Research on Tech-Support Scams

Interesting paper: “Dial One for Scam: A Large-Scale Analysis of Technical Support Scams“:

Abstract: In technical support scams, cybercriminals attempt to convince users that their machines are infected with malware and are in need of their technical support. In this process, the victims are asked to provide scammers with remote access to their machines, who will then “diagnose the problem”, before offering their support services which typically cost hundreds of dollars. Despite their conceptual simplicity, technical support scams are responsible for yearly losses of tens of millions of dollars from everyday users of the web.

In this paper, we report on the first systematic study of technical support scams and the call centers hidden behind them. We identify malvertising as a major culprit for exposing users to technical support scams and use it to build an automated system capable of discovering, on a weekly basis, hundreds of phone numbers and domains operated by scammers. By allowing our system to run for more than 8 months we collect a large corpus of technical support scams and use it to provide insights on their prevalence, the abused infrastructure, the illicit profits, and the current evasion attempts of scammers. Finally, by setting up a controlled, IRB-approved, experiment where we interact with 60 different scammers, we experience first-hand their social engineering tactics, while collecting detailed statistics of the entire process. We explain how our findings can be used by law-enforcing agencies and propose technical and educational countermeasures for helping users avoid being victimized by
technical support scams.

BoingBoing post.

Tags: , ,

Posted on April 12, 2017 at 6:34 AM22 Comments

Comments

Thom April 12, 2017 7:20 AM

What right minded person would voluntarily allow a remote user access to their pc in the first place?

Obviously there’s different levels of idiocy,. but sadly i fear these scams mostly target the inept and elderly. :/

Andy April 12, 2017 7:46 AM

Once, when I had time on my hands, I kept “Nigel” (who had a suspiciously strong Indian accent) “from Microsoft” on the line for nearly 45 minutes. Good entertainment for me – and it stopped him targeting someone else.

The conversation went along the lines of “we’ve noticed suspicious data coming from your PC — we’ve been monitoring your traffic and it looks like you have a virus” – after stringing him along to let himself dig even deeper (10 mins or so) I pointed out that he was in breach of [at minimum] the Computer Misuse Act 1990, Data Protection Act 1998 and possibly RIPA as well – did he really want to continue? — yes he did – so I asked him what my IP was and what operating system (he told me 192.168.1.2 [good guess at a NAT address but obviously not the value he would have seen] and Windows 7). I said are you sure? he said yes and then I pointed out that I was using Linux — so charging me to fix Windows viruses there was at best misleading and at worst fraudulent.

Then he hung up.

Nowadays I just ask them – “would your parents be proud of you, working as a scammer?”

A colleague in the office had a better response (pays to be a good actor – and to be willing to indulge in a poor taste response) a couple of years ago. He screamed into the phone “a virus?? it’s not Ebola is it? I was emailing a friend in Nigeria who’s sorting out my banking! can I catch it through the keyboard?” very entertaining for us and the poor phone scammer was nearly in tears.

Winter April 12, 2017 8:16 AM

“Once, when I had time on my hands, I kept “Nigel” (who had a suspiciously strong Indian accent) “from Microsoft” on the line for nearly 45 minutes.”

I did once too, years ago. I was upscaled one level to a person with better English skills. I kept him at the phone for some time. When he realized I had tied him up, he wasted another 5 minutes or so cursing and threatening me. He really exploded and threatened to kill me if I ever would set foot in his city. He revealed the name of the city in India but I forgot which one it was (Bangalore?).

Nowadays, I say hello and ah, uh and then set the phone on a stand while I do other things. Every second they hang on with me, they cannot target someone else.

Some educational material to learn how to handle these, and have fun:

https://www.youtube.com/watch?v=5Te-jnS_Dq0

https://www.youtube.com/watch?v=1UE_Q1pprEg

John Galt April 12, 2017 8:22 AM

Obviously, operatives of the CIA and NSA have used their bag of tools to start the Tech-Support-As-Extortion racket.

Thom April 12, 2017 10:05 AM

Scammers in general rely on either the greed, stupidity or general ignorance of their targets.

It’s in part why scam/spam emails tend to have a lot of spelling and grammatical errors,. It’s not (only) because the sender doesn’t fully control the english language,. but to ensure “smart” people are filtered at step 1 of the scamming process.
Smart people are not the target audience, by filtering them out at step 1, they can avoid wasting time getting them into step 2 where they might have to personally talk to them and then get rejected.

Imagine you have an advert up on ebay for 100$, and john doe offers you 80$.
You’d probably haggle, or accept but be wary about the offer.

Now, imagine john doe offers you 250$ and comes up with a story that it’s a gift for a friend of his.
If you’ve any experience with sites like ebay and have a bigger brain than the average monkey, you’d instantly know the person messaging you is a scammer, because honestly,. who on earth would offer that much more than the asking price right off the bat?
If you’re greedy and experienced, your caution in this situation may be lowered however – 250$ after all is a nice sum,. and you’d give the scammer an opening.

I’ve kept a marketscammer like this busy for a few days asking him to send payment, proof of payment, address info etc etc,. turns out he started sending fake (photoshopped) paypal proof etc, and wanted some stuff sent to an address in Africa,. rrrright.

In either event, you get a phone call,. an email, a letter in the mail.
Always ask yourself, or the person who sent you – why and how did you get this info,. and are you the right person I should reply to?
Or just trash it if it’s too obvious.

CallMeLateForSupper April 12, 2017 10:17 AM

Last year(?) a scammer rang me and prattled on about my computer’s “throwing errors on the internet”. Like one reader remarked above, my scammer tried to convince me that my Windows machine was a mess. I quickly explained to Bangalore Buddy that he was mistaken because my main machine runs OS/2, and then I hung up.

That experience left my feeling giddy; I had been blessed with my first computer fraud call! It put me in mind of The Jerk (Steve Martin) gushing, “The new phone book’s here! I’m SOMEBODY.”

Anselm April 12, 2017 10:23 AM

I had a few sessions with scammers who claim that my computer is infested with viruses and malware. They give me instructions that I find very difficult to follow because on my screen I can’t locate any of the menu items and icons they want me to click on. They are driven to near-desperation because none of the spyware-type programs they want me to install and start seem to run on my computer. After a while I ask them whether they really know anything about computers at all since apparently their “expert” efforts don’t actually lead anywhere. Are they sure they are qualified support technicians? Will they finally get on with what they’re doing since I don’t have all day? I get more and more annoyed with them and in the end they hang up.

Now, this may all be due to the fact that my computer is running Linux. But of course I have no idea that that might be an issue, and they certainly never ask, or I’d tell them.

Ergo Sum April 12, 2017 10:47 AM

@Thom…

What right minded person would voluntarily allow a remote user access to their pc in the first place?

Obviously there’s different levels of idiocy,. but sadly i fear these scams mostly target the inept and elderly. :/

The scarware delivery mechanism, mostly malwertisement, does not differentiate between different age groups and/or the level of idocy. I am certain that if they could, they would be doing it already. There’s no control on whose system will receive the scareware and whose won’t…

People with limited computer knowledge and the fear of loosing their system and/or data are the primary victims for scareware. Falling for it does not mean that they reside low on the levels of idiocy, it just means they have very limited knowledge in this area that exploited by the scammer at hand.

Within less of a week, I’ve encountered scareware twice. Once from my client, who called me and reported the scareware. It took some times to return the call and she was really nervous. She did not want to loose her clients’ data and she was close to to call the number on the screen. Yes, she does have offline daily backup for system and data rotated on a standard schedule. This person is not inept or elderly, well, maybe the person’s computer knowledge inept…

Four days later, my own system popped up a scareware in the browser. I’ve promptly listened to the voice and called the number on the screen… NOT! 🙂 Instead, I captured the image, called over my partner and showed the screen, killed the browser session and dumped the browser cache.

Scareware is not programmed to judge people, it just hopes to reach out and scare someone….

Spaceman Spiff April 12, 2017 12:39 PM

I love to get these calls, and then lead them on – never letting them have access to my computers of course, but then I only have Linux systems, and my wife Apple systems. Some of my colleagues have installed Windows in virtual machines for these knuckleheads to futz with. Heck, I don’t want them anywhere near my network!

Clive Robinson April 12, 2017 3:05 PM

I’ve yet to receive any unsolicited phone calls from “The land of the sweatypour TecSup scammer”, which might make me unique 😉

Not that they could “help” me as I’ve mentioned in the past I don’t connect mutable PC systems to the Internet as standard policy, and where I do have to make a connection to “download” I use what is effectively an “immutable” system with an older 486 based motherboard and “Real ROM” only BIOS and IO hardware with an older CD drive that likewise has “Real ROM”.

For those that want to do likewise, you are probably way to late to get a PC that lacks “Flash ROM” which is sadly mutable by rouge software. However if you have a hunt around you will still find PC104 embedded boards made for industrial control systems and those designing “Space Qualified” CubeSat systems, though they are by the time you put them together a tads expensive (around $500 is the cheapest you will pay).

However the question you should ask is “what price security”?

A cheaper option for all those that are not “Persons of Interest” to a national SigInt agency is to build a minimal system with next to no IO no harddrive or other mutable storage and a couple of realy cheap all in one motherboards. If the PC starts to “act odd” just pull the motherboard, swap the CPU and RAM onto your reserve motherboard and if the problem disapears, punt the motherboard onto sombody else second hand, and use the cash as part payment for your next reserve motherboard. If the problem does not disappear then change the minimal IO. I’ve built a couple of such systems for other people and so far they’ve not had to use the reserves due to malicious code, just the occasional cheap hardware early death and the swap fix was less than $100.

If you are more confident about your abilities you can also download in advance BIOS reflash for the all in one motherboards and reflash the motherboard if you suspect problems. However the only time I’ve reflashed a motherboard was when the motherboard manufacturer came out with an update.

As for stringing the scamers along, I used to get moronic “financial services” types calling along with the double glazing sales bods and market researchers. The number they called was one I only used for outgoing calls so had never given the number to anyone. After stringing a couple along you realised they were “working to a script” thus you did not actually have to speak to them other than give them phoney info to get them into their script. Then all that surficed was an audio recording that made an electrical scratching or drill noise and then you would say “I’m terribly sorry but I missed what you said due to that noise, could you please start again” and a couple of variations, you just leave it on an endless loop until they hang up.

Unfortunatly they have a habit of calling back again later which is tedious and a friend who had a PC based VoIP system found that a push of a button audio recording of a screaming totally enraged and frenzied person, not even pausing for breath calling them “illigitiamte”, “ladies of negotiable virtue”, “the offspring of satan / a camal / dung heap”, “questioning their ability to procrate” etc etc –but in less temperate words– generally not only got them to ring off fairly quickly, but also mark his entry in their call database with a “Do not call foul language” flag, thus you did not get repeate calls… As my friend pointed out if they are daft enough to call back there was plenty more where that came from. His view was that you would demoralize them slightly and potentialy put them off their game on the next call or with luck seek alternative employment or maybe even top themselves.

Steve Porter April 12, 2017 6:14 PM

I LOVE these guys! Time permitting, I try to sound like a general end-user and will tell them I’m booting my machine. While I’m stringing them along, I inquire about which of the Reverse-DNS search tools they are using, as I don’t know of any that associate my ISP-provided DHCP address with my telephone number, and that I’d really like to start my own tech support business. Of course, most of them hang up by now, so we haven’t yet arrived at how they want me to perform their requested tasks on Linux… (sigh).

r April 12, 2017 8:05 PM

I couldn’t even tell you how many times I’ve had to fix somebody’s home computer just to find some sort of skinned tech support popup/overlay and a zipfile with teamviewer in it… There’s no competing against this kind of blanket parasitism, especially when you try to explain how they got there how they found them and what they brought with them… ‘The customer is always right’ and cleaning up after these entities when the client really and truly believes that they’re helping at $180 an hour requires more Aspirin than I can afford, thank you for sharing this paper.

Dan H April 13, 2017 9:18 AM

I regularly use Plan 9 and OS/2 (eComStation) instead of the virus prone Windows and Linux operating systems.

John E. Quantum April 13, 2017 2:35 PM

I’m always quite happy to take calls from these people, especially the ones from Microsoft. They can never get past helping me with the fact that all my icons are upside down, since that problem doesn’t seem to be addressed in their script.

John Galt April 13, 2017 11:49 PM

@ John Quantum

[[[ I’m always quite happy to take calls from these people, especially the ones from Microsoft. They can never get past helping me with the fact that all my icons are upside down, since that problem doesn’t seem to be addressed in their script. ]]]

Upside down Icons! LOL.

I’ll remember that one.

Nick P April 14, 2017 10:23 AM

@ Bruce

Far as support scams, this demo is hands-down by favorite. That woman is devilishly effective. The attack was so simple & yet I knew it would work the second it started. Exploits psychology of listener plus a believable situation where they’re supposed to be empathetic.

Dirk Praet April 14, 2017 11:03 AM

The simplest way to deal with these clowns is to just hang up the phone. Or reply “p*nis” to every question they ask.

@ Thom

What right minded person would voluntarily allow a remote user access to their pc in the first place?

It’s the same as asking why anyone in his right mind would have unsafe sex with a stranger. Still it happens all the time. Even the suggested remedies are kinda similar. The paper talks about user awareness and education by both private and public sector, and a sort of panic button in every browser to shut it down cleanly and forget about all current tabs and cookies. For the Quagmires among us, the former is the same, whereas the equivalent of the latter would be thinking about Dianne Feinstein.

@ Dan H

I regularly use Plan 9 and OS/2 (eComStation) …

Good luck using Abaco or Charon for rendering (most of) today’s web pages. I would however love to get my hands on an eComStation VM and take it for a spin. You wouldn’t happen to know where I can find one?

Dan H April 14, 2017 10:18 PM

@Dirt Praet

I don’t know where you could find an eCS VM for testing, but they offer a trial license. Also, Arca Noae is a company founded in 2014 who signed a deal with IBM to release the next version of OS/2 which will be named ArcaOS 5.0. The release date is tentatively April 15, 2017.

You’re correct about Abaco and Charon, however, linuxemu3 will run 386 Linux binaries if you want to run XMMS, Mozilla, Opera, mplayer, etc., on Plan 9. It can be a little slow, but it works fairly well.

JJ April 15, 2017 8:37 PM

@Nick P

Far as support scams, this demo is hands-down by favorite. That woman is devilishly effective.

as usual,another quality offering from Nick P thank you.
rather than being exclusively social engineering (depending on your definition) it is worth noting she does spoof the number to begin with. This isn’t my area of expertise but, unless there’s a skiddie plugin to spoof like that, wouldn’t it be a moderately significant obstacle for many? calling from a verified phone number is a reliable data point for the comms centre

Tony Pelliccio April 24, 2017 8:42 AM

I have never gotten one of these requests. But I do love the folks who setup honeypots and record it for YouTube posterity.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.