used with permission from Microsoft Secure
by Erik Wahlstrom
Social engineering attacks like tech support scams are so common because they’re so effective. Cybercriminals want to bilk users’ money. They can spend a great deal of time and energy attacking the security of a device—brute-force passwords, develop custom and sophisticated malware, and hunt down vulnerabilities to exploit. Or they can save themselves the trouble and convince users to freely give up access to their devices and sensitive information.
Microsoft has built the most secure version of its platform in Windows 10. Core OS technologies like virtualization-based security, kernel-based mitigations, and the Windows Defender ATP stack of security defenses make it much more difficult for exploits, malware, and other threats to infect devices. Every day, machine learning and artificial intelligence in Windows Defender ATP protect millions of devices from malware outbreaks and cyberattacks. In many cases, customers may not even know they were protected. Windows 10 S, a special configuration of Windows 10, takes this even further by only running apps from the Microsoft Store, effectively preventing the vast majority of attacks.
The Windows 10 security stack greatly increases the cost for attackers. Many cybercriminals instead choose to target the humans in front of the PCs. It can sometimes be easier to convince users to willingly share their passwords, account info, or to install hazardous apps onto their device than to develop malware and steal info unnoticed.
Scammers continue to capitalize on the proven effectiveness of social engineering to perpetrate tech support scams. These scams are designed to trick users into believing their devices are compromised or broken. They do this to scare or coerce victims into purchasing unnecessary support services.
To help protect customers from scammers, we continue to enhance antivirus, email, URL blocking, and browser security solutions. However, given the scale and complexity of tech support scams, how can the security industry at large work together to deal a major blow to this enduring threat?
Still a growing global problem
In 2017, Microsoft Customer Support Services received 153,000 reports from customers who encountered or fell victim to tech support scams, a 24% growth from the previous year. These reports came from 183 countries, indicating a global problem.
Approximately 15% of these customers lost money in the scam, costing them on average between $200 and $400. In some cases, victims pay a lot more. In December 2017, Microsoft received a report of a scammer emptying a bank account of €89,000 during a tech support scam in the Netherlands.
In a 2016 survey sponsored by Microsoft, two in three respondents reported experiencing some form of tech support scam in the previous 12 months, with nearly one in ten losing money.
However, as with many social engineering attacks, it’s tricky to put an absolute number to the problem. The figures above represent reports to Microsoft. The problem is so much bigger, given that tech support scams target customers of various other devices, platforms, or software.
An organized cybercriminal enterprise
Tech support scams come in several forms, but they share a common attack plan:
Scammers initiate these social engineering attacks in many ways, including:
- Scam websites that use various tactics including browser dialog traps, fake antivirus detecting fake threats, and fake full-screen error messages. Scammers lead potential victims to these websites through ads, search results, typosquatting and other fraudulent mechanisms.
- Email campaigns that use phishing-like techniques to trick recipients into clicking URLs or opening malicious attachments
- Malware that’s installed on computers to make system changes and display fake error messages
- Unsolicited phone calls (also known as cold calls), which are telemarketing calls from scammers that pretend to be from a vendor’s support team
The complete attack chain shows that these attacks lead to the same goal of getting customers in contact with a call center. Once connected, a fake technician (an experienced scammer) convinces the victim of a problem with their device. They often scare victims with urgent problems requiring immediate action. They instruct victims to install remote administration tools (RATs), which provide the scammers access to and control over the device.
From this point on, scammers can make changes to the device or point out common non-critical errors, and present these as problems. For example, scammers are known to use Event Viewer to show “errors” or netstat to show connections to “foreign IP addresses”. The scammers then attempt to make the sale. With control of the device, scammers can make a compelling case about errors in the device and pressure the victim to pay.
An industry-wide problem requires industry-wide action
The tech support scam problem is far-reaching. Its impact spans various platforms, devices, software, services. Examples include:
- Tech support scams targeting specific platforms like Windows, macOS, iOS, and Android
- Tech support scam websites that imply a formal relationship or some sort of approval by well-known vendors
- Fake malware detection from programs or websites that mimic various antivirus solutions
- Customized tech support scams that tailor messages and techniques based on geography, OS, browser, or ISP
As in many forms of social engineering attacks, customer education is key. There are tell-tale signs: normal error and warning messages should not have phone numbers, most vendors don’t make unsolicited phone calls to fix a device, etc. To help protect and educate Microsoft customers, we have published blogs, websites, videos, and social media campaigns on the latest tech support scam trends and tactics. We have also empowered customers to report tech support scams.
Beyond customer education, the scale and complexity of tech support scams require cooperation and broad partnerships across the industry. The Microsoft Digital Crimes Unit (DCU) works with law enforcement and other agencies to crack down on scammers.
We have further built partnerships across the ecosystem to make a significant dent on this issue:
- Web hosting providers, which can take down verified tech support scam websites
- Telecom networks, which can block tech support scam phone numbers
- Browser developers, who can continuously thwart tech support scam tactics and block tech support scam websites
- Antivirus solutions, which can detect tech support scam malware
- Financial networks, who can help protects customers from fraudulent transactions
- Law enforcement agencies, who can go after the crooks
We seek to continue expanding and enriching these partnerships. While we continue to help protect customers through a hardened platform and increasingly better security solutions, we believe it’s high time for the industry to come together and put an end to the tech support scam problem. Together, we can make our customers’ lives easier and safer.