How do scammers reap more than $9.5 million with phony pop-up ads or blinking alerts warning of a crippling computer virus or security problems?
Their scareware success usually starts with “malvertisements” (malicious online advertising intended to damage or disable computers), which are designed to trick their prey into believing the bogus bug and calling a designated “support line” for help. It usually ends with a victim-made call lasting 17 minutes and a request for an average $291 to supposedly “repair” the feigned problem.
And the intriguing in-betweens? It’s all part of a new study, reported as the first analysis of its kind, by researchers at the National Security Institute (NSI) at Stony Brook University, who spent eight months studying the tactics of tech support scammers.
First, they built a tool — ROBOVIC, short for Robotic Victim — to automatically crawl the web to find the scammers. After collecting some 25,000 domains and thousands of phone numbers used in these schemes, the three researchers made 60 calls to various scammer-provided numbers displayed in pop-up warnings, posing as recruited “victims.” What they learned:
- To spread malware that generates the bogus pop-up warnings — sometimes disguised with a Windows blue-screen background to make it more believable — fraudsters obtain thousands of low-cost domain names, such as .space and .xyz (which, after .com, .net and .org, is the fourth most-registered global top-level domain name on the internet).
- Most scammer-run domains have a life span of only 11 days, with about half of scam domains operating no longer than three days. Con artists frequently use URL shorteners, to better hide on legitimate websites.
- In addition to bogus warnings, these scams sometimes use intrusive programs and other techniques so computer owners can’t close their browsers or leave the “Call this number” page.
- Of some 5 million pages visited, ROBOVIC discovered about 22,000 tech support scam pages hosted at roughly 8,700 domains. With previous research on fake antivirus scams indicating about 2 percent of targets fall for such ploys, the researchers estimate that each domain generates $2,000 per day.
- Once targets call, swindlers usually follow a script. First, they say they need to learn more about what could have caused the alert, leading prey to a designated website to “run tests.” There, a remote administration tool is loaded so scammers can access their computers. Asking would-be victims about recent usage, they offer “all is not lost” assurances to incentivize callers to pay for bogus repair services.
- In backtracking the scammers’ connections to their PCs, the Stony Brook team determined that the overwhelming majority of these con artists (some 85 percent) operate in India. About 10 percent work in the U.S., and about 5 percent in Costa Rica.
- Although 15 telecommunications providers were used, more than 90 percent of scammer-controlled support-line numbers were routed through four VoIP services — Twilio, WilTel, RingRevenue and Bandwidth.
- Scammer call centers employ an estimated 11 tech support fraudsters.
- Prices for rip-off repairs ranged between $70 and $1,000, but the average price was $291. All told, the research teams estimated that $9.7 million in profits were made from these scams.
- The bottom line, according to lead researcher Nick Nikiforakis: “Don’t trust what your browser tells you about the safety and security of your system. People need to understand there’s no legitimate scenario where your computer will start beeping and ask you to call a toll-free number.”
For information about other scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud, and keep tabs of scams and law enforcement alerts in your area at our Scam-Tracking Map.
Photo credit: iStock/daboost