Technical support scam

Example of a technical support scam popup

A technical support scam, or tech support scam, is a type of fraud in which a scammer claims to offer a legitimate technical support service. Victims contact scammers in a variety of ways, often through fake pop-ups resembling error messages or via fake "help lines" advertised on websites owned by the scammers. Technical support scammers use social engineering and a variety of confidence tricks to persuade their victim that problems exist on their computer or mobile device, such as a malware infection, when the device has no issues at all. The scammer then persuades the victim to pay to fix the fictitious "problems" they claim to have found. Payment is made to the scammer through channels that are hard to trace and carry fewer consumer protections that could allow the victim to reclaim their money, usually gift cards.

Technical support scams have occurred as early as 2008. A 2017 study of technical support scams found that of the IPs that could be geolocated, 85% could be traced to locations in India, 7% to locations in the United States and 3% to locations in Costa Rica. Research into tech support scams suggests that millennials and those in generation Z have the highest exposure to such scams; however, senior citizens are more likely to lose money to them. Technical support scams were named by Norton as the top phishing threat to consumers in October 2021; Microsoft found that 60% of consumers who took part in a survey had been exposed to a technical support scam within the previous twelve months. Responses to technical support scams include lawsuits brought against companies responsible for running fraudulent call centres and scam baiting.

Operation

Technical support scams rely on social engineering to persuade victims that their device is infected with malware. Scammers use a variety of confidence tricks to persuade the victim to install remote desktop software, with which the scammer can then take control of the victim's computer. With this access, the scammer may then launch various Windows components and utilities (such as the Event Viewer), install third-party utilities (such as rogue security software) and perform other tasks in an effort to convince the victim that the computer has critical problems that must be remediated, such as infection with a virus. Scammers target a variety of people, though research by Microsoft suggests that millennials and people in generation Z have the highest exposure to tech support scams, and the Federal Trade Commission has found that seniors are more likely to lose money to them. The scammer will urge the victim to pay so the "issues" can be fixed.

Initiation

A Recent Changes page from a MediaWiki site affected by technical support scammers promoting fake "help lines"

Technical support scams can begin in a variety of ways. Some variants of the scam are initiated using pop-up advertising on infected websites or via cybersquatting of major websites. The victim is shown pop-ups which resemble legitimate error messages such as a Blue Screen of Death and freeze the victim's web browser. The pop-up instructs the victim to call the scammers via a phone number to fix the "error". Technical support scams can also be initiated via cold calls. These are usually robocalls which claim to be associated with a legitimate third party such as Microsoft or Apple. Technical support scams can also attract victims by purchasing keyword advertising on major search engines for phrases such as "Microsoft support". Victims who click on these adverts are taken to web pages containing the scammer's phone numbers.

Confidence tricks

Once a victim has contacted a scammer, the scammer will usually instruct them to download and install a remote access program such as TeamViewer, AnyDesk, LogMeIn or GoToAssist. The scammer convinces the victim to provide them with the credentials required to initiate a remote-control session, giving the scammer complete control of the victim's desktop.

After gaining access, the scammer attempts to convince the victim that the computer is suffering from problems that must be repaired, most often as the putative result of malicious hacking activity. Scammers use several methods to misrepresent the content and significance of common Windows tools and system directories as evidence of malicious activity, such as viruses and other malware. These tricks are meant to target victims who may be unfamiliar with the actual uses of these tools, such as inexperienced users and senior citizens. The scammer then coaxes the victim into paying for the scammer's services or software, which they claim is designed to "repair" or "clean" the computer but is actually malware that infects it or software that causes other damage, or does nothing at all.

  • The scammer may direct users to Windows' Event Viewer, which displays a logfile of various events for use by system administrators to troubleshoot problems. Although many of the log entries are relatively harmless notifications, the scammer may claim that log entries labeled as warnings and errors are evidence of malware activity or that the computer is becoming corrupted, and must be "fixed".
  • The scammer may show system folders that contain unusually named files to the victim, such as Windows' Prefetch and Temp folders, and claim that the files are evidence of malware on the victim's computer. The scammer may open some of these files in Notepad, where the file contents are rendered as mojibake. The scammer claims that malware has corrupted these files, causing the unintelligible output. In reality, the files in Prefetch are typically harmless, intact binary files used to speed up certain operations.
  • The scammer may claim that services which are normally disabled ought to be running, when in fact not every service needs to be enabled.
  • The scammer may misuse Command Prompt tools to generate suspicious-looking output, for instance using the tree or dir /s command which displays an extensive listing of files and directories. The scammer may claim that the utility is a malware scanner, and while the tool is running the scammer will enter text purporting to be an error message (such as "security breach ... trojans found") that will appear when the job finishes, or into a blank Notepad document.
  • The scammer may misrepresent values and keys stored in the Windows Registry as being malicious, such as innocuous keys whose values are listed as not being set.
  • The "Send To" Windows function is associated with a globally unique identifier. The output of the command assoc, which lists all file associations on the system, displays this association with the line ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}; this GUID is the same on all versions of Windows. The scammer may claim that this is a unique ID used to identify the user's computer, before reading out the identifier to "verify" that they are a legitimate support company with information on the victim's computer, or claim that the CLSID listed is actually a "Computer Licence Security ID" that must be renewed.
  • The scammer may claim that the alleged "problems" are the result of expired hardware or software warranties, for example, Windows product keys, and coax the victim into paying for a "renewal".
  • The scammer may block the victim from viewing their screen, claiming that it is the result of malware or of a scan being run, and use the time to search the victim's files for sensitive information, attempt to break into the victim's accounts with stolen or stored credentials or activate the webcam and see the victim's face.
  • The scammer may run the netstat command in a terminal/command window, which shows local and foreign IP addresses. The scammer then tells the victim that these addresses belong to hackers that have gained access to their computer.
  • The scammer may claim that a legitimate Windows process such as rundll32.exe is a virus. Often, the scammer will search the web for an article about the Windows process and will scroll to a section saying that the process name can also possibly be part of malware, even though the victim's computer does not contain that malware.
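As an added example that is not part of the original article, the following Python script annotates a constructed sample of `netstat -an` output so that each foreign address is described in plain language; it shows why the rows a scammer points at (a listening socket, loopback traffic, the LAN router, an ordinary HTTPS session) are routine rather than evidence of intruders. The sample rows and the small port table are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed sample of Windows "netstat -an" output; not captured from a real host.
# 1.1.1.1 is a well-known public resolver, used here only as a sample public peer.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED
  TCP    192.168.1.20:52114     1.1.1.1:443            ESTABLISHED
  TCP    192.168.1.20:52120     192.168.1.1:53         TIME_WAIT
  UDP    0.0.0.0:5353           *:*
"""
# A few well-known ports, used to label what kind of traffic a row most likely is.
KNOWN_PORTS = {53: "DNS", 80: "HTTP", 135: "RPC endpoint mapper", 443: "HTTPS", 5353: "mDNS"}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(endpoint):
    """Split an IPv4 'host:port' endpoint; '*:*' (no peer) yields (None, None)."""
    host, _, port = endpoint.rpartition(":")
    if host == "*" or port == "*":
        return None, None
    return host, int(port)

def classify_host(host):
    """Plain-language description of who the foreign address actually is."""
    if host is None:
        return "no peer"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:
        return "no peer (listening socket)"
    if addr.is_loopback:
        return "loopback (this computer talking to itself)"
    if addr.is_private:
        return "private LAN address (router or another local device)"
    return "public address"

def explain_netstat(text):
    """Parse netstat output and annotate each connection row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        service = KNOWN_PORTS.get(fport) or KNOWN_PORTS.get(lport) or "unregistered/ephemeral port"
        rows.append({"proto": proto, "foreign": foreign, "state": state or "-",
                     "peer": classify_host(fhost), "service": service})
    return rows
```

Calling `explain_netstat(SAMPLE_NETSTAT)` returns one annotated dictionary per connection row, which can be printed as a table when walking a user through their own netstat output.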

Payment and impact

The preferred method of payment in a technical support scam is through gift cards. Gift cards are favoured by scammers because they are readily available to buy and have fewer consumer protections in place that could allow the victim to reclaim their money. Additionally, taking payment in gift cards allows the scammers to extract money quickly whilst remaining anonymous. Tech support scammers have also been known to ask for payment in the form of cryptocurrency, cheques and direct bank transfers made through automated clearing house (the latter only gives victims 60 days to recover their funds).

If a victim refuses to follow the scammer's instructions or to pay them, scammers have been known to resort to insulting and threatening their victim to procure payment. Crimes that scammers have threatened to inflict on victims or their families have ranged from theft, fraud and extortion to serious crimes such as rape and murder. Canadian citizen Jakob Dulisse reported to CBC that, upon asking the scammer why he had been targeted, the scammer responded with a death threat: 'Anglo people who travel to the country' (India) were 'cut up in little pieces and thrown in the river.' Scammers have also been known to lock uncooperative victims out of their computer using the syskey utility (present only in Windows versions prior to Windows 10) or third-party applications which they install on the victim's computer, and to delete documents or programs essential to the operation of the victim's computer if they do not receive payment.

Microsoft commissioned a survey by YouGov across 16 countries in July 2021 to research tech support scams and their impact on consumers. The survey found that approximately 60% of consumers who participated had been exposed to a technical support scam within the last 12 months. Victims reported losing an average of 200 USD to the scammers and many faced repeated interactions from other scammers once they had been successfully scammed. Norton named technical support scams as the top phishing threat to consumers in October 2021, having blocked over 12.3 million tech support scam URLs between July and September 2021.

Origin and distribution

The first tech support scams were recorded in 2008. Technical support scams have been seen in a variety of countries, including the United States, Canada, United Kingdom, Ireland, Australia, New Zealand, India and South Africa.

A 2017 study of technical support scams published at the NDSS Symposium found that, of the tech support scams in which the IPs involved could be geolocated, 85% could be traced to locations in India, 7% to locations in the United States and 3% to locations in Costa Rica. India has millions of English speakers who are competing for relatively few jobs. One municipality had 114 jobs and received 19,000 applicants. This high level of unemployment serves as an incentive for tech scamming jobs, which are often well-paid. Additionally, scammers exploit the levels of unemployment by offering jobs to people desperate to be employed. Many scammers do not realise they are applying and being trained for tech support scam jobs, but many decide to stay after finding out the nature of their job, as they feel it is too late to back out and change careers. Scammers are forced to choose between keeping their job and becoming jobless. Some scammers convince themselves that they are targeting wealthy people who have money to spare, which justifies their theft, whilst others see their job as generating "easy money".

Response

Legal action has been taken against some companies carrying out technical support scams. In December 2014, Microsoft filed a lawsuit against a California-based company operating such scams for "misusing Microsoft's name and trademarks" and "creating security issues for victims by gaining access to their computers and installing malicious software, including a password grabber that could provide access to personal and financial information". In December 2015, the state of Washington sued the firm iYogi for scamming consumers and making false claims in order to scare users into buying iYogi's diagnostic software. iYogi was also accused of falsely claiming that it was affiliated with Microsoft, Hewlett-Packard and Apple.

In September 2011, Microsoft dropped gold partner Comantra from its Microsoft Partner Network following accusations of involvement in cold-call technical-support scams. However, the ease with which companies that carry out technical support scams can be launched makes it difficult to prevent tech support scams from taking place.

Major search engines such as Bing and Google have taken steps to restrict the promotion of fake technical support websites through keyword advertising. Microsoft-owned advertising network Bing Ads (which services ad sales on Bing and Yahoo! Search engines) amended its terms of service in May 2016 to prohibit the advertising of third-party technical support services or ads claiming to "provide a service that can only be provided by the actual owner of the products or service advertised". Google announced a verification program in 2018 in an attempt to restrict advertising for third-party tech support to legitimate companies.

Scam baiting

Tech support scammers are regularly targeted by scam baiting: individuals seek to raise awareness of these scams by uploading recordings to platforms like YouTube, to inconvenience scammers by wasting their time, and to protect potential victims.

Advanced scam baiters may infiltrate the scammer's computer, and potentially disable it by deploying RATs, distributed denial of service attacks and destructive malware. Scam baiters may also attempt to lure scammers into exposing their unethical practices by leaving dummy files or malware disguised as confidential information such as credit/debit card information and passwords on a virtual machine, which the scammer may attempt to steal, only to become infected. Sensitive information important to carrying out further investigations by a law enforcement agency may be retrieved, and additional information on the rogue firm may then be posted or compiled online to warn potential victims.

In March 2020, an anonymous YouTuber under the alias Jim Browning successfully infiltrated and gathered drone and CCTV footage of a fraudulent call centre scam operation through the help of fellow YouTube personality Karl Rock. Through the aid of the British documentary programme Panorama, a police raid was carried out when the documentary was brought to the attention of assistant police commissioner Karan Goel, leading to the arrest of call centre operator Amit Chauhan who also operated a fraudulent travel agency under the name "Faremart Travels".

This page was last updated at 2022-06-11 22:27 UTC.

All our content comes from Wikipedia and under the Creative Commons Attribution-ShareAlike License.
