DOCSLIB.ORG

Tech Scams: It’S Time to Release the Hounds

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Tech Scams: It’S Time to Release the Hounds #RSAC SESSION ID: HUM-F01 TECH SCAMS: IT’S TIME TO RELEASE THE HOUNDS Erik C. Wahlstrom Sr. Program Manager Microsoft – Windows Active Defense (WiAD) Definition: Technical Support Scam (AKA: Tech Scam) #RSAC A social engineering attack to trick a user that their device is compromised or broken. Victims are directed to a “call center” and scared or coerced into purchasing fake tech support services. 2 The tech support ecosystem #RSAC Helpful Official support channels e.g. https://support.microsoft.comYour cousin Our Focus Impact that used to Fraudulent Unsolicited emailLead generation workLegitimate in Cold Calls “ Tech” Fake Anti-virus /Security Browser locksoftware ups Destructive Why should we care? #RSAC ~50% of surveyed $250-$450 Among Microsoft’s ~13,000 reports consumers report top three customer being impacted average loss support call types monthly 87% think 46 law 300+ identified companies like enforcement targets Microsoft are actions responsible #RSAC CASE STUDY: JEN Abusing the Browser Case Study: Jen #RSAC Jen opened an internal home page: http://msw Something had changed since yesterday #RSAC CASE STUDY: JIM How the calls unfold Case Study: Jim #RSAC #RSAC CASE STUDY: GAIL Payment Case Study: Gail #RSAC I am a nursing instructor and I have to have an operational and secure computer to use for two jobs. I purchased a Lifetime Warranty for my computer and technical services good for my lifetime on any device, which also included any new Microsoft/Windows updated programs e.g. Windows 11. The cost for these was $1249.99. When I initially tried to use my credit card to pay MS Infotech on their site, it “mysteriously” would not take my card number. The technician suggested I could do a . one-time bill pay. He assured me he could not see my codes or numbers and that the bank was secure. I believe they trick you into having to use your bank account bill pay as opposed to a credit card so you can’t block the charges when you discover they are a scam. #RSAC THE FULL ATTACK CHAIN The Full Attack Chain #RSAC Search Cold Call Engine Call Make the Online Ad Web Site Payment Center “sale” Phishing Malware Mail Machine Learning to detect malicious websites #RSAC URL Reputation •Registration Changes Windows Defender •Age SmartScreen™ currently uses OS Events •TLD JavaScript • Close Tricks many of these signals as ML Window • Full Screen features • Stop script • Audio Web Page Reputation The latest version of Windows Page 10 moves these models inline to Direct contents Customer •Phone numbers address new classes of threats Feedback •Trademarks Visual •Signatures Similarity The Full Attack Chain #RSAC Search Ranking/ Cold Call ??? Engine Relevance Call Make the Online Ad Fraud Web Site Payment Detection Center sale Phishing ScanningMalware / Anti-Virus Mail Detonation The Common Pattern #RSAC Complete Establish Install Display the Payment the call RAT tools “threats” “sale” Potentially Highly Potentially Highly detectable detectable detectable detectable Machine Learning to detect cold calls #RSAC Browser Many of these events are Activity currently detected today Financial Software activity Installations We are currently tuning ML Social detection models based on Engineering these signals (and others) Attack? External Connection OS Events attempts Use of obscure tools •Msconfig.exe •Netstat.exe Now what? #RSAC Behavior People don’t want modification is to be informed difficult Ramping up notifications is We can block but exactly the wrong should we? thing to do A Gentle Reminder? #RSAC It looks like you AUTHENTICATOR Jim Philippsare being would now socially like to install “Im- engineered.SECURITY BREACH A-ScamNeed Remote some Access Tools”help? on “Jim’s Desktop”.Your security software detected a WouldYes you likemaliciousNo to actor using a trusted authorize this?application. This connection has been rejected and closed. The application hosting this threat will be disabled for 72 hours to protect you. #RSAC DISRUPTING THE CALL CENTER Disrupting the Call Center #RSAC Search Cold Call Engine Call Make the Online Ad Web Site Payment Center sale Phishing Malware Mail Affiliate Programs #RSAC Cold Call Detection (888) 595-4323 (xxx) xxx-xxxx Browser Detection (866) 649-2816 (xxx) xxx-xxxx (xxx) xxx-xxxx Customer Submission (855) 784-2431 Remote Call call (xxx) xxx-xxxx forwarding Center (xxx) xxx-xxxx Totally Legit (xxx) xxx-xxxx (xxx) xxx-xxxx (xxx) xxx-xxxx (xxx) xxx-xxxx (xxx) xxx-xxxx “Virus Total for Phone Numbers” #RSAC Law Enforcement 1(888) 595-4323 3rd party has received reports of dialer app suspicions activity Phone Reputation in the past 72 Service hours. 3 reports in Last 72 hours Call Cancel Other Edge/IE Telecom Browser “Apply” Slide #RSAC Educate: “Microsoft does not make unsolicited phone calls to fix your computer”. Technology: Use strong web filtering technologies and other blocking technologies to avoid scams. Most modern browsers ship with these installed. Use them. And provide feedback! Partner: With Microsoft, other platform vendors, search engines, telecoms, and governmental organizations to address Tech Scams and social engineering attacks. 32 #RSAC.
Load more

Recommended publications
  • The Madoff Investment Securities Fraud: Regulatory and Oversight Concerns and the Need for Reform Hearing Committee on Banking
    S. HRG. 111–38 THE MADOFF INVESTMENT SECURITIES FRAUD: REGULATORY AND OVERSIGHT CONCERNS AND THE NEED FOR REFORM HEARING BEFORE THE COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS UNITED STATES SENATE ONE HUNDRED ELEVENTH CONGRESS FIRST SESSION ON HOW THE SECURITIES REGULATORY SYSTEM FAILED TO DETECT THE MADOFF INVESTMENT SECURITIES FRAUD, THE EXTENT TO WHICH SECURITIES INSURANCE WILL ASSIST DEFRAUDED VICTIMS, AND THE NEED FOR REFORM JANUARY 27, 2009 Printed for the use of the Committee on Banking, Housing, and Urban Affairs ( Available at: http://www.access.gpo.gov/congress/senate/senate05sh.html U.S. GOVERNMENT PRINTING OFFICE 50–465 PDF WASHINGTON : 2009 For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512–1800; DC area (202) 512–1800 Fax: (202) 512–2104 Mail: Stop IDCC, Washington, DC 20402–0001 VerDate Nov 24 2008 08:33 Jul 07, 2009 Jkt 048080 PO 00000 Frm 00001 Fmt 5011 Sfmt 5011 S:\DOCS\50465.TXT JASON COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS CHRISTOPHER J. DODD, Connecticut, Chairman TIM JOHNSON, South Dakota RICHARD C. SHELBY, Alabama JACK REED, Rhode Island ROBERT F. BENNETT, Utah CHARLES E. SCHUMER, New York JIM BUNNING, Kentucky EVAN BAYH, Indiana MIKE CRAPO, Idaho ROBERT MENENDEZ, New Jersey MEL MARTINEZ, Florida DANIEL K. AKAKA, Hawaii BOB CORKER, Tennessee SHERROD BROWN, Ohio JIM DEMINT, South Carolina JON TESTER, Montana DAVID VITTER, Louisiana HERB KOHL, Wisconsin MIKE JOHANNS, Nebraska MARK R. WARNER, Virginia KAY BAILEY HUTCHISON, Texas JEFF MERKLEY, Oregon MICHAEL F. BENNET, Colorado COLIN MCGINNIS, Acting Staff Director WILLIAM D.
    [Show full text]
  • Mobile Telephony Threats in Asia Black Hat Asia 2017, Singapore
    Mobile Telephony Threats in Asia Black Hat Asia 2017, Singapore Dr. Marco Balduzzi Dr. Payas Gupta Lion Gu Sr. Threat Researcher Data Scientist Sr. Threat Researcher Trend Micro Pindrop Trend Micro Joint work with Prof. Debin Gao (SMU) and Prof. Mustaque Ahamad (GaTech) Marco’s 9th BH Anniversary :-) 2 Click to play recording [removed] 3 Wangiri Fraud, Japan 4 Fake Officials Fraud, China 5 This is your Telco calling, UAE 6 Police Scam, Singapore 7 BringBackOurCash, Nigeria 8 Why is Happening? • Lack of users’ awareness • Users publicly disclose their mobile numbers • Expose themselves and the organization they work for! 9 Current Defeat Strategies • Telcos • Crowd sourced – FTC, fraud complaints – 800notes open datasets • Proprietary 10 10 Missing Caller's Details 11 No Actual Timestamps 12 Perception v/s Reality 13 Not all Fraudulent Calls are Reported • Compared both FTC and 800notes against each other for a certain set of numbers 14 Delay in Reporting Fraudulent Calls 15 Any Solution? 17 Using SIP Trunks IP-192.168.1.11 Tel. ext - 83345 IP-192.168.1.12 Call Call Manager/ PBX Switch Tel. ext - 83351 SIP Trunk Telephone Rules Destination no. Destination IP 192.168.1.10 Exchange Incoming call 88800 - 88899 192.168.1.10 Tel. Range - Incoming call 83345 192.168.1.11 88800 to 88899 Incoming call 83351 192.168.1.12 IP-192.168.1.13 Incoming call 88346 192.168.1.13 Tel. ext - 88346 Call Manager table Honeypot 18 Using GSM/VoIP Gateways 19 Mobile Telephony Honeypot 20 Mobile Telephony Honeypot 21 Example of Call Recording Example of SMS Recording • 确认了哈,位置还留起的 之前在等qq消息,我刚才电话问 了,给我转款吧。建 行四川分行第五支行5240 9438 1020 0709,户名:王玲。 (I have confirmed.
    [Show full text]
  • Detecting Malicious Campaigns in Obfuscated Javascript with Scalable Behavioral Analysis
    Detecting malicious campaigns in obfuscated JavaScript with scalable behavioral analysis 1st Oleksii Starov 2nd Yuchen Zhou 3rd Jun Wang Palo Alto Networks, Inc. Palo Alto Networks, Inc. Palo Alto Networks, Inc. [email protected] [email protected] [email protected] Abstract—Modern security crawlers and firewall solutions for malicious scripts [4], [10], [13]. However, proposed sys- have to analyze millions of websites on a daily basis, and tems usually require additional instrumentation and resources significantly more JavaScript samples. At the same time, fast that are unsuitable for near real-time analysis on a large static approaches, such as file signatures and hash matching, often are not enough to detect advanced malicious campaigns, population of URLs. Moreover, such approaches use machine i.e., obfuscated, packed, or randomized scripts. As such, low- learning models, which must be trained and calibrated to overhead yet efficient dynamic analysis is required. minimize false positives. In contrast, there is lack of research In the current paper we describe behavioral analysis after in terms of lightweight behavioral detection methods and indi- executing all the scripts on web pages, similarly to how real cators of dynamic script execution that conclusively determine browsers do. Then, we apply light “behavioral signatures” to the malicious behavior. To the best of our knowledge, we are the collected dynamic indicators, such as global variables declared during runtime, popup messages shown to the user, established first to present a systematic case-study on detecting modern WebSocket connections. Using this scalable method for a month, malicious campaigns with such scalable dynamic analysis. we enhanced the coverage of a commercial URL filtering product In this paper, we describe behavioral analysis that exe- by detecting 8,712 URLs with intrusive coin miners.
    [Show full text]
  • Telephone-Based Social Engineering Attacks: an Experiment Testing the Success and Time Decay of an Intervention
    Telephone-based social engineering attacks: An experiment testing the success and time decay of an intervention Jan-Willem Bullee´ a, Lorena Montoya a, Marianne Junger a and Pieter H. Hartel a a University of Twente, Enschede, The Netherlands Abstract. The objective of this study is to evaluate the effectiveness of an infor- mation campaign to counter a social engineering attack via the telephone. Four dif- ferent offenders phoned 48 employees and made them believe that their PC was distributing spam emails. Targets were told that this situation could be solved by downloading and executing software from a website (i.e. an untrusted one). A total of 46.15 % of employees not exposed to the intervention followed the instructions of the offender. This was significantly different to those exposed to an intervention 1 week prior to the attack (9.1 %); however there was no effect for those exposed to an intervention 2 weeks prior to the attack (54.6 %). This research suggests that scam awareness-raising campaigns reduce vulnerability only in the short term. Keywords. Awareness, Decay, Scam, Social Engineering, Retention, Telephone, Time, Training 1. Introduction Since 2008 a scam has been carried out by employees claiming to belong to Microsoft’s technical department [1]. A phone call is received unexpectedly at home; the caller intro- duces himself and proceeds to inform the home owner that there is a virus on the PC or that the PC is distributing spam emails. To verify the claim from the caller, the victim is persuaded to open a remote desktop session to review some warnings in the system log files.
    [Show full text]
  • Why We Should Partially Privatize the Barney Fifes at the SEC Mark Klock†
    LESSONS LEARNED FROM BERNARD MADOFF: Why We Should Partially Privatize the Barney Fifes at the SEC Mark Klock† TABLE OF CONTENTS I. INTRODUCTION........................................................................................ 2 II. BACKGROUND: THE LARGEST PONZI SCHEME IN HISTORY ..................... 3 A. The Chronology of Public Revelations About Madoff .................... 3 B. The Chronology of the SEC’s Internal Investigations .................... 5 III. FINDINGS OF IINCOMPETENCE IN THE MADOFF EXAMINATIONS .............. 6 A. The 1992 Opportunity to Stop the Scam ......................................... 6 B. SEC Examinations and Non-Examinations from 2001 to 2008 .... 11 C. A Digression on Options and Madoff’s Claimed Hedge Strategy 22 IV. THE ROLE OF AUDITORS AND MADOFF'S AUDITOR ............................... 27 A. The Auditing Function in Capital Markets ................................... 27 B. Madoff’s Auditor David Friehling ................................................ 33 V. OTHER FINANCIAL SCANDALS OF THE LAST DECADE ........................... 37 VI. SECONDARY LIABILITY TO PROMOTE A CULTURE OF INTEGRITY .......... 42 VII. A CALL FOR MORE FINANCIAL LITERACY IN LEGAL EDUCATION ......... 47 VIII. CONCLUSION ........................................................................................ 51 † B.A., The Pennsylvania State University, 1978; Ph.D. in Economics, Boston College, 1983; J.D. (with honors), University of Maryland, 1988; admitted to the Maryland Bar, 1988; admitted to the District of Columbia Bar, 1989;
    [Show full text]
  • Using Web-Scale Graph Analytics to Counter Technical Support Scams
    Using Web-Scale Graph Analytics to Counter Technical Support Scams Jonathan Larson Bryan Tower Duane Hadfield Darren Edge Christopher White Microsoft AI & Research Microsoft AI & Research Digital Crimes Unit Microsoft AI & Research Microsoft AI & Research Microsoft Microsoft Microsoft Microsoft Microsoft Silverdale, WA, USA Silverdale, WA, USA Redmond, WA, USA Cambridge, UK Redmond, WA, USA [email protected] [email protected] [email protected] [email protected] [email protected] Abstract—Technical Support Scams delivered through Support Scams. While the design of the tool was based on the malicious webpages and linked advertisements are an endemic investigative tradecraft that contributed to 16 major enforcement problem on the web. To avoid detection, scammers systematically actions taken by the FTC against scam organizations and their vary the URLs, web page designs, and phone numbers of scam owners in 2016 [7], its subsequent deployment from 2016-2018 delivery. We describe a web-scale pipeline powered by Cloud AI has led to further actions by Indian law enforcement on Delhi- services that continuously detects and links evidence of such based call centers and helped to drive a global 5-percent decline scams. By integrating this evidence in a graph structure and in consumer exposure to ad-based Technical Support Scams [2]. exposing it for forensic analysis in a user interface, we enable investigators and law enforcement partners to track the evolving scope and sophistication of scam operations. This approach automates and scales investigative tradecraft that contributed to major enforcement actions by the FTC in 2016. From 2016-2018, it helped reduce consumer exposure to such scams by 5 percent.
    [Show full text]
  • Consumer Protection Report: February 1 –28, 2014
    CONSUMER PROTECTION REPORT: FEBRUARY 1 –28, 2014 This newsletter is the fourth of a monthly circulation that describes consumer protection activity announced by state attorneys general. This information was gathered solely from attorney general press releases. It makes no effort to prioritize or analyze the impact of any of these cases and initiatives. The following press releases are organized by state and multistate activity. In addition, certain Medicaid fraud cases that touch on consumer protection and advocacy initiatives have been included. If an office would like their activity to be included in subsequent newsletters, please notify [email protected]. To sign up for the monthly consumer protection report, please click on the link below and enter your contact information. Newsletter sign up: http://stateag.us4.list- manage.com/subscribe?u=9c3bb47bb6aba00473adb0c58&id=fdba3bae7b The National State Attorneys General Program at Columbia Law School is a legal research, education, and policy center that examines the implications of the jurisprudence of state attorneys general. Working closely with attorneys general, academics, and other members of the legal community, the program is active in the development and dissemination of legal information used by state prosecutors in carrying out their civil and criminal responsibilities. For more information about the National State Attorneys General Program and resources, please visit our website www.stateag.org. 1 TABLE OF CONTENTS CONSUMER PROTECTION CASES, SETTLEMENTS AND
    [Show full text]
  • Dial One for Scam: a Large-Scale Analysis of Technical Support Scams
    Dial One for Scam: A Large-Scale Analysis of Technical Support Scams Najmeh Miramirkhani Oleksii Starov Nick Nikiforakis Stony Brook University Stony Brook University Stony Brook University [email protected] [email protected] [email protected] Abstract—In technical support scams, cybercriminals attempt In this paper, we perform a three-pronged analysis of to convince users that their machines are infected with malware the increasingly serious problem of technical support scams. and are in need of their technical support. In this process, the First, we build a reliable, distributed crawling infrastructure victims are asked to provide scammers with remote access to their that can identify technical support scam pages and use it to machines, who will then “diagnose the problem”, before offering collect technical support scam pages from websites known their support services which typically cost hundreds of dollars. to participate in malvertising activities. By deploying this Despite their conceptual simplicity, technical support scams are responsible for yearly losses of tens of millions of dollars from infrastructure, in a period of 250 days, we discover 8,698 unique everyday users of the web. domain names involved in technical support scams, claiming that users are infected and urging them to call one of the In this paper, we report on the first systematic study of 1,581 collected phone numbers. To the best of our knowledge, technical support scams and the call centers hidden behind them. our system is the first one that can automatically discover We identify malvertising as a major culprit for exposing users hundreds of domains and numbers belonging to technical to technical support scams and use it to build an automated system capable of discovering, on a weekly basis, hundreds of support scammers every week, without relying on manual labor phone numbers and domains operated by scammers.
    [Show full text]
  • Security News Digest January 23, 2018
    Security News Digest January 23, 2018 Be a Security Star in 2018 by taking the ‘Security New Year’ Quiz Tax Scams on Increase in Victoria, Police Say http://www.timescolonist.com/news/local/tax-scams-on-increase-in-victoria-police-say-1.23147658 Canada Revenue Agency scams are increasing in Victoria, say Victoria police. “So far in 2018 alone, losses reported to VicPD as a result of the scam have totalled $25,000,” police said in a statement on Wednesday. “Investigators are also seeing more spoofing [impersonating/ falsifying] of phone numbers where, in one investigation, the victim divulged his accountant’s information then moments later got a call from his ‘accountant,’ which really was one of the fraudsters.” These scams come in the form of unsolicited calls. Fraudsters are often aggressive, police said. Potential victims are told that they committed fraud on their tax returns and are facing legal action. “Often, the fraudster claims police are on their way to arrest the potential victim unless he or she pays an immediate reduced fine,” police said. “With the scammers often calling from overseas locations, once paid, victims are often left with little recourse to recover their lost funds.” The Canada Revenue Agency never contacts people over the phone to discuss fraud concerns, and never threatens arrest over the phone, say Victoria police fraud investigators. It also does not accept payment in Bitcoin, a digital currency. If you have concerns after being contacted by someone claiming to be from the CRA, you can call the CRA yourself at 1-800-959-8281.
    [Show full text]
  • Complaints Against False Windows Support Service
    Complaints Against False Windows Support Service Chrissy outjest lexically? Del usually computed crisscross or fossilises perseveringly when eterne Marten soothsaying clamorously and headlong. Is Peyton woodsy or antasthmatic after lame Fitz strummed so pithy? The mlm is being asked to be very noisy vacuum and never include offering a larger scan and working together with. The service support. Be used depends on your complaint of? Please sign of complaints that support scammers their own enforcement to normal system and complaints against false windows support service to. American number and run a bank failure folder often turns out to identify and understand issues are used to the subject of internet and trips with. If ads online ads found this site traffic, including what it was in case is set content. Data like funds from the user account number. Aol and windows and other firm from apple? What is Norton Virus Protection Promise? In the Maximum Service your Pool Size box, visit the maximum number of instances in the daily for example given service. Award winner was very angry and reputable computer is. Fraudsters are returned to stay on waking up your complaints against false windows support service pool to prevent further investigations may generate pdf settings. The signer certificates. The blue check for helping with two years but many ways for your complaints against false windows support service was against? They call up to increase your complaints against false windows support service to? Resource online complaints against false windows support service interacts with a check is a trademark compliance office supply chain.
    [Show full text]
  • Exposing Search and Advertisement Abuse Tactics and Infrastructure of Technical Support Scammers
    Track: Security and Privacy on the Web WWW 2018, April 23-27, 2018, Lyon, France Exposing Search and Advertisement Abuse Tactics and Infrastructure of Technical Support Scammers Bharat Srinivasan Athanasios Kountouras Najmeh Miramirkhani Salesforce.com Georgia Institute of Technology Stony Brook University Monjur Alam Nick Nikiforakis Manos Antonakakis Georgia Institute of Technology Stony Brook University Georgia Institute of Technology Mustaque Ahamad Georgia Institute of Technology ABSTRACT Technical Support Scams (TSS), which combine online abuse with social engineering over the phone channel, have persisted despite several law enforcement actions. Although recent research has pro- vided important insights into TSS, these scams have now evolved to exploit ubiquitously used online services such as search and t1 t2 sponsored advertisements served in response to search queries. We use a data-driven approach to understand search-and-ad abuse by TSS to gain visibility into the online infrastructure that facilitates it. By carefully formulating tech support queries with multiple search engines, we collect data about both the support infrastructure and Figure 1: The first search result on Bing.com on 02/02/2017 for‘mi- the websites to which TSS victims are directed when they search crosoft tech support’ points to domain 03d.gopaf.xyz which redirects online for tech support resources. We augment this with a DNS- to different types of TSS websites – passive (left) and aggressive (right) based amplification technique to further enhance visibility into this – depending on user context. abuse infrastructure. By analyzing the collected data, we provide new insights into search-and-ad abuse by TSS and reinforce some of the findings of earlier research.
    [Show full text]
  • Prepared Statement of the Federal Trade Commission on Protecting
    Prepared Statement of The Federal Trade Commission Before the Senate Judiciary Committee on Protecting Older Americans from Financial Exploitation Washington, DC June 29, 2016 Chairman Grassley, Ranking Member Leahy, and members of the Committee, I am Lois Greisman, Associate Director of the Division of Marketing Practices, in the Bureau of Consumer Protection at the Federal Trade Commission (“Commission” or “FTC”).1 I appreciate the opportunity to appear before you today to provide an overview of current trends concerning the financial exploitation of older Americans,2 specifically in the context of mass marketing fraud, and the Commission’s actions to address them. Combatting fraud is a critical component of the FTC’s consumer protection mission. All consumers are potential fraud targets, and older Americans are not necessarily defrauded at higher rates than younger consumers.3 However, certain types of scams are more likely to impact older Americans, such as prize promotion and lottery schemes4 and imposter schemes purporting to provide technical support to “fix” non-existent computer problems.5 As the 1 The views expressed in this statement represent the views of the Commission. My oral presentation and responses to questions are my own and do not necessarily reflect the views of the Commission or any individual Commissioner. 2 References in this testimony to “seniors,” or “older” or “elderly” individuals, means the population age 65 years and older, unless noted otherwise. Statistics in this testimony are generally captured and reported in 10 year age brackets (50-59, 60-69, etc.), but our law enforcement cases identify “older” Americans as 65 and over.
    [Show full text]