While we were working on the paper on support scam evolution that we presented at Virus Bulletin in September -"we" being myself, Martijn Grooten, Steven Burn and Craig Johnston - we were also working on a paper for the Cybercrime Forensics Education and Training Conference (CFET 2012)   in the UK that looked in more depth at the forensic issues that arose during our research. The paper is now available on the ESET conference papers resources page.

FUD and Blunder: Tracking PC Support Scams.

And here's the abstract.

Fake security products are not just an attack on the victim's credit card: while the main driver of nearly all malware authoring nowadays is profit, fake security is also an attack on the credibility and effectiveness of the real security industry. The attack is not restricted to scareware and other utilities without utility and constantly morphing malicious binaries, either: it's carried out on many levels, though not necessarily by the same gangs:

  • Threatened or actual legal action from cease-and-desist letters to court action in order to hamper the effectiveness and credibility of the security community;
  • PR-oriented activities such as forum, email and blog spamming, blogs and articles proclaiming the legitimacy of a dubious product;
  • Quasi-legitimate marketing, online support structures, and pricing models that mimic - or parody - the models used by the security industry;
  • The semi-fraudulent selling-on of legitimate but free products and services;
  • The increasingly sophisticated use and misuse of social media bolstering traditional Black Hat Search Engine Optimization.

Fake security products, supported by variations on Black Hat SEO and social media spam constitute a longstanding and well-documented area of cybercriminal activity. By comparison, lo-tech Windows support scams receive less attention, perhaps because they're seen as primarily social engineering not really susceptible to a technical "anti-scammer" solution. Yet they've been a consistent source of fraudulent income for some time, and have quietly increased in sophistication. But in recent years the battlefield has been broadening far beyond the highly adaptive technical attacks that characterize malware-based attacks: increased volumes, sophistication and infrastructural complexity of cold-call support scams prove that social engineering with a minimum of programmatic content can be as profitable as unequivocally malware-based attacks: lo-tech attacks with hi-tech profits. Here, we consider the evolution of the FUD and Blunder approach to cold-calling support scams, from "Microsoft told us you have a virus" to technically sophisticated hooks such as deliberate misrepresentation and misinterpretation of output from system utilities such as Event Viewer, Assoc, Prefetch and Inf. Next, we look at the developing PR-orientated infrastructure behind the phone calls:

  • deceptive company web sites;
  • flaky Facebook pages;
  • scraped informational content and fake testimonials.

We discuss some of the interaction we've had with scammers, scammer and scam-victim demographics, and scammer techniques, tools and psychology, as gleaned from conversational exchanges and a step-through remote cleaning and optimization session with a particular scammer. We go on to the resemblances between the support scam industry, other telephone scams, and the security fakery associated with mainstream malware. And finally we ask where the scammers might go next, what are the legal implications, and how can the industry best help the user distinguish between "good" and "bad" products and services? In the absence of a technical attack susceptible to a technical defence, are education and reverse victimology the only answer?

David Harley CITP FBCS CISSP
ESET Senior Research Fellow