(More) Confessions of a Support Scammer

Marek Lelovič, my colleague at ESET, drew my attention to a fascinating Reddit thread. It was initiated by someone who stated that:

"I worked at a phone scam for 6 months. I had just recently quit because I hated the job. So literally ask me anything."

It’s not the first ‘confessional’ I’ve seen (apparently) by a former support scammer, or even the most informative in terms of techniques – compare this blog, apparently from someone who worked for an Indian call centre – but it is nevertheless pretty interesting, because it comes from someone in the US.

I had a great deal of fun with one scammer who claimed to be calling from London, a city he evidently didn’t know at all

I wouldn’t expect to get calls from call centres focused on the US since I’m not in the US myself, but I rarely see reports anywhere of calls where the scammer isn’t in India. Mind you, the scammer will often claim to be somewhere local – I had a great deal of fun with one scammer who claimed to be calling from London, a city he evidently didn’t know at all, whereas I happen to know it very well, having lived there for most of my working life.

I was aware there are tech support operations around in the US that are advertising themselves on the net, and this isn’t the first report I’ve seen of a scammer who seems to be based in the US (as in one of the incidents described here). As with the report from Lenny Zeltser I cited there, the (ex-)scammer claims to have been dealing with inbound calls rather than cold-calling. However, the company he worked for appears to have gone much further than merely advertising via social media and web sites.

Basically we had "marketers" who would put pop ups on people computers saying that they may be infected with a virus and giving them a number to call. Those calls would be redirected to us and we would then pretty much convince them that they needed to pay us large sums of money to fix there computer. I would tell your parents to never give their credit card info out over the phone […] Also if they are having issues with their computer to always take it into a computer store for maintenance.

This is probably not surprising: call centres in the US – or, perhaps, Europe, though I haven’t yet seen reports of call centres in Europe thought to be carrying out support scams – are perhaps more tightly regulated than call centres in India primarily targeting countries well outside their own borders. That is, the US, the UK, and other countries where English is the main language, as well as some European countries where English is widely spoken as a second language. It’s not unknown, of course, for call-centre scams operating out of India to be advertised in social media and on (usually more-or-less disposable) web sites: I first discussed that in an article here (on which I collaborated with Martijn Grooten of Virus Bulletin and Steve Burn). But it’s not advantageous for a call centre in the US to go out of its expose itself to legal action through random cold calls with intent to deceive, where it may be subject to tighter regional regulation.

Another commenter remarked:

I worked for one that stayed just barely legit enough to not get shut down. Old practices they had to quit were opening up event viewer and acting shocked, "Look at all of these errors, that's not normal."

So why, you may be wondering, are people so ready to deceive others? At any rate, it’s a question that has fascinated me for some time. Here’s an extract from an earlier blog:

Some of them clearly have little real knowledge of the technology they are advising’ on and once they have to depart from their scripts, they lose the plot entirely…

It’s worth reiterating, though, that in some of these instances it’s quite feasible that some of the callers really don’t understand that what they’re doing is based on deception*. These aren’t, after all, the sharpest knives in the kitchen drawer: these are low-paid drones simply reading from scripts prepared for them by more devious minds bent on out-and-out fraud. Furthermore, they are under pressure from higher up the food chain to meet profitability targets by whatever means they can, according to reports from anonymous individuals claiming to have been employed by companies such as iYogi.

It’s not easy to take the moral high ground when there are any number of people standing by to take on your job if you refuse to do it.

After all it’s not easy to take the moral high ground when there are any number of people standing by to take on your job if you refuse to do it. And if your boss assures you that you’re working within the law and really helping people, maybe it’s easier just to keep the lid on your scepticism when it comes to keeping the job. To quote the mystery scammer again:

At first it's almost like you're brainwashed into believing that you are helping these people, but for me once I realized what I was actually doing it became a lot harder for me to make sales. I got to the point were [sic] I would sit at my computer and dread having another phone call come through […] I mean I was always very suspicious even from the start but didn't realize the extent of it. When I first started working there they told me that everything was legit and that the company was partnered with Microsoft lol.

Similar self-deception has been observed among Indian support scammers: Craig Johnston reported back in 2011 on a scammer who ‘admitted that the methods used to convince the 'customer' were dodgy [but] … was keen to assure me that the product being sold was legitimate and that it would benefit the customer.’ Craig observed ‘I think that this man genuinely believed that he and his colleagues were helping people out’ but also noted that the advice he was giving was not only based on FUD and deception but technically inaccurate:

The claim that Registry Mechanic is an anti-virus product that will protect users against malware is simply wrong. The product is a legitimate one, and it does its job very well, but it is not designed to provide full protection against malware.

Other comments to the thread also indicated that US recruits are not selected for their technical expertise, either:

• I had absolutely no technical qualifications except the fact that I somewhat knew how to use a computer and could speak proper English.
• They hired sales people who knew as little about computers as the people they sold to….

Unfortunately, scammers in India seem to have lost their innocence in recent years.

Unfortunately, scammers in India seem to have lost their innocence in recent years. For one thing they seem to be far readier to hang up on anyone who shows signs of scepticism or wanting to keep them on the line so as to waste their time and stop them moving onto someone more vulnerable. However, they have also shown considerably more aggression, moving on from the purely verbal abuse of yesteryear, to attempting to trash the systems of unwary victims who’ve given them remote access to their PCs but declined to follow through with their credit card details. As I observed in a recent blog:

The scammer may even booby trap the system immediately he gains access, either in order to trash it if the victim doesn’t play ball, or so that he can get access to the PC (and the victim’s credit card) again in the future.

Can we expect the same destructive behaviour from US-based scammers? Hopefully not: not that I necessarily have more faith in their benevolence, but because US law enforcement operations have been much more effective against support scammers with a presence on American shores than they’re likely to be offshore. But I make no promises.

David Harley