Microsoft’s machine learning helped track down the “biggest fish” netted in a recent US crackdown on tech support scam operations.
The US Federal Trade Commission’s (FTC) recent bust on bogus tech support can in part be attributed to artificial intelligence that Microsoft’s researchers trained up for the task and gave to its Digital Crimes Unit (DCU).
The FTC in May announced over a dozen legal actions and arrests of key figures behind large tech support scams that used pop-up ads to mimic Microsoft security warnings.
While tech support scammers in some markets, such as Germany, still cold-call targets, for the most part the initial contact has moved to the web with browser locking pop-up ads that lure victims into calling a helpline. Calling the number exposes victims to a high-pressure pitch for unnecessary services, and often involves the victim giving the telemarketer remote access to their computer.
As Microsoft explains, the difficulty investigating tech support scams is finding evidence that can help lead investigators to the culprit. Victims often don’t provide evidence, such as screen grabs of the original pop-up scam, and scammers cover their tracks with temporary phone numbers and rotating IP addresses.
To overcome the problem of ephemeral clues, the DCU team tapped Microsoft principal research Christopher White, a former program manager at DARPA who’s developed counter terror and counter financial fraud systems for the US government.
The model he built targeted tell-tale signals of tech support scam pop-ads. So-called “browser lockers”, or pop-up ads that users can't easily close, often rely on ads that refreshed in microsecond frames to give the viewer the impression the pop-up is frozen to the screen. White and DCU created a tool to scan the web for sites displaying this signal, while a second computer vision-aided tool scoured the suspect ads for phone numbers and other details.
Using machine learning to sift through a mountain of unstructured data isn’t necessarily unique, however Microsoft's move could be well-timed given the more sophisticated techniques tech support fraudsters are using for initial contact with victims. Microsoft claims the DCU gets 10,000 complaints a month from victims and that the figure is probably just the tip of the iceberg.
Tech support scams already use malicious ads and bundled software to spread screen lockers and browser lockers, but they're also experimenting with novel techniques to improve automation.
This week security firm Malwarebytes found the fraudsters are using compromised websites to redirect victims to browser locking pop-up pages.
The site redirect was once favored by now dead exploit kits, such as Angler, Neutrino, and Blackhole, that targeted outdated browser plugins to infect PCs.
But support scammers have also started registering numeric domain names, such as “6473819564947657419.win”. These operate just like any other domains except for the fact that browsers make it more difficult to close pop-ups from these domains.
“Almost all browsers fail to mitigate the fake alert used by the numeric [domains], by not allowing you to normally close the page,” said Malwarebytes’ researcher Jérôme Segura.
In the case of Windows and a locked instance of Internet Explorer (IE), the only way users can close the pop-up is by going to Windows Task Manager and killing the process.
The attack on IE waits for the user to mouse over an area of the web page that will trigger a “mouse event” that loads the tech support scam dialog box. It can be closed so long as the user doesn’t move the cursor while using keyboard shortcuts, but most users wouldn’t know how to do this.
Windows 10 Edge does let the user simply close the page without going to Task Manager.
The attack on Chrome for Windows is by far the most disruptive, according to Segura, as it causes Chrome to chew up all of the PC’s available memory and processing power.