By Hook or by Crook: Exposing the Diverse Abuse Tactics of Technical Support Scammers

Technical Support Scams (TSS), which combine online abuse with social engineering over the phone channel, have persisted despite several law enforcement actions. The tactics used by these scammers have evolved over time, and they have targeted an ever-increasing number of technology brands. Although recent research has provided insights into TSS, these scams have now evolved to exploit ubiquitously used online services such as search and sponsored advertisements served in response to search queries. We use a data-driven approach to understand search-and-ad abuse by TSS to gain visibility into the online infrastructure that facilitates it. By carefully formulating tech support queries with multiple search engines, we collect data about both the support infrastructure and the websites to which TSS victims are directed when they search online for tech support resources. We augment this with a DNS-based amplification technique to further enhance visibility into this abuse infrastructure. By analyzing the collected data, we demonstrate that tech support scammers are (1) successful in getting major as well as custom search engines to return links to websites controlled by them, and (2) able to get ad networks to serve malicious advertisements that lead to scam pages. Our study period of 8 months uncovered over 9,000 TSS domains, of both passive and aggressive types, with minimal overlap between sets that are reached via organic search results and sponsored ads. Also, we found over 2,400 support domains which aid the TSS domains in manipulating organic search results. Moreover, we found little overlap with domains that are reached via abuse of domain parking and URL-shortening services, which was investigated previously. Thus, investigation of search-and-ad abuse provides new insights into TSS tactics and helps detect previously unknown abuse infrastructure that facilitates these scams.
