#RSAC
SESSION ID: HUM-F01
TECH SCAMS: IT’S TIME TO RELEASE THE HOUNDS
Erik C. Wahlstrom Sr. Program Manager Microsoft – Windows Active Defense (WiAD) Definition: Technical Support Scam (AKA: Tech Scam) #RSAC
A social engineering attack to trick a user that their device is compromised or broken. Victims are directed to a “call center” and scared or coerced into purchasing fake tech support services.
2 The tech support ecosystem #RSAC Helpful
Official support channels e.g. https://support.microsoft.comYour cousin
Our Focus Impact that used to Fraudulent Unsolicited emailLead generation workLegitimate in Cold Calls “ Tech” Fake Anti-virus /Security Browser locksoftware ups
Destructive Why should we care? #RSAC
~50% of surveyed $250-$450 Among Microsoft’s ~13,000 reports consumers report top three customer being impacted average loss support call types monthly
87% think 46 law 300+ identified companies like enforcement targets Microsoft are actions responsible #RSAC
CASE STUDY: JEN
Abusing the Browser Case Study: Jen #RSAC
Jen opened an internal home page: http://msw Something had changed since yesterday
#RSAC
CASE STUDY: JIM
How the calls unfold Case Study: Jim #RSAC
#RSAC
CASE STUDY: GAIL
Payment Case Study: Gail #RSAC
I am a nursing instructor and I have to have an operational and secure computer to use for two jobs. . . . I purchased a Lifetime Warranty for my computer and technical services good for my lifetime on any device, which also included any new Microsoft/Windows updated programs e.g. Windows 11. The cost for these was $1249.99. . . . When I initially tried to use my credit card to pay MS Infotech on their site, it “mysteriously” would not take my card number. The technician suggested I could do a . . . . one-time bill pay. He assured me he could not see my codes or numbers and that the bank was secure. . . . I believe they trick you into having to use your bank account bill pay as opposed to a credit card so you can’t block the charges when you discover they are a scam. #RSAC
THE FULL ATTACK CHAIN The Full Attack Chain #RSAC
Search Cold Call Engine
Call Make the Online Ad Web Site Payment Center “sale”
Phishing Malware Mail Machine Learning to detect malicious websites #RSAC
URL Reputation •Registration Changes Windows Defender •Age SmartScreen™ currently uses OS Events •TLD JavaScript • Close Tricks many of these signals as ML Window • Full Screen features • Stop script • Audio Web Page Reputation The latest version of Windows Page 10 moves these models inline to Direct contents Customer •Phone numbers address new classes of threats Feedback •Trademarks Visual •Signatures Similarity The Full Attack Chain #RSAC
Search Ranking/ Cold Call ??? Engine Relevance
Call Make the Online Ad Fraud Web Site Payment Detection Center sale
Phishing ScanningMalware / Anti-Virus Mail Detonation The Common Pattern #RSAC
Complete Establish Install Display the Payment the call RAT tools “threats” “sale”
Potentially Highly Potentially Highly detectable detectable detectable detectable Machine Learning to detect cold calls #RSAC
Browser Many of these events are Activity currently detected today Financial Software activity Installations We are currently tuning ML Social detection models based on Engineering these signals (and others) Attack? External Connection OS Events attempts Use of obscure tools •Msconfig.exe •Netstat.exe Now what? #RSAC
Behavior People don’t want modification is to be informed difficult
Ramping up notifications is We can block but exactly the wrong should we? thing to do A Gentle Reminder? #RSAC
It looks like you AUTHENTICATOR Jim Philippsare being would now socially like to install “Im- engineered.SECURITY BREACH A-ScamNeed Remote some Access Tools”help? on “Jim’s Desktop”.Your security software detected a WouldYes you likemaliciousNo to actor using a trusted authorize this?application. This connection has been rejected and closed. The application hosting this threat will be disabled for 72 hours to protect you. #RSAC
DISRUPTING THE CALL CENTER Disrupting the Call Center #RSAC
Search Cold Call Engine
Call Make the Online Ad Web Site Payment Center sale
Phishing Malware Mail Affiliate Programs #RSAC Cold Call Detection (888) 595-4323 (xxx) xxx-xxxx Browser Detection (866) 649-2816 (xxx) xxx-xxxx (xxx) xxx-xxxx Customer Submission (855) 784-2431 Remote Call call (xxx) xxx-xxxx forwarding Center (xxx) xxx-xxxx Totally Legit (xxx) xxx-xxxx (xxx) xxx-xxxx (xxx) xxx-xxxx (xxx) xxx-xxxx (xxx) xxx-xxxx “Virus Total for Phone Numbers” #RSAC
Law Enforcement
1(888) 595-4323 3rd party has received reports of dialer app suspicions activity Phone Reputation in the past 72 Service hours. 3 reports in Last 72 hours
Call Cancel
Other Edge/IE Telecom Browser “Apply” Slide #RSAC
Educate: “Microsoft does not make unsolicited phone calls to fix your computer”. Technology: Use strong web filtering technologies and other blocking technologies to avoid scams. Most modern browsers ship with these installed. Use them. And provide feedback! Partner: With Microsoft, other platform vendors, search engines, telecoms, and governmental organizations to address Tech Scams and social engineering attacks.
32 #RSAC