The scam starts with a warning on your computer—a shamelessly fake one, often imitating a blue screen of death or a blinking malware alert. It informs you that your PC suffers from a smorgasbord of security problems, ranging from stolen credit cards to breached family photos to stalkers watching you through your webcam. And it offers a toll-free number for a “Microsoft” support line.

You probably (hopefully) know better than to dial that number. But three security researchers from the State University of New York at Stony Brook did it anyway. Again and again, for hours on end, they played out the full racket, calling actual human tech-support scammers who patiently, fraudulently “analyzed” their computers’ security via a remote connection. Each time, they found it supposedly infected with viruses and spyware, and offered a cleanup for a fee—on average around $300.

What they found, after all those calls? The disturbing scale of those so-called “tech support” scams. And, the team hopes, some clues about how to prevent more vulnerable marks from getting bilked by the call centers that carry them out.

1-800-SCAMMERS

At the Network and Distributed Systems Security Symposium two weeks ago, the Stony Brook team showed how they mapped out those fraudulent tech support call schemes more thoroughly than ever before. Using an automatic web-crawling tool, they visited tens of thousands of the web pages that ensnare victims in the scam. And then they went further, actually dialing 60 of those numbers, and spending a total of more than 22 hours on the phone with the scammers, pretending to be victims to hear the fake IT help desks’ entire scripts.

Their research offers new measurements of the scope of those scams, which count revenue in the tens of millions of dollars. It provides methods for identifying the largest scam call centers. And it hints that the best way to attack the problem may be preventing scammers from generating new phone lines.

“We wanted to know how big this scam was, how do scammers reach people, and when they get them on the phone, how do they convince them” to spend hundreds of dollars on fake malware fixes, says Nick Nikiforakis, the Stony Brook computer science professor who led the team’s research. “This was a way to find tech support scams automatically at scale and to understand their anatomy.”

As part of that analysis, the three researchers each called 20 of the scam lines and recorded the results. Three example recordings are embedded below, as is the full paper, which includes in its appendix two of the call transcripts.

Bad Support

The team found that the scammers followed a very predictable series of steps: First, they said they needed to learn more about the malware that had supposedly triggered the browser alert. They then asked the victim to visit a website, download a remote administration tool, and give the scammer access so that they could run “tests” on the machine. (To avoid giving themselves away to the scammers who connected to their PCs, the researchers invited them to connect to fake virtual machines they’d pre-populated with enough software to look realistic.)

“It was very stressful. You’re interacting with a person you’re lying to for 20 minutes, and you know they’re lying to you, too,” says Nikiforakis. “They were scamming us, and we were scamming them in the name of science.”

Once connected, the scammers would click around the would-be victim’s computer and ask about recent usage, implying that whatever the caller had done had led to the machine’s corruption. They’d praise the computer’s underlying hardware, to give the victim a sense that cleaning up its infections would be worth the money. Then they’d point to entirely normal but obscure features of the operating system—listing Windows’ “stopped” services, Netstat scans, Event Viewer, and so on—as evidence of malware or hacker intrusions. Finally, they’d tell the victims about pricing plans for cleanup services, which averaged $291.

The researchers also traced the IP addresses of the remote administration tools the scammers used, which provided an educated guess at where they were based: 85 percent were in India, a logical location given its relatively low wages and English-speaking population. Another 10 percent were in the United States, and the remaining five percent were in Costa Rica.


Those calls, and the pricing data they generated, were only one component of the study. To find as many of the scam sites as possible, the researchers built a software tool they called “ROBOVIC” (or “robotic victim”) to automatically visit millions of websites in search of tech-support scam pages. They targeted their crawler in particular at misspellings of popular websites—knowing that scammers often create “typosquatting” pages that impersonate legitimate sites—and certain URL shorteners that show spammy ads to visitors.

Out of five million pages it visited, ROBOVIC discovered about 22,000 tech support scam pages hosted at roughly 8,700 domains. By a stroke of luck, they found that an Apache module in 142 of those pages exposed traffic-counting code, allowing the researchers to estimate how many visitors those pages received. Since prior research on fake antivirus scams indicates that about two percent of people fall for similar traps, the team estimated that the domains each took in about $2,000 a day.

By periodically visiting the scam sites, they also learned how long those pages stayed online before disappearing—likely as domain-hosting companies discovered the fraud and removed them. About 70 percent survived for between one and three days, though about 7 percent lasted well over a month. Based on all of that data taken together, the researchers roughly estimated that the scam domains they discovered made about $75 million a year. But given that they’ve likely found only a fraction of the scam sites and didn’t track the total number of campaigns creating them, they don’t claim to have an estimate for the entire tech-support scam industry.

Getting Ahead of It

The researchers’ work provided a few ideas about how authorities can prevent tech support scams, or at least render them less profitable. They found that the 22,000 pages used just over 1,600 phone numbers among them, mostly sourced from VoIP services like Twilio, WilTel, RingRevenue, and Bandwidth. Encouraging those services to ban known fraud numbers could offer a pressure point. “If you blacklist numbers, you can make the scam more expensive,” Nikiforakis says.

They also suggest two methods for estimating the effectiveness of various call-center operations, to better prioritize law enforcement’s response. Gathering data about the number and length of calls to a certain call center should sniff out the most lucrative schemes, the researchers argue. To that end, they conducted a second experiment in which 20 volunteers dialed into a call center simultaneously. The Stony Brook team then counted how many were put on hold, to estimate the operation’s overall capacity.

All of those tactics are more than theoretical. Nikiforakis presented the Stony Brook study at the Federal Trade Commission last year, and the FTC is actively taking on the scammers. The commission sued one Florida call center, extracting a $10 million ruling in December. “Before you can stop these scams, you have to really understand how they work,” says Lorrie Cranor, who was resident technologist at the FTC at the time of Nikiforakis’ visit. “This research really maps that out nicely.”

Beyond law enforcement raids and phone number blacklists, Nikiforakis says that education could solve the tech support scam most effectively of all. Victims need to learn to spot online virus infection warnings as fraud, long before they start a 20-minute phone call with a fake help-desk grifter.

“Don’t trust what your browser tells you about the safety and security of your system,” says Nikiforakis. “People need to understand there’s no legitimate scenario where your computer will start beeping and ask you to call a toll-free number.”
