How tech support scammers have made millions of dollars

Ahhh, the sweet smell of revenge! Nothing like unleashing some ransomware on those tech support scammers, eh?

However, fortunately for them, there aren’t hours enough in the day to turn the tables on the swindlers and social-engineer their pants off.

Unless, that is, you’re talking about researchers at Stony Brook University, who recently cooked up a robot to automatically crawl the web finding tech support scammers and figuring out where they lurk, how they monetize the scam, and what software tools they use to pull off their dastardly deeds.

That tool is called RoboVic. It’s short for Robot Victim, and it’s just one aspect of an unprecedented dive into tech support scams undertaken by two Stony Brook U. PhD candidates – Najmeh Miramirkhani and Oleksii Starov – under advisor Nick Nikiforakis.

Over the course of the study, they used RoboVic to discover hundreds of phone numbers and domains used by the scammers. And then, they jumped on the phone themselves, chatting with 60 scammers to determine what social engineering techniques they use to weasel money out of victims.

As they describe in their paper, titled Dial One for Scam (PDF), the researchers conducted this first-ever systematic study of tech support scams, and the call centers they run out of, partly to find out how users get exposed to these scams in the first place.

The answer: malvertising. In order to train RoboVic to find tech support scam pages, the researchers took advantage of the fact that the scams are often found on domain squatting pages.

Those are the pages that take advantage of typos we make when typing popular domain names. For example, a scammer company will register a typosquatting domain such as

Domain parking companies have registered tens of thousands of similar, misspelled sound-alikes of popular domain names. Studies have shown that visitors who stumble into the typosquatting pages often get redirected to pages laced with malware, while a certain percentage get shuffled over to tech support scam pages.

Once there, a visitor is bombarded with messages saying their operating system is infected with malware. Typically, the site is festooned with logos and trademarks from well-known software and security companies or user interfaces.

A popular gambit has been to present users with a page that mimics the Windows blue screen of death. You’re a Mac user, you say? No cause for worry? Unfortunately, that’s flat-out wrong. Crooks have recently trained their sights on you, too, notes fellow Naked Security writer Paul Ducklin of Sophos:

This isn’t just about the keywords “Microsoft” and “Windows” any more. A year or two ago, almost all the reports we received from readers involved the crooks claiming close affiliation with Microsoft, which became a well-known indicator that the call was false.

Recently, however, readers have reported phone scams where the callers align themselves with “Apple” and “iCloud” instead. This not only avoids the red alert word “Microsoft”, but also casts the net of prospective victims even wider, given the range of different platforms where people use their iCloud accounts.

Beyond spooking visitors with their bogus alerts, tech support pages will wrap them up in intrusive JavaScript so they can’t navigate away. For example, they’ll constantly show alert boxes that ask the intended prey to call the tech support number. As the researchers describe, other techniques include messing with a user’s attempt to close the browser tab or navigate away from the site by hooking into the onunload event.

Feeling stuck like a fly in a web, a naive user will call what’s often a toll-free number for “help” with the “malware infection”. The person on the other end of the line will instruct the caller to download remote desktop to allow the remote “technician” to connect to their machine. That gives the crook complete control over the victim’s computer. At that point, perfectly innocent system messages will be interpreted as dire indications of infection.

Sure, we can fix it, they’ll say, once the hook is set. The price typically ranges in the hundreds of dollars, the researchers found, with the average price for a “fix” being $290.90.

Some of the many interesting findings from the eight-month study:

  • These scammers register thousands of low-cost domain names, such as .xyz and .space, which play off the trademarks of large software companies.
  • They use content delivery networks in order to get free hosting for their scams.
  • The scammers are abusing 15 telecommunication providers, but four telecoms are responsible for the lion’s share – more than 90% – of the phone numbers the researchers analyzed.
  • The fraudsters are actively evading dynamic-analysis systems located on public clouds.
  • The profits: making use of publicly exposed webserver analytics, the researchers estimated that just for a small fraction of the monitored domains, scammers are likely to have made more than $9m.
  • These guys take their time reeling us in. The average call duration was 17 minutes.
  • They use only a handful of remote administration tools (81% of all scammers used one of two software tools). Their favorites include LogMeIn Rescue, CITRIX GoToAssist and TeamViewer.
  • Scammers use more than 12 techniques to convince users their systems are infected, such as stopped services and drivers.
  • Scammer call centers are estimated to employ, on average, 11 tech support scammers.

By the way, in case you’re wondering, the researchers emphatically did not pay these scammers:

We chose not to pay scammers primarily for ethical reasons. As described [elsewhere in the study], the average amount of money that a scammer requests is almost $300. To get statistically significant numbers, we would have to pay at least 30 scammers and thus put approximately $9,000 in the hands of cybercriminals, a fraction of which would, almost certainly, be used to fund new malvertising campaigns and attract new victims.

The researchers suggest that to keep the public safe from these swindlers, we’re going to need more public education – with broader use of public service announcements, for example – and some help from browser makers.

As it is, desperate users who can’t navigate away from these pages often try rebooting. Browsers that remember open tabs will just deposit the victims right back in that hell hole, though. The researchers suggest that browser makers might want to help them out by adopting a universal panic button: a shortcut for users feeling threatened by a webpage.

That’s good stuff. But our advice is even simpler: if you find yourself trapped by one of these scam pages, don’t call that number. As we’ve said before with regards to unsolicited tech support calls, there’s nothing useful to hear, and nothing useful to say.