Despite the positive news blogged by Stephen Cobb recently about the steps taken by the Federal Trade Commission to crack down on India-based PC tech support scams, no-one should be taking it for granted that the problem is now solved. While an FTC press release says FTC Halts Massive Tech Support Scams, in the real world the freezing of assets and other measures in the US is unlikely to have a huge immediate impact on companies operating out of Kolkata and the surrounding areas. The day of judgement? It's far too early for church bells and street parties.

After years of struggling to get not only the attention of law enforcement agencies but positive action, we are encouraged by the assertion that so many parties have contributed to acting on the problem: the FTC cites ACMA (Australian Communications and Media Authority), CRTC (Canadian Radio-television and Telecommunications Commission), and SOCA, the United Kingdom's Serious Organised Crime Agency, as well as a number of IT companies. (Including Microsoft, whose name and Windows branding have been misused so many times by support scammers.)

We would, perhaps, be much more encouraged if law enforcement in India also got a name-check in that press release. (We've been told by a law-enforcement source in the UK that the UK police do have a point of liaison with Indian law enforcement, but haven't so far seen much sign of that cooperation translated into punitive action in India itself.) In any case, we are certainly not seeing an instant drop-off in the number of scam calls received.

Is this persistence some people are still reporting receiving several calls a day perhaps actually due to fear of an imminent crackdown in the US, driving a last-ditch effort to make as much money as possible before the well dries up? Maybe that fear plays some part in the strategic thinking of the masterminds behind this type of scam and make no mistake, some of the ploys used do suggest a certain amount of technical knowledge, and the formulaic script-driven ignorance of IT issues displayed by some of the callers we've talked to is far from the whole story.  We're in no doubt that there are people scripting the scams who are fully aware of what they're doing and who are actively researching and working on ways of misusing system utilities in order to mislead and panic people into using their services.

However, we don't think the unceasing barrage of scam calls reported by readers of our blogs is (primarily) in response to fear of imminent US judicial process. The desperation of multitudes of hard-pressed call-centre staff competing for a slice of the same shrinking pie is probably a more important factor right now. (Hopefully, fewer people are falling for these scams than when we first started writing about them a few years ago.) Of course, there may be a drop-off in the figures further down the line as the FTC turns its spotlight on more scammers, but only if the FTC's attention is translated into direct action where the scammers actually live and hold their bank accounts.

Even if we were more confident of the full engagement of law enforcement locally, we're not likely to see many of the offending call centres dismantled. After all, the same operations are also servicing more-or-less legitimate enterprises in the US and the UK who are seeking to reduce support costs and the complications of honouring Do-Not-Call registers by outsourcing to India (or, increasingly, the Philippines). There is considerable anecdotal evidence (hat tip to Craig Johnston, who talked about that in our joint paper/presentation at Virus Bulletin this year) that many first-line callers don't see a distinction between more-or-less legitimate support services and the essentially fraudulent misrepresentation of the CLSID entry flagged by ASSOC, the Event Viewer utility, and other programs characteristically misused by support scammers.

Did we really say multitudes' of scammers? Well, while many of the people who've reported scam calls seem to think they're being persecuted time and time again by the same caller, there do seem to be plenty of call centre agents to go round.

We don't currently know the number of victims that have been taken in by these scammers (and are unlikely ever to have an exact figure), a 2011 New York Times article estimated that there are 350,000 call centre agents based in India alone. If we arbitrarily but conservatively estimate that 5% of those are involved in tech support and are engaged in rogue' cold-calling at least some of the time, that suggests 17,500 potential call center agents capable of each making at least 100 calls per day. At that rate, this would be 1,750,000 calls per day.

In fact, while the percentage of rogue agents is a guesstimate, it's likely that the figure of 100 calls per shift is very conservative indeed. But let's stick with that figure for now. As victims are typically taken for an average of $200, so if we estimate very conservatively indeed that 0.1% are taken in by the scammers, we achieve a figure of $200 x 1,750 = $350,000 per day which projects to well over $100 Million annually. That may be a small proportion of the total revenue generated by call centres in general, but it's not that tiny, and it may not be practical to consider support scams as a phenomenon completely isolated from more legitimate' call centre services. For example, one of our competitors disengaged from its relationship with the company to which it had outsourced its support when it seemed that the support site in question was stepping way over ethical boundaries in expanding its customer base, by using the same scammer techniques that we've discussed on the Threatblog so many times.

We've been thinking about what makes the scammers tick and it's not our intention here to demonize the call-centre staff at the front line, unpleasant though some of them are to talk to (patronizing and threatening by turn): they're not all sociopaths.

Some of them clearly have little real knowledge of the technology they are advising' on and once they have to depart from their scripts, they lose the plot entirely. On the many occasions when some of us have been lucky' enough to get this kind of scam call, we have been primarily concerned with using the opportunity to gather information about the gambits and technology currently in use so that we can share that information with other security people and the wider pool of potential victims. However, the gormless floundering and confusion of support scammers at the shallower end of the gene pool has resulted in many entertaining accounts of trolling' where wasting the scammer's time has been seen as a worthwhile exercise in itself. An excellent recent article in Ars Technica by Jon Brodkin recounts quite a few of these and suggests that in this instance the trolls may, for once, be performing an important public service'.

It's worth reiterating, though, that in some of these instances it's quite feasible that some of the callers really don't understand that what they're doing is based on deception*. These aren't, after all, the sharpest knives in the kitchen drawer: these are low-paid drones simply reading from scripts prepared for them by more devious minds bent on out-and-out fraud. Furthermore, they are under pressure from higher up the food chain to meet profitability targets by whatever means they can, according to reports from anonymous individuals claiming to have been employed by companies such as iYogi.

Others know and are prepared to admit that what they're doing is not totally honest, yet seem to believe (as Craig Johnston discussed in our presentation at Virus Bulletin) that on balance they are helping to protect people by installing protective utilities they wouldn't have the knowledge to install themselves. Though since some of the utilities concerned, such as performance-enhancing programs of dubious effectiveness, are of little use, this in itself argues either lack of real technical knowledge or a bad case of self-deception and denial.

And, of course, there are other support scammers whose aggressive and threatening behaviour, sometimes including vengeful attempts to trash a user's system, is hard to defend in any way, even though some call-centre staff may be under considerable pressure to generate profitable transactions, irrespective of moral and ethical considerations, and there isn't much evidence so far of a lessening of that pressure. In fact, while we live in hope that increasing legal pressure in heavily-targeted English-speaking jurisdictions will eventually have a significant effect, right now it's likely that the drive to keep scamming is actually increased by the ongoing migration of many outsourced services to the Philippines, where the workers speak American English and are less likely to have a strong accent.

This isn't a trivial consideration. The sheer volume of scam calls (not only support scams, but survey scams, mortgage scamming and so on) means that for many English-speaking people, the first reaction on hearing an Indian voice initiating an unsolicited phone-call is to anticipate some form of scam. Such perceptions and emotional reactions are an essential component of marketing, legitimate or not. And that has a lot to do with the fact that legitimate Indian companies are already linking with (or themselves setting up) call centres in the Philippines, thought to have already passed India in terms of the number of call-centre agents employed. The exact ways on which this migration will impact on call-centre scams is as yet undetermined. But the first time you get a phone-call where an American voice tells you that you have a virus problem with your PC, we suspect that the origin of the call is more likely to be Manila than New York, where a District Court judge granted the FTC's request for action against a few of the offending companies/individuals.

*It has to be said that such questionable behaviour is encountered in many other contexts and in many countries. On October 10, 2012, for example, the BBC's Watchdog programme reported on a company in the UK exploiting the lack of knowledge of customers to sell unnecessary hardware upgrades, passing off refurbished hard drives and whole systems as new, and so on. (If you're not in the UK, you may not be able to see that video.) There are many other sites whose profits are derived from selling software that their customers could easily obtain for free themselves. If you think the online world is fundamentally more honest than the mean streets of real life, then perhaps the naysayers are right after all: education isn't working. Though it might work better if we actually tried using it a little more often.

This commentary derives from discussion during and after our presentation at Virus Bulletin: thanks and hat tips are due (among others) to our co-presenters Martijn Grooten and Craig Johnston, as well as to Stephen Cobb and David Jacoby.

David Harley, ESET North America
Steven Burn, Malwarebytes