We’ve encountered many a tech support scam over the years, and the story is usually the same: a fake Blue Screen of Death says your computer is packed with viruses and tells you to call “tech support” at a handy 800 number.

At this point the scammers remote into your system and can do anything from loading malware to stealing your credit card information. But who are these people, really? How do they hide their ill-gotten gains? And how do these scam sites keep cropping up in your Google results?

The answer is that tech support scammers are just one node in a scam ecosystem. Successfully fleecing a target requires SEO so that the target is more likely to encounter the fake BSOD, a call center to take the target’s payment details, and a payment processor to get the payment successfully back to the scammer’s account, wherever it may be.

So where do I as an aspiring criminal go to hook into a professional criminal network? Let’s start with LinkedIn. (Disclaimer: LinkedIn poses a number of serious privacy and safety risks. Make sure to never connect with people you don’t know.)

[Image: LinkedIn]

Looks like one of my friends is a known tech support scammer. (I’m a very friendly person.)

[Image: jaydevkundu]

This gentleman was found running hxxp://tour-foryou.info/sfp/?idtech=11795, a pretty standard tech support scam with a BSOD, along with several fake tech support companies. (Don’t worry – we’ve blocked his sites.) I wonder who he’s connected with?

[Image: connections]

We can see some expected results, like owners of similarly dubious businesses, as well as an account rep for LogMeIn, a remote administration tool quite popular with tech support scams. But there are also four people involved with ad sales and marketing, none of whom look quite like the stereotypical con artist.

Scammers frequently rely on “legitimate” ad networks to get their websites seen by potential victims. Sometimes they’ll outsource their marketing to an SEO expert, as seen here:

[Image: RaviKumarSEO]

These folks specialize in getting web traffic directed towards scam sites via blog spam, YouTube videos, fake comments, and the traditional BSOD. While they present themselves as quite professional, if we dig into his profile, we can see the following:

[Image: SEO Manager]

Mr. Kumar, like many other “SEO experts”, has found a niche – getting a scam on as many screens as possible. So we’ve seen that I as a scammer have access to a number of professional services offering to help me steal your money more efficiently.

But what if I want to socialize with other criminals, and brainstorm on how to be more evil? Let’s go back to LinkedIn.

[Images: tssgroup, tssgroupmembers]

Looks like Mr. Kundu is in a tech support call group with about 300 members. Again, we can see the stereotypical scammers, but mixed with advertising and finance professionals from a variety of countries.

Social networks of this type provide a one-stop shop to set up a scam website, drive traffic to it, promote it through legitimate ad networks, and handle ill-gotten gains. So while we as security professionals can identify and block a malicious website, a large, resilient, and very profitable network is waiting to get the site owner back on his feet as soon as he can pay.

Tune in next time to get a little more personal with some scammers and their friends.

IOCs:

  • iamjaydev992@gmail.com
  • hxxp://tour-foryou.info/sfp/?idtech=11795