What happened when Cisco conducted an experiment that involved them following the instructions of a fake tech support company?
15,000 words later my Masters dissertation on the linguistics of Microsoft support call scams was complete. What I wasn’t finished with was getting to the bottom of how these scams operate and fool their victims. Giving me another perspective on the matter was a blog written by Cisco Talos which I would like to share with you here. They conducted an experiment where they called a fake tech support company to carry out some reverse social engineering.
So, what are tech support calls? These types of calls are made to victims claiming they have a virus or a lack of security on their computer and instruct them that action must be taken. Callers exploit their victims into parting with money to pay for technological support to fix their computer. Though, of course, it does not need fixing. These scams have been described as “mosaic crimes” because small payments made by each victim quickly add up to huge profits. The National Fraud and Cyber-crime Reporting Centre released figures of 12,000 reported telephone scams in June 2014 to November 2014, the total loss being £691,446.
Cisco Talos has been scouring the web for new websites belonging to fraudulent tech support companies. Such websites claim that viruses have been detected on a user’s computer necessitating a call to a listed tech support number. Cisco called one of these numbers with their caller, let’s call him Tom, feigning a low level of technological competency and recorded the audio (this can be found here http://blog.talosintel.com/2015/11/tech-support-scammers.html). The call-taker, Kelly Thompson, assured them she could help, despite Tom affirming he had a Toshiba and not a Macbook as the error message referred to Macs.
Kelly then referred Tom to a website where he could download TeamViewer through which they could exercise remote control of his computer, a common tactic used by these types of scammers. Now having remote access to their computer, Kelly displayed a variety of harmless processes that she presented as evidence of viruses and other malicious activity. She even opened up a command prompt and recursively listed all the files in the administrator directory, although she claimed this was actually a security scan looking for malware. At the end of the lengthy list, she actually typed the words “Trojan Virus,” which she presented as evidence she had found a Trojan on Tom’s computer!
Tom was then taken to a Wikipedia page on Trojans so that he fully understood the nature of the problem. Kelly then said it would cost Tom £100 for the removal of the Trojan, a clean of the computer and the fixing of his security drivers. Tom hung up and watched via TeamViewer as the scammer changed various settings on the computer and downloaded programmes to enhance security.
Kelly called back the next day to ask Tom if he was happy with their services and then offered him a warranty on the computer for £80 a year.
Next steps: Tracking the scammers…
After the phone call, Cisco decided to find out more about the people behind the scam. Kelly had given them her payment details which offered Cisco a gateway to their investigation.
The name of the company Kelly told Tom to make the check out to, Essential Services Worldwise, matches an LLC based in Delaware. Their Yellowpages listing provides a company website, onlyforsupport.com, which offers remote tech support and also employs the TeamViewer software. The IP address for this website also refers to a number of other domains offering similar services for AOL, Hotmail and PCs and at least one of these websites was also found to host a malicious executable.
Through looking at the job posting on the other websites associated with the same IP address, it is clear that Essential Services recruits telemarketers who disguise themselves as tech support for the other websites resolving to that IP.
Sharad Goel, aged 32 from New Dehli, appears to be the man behind Essential Services, with his name attached to many of the job postings and was the managing director since 2011.
So, it appears that Sharad Goel and a number of tech support websites under his control through Essential Services are linked to Tom’s scammer, Kelly, through their payment instructions. As well as Sharad, other culprits were also found including a money handler for the operation.
Talos managed to get the number they called shut down and also contacted TeamViewer to alert them of the abuse by Essential Services. Moreover, the FTC (Federal Trade Commission in America) prosecuted several fake tech support companies for violating the FTC act.
Fake tech support companies are continuing to build websites that frighten susceptible people into employing their useless and potentially harmful services.
Studies such as this one by Cisco Talos and also the research I conducted myself all contribute to raising awareness amongst the general public and provide ammunition for the cyber-security industry to defend its credibility. However, this is just a starting point.