I haven’t been writing about support scams lately, largely because I haven’t been getting the phone calls much for a while, and those I have received have been boringly predictable. I just haven’t got the patience any more to sit through some scammer’s script, meant to convince me that he has magically obtained information about a problem on my PC that I need to pay him to help with.

But that doesn’t mean they haven’t been happening to other people, or even that there’s nothing else to say about them. In fact, I see a steady stream of comments made on my earlier articles as new readers offer their own insights on new experiences of support scams. Usually these comments are from people who have been contacted by scammers, though one recent comment was actually comment spam from one of the very sites I’ve been complaining about for so long. Nice targeting, guys. Did you really think I don’t moderate or even look at blog comments?

Scamdi Noir**

Sometimes, though, a comment actually alerts us to a new development out there in Scamdinavia, a not-altogether-imaginary land without borders where the conscienceless man is king. A few days ago, I saw a comment from someone in Spain who received a scam call using classic support scam techniques – misrepresenting the Event Viewer log as evidence of infection, and misrepresenting the CLSID as a unique identifier to ‘prove’ that he really had access to information about the intended victim’s PC. So far, so bad.

Bad Language

However, the really interesting feature of this particular event was that the scammer started the conversation in ‘poor Spanish’. It’s not that unusual for support scammers to expand into countries where English is not usually the first language of a potential victim, but up to now the scammers have almost invariably insisted on speaking English, often claiming that Microsoft won’t allow them to use other languages. Of course, Microsoft isn’t behind this sort of fake support at all, and certainly doesn’t insist that real support contact with customers must be in English in countries where English is not the first language.

India still seems to have a near-monopoly on support scamming as we describe it here - though sites that make exaggerated claims about the support service they provide can be found all over - and I guess that's an unwanted side-effect of its huge presence in legitimate offshored IT services.  I would speculate that the real issue behind this emphasis on English is this: poorly-paid operators in may well be fluent in a number of local languages, but not necessarily in non-Indian languages. English is something an exception, for historical reasons: quite a high percentage of residents of India speak it. That said, while Hindi and English are the official languages of the Union government, there is no official language spoken throughout India, and some regions have a different official language. For example, the only official language in Tamil Nadu is Tamil.

In fact, the 8th Schedule of the Indian Constitution acknowledges 22 official languages (not including English, as it isn’t an Indian language) spoken in the various regions, and around 30 languages are estimated to be the native language of a million or more people. It’s reasonable to assume that quite a few people speak more than one Indian language (and an unquantifiable number of people will certainly speak non-Indian languages), but English is, to the best of my knowledge, the only European language still to be an official language anywhere in India.

Cold-Call of the Wild

Given the still widespread ‘official’ use of English, then, it’s not surprising that support centre operators generally seem to prefer to cold-call in countries where English is the first language (US, UK, Australasia, Republic of South Africa, and so on) and to stick to English even where it isn’t the first language. (In the latter case, the countries where we see a significant volume of support scam reports tend to be those European countries where you might expect to see a high percentage of people speaking English, though not usually as a first language.)

Of course, India has long been a home to legitimate, offshored call centres, and I would imagine that a percentage of operators in those call centres are specifically employed for their knowledge of non-Indian languages. This single comment might be just an isolated case of an operator with some knowledge of Spanish using his or her initiative, albeit not in the most desirable way. Even so, it does suggest that those support centres where this scam is being run may be recognizing a need to cast their linguistic nets wider as the number of English speakers who’ve learned to recognize the scam increases, and those English-speaking regions have been, so to speak, massively over-phished.

Meanwhile, back at Virus Bulletin

While I haven’t had much to say recently about support scams myself, I’ve been keeping an eye on what other researchers have had to say and flagging them on the AVIEN support scam resources page. In particular, Jérôme Segura, who has been actively researching this area for over a year now, and generated some excellent commentary. He recently supplemented those observations with the paper Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam, which he just presented at Virus Bulletin 2014. His blog about the paper also includes a link to a PDF of the slide deck.

Not So Ammyyable

I was less impressed by the recent suggestion that a known flaw in Ammyy Admin 3.5 could be used as a means of attacking a machine used by a support scammer, and said so on the AVIEN blog. The idea is that since Ammyy software is often used by support scammers to get access to a victim’s machine. Matthew Weeks suggested that ‘the primary users at risk of compromise [from his zero day exploit] are the scammer groups.’ Just the use of the phrase ‘primary users at risk’ suggests the possibility of a secondary group of (presumably innocent) users, and that possibility in itself puts this approach beyond the pale as far as I’m concerned.

Clearly, the average technologically-disadvantaged computer user who falls for support-scammer social engineering isn’t going to have access to (or the will and ability to use) a Metasploit module in pre-emptive retaliation. There are many people who delight in wasting a support scammer’s time and some might enjoy the opportunity to waste his system instead, despite the legal inconvenience that for most people trashing someone else’s system is illegal, however much they deserve it. But while the operators who initiate the scam calls tend aren't always the brightest pixels on the monitor, some of the guys who think up the gambits those operators make use of are certainly smart enough to patch or update systems, or simply switch to the other remote access systems available.

* OK. I admit it. We've used more or less the same joke before. You have to admit, it was worth reviving, like many another Monty-Python-derived wisecrack.

** Not to be confused with Scandi Noir (or Nordic Noir), a Scandinavian school of hardboiled novels and TV programmes to which I’m so addicted that I can’t resist the pun.

David Harley
ESET Senior Research Fellow