take control of the victim’s computer under the guise of “fixing” the problem. After gaining remote access, the scammer can view the victim’s desktop, manipulate files, and gain access to sensitive information ranging from bank accounts and passwords to personal data. With control of the computer, scammers may initiate fraudulent transactions, ask for payment in the form of gift cards or cryptocurrency, or transfer funds directly from the victim’s bank accounts.

In 2023, CISA released an advisory warning about a scam where scammers contacted users through spam emails, pretending to be from Geek Squad regarding subscription renewals. The email included a customer service phone number, instructing recipients to call if they did not authorize the charge or wanted to cancel and request a refund.

When victims called, the scammers convinced them to download ScreenConnect software, giving them remote access to the victims’ computers. With this access, the scammers manipulated the bank account summary to falsely show that an excess refund had been issued. They then pressured the victims into “returning” the supposed overpayment, which was sent directly to the scammers.

The victim never actually received any extra money in their bank account—it just appeared that way because the scammer manipulated the screen. Once the victim sends the “refund,” they’re effectively sending their own money to the scammer, who will then disappear.

Campaign Analysis

In this campaign, it is suspected that the scammers will convince victims to download ScreenConnect software via a Zoom-themed phishing site. The downloaded binary “Private-Meeting.ClientSetup.exe” is a 32-bit binary containing five PE files in the resource section, with some filenames suggesting the installation of ScreenConnect software.

Figure 2 – Embedded resources

When the victim runs the binary, it extracts an MSI installer from the resource section and saves it in the temporary directory. The binary then reads the digital signature from the main executable, applies that signature to the installer file, and uses msiexec.exe to install ScreenConnect on the system. This process is designed to make the installation appear legitimate.

Figure 3 – Code snippet handling the installation of ScreenConnect
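
As an added example (not code from the original analysis), the following Python script triages a downloaded installer for the pattern described above: PE files and an MSI container carried inside another executable. The sample bytes are constructed stand-ins, and the function names are hypothetical.

```python
import struct

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file header; MSI files use this container

def find_all(data: bytes, needle: bytes):
    """Yield every offset at which needle occurs in data."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)

def pe_offsets(data: bytes):
    """Offsets of each 'MZ' header whose e_lfanew field points at a PE signature."""
    hits = []
    for pos in find_all(data, b"MZ"):
        if pos + 0x40 > len(data):
            continue  # truncated DOS header, cannot hold e_lfanew
        (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
        sig = pos + e_lfanew
        if 0x40 <= e_lfanew <= 0x1000 and data[sig:sig + 4] == b"PE\0\0":
            hits.append(pos)
    return hits

def triage(data: bytes):
    """Report payloads carried inside a PE file (offset 0 is the file itself)."""
    return {
        "embedded_pe": [o for o in pe_offsets(data) if o != 0],
        "embedded_msi": list(find_all(data, CFB_MAGIC)),
    }

def fake_pe(size: int = 0x200) -> bytes:
    """Constructed stand-in: DOS header plus PE signature, zero padded."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)

# Constructed sample: an outer PE carrying two PE files and one MSI header.
SAMPLE = fake_pe() + b"RSRC" + fake_pe() + fake_pe() + CFB_MAGIC + bytes(64)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A file that presents itself as a meeting invite yet reports several embedded PE files plus an MSI header warrants sandboxing before anyone runs it.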

The ScreenConnect client is then launched, connecting to the specified domain “poyttwq[.]zapto[.]org” on port 8041, as shown in the figure below.

Figure 4 – ScreenConnect client execution command
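
The relay connection described above can be checked in process-creation telemetry. The Python below is an added example, not taken from the original analysis: it extracts the relay host and port from ScreenConnect client command lines and flags hosts that match this page's indicator, are not sanctioned, or sit on a dynamic-DNS zone. The command-line layout (`h=` and `p=` parameters), the sample lines, the allowlist entry and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs

PAGE_IOCS = {"poyttwq[.]zapto[.]org"}       # relay host published on this page (defanged)
SANCTIONED_RELAYS = {"relay.corp.example"}  # assumption: relays your IT team operates
DDNS_SUFFIXES = (".zapto.org",)             # assumption: dynamic-DNS zones to flag

def refang(value: str) -> str:
    """Turn a defanged indicator back into a comparable hostname."""
    return value.replace("[.]", ".")

# Constructed process-creation command lines (not copied from the page's figure).
# Assumed layout: ScreenConnect.ClientService.exe "?e=...&h=<relay>&p=<port>&s=<id>"
_EXE = r'"C:\Program Files (x86)\ScreenConnect Client (0000000000000000)\ScreenConnect.ClientService.exe" '
SAMPLE_CMDLINES = [
    _EXE + '"?e=Access&y=Guest&h=relay.corp.example&p=443&s=00000000-0000-0000-0000-000000000001"',
    _EXE + '"?e=Access&y=Guest&h=' + refang("poyttwq[.]zapto[.]org")
         + '&p=8041&s=00000000-0000-0000-0000-000000000002"',
    r'"C:\Windows\System32\notepad.exe" "C:\Users\a\notes.txt"',
]

CLIENT_RE = re.compile(r'ScreenConnect\.Client(?:Service)?\.exe"?\s+"?\?([^"\s]+)', re.I)

def relay_of(cmdline: str):
    """Return (host, port) from a ScreenConnect client command line, else None."""
    m = CLIENT_RE.search(cmdline)
    if not m:
        return None
    params = parse_qs(m.group(1))
    host = params.get("h", [""])[0].lower().rstrip(".")
    port = params.get("p", [""])[0]
    return (host, int(port) if port.isdigit() else None) if host else None

def assess(cmdline: str):
    """Return findings for one command line; an empty list means nothing to report."""
    relay = relay_of(cmdline)
    if relay is None:
        return []
    host, _port = relay
    findings = []
    if host in {refang(i) for i in PAGE_IOCS}:
        findings.append("known-ioc")
    if host not in SANCTIONED_RELAYS:
        findings.append("unsanctioned-relay")
    if host.endswith(DDNS_SUFFIXES):
        findings.append("dynamic-dns")
    return findings
```

The allowlist check is the durable control here: published indicators change between campaigns, while a relay host outside the sanctioned set stays reportable.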

The server at “poyttwq[.]zapto[.]org” is hosted on IP address “79.110.49[.]157,” which also hosts the website “railindiaticket[.]in.” This site displays a page with the ConnectWise icon, the title “Support,” and prompts users to enter a secure code to continue, suggesting that the website is involved in a scam related to ConnectWise.

Figure 5 – Scam website prompting to enter secure code

During our investigation of this scam website, we uncovered a social media post in which a user reported receiving an email from “support@railindiaticket[.]in,” falsely claiming to be from Social Security Administration (SSA) support. The email urged the recipient to download an application. Based on this post, we suspect that the scammer behind this campaign is targeting SSA account holders and attempting to trick them into installing software such as ConnectWise.

Figure 6 – Social media post reporting support scam

The Social Security Administration (SSA) is a U.S. government agency responsible for administering Social Security, a government program that provides retirement, disability, and survivor benefits to eligible Americans. The SSA issues Social Security numbers (SSNs), which are used to track earnings and benefits for individuals throughout their lives.

On August 7th, the Office of the Inspector General (SSA) issued a scam alert advisory, warning about scammers escalating their tactics by using fake Amazon or PayPal tech support emails and text messages. These messages aim to connect victims with individuals impersonating Social Security Administration (SSA) employees, who then attempt to convince the targets that their Social Security number (SSN) or record has been compromised.

Scammers use a “long-con” approach and then pass the victim to an imposter pretending to be an SSA agent, exploiting detailed personal information to build trust. This scheme often culminates in the victim handing over valuables or currency during a staged in-person meeting with someone involved in the scam. This method, known as “pig butchering,” is designed to deplete the victim’s resources.

Figure 7 – Advisory from SSA

Conclusion

By leveraging a fake Zoom-themed website and digitally signed binaries, the scammers successfully masked the installation of ScreenConnect software as a legitimate process. The use of ScreenConnect, a widely recognized remote desktop application, further aided in the deception, allowing the scammers to gain unauthorized access to victims’ systems under the guise of providing support. This same infrastructure is used for multiple fraudulent activities, including scams targeting Social Security Administration (SSA) account holders. This phishing campaign exemplifies the increasingly sophisticated methods cybercriminals are using to deceive victims into compromising their own systems.

Recommendations

  • Social Security Administration (SSA) typically contacts beneficiaries through official channels, not unsolicited emails or phone calls. If you receive a suspicious message, do not click on links or provide personal information.
  • If you’re unsure about the legitimacy of a communication, contact SSA directly through their official website or customer service number, not the contact information provided in the suspicious message.
  • SSA will never ask you to download software or applications via email or text. If you receive a request like this, it is likely a scam.
  • Always verify website URLs to ensure they belong to the legitimate SSA domain (e.g., www.ssa.gov). Scammers may use slight variations in URLs to deceive victims.

MITRE ATT&CK® Techniques

| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access (TA0001) | Phishing (T1566) | Uses phishing website |
| Command and Control (TA0011) | Remote Access Software (T1219) | Installs ScreenConnect |
| Execution (TA0002) | User Execution: Malicious File (T1204.002) | Scammers rely on users to execute the ScreenConnect Software |
| Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | .NET binaries are stored in the resource section of the main executable |

Indicators of Compromise

| Indicator | Indicator Type | Description |
|---|---|---|
| zoominvite[.]live | Domain | Phishing site |
| 4e81851729d58f321bb83bdb03200f62bc5ee56e0703b2d609a3923a033d5b53 | SHA256 | Zoom.exe |
| poyttwq[.]zapto[.]org | Domain | Remote server |
| 79.110.49[.]157 | IPv4 | Resolved IP |
| railindiaticket[.]in | Domain | Phishing site |

The post Scammers Use ScreenConnect to Defraud SSA Beneficiaries appeared first on Cyble.