My most recent CFET paper, co-written with Martijn Grooten (Virus Bulletin), Craig Johnston (independent researcher) and Stephen Burn (Malwarebytes).
Presented at the Cybercrime Forensics Education & Training Conference in September 2012, this paper looks at the support scam problem from a forensic point of view.
Here’s the abstract.
While the main driver of nearly all malware authoring nowadays is profit, fake security also undermines the credibility and effectiveness of the real security industry on many levels:
- Threatened or actual legal action, spamming and quasi-legitimate blogs and articles asserting the legitimacy of dubious products and services
- Marketing models that parody those used by the security industry
- The ethically challenged, and sometimes essentially fraudulent selling-on of legitimate but free products and services
Fake security products, supported by variations on Black Hat SEO and social media spam, constitute a longstanding and well-documented area of cybercriminal activity. By comparison, lo-tech Windows support scams receive less attention, perhaps because they’re seen as primarily social engineering, not really susceptible to a technical “anti-scammer” solution. Yet they’ve been a consistent source of fraudulent income for some time, and have quietly increased in sophistication.
The increased volumes, sophistication and infrastructural complexity of cold-call support scams suggest that social engineering with minimal programmatic content has been as profitable as attacks based on the use of unequivocally malicious binaries: lo-tech attacks with hi-tech profits.
These attacks have gone beyond the FUD and Blunder approach, from “Microsoft told us you have a virus” to technically more sophisticated hooks such as deliberate misrepresentation and misinterpretation of output from system utilities such as Event Viewer, Assoc, Prefetch, Inf and Task Manager.
We also look at the developing PR-orientated infrastructure behind some of the scammer phone calls, including deceptive company web sites and Facebook pages making use of scraped or deceptive informational content and fake testimonials.
We discuss some of the interaction we’ve had with scammers, scammer and scam-victim demographics, and scammer techniques, tools and psychology, as gleaned from conversational exchanges and a step-through remote cleaning and optimization session with a particular scammer. We consider the resemblances between the support scam industry, other telephone scams, and the security fakery associated with mainstream malware. And finally we ask where the scammers might go next, what the legal implications are, and how the industry can best help the user distinguish between “good” and “bad” products and services. In the absence of a technical attack susceptible to a technical defence, is the only answer education and reverse victimology?
Small Blue-Green World
ESET Senior Research Fellow