
How tech support scammers have made millions of dollars

Discussion in 'BlackHat Lounge' started by Asif WILSON Khan, Apr 20, 2017.

  1. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Jr. VIP

    Ahhh, the sweet smell of revenge! Nothing like unleashing some ransomware on those tech support scammers, eh?

    However, fortunately for them, there aren't hours enough in the day to turn the tables on the swindlers and social-engineer their pants off.

    Unless, that is, you're talking about researchers at Stony Brook University, who recently cooked up a robot to automatically crawl the web finding tech support scammers and figuring out where they lurk, how they monetize the scam, and what software tools they use to pull off their dastardly deeds.

    That tool is called RoboVic. It's short for Robot Victim, and it's just one aspect of an unprecedented dive into tech support scams undertaken by two Stony Brook U. PhD candidates - Najmeh Miramirkhani and Oleksii Starov - under advisor Nick Nikiforakis.

    Over the course of the study, they used RoboVic to discover hundreds of phone numbers and domains used by the scammers. And then, they jumped on the phone themselves, chatting with 60 scammers to determine what social engineering techniques they use to weasel money out of victims.

    As they describe in their paper, titled Dial One for Scam (PDF), the researchers conducted this first-ever systematic study of tech support scams, and the call centers they run out of, partly to find out how users get exposed to these scams in the first place.

    The answer: malvertising. In order to train RoboVic to find tech support scam pages, the researchers took advantage of the fact that the scams are often found on domain squatting pages.

    Those are the pages that take advantage of typos we make when typing popular domain names. For example, a scammer company will register a typosquatting domain such as twwitter.com.

    Domain parking companies have registered tens of thousands of similar, misspelled sound-alikes of popular domain names. Studies have shown that visitors who stumble into the typosquatting pages often get redirected to pages laced with malware, while a certain percentage get shuffled over to tech support scam pages.

    Once there, a visitor is bombarded with messages saying their operating system is infected with malware. Typically, the site is festooned with logos and trademarks from well-known software and security companies or user interfaces.

    A popular gambit has been to present users with a page that mimics the Windows blue screen of death. You're a Mac user, you say? No cause for worry? Unfortunately, that's flat-out wrong. Crooks have recently trained their sights on you, too, notes fellow Naked Security writer Paul Ducklin of Sophos:

    This isn't just about the keywords "Microsoft" and "Windows" any more. A year or two ago, almost all the reports we received from readers involved the crooks claiming close affiliation with Microsoft, which became a well-known indicator that the call was false.

    Recently, however, readers have reported phone scams where the callers align themselves with "Apple" and "iCloud" instead. This not only avoids the red alert word "Microsoft", but also casts the net of prospective victims even wider, given the range of different platforms where people use their iCloud accounts.

    Beyond spooking visitors with their bogus alerts, tech support pages will wrap them up in intrusive JavaScript so they can't navigate away. For example, they'll constantly show alert boxes that ask the intended prey to call the tech support number. As the researchers describe, other techniques include messing with a user's attempt to close the browser tab or navigate away from the site by hooking into the onunload event.

    Feeling stuck like a fly in a web, a naive user will call what's often a toll-free number for "help" with the "malware infection". The person on the other end of the line will instruct the caller to download remote desktop to allow the remote "technician" to connect to their machine. That gives the crook complete control over the victim's computer. At that point, perfectly innocent system messages will be interpreted as dire indications of infection.

    Sure, we can fix it, they'll say, once the hook is set. The price typically ranges in the hundreds of dollars, the researchers found, with the average price for a "fix" being $290.90.

    Some of the many interesting findings from the eight-month study:

    • These scammers register thousands of low-cost domain names, such as .xyz and .space, which play off the trademarks of large software companies.
    • They use content delivery networks in order to get free hosting for their scams.
    • The scammers are abusing 15 telecommunication providers, but four telecoms are responsible for the lion's share - more than 90% - of the phone numbers the researchers analyzed.
    • The fraudsters are actively evading dynamic-analysis systems located on public clouds.
    • The profits: making use of publicly exposed webserver analytics, the researchers estimated that just for a small fraction of the monitored domains, scammers are likely to have made more than $9m.
    • These guys take their time reeling us in. The average call duration was 17 minutes.
    • They use only a handful of remote administration tools (81% of all scammers used one of two software tools). Their favorites include LogMeIn Rescue, CITRIX GoToAssist and TeamViewer.
    • Scammers use more than 12 techniques to convince users their systems are infected, such as stopped services and drivers.
    • Scammer call centers are estimated to employ, on average, 11 tech support scammers.
    By the way, in case you're wondering, the researchers emphatically did not pay these scammers:

    We chose not to pay scammers primarily for ethical reasons. As described [elsewhere in the study], the average amount of money that a scammer requests is almost $300. To get statistically significant numbers, we would have to pay at least 30 scammers and thus put approximately $9,000 in the hands of cybercriminals, a fraction of which would, almost certainly, be used to fund new malvertising campaigns and attract new victims.

    The researchers suggest that to keep the public safe from these swindlers, we're going to need more public education - with broader use of public service announcements, for example - and some help from browser makers.

    As it is, desperate users who can't navigate away from these pages often try rebooting. Browsers that remember open tabs will just deposit the victims right back in that hell hole, though. The researchers suggest that browser makers might want to help them out by adopting a universal panic button: a shortcut for users feeling threatened by a webpage.

    That's good stuff. But our advice is even simpler: if you find yourself trapped by one of these scam pages, don't call that number. As we've said before with regards to unsolicited tech support calls, there's nothing useful to hear, and nothing useful to say.



    SOURCE: https://nakedsecurity.sophos.com/2017/04/19/how-tech-support-scammers-have-made-millions-of-dollars/
     
    • Thanks Thanks x 10
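    The browser-trapping tricks the article lists (onunload hooks, looping alert boxes, scare text with stacked brand names, a toll-free number to call, a host that is a typo of a popular domain) are exactly the signals a crawler or a mail/web gateway can score pages on. The Python below is an added example written for this thread, not RoboVic or any code from the Stony Brook paper; the sample pages, the 555 phone numbers, the brand lists, the weights and the cut-off are all constructed for illustration.

```python
"""Heuristic scorer for tech-support-scam landing pages.

Added example, not RoboVic or the Stony Brook paper's code. It checks a page for
the indicators the article describes: onunload/onbeforeunload trapping, alert
loops, scare wording, stacked brand names, a toll-free call-to-action, and a host
that is a typo of a popular domain. Sample pages, numbers and weights are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# JavaScript that fights navigation away from the page (article: onunload hooks).
UNLOAD_HOOK = re.compile(
    r"\bon(?:before)?unload\b|addEventListener\(\s*['\"](?:before)?unload['\"]", re.I)
# An alert()/confirm() next to a repeating construct (article: constant alert boxes).
ALERT_CALL = re.compile(r"\b(?:alert|confirm)\s*\(")
REPEATER = re.compile(r"\bsetInterval\s*\(|\bwhile\s*\(\s*(?:true|1)\s*\)")
# North American toll-free prefixes, loosely formatted (article: toll-free numbers).
TOLL_FREE = re.compile(
    r"(?<!\d)1?[-. ]?\(?(?:800|833|844|855|866|877|888)\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")
# "Your computer is infected", "do not close", "call now" style scare text.
SCARE_TEXT = re.compile(
    r"your (?:computer|pc|mac|system) (?:is|has been) (?:infected|blocked|compromised)"
    r"|do not (?:close|restart|shut ?down)|call (?:now|immediately|toll[- ]free)", re.I)
BRANDS = ("microsoft", "windows", "apple", "icloud", "norton", "mcafee")
# Popular domains whose typos the article cites (twwitter.com); list is illustrative.
BRAND_DOMAINS = ("twitter.com", "facebook.com", "youtube.com", "google.com",
                 "microsoft.com", "apple.com")
WEIGHTS = {"unload_hook": 2, "alert_loop": 2, "toll_free_number": 1,
           "scare_text": 1, "brand_names": 1, "typosquat_host": 1}
THRESHOLD = 4  # constructed cut-off: a single weak indicator is not enough


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_target(host: str):
    """Brand domain that `host` is a one- or two-edit typo of, else None."""
    host = host.lower().removeprefix("www.")
    for brand in BRAND_DOMAINS:
        if 1 <= edit_distance(host, brand) <= 2:
            return brand
    return None


@dataclass
class Report:
    url: str
    indicators: dict
    score: int
    verdict: str


def analyze(url: str, html: str) -> Report:
    """Score one fetched page; this is a triage verdict, so keep the indicators too."""
    host = urlparse(url).hostname or ""
    lowered = html.lower()
    indicators = {
        "unload_hook": bool(UNLOAD_HOOK.search(html)),
        "alert_loop": bool(REPEATER.search(html) and ALERT_CALL.search(html)),
        "toll_free_number": bool(TOLL_FREE.search(html)),
        "scare_text": bool(SCARE_TEXT.search(html)),
        "brand_names": sum(b in lowered for b in BRANDS) >= 2,
        "typosquat_host": typosquat_target(host) is not None,
    }
    score = sum(WEIGHTS[k] for k, hit in indicators.items() if hit)
    verdict = "likely tech-support scam" if score >= THRESHOLD else "no strong indicators"
    return Report(url, indicators, score, verdict)


# Constructed sample pages (not real sites; 555 numbers are reserved for fiction).
SCAM_URL = "http://twwitter.com/"
SCAM_HTML = """<html><body>
<h1>Microsoft Windows Security Alert</h1>
<p>Your computer has been infected with spyware. Do not close this window.
Call now toll-free 1-888-555-0142.</p>
<script>
window.onbeforeunload = function () { return "Do not close"; };
setInterval(function () { alert("Your computer is infected! Call 1-888-555-0142"); }, 2000);
</script></body></html>"""
BENIGN_URL = "https://www.example.com/support"
BENIGN_HTML = """<html><head><title>Support</title>
<script>document.addEventListener("DOMContentLoaded", init);</script></head>
<body><p>Need help? Email support@example.com or call 1-888-555-0199
during business hours.</p></body></html>"""

if __name__ == "__main__":
    for url, html in ((SCAM_URL, SCAM_HTML), (BENIGN_URL, BENIGN_HTML)):
        r = analyze(url, html)
        print(f"{r.url}: score {r.score} -> {r.verdict}")
        print("   ", {k: v for k, v in r.indicators.items() if v})
```

    The two JavaScript indicators carry double weight because a legitimate support page has no reason to hook unload or loop alert boxes, whereas a toll-free number or a brand name on its own is common on honest pages. Feed it the URL and body of each page a crawler fetches and route anything over the threshold to a blocklist review; the typosquat check is also the cheap place to add your own organisation's domains.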
  2. The Curator

    The Curator Senior Member

  3. Ozzyzig

    Ozzyzig Jr. VIP Jr. VIP

    Awesome post. I had actually mistyped a domain before and was taken to a page that said there was a high level of corruption on my Mac OSX install. Knowing it was total BS, I phoned them up and asked them how they could detect this when I was running on Windows 7. The responses they were giving me were hilarious. Apparently Apple is secretly owned by Microsoft and that's what triggered their system. The cost to fix the issues that I wasn't even having was going to be £600. When I was on my summer holidays from Uni back in the day, I'd routinely phone these scammers up for a laugh. The way that I looked at it was that they were using a freephone number, so if I was holding them up on the phone, other people wouldn't be getting scammed.

    It just sucks big time for those that are properly duped by these scamming bandits.
     
  4. davids355

    davids355 Jr. VIP Jr. VIP

    Interesting stuff.
     
  5. MakeGreenM8

    MakeGreenM8 Jr. VIP Jr. VIP

    Haha I just put them on hold and play Rucka Rucka Ali songs. I tell them I need to find my password to login to my computer... please hang on a sec(in a confused old man voice). And just keep working. I got one to stay on for 18 minutes.

    Then they swear at me and I just turn up the speakers.
     
    • Thanks Thanks x 1
  6. dawniey

    dawniey Junior Member

    Create a Yt channel
    Record it all
    Put it on your channel
    =xxxx $ month
    This shit is really popular
    Do ~15 min vids put ads every 3 min
     
    • Thanks Thanks x 1
  7. darulez

    darulez Jr. VIP Jr. VIP

    why do I get the strange feeling that some of the dudes I met in summer 2016 on my MP-OGADS-IG journey would know those guys...

    blackhat links? ranking s$tes the dark way? I can live with that.
    scamming people, not for me
     
    • Thanks Thanks x 1