Dial One for Scam: A Large-Scale Analysis of Technical Support Scams

Najmeh Miramirkhani, Oleksii Starov, Nick Nikiforakis
DOI: https://doi.org/10.14722/ndss.2017.23163
2017-03-20
Abstract: In technical support scams, cybercriminals attempt to convince users that their machines are infected with malware and are in need of their technical support. In this process, the victims are asked to provide scammers with remote access to their machines, who will then "diagnose the problem", before offering their support services which typically cost hundreds of dollars. Despite their conceptual simplicity, technical support scams are responsible for yearly losses of tens of millions of dollars from everyday users of the web. In this paper, we report on the first systematic study of technical support scams and the call centers hidden behind them. We identify malvertising as a major culprit for exposing users to technical support scams and use it to build an automated system capable of discovering, on a weekly basis, hundreds of phone numbers and domains operated by scammers. By allowing our system to run for more than 8 months we collect a large corpus of technical support scams and use it to provide insights on their prevalence, the abused infrastructure, the illicit profits, and the current evasion attempts of scammers. Finally, by setting up a controlled, IRB-approved, experiment where we interact with 60 different scammers, we experience first-hand their social engineering tactics, while collecting detailed statistics of the entire process. We explain how our findings can be used by law-enforcing agencies and propose technical and educational countermeasures for helping users avoid being victimized by technical support scams.
Cryptography and Security
What problem does this paper attempt to address?
The problem that this paper attempts to solve is the lack of systematic research on technical support scams. Specifically, although this type of scam causes millions of dollars in losses to ordinary Internet users every year, the security community has not yet conducted systematic research on it. Therefore, the authors of the paper designed and developed the first system capable of automatically detecting technical support scam domains and phone numbers. Through this system, a large amount of data was collected, and the first systematic analysis of technical support scam pages was carried out, identifying the techniques they use, the misused infrastructure, and the characteristics of the scamming activities. In addition, the authors interacted with 60 scammers, collecting intelligence that can be used for combat operations, technical countermeasures, and public education. Finally, the authors proposed a series of suggestions for educating the public about technical support scams and protecting users from malicious pages.

### Main Contributions

1. **Designed and developed the first system capable of automatically detecting technical support scam domains and phone numbers**.
2. **Conducted the first systematic analysis of technical support scam pages, identifying the techniques they use, the misused infrastructure, and the characteristics of the scamming activities**.
3. **Interacted with 60 scammers in a controlled manner, collecting intelligence that can be used for combat operations, technical countermeasures, and public education**.
4. **Proposed a series of suggestions for educating the public about technical support scams and protecting users from malicious pages**.

### Research Methods

- **Data Collection**: The authors used a distributed crawler infrastructure to identify technical support scam pages from websites known to be involved in malicious advertising activities. During the 250-day deployment period, 8,698 unique domains were discovered, which claimed that users were infected and asked them to call 1,581 collected phone numbers.
- **Data Analysis**: By analyzing the collected data, multiple patterns and trends were identified, including low-cost domains registered by scammers, misused CDNs, phone number tracking, and scammers' strategies for evading dynamic analysis systems.
- **Interaction Experiment**: The authors obtained approval from the IRB and conducted sessions with 60 technical support scammers, recorded the entire process, and analyzed the tools, social engineering techniques, and charging situations used by the scammers.

### Key Findings

- **Scammers' Patience**: The average call duration was 17 minutes.
- **Frequently Used Remote Management Tools**: 81% of scammers used one of two software tools.
- **High Charges**: The average charge was $290.9.
- **Multiple Deception Means**: Scammers used more than 12 different techniques to convince users that their machines were infected with viruses.
- **Call Center Scale**: On average, there were 11 technical support scammers in each call center.

### Conclusion

Through systematic research and technical means, the paper reveals the operating mechanisms and characteristics of technical support scams, provides strong evidence for law enforcement agencies, and also proposes suggestions for educating the public and protecting users, which helps to reduce the occurrence of such scams.