Ahhh, the sweet smell of revenge! Nothing like unleashing some ransomware on those tech support scammers, eh?
However, fortunately for them, there aren’t hours enough in the day to turn the tables on the swindlers and social-engineer their pants off.
Unless, that is, you’re talking about researchers at Stony Brook University, who recently cooked up a robot to automatically crawl the web finding tech support scammers and figuring out where they lurk, how they monetize the scam, and what software tools they use to pull off their dastardly deeds.
That tool is called RoboVic. It’s short for Robot Victim, and it’s just one aspect of an unprecedented dive into tech support scams undertaken by two Stony Brook U. PhD candidates – Najmeh Miramirkhani and Oleksii Starov – under advisor Nick Nikiforakis.
Over the course of the study, they used RoboVic to discover hundreds of phone numbers and domains used by the scammers. And then, they jumped on the phone themselves, chatting with 60 scammers to determine what social engineering techniques they use to weasel money out of victims.
As they describe in their paper, titled Dial One for Scam (PDF), the researchers conducted this first-ever systematic study of tech support scams, and the call centers they run out of, partly to find out how users get exposed to these scams in the first place.
The answer: malvertising. In order to train RoboVic to find tech support scam pages, the researchers took advantage of the fact that the scams are often found on domain squatting pages.
Those are the pages that take advantage of typos we make when typing popular domain names. For example, a scammer company will register a typosquatting domain such as twwitter.com.
Domain parking companies have registered tens of thousands of similar, misspelled sound-alikes of popular domain names. Studies have shown that visitors who stumble into the typosquatting pages often get redirected to pages laced with malware, while a certain percentage get shuffled over to tech support scam pages.
Once there, a visitor is bombarded with messages saying their operating system is infected with malware. Typically, the site is festooned with logos and trademarks from well-known software and security companies or user interfaces.
A popular gambit has been to present users with a page that mimics the Windows blue screen of death. You’re a Mac user, you say? No cause for worry? Unfortunately, that’s flat-out wrong. Crooks have recently trained their sights on you, too, notes fellow Naked Security writer Paul Ducklin of Sophos:
This isn’t just about the keywords “Microsoft” and “Windows” any more. A year or two ago, almost all the reports we received from readers involved the crooks claiming close affiliation with Microsoft, which became a well-known indicator that the call was false.
Recently, however, readers have reported phone scams where the callers align themselves with “Apple” and “iCloud” instead. This not only avoids the red alert word “Microsoft”, but also casts the net of prospective victims even wider, given the range of different platforms where people use their iCloud accounts.
Beyond spooking visitors with their bogus alerts, tech support pages will wrap them up in intrusive JavaScript so they can’t navigate away. For example, they’ll constantly show alert boxes that ask the intended prey to call the tech support number. As the researchers describe, other techniques include messing with a user’s attempt to close the browser tab or navigate away from the site by hooking into the onunload event.
Feeling stuck like a fly in a web, a naive user will call what’s often a toll-free number for “help” with the “malware infection”. The person on the other end of the line will instruct the caller to download remote desktop to allow the remote “technician” to connect to their machine. That gives the crook complete control over the victim’s computer. At that point, perfectly innocent system messages will be interpreted as dire indications of infection.
Sure, we can fix it, they’ll say, once the hook is set. The price typically ranges in the hundreds of dollars, the researchers found, with the average price for a “fix” being $290.90.
Some of the many interesting findings from the eight-month study:
- These scammers register thousands of low-cost domain names, such as .xyz and .space, which play off the trademarks of large software companies.
- They use content delivery networks in order to get free hosting for their scams.
- The scammers are abusing 15 telecommunication providers, but four telecoms are responsible for the lion’s share – more than 90% – of the phone numbers the researchers analyzed.
- The fraudsters are actively evading dynamic-analysis systems located on public clouds.
- The profits: making use of publicly exposed webserver analytics, the researchers estimated that just for a small fraction of the monitored domains, scammers are likely to have made more than $9m.
- These guys take their time reeling us in. The average call duration was 17 minutes.
- They use only a handful of remote administration tools (81% of all scammers used one of two software tools). Their favorites include LogMeIn Rescue, CITRIX GoToAssist and TeamViewer.
- Scammers use more than 12 techniques to convince users their systems are infected, such as stopped services and drivers.
- Scammer call centers are estimated to employ, on average, 11 tech support scammers.
By the way, in case you’re wondering, the researchers emphatically did not pay these scammers:
We chose not to pay scammers primarily for ethical reasons. As described [elsewhere in the study], the average amount of money that a scammer requests is almost $300. To get statistically significant numbers, we would have to pay at least 30 scammers and thus put approximately $9,000 in the hands of cybercriminals, a fraction of which would, almost certainly, be used to fund new malvertising campaigns and attract new victims.
The researchers suggest that to keep the public safe from these swindlers, we’re going to need more public education – with broader use of public service announcements, for example – and some help from browser makers.
As it is, desperate users who can’t navigate away from these pages often try rebooting. Browsers that remember open tabs will just deposit the victims right back in that hell hole, though. The researchers suggest that browser makers might want to help them out by adopting a universal panic button: a shortcut for users feeling threatened by a webpage.
That’s good stuff. But our advice is even simpler: if you find yourself trapped by one of these scam pages, don’t call that number. As we’ve said before with regards to unsolicited tech support calls, there’s nothing useful to hear, and nothing useful to say.
FreedomISaMYTH
I would like to see the average age of the user that gets scammed…
my grandmother got hit by this even though I warned her and she ended up shelling out nearly $1,000 before she called me and admitted the mistake. She got a pop-up on her iPad and called the number, gave them remote access to her Windows 10 PC (with admin, even though her daily account does not have admin access). I preached and preached to her not to call any numbers like that and never give anyone remote access… but they talked her into it. Even after I go involved and rebuilt the PC she would get calls and they made her “feel bad” that she didn’t trust them… even though i told her to block the number.
What I am saying is that even with plenty of “public education” it may not matter… the older generations are susceptible regardless.
I did track down the scammer to Arizona and the call center was in India. The ring leader was involved with selling fake jewelry in Malls throughout the 90s in Texas/Arizona… so he’s a scammer for life, you can take away one scam but he will find another. Scum!
Lisa Vaas
Oh, your poor, sweet grandmother! Scum INDEED. It might sound odd to think of these are benefits, but my elderly mom’s deficits—deafness and lack of a computer—keep her safely tucked away from these scumbags, be they tech support scammers or plain old-style phone scammers. At any rate, you’re right about the inadequacy of PSAs. It’s really up to us to intervene in whatever ways we can to protect elders or others, of any age, who tend to be naive.
Vog Bedrog
My teenage niece fell for one of these hook, line, sinker, rod, reel, bucket, and copy of ‘Anglers Quarterly’. While I see plenty of elderly victims through my work, I think technical knowledge and susceptibility to panic when presented with a problem are the real determining factors (they just tend to align conveniently with age). I agree that public education is barely a factor at all.
Faridah Abdullah
Thank you for your alert advise.I hope from time to time these scamer get caught and put in jail until they lose their mind like the living dead.All scamer property should be taken by the goverment international body in fighting against scamer.Thank you
A name
The “universal panic button” is Ctrl+W. It closes the tab on the three major modern browsers: chrome, edge, and Firefox.
Paul Ducklin
Not *entirely* universal – it’s Wacky-W (where “wacky” is the Command key, the one with the weird quatrefoil icon on it) on macOS…
Jim
A universal “panic button” would be a god-send. Something like ctrl-alt-del used to be.
Another would be saving browser settings at startup (of the browser). A panic button should cause the browser to ask if it should go back to the backup (and include a time stamp and reason). That way, if the scammers already changed your home page, it could be put back the way it was.
Jim
Another thing that would be really useful: Easier access to Edge’s settings. You can get to IE’s settings via Control Panel. But, I couldn’t find a way to get to Edge’s settings without bringing up Edge.
Saim locus
Thank you so much for this.If you want to open a new tab in Google, Firefox and other then you use the key shortcut is (ctrl+t).
techzone270
I got this on my android phone, and I suddenly turned off my wi-fi thinking for not get downloaded anything malicious.
I clicked okay and it brought me to a page which I did not even read because
I panicked at that point (I was not expecting any new page to appear because the wi-fi was off).
So I clicked out of the window before I could think straight, and I don’t even know what it said
. Is it possible that they have installed anything on my phone or stolen any information? I am usually careful about these things but I lost my mind that dayThis is for those who are still not aware much about these scams.
So be careful and stay protected
Need Help
Hey, I am reading this. And it happens yesterday to me, something similar about what you are talking about. I got nervous with the pop up and called the number.
I got their service and their install malware and spyware etc in my computer.
Really, it was a weird feeling but i don’t know why I did believe. They told me that McAfee antivirus is not compatible with my computer and showed me that in the program properties and they installed the tools I should have for protection. I paid them 149,99$.
I have to travel tomorrow, and I need to take my computer. Really the pop up and alert, which seemed from Microsoft, afraid me and for that I called the number…and then I didn’t get out of it… My computer is working now. But because everything was so weird, I was now trying to check about this company/service. And when I read this article I am too confuse.
Tomorrow I start travelling, and I don’t have time to go to police or call the bank… and after tomorrow I will be in other country …. So, what i should do?
and I don’t know what to do. What should be the steps to follow after you have been calling and using their remote service?
More scares me is my bank account, because I don’t know what they have or not?
And how I know that even when they are out of my computer that they are not still having access to it? What I should do?
Any help please?