Tech support scammers hacked back by vigilante

A UK cybercrime vigilante was so incensed by tech support scammers he reverse-hacked the call centre in India to reveal CCTV footage of perpetrators as they ripped off their victims in real-life calls.

Publicised by a BBC documentary, the hack was the work of ‘Jim Browning’ (not his real name), who has acquired a following on his YouTube channel for his campaigns to expose how these crimes work and the individuals behind them.

During 2019, Browning said he was able to identify dozens of call centres in India where many of the tech support scams targeting English speakers originate.

Tech support scams typically involve phoning people in the UK or US claiming to represent a large company such as Microsoft and tricking them into allowing remote access to the computer after claiming it is infected with malware (scams also use malware pop-ups or poisoned search engine results containing fake support numbers).

If victims are reluctant, scammers will often up the ante by claiming that child abuse imagery has been detected which they must clean up or will have to report to the police.

The sums charged for bogus recovery can range from $80 to $1,000 or more. Hundreds of thousands of people fall for these scams every year, netting the individuals behind the frauds huge sums.

It’s a cheap crime to pull off and, until recently, the chances of being caught were close to zero because investigating scammers thousands of miles away can be difficult.

It’s into this space that digital vigilantes have stepped, using a variety of techniques to bait, torment and, in the case of Browning, directly hack and expose the identities of the people carrying out the scams.

Don’t try this at home

Browning told the BBC his technique is to allow scammers to connect to his computer, which has been set up to attack the scammer’s computer back using the same remote desktop connection.

He doesn’t say how he does this – that might depend on the software being used – but the use of a virtualised operating system to isolate the scammer’s activity, some form of reverse RDP attack, and the use of common hacking tools, seems likely.

In what he described as his most successful hack back yet, Browning was able to remotely access the CCTV webcams inside and outside the call centre used in one scam campaign, accessing recordings of 70,000 calls.

Footage captured included staff entering and leaving the building in Kolkata, milling around in its communal kitchen, and sitting at their desks, headsets on, making scam calls.

To the untrained eye, it just looks like well-dressed young people working in an office and yet some of the images clearly show the crimes being committed on-screen.

Browning was even able to record the fraudsters live as they sat at their desks trying to convince him to pay a fee to clean his own computer.

When one scammer claims he is based in San Jose, the watching Browning decides to have fun:

Can you name me one restaurant in San Jose?

The scammer quickly turns to Google to locate a name, to which Browning quips:

Without looking at Google.

Interestingly, the scammers nabbed by Browning were trying the classic Windows support scam, whose popularity shows no sign of waning despite attempts by Microsoft to shutter it.

Hacking back

The BBC traced some of the victims of the hacked call centre, locating call exchanges in which they were defrauded out of hundreds of pounds each.

Browning’s work sounds like just deserts, but he acknowledges the techniques he uses are illegal under UK and US law, hence his reluctance to identify himself. Browning told the BBC:

I do not try and gain access to someone’s computer unless they’re trying to scam me.

Although the evidence gathered by the latest hack back should be interesting to police – named individuals are easily identified in the act of committing crimes – police never endorse digital vigilantism. Evidence must be gathered and documented carefully to be passed to the Indian authorities so prosecutions can take place.

Hacking back is a contentious topic in the US where there have been several attempts to legalize it, in the face of strong objections from some in the computer security industry.

Although few scam callers in the UK and the US see their money again, there is evidence that the Indian call centre operators have recently come under more pressure. In 2018, 16 call centres were raided by police, with a second bust netting another 28 centres in late 2019.

But there are hundreds that remain in operation. The business is simply too profitable to give up on.
