Tech Scams: It’S Time to Release the Hounds

#RSAC

SESSION ID: HUM-F01

TECH SCAMS: IT’S TIME TO RELEASE THE HOUNDS

Erik C. Wahlstrom Sr. Program Manager Microsoft – Windows Active Defense (WiAD) Definition: Technical Support Scam (AKA: Tech Scam) #RSAC

A social engineering attack to trick a user that their device is compromised or broken. Victims are directed to a “call center” and scared or coerced into purchasing fake tech support services.

2 The tech support ecosystem #RSAC Helpful

Official support channels e.g. https://support.microsoft.comYour cousin

Our Focus Impact that used to Fraudulent Unsolicited emailLead generation workLegitimate in Cold Calls “ Tech” Fake Anti-virus /Security Browser locksoftware ups

Destructive Why should we care? #RSAC

~50% of surveyed $250-$450 Among Microsoft’s ~13,000 reports consumers report top three customer being impacted average loss support call types monthly

87% think 46 law 300+ identified companies like enforcement targets Microsoft are actions responsible #RSAC

CASE STUDY: JEN

Abusing the Browser Case Study: Jen #RSAC

Jen opened an internal home page: http://msw Something had changed since yesterday

#RSAC

CASE STUDY: JIM

How the calls unfold Case Study: Jim #RSAC

#RSAC

CASE STUDY: GAIL

Payment Case Study: Gail #RSAC

I am a nursing instructor and I have to have an operational and secure computer to use for two jobs. . . . I purchased a Lifetime Warranty for my computer and technical services good for my lifetime on any device, which also included any new Microsoft/Windows updated programs e.g. Windows 11. The cost for these was $1249.99. . . . When I initially tried to use my credit card to pay MS Infotech on their site, it “mysteriously” would not take my card number. The technician suggested I could do a . . . . one-time bill pay. He assured me he could not see my codes or numbers and that the bank was secure. . . . I believe they trick you into having to use your bank account bill pay as opposed to a credit card so you can’t block the charges when you discover they are a scam. #RSAC

THE FULL ATTACK CHAIN The Full Attack Chain #RSAC

Search Cold Call Engine

Call Make the Online Ad Web Site Payment Center “sale”

Phishing Malware Mail Machine Learning to detect malicious websites #RSAC

URL Reputation •Registration Changes Windows Defender •Age SmartScreen™ currently uses OS Events •TLD JavaScript • Close Tricks many of these signals as ML Window • Full Screen features • Stop script • Audio Web Page Reputation The latest version of Windows Page 10 moves these models inline to Direct contents Customer •Phone numbers address new classes of threats Feedback •Trademarks Visual •Signatures Similarity The Full Attack Chain #RSAC

Search Ranking/ Cold Call ??? Engine Relevance

Call Make the Online Ad Fraud Web Site Payment Detection Center sale

Phishing ScanningMalware / Anti-Virus Mail Detonation The Common Pattern #RSAC

Complete Establish Install Display the Payment the call RAT tools “threats” “sale”

Potentially Highly Potentially Highly detectable detectable detectable detectable Machine Learning to detect cold calls #RSAC

Browser Many of these events are Activity currently detected today Financial Software activity Installations We are currently tuning ML Social detection models based on Engineering these signals (and others) Attack? External Connection OS Events attempts Use of obscure tools •Msconfig.exe •Netstat.exe Now what? #RSAC

Behavior People don’t want modification is to be informed difficult

Ramping up notifications is We can block but exactly the wrong should we? thing to do A Gentle Reminder? #RSAC

It looks like you AUTHENTICATOR Jim Philippsare being would now socially like to install “Im- engineered.SECURITY BREACH A-ScamNeed Remote some Access Tools”help? on “Jim’s Desktop”.Your security software detected a WouldYes you likemaliciousNo to actor using a trusted authorize this?application. This connection has been rejected and closed. The application hosting this threat will be disabled for 72 hours to protect you. #RSAC

DISRUPTING THE CALL CENTER Disrupting the Call Center #RSAC

Search Cold Call Engine

Call Make the Online Ad Web Site Payment Center sale

Phishing Malware Mail Affiliate Programs #RSAC Cold Call Detection (888) 595-4323 (xxx) xxx-xxxx Browser Detection (866) 649-2816 (xxx) xxx-xxxx (xxx) xxx-xxxx Customer Submission (855) 784-2431 Remote Call call (xxx) xxx-xxxx forwarding Center (xxx) xxx-xxxx Totally Legit (xxx) xxx-xxxx (xxx) xxx-xxxx (xxx) xxx-xxxx (xxx) xxx-xxxx (xxx) xxx-xxxx “Virus Total for Phone Numbers” #RSAC

Law Enforcement

1(888) 595-4323 3rd party has received reports of dialer app suspicions activity Phone Reputation in the past 72 Service hours. 3 reports in Last 72 hours

Call Cancel

Other Edge/IE Telecom Browser “Apply” Slide #RSAC

Educate: “Microsoft does not make unsolicited phone calls to fix your computer”. Technology: Use strong web filtering technologies and other blocking technologies to avoid scams. Most modern browsers ship with these installed. Use them. And provide feedback! Partner: With Microsoft, other platform vendors, search engines, telecoms, and governmental organizations to address Tech Scams and social engineering attacks.

32 #RSAC