Tech Support Scams: Second Byte at the Cherry

Is there really anything new to be said about tech support scams? Unfortunately, the FTC tells us there is. Not only because people are still falling prey to this type of fraud, but because the scammers are still finding new approaches to harvesting their victims’ credit card details. Some quite interesting, sophisticated technical tricks are used to persuade you that:

  1. you have a problem with your computer
  2. the scammer knows or could possibly know anything about your computer
  3. the scammer needs you to give him access to your computer so that he can prove to you that the problem is real and to enable him to ‘fix’ it for you.

But sometimes a more generic social engineering approach also turns up, and one of these has been flagged by the Federal Trade Commission (FTC). In brief, Nicole Vincent Fleming tells us that support scammers are calling back and offering a refund.

As it happens, I’ve seen a couple of reports in the past year or two that have suggested a somewhat similar variation, but too few to determine exactly what form the scam was taking. And in fact, it’s not uncommon for 419 scammers to kick off with an offer to reimburse people who are – wait for it – victims of 419 scams. In that instance, the scammer doesn’t usually admit to being a 419 scammer, but poses as a representative of a government agency (for instance).

The FTC article, however, suggests that at least some of these calls are from scammers revisiting previous victims and offering a refund if they considered the service unsatisfactory, which isn’t something I’ve seen reported previously. Sometimes, though, it seems that the refund is offered on account of the ‘service’ going out of business, and that resembles previous reports I’ve seen, though looking at them in the light of the FTC article, I don’t think that the callers operating this particular variation of the scam are necessarily the same scammers who may have called previously. At least one of our correspondents was puzzled and alerted by the fact that the caller offering a refund didn’t represent the same company with whom he thought he had a contract.

The article gives more information on how the scam works and advice on what to do if you fell for it (complain to the FTC, reverse credit card charges and so on).

I suspect, though, that the real step-change here is that the scammers have once more crossed a line. Earlier in the evolution of the scam, we found that some scammers who admitted that they were not being altogether honest with their victims nevertheless justified their actions by claiming they were providing a useful service. And from time to time, we see comments along the lines of “this isn’t really a scam, more like aggressive marketing”. (I don’t agree, by the way: selling a service by lying to the customer is fraud, in my book.)

Later, we saw scammers who reacted aggressively when they thought they weren’t going to get the payment they anticipated: if they’d already been allowed access to the victim’s machine, they would try to trash the system. While trashing someone’s system for non-payment doesn’t often stand up as a defence in court – remember Dr. Popp and the AIDS Trojan? – motivation in the case where the criminal thinks he’s supplied some kind of service is kind of understandable, if morally, ethically and legally indefensible.

What the FTC is describing, though, seems to me to be a clear case of fraud: asking for credit card details on the grounds that you’re going to give them money and then taking money instead seems unequivocally criminal to me. I don’t see how any scammer can seriously convince himself that this is somehow offering a legitimate service. Of course, this doesn’t mean I think that the scammers weren’t previously aware that what they were doing is wrong: only that it’s harder for scammers to justify their actions to themselves.

If you’re interested in finding out more about this kind of scam, I’ve been maintaining a page on the AVIEN blog for some time with links to resources pertaining to support scams and related issues, papers, articles, and blogs (to which this and the FTC article will shortly be added): PC ‘TECH SUPPORT’ COLD-CALL SCAM RESOURCES. Of course, there are an awful lot of articles on the topic here on WeLiveSecurity. We’ve also posted several papers on the topic:

Details on the book, movie and TV series will follow. :-)

David Harley
ESET Senior Research Fellow
