Exposing Search and Advertisement Abuse Tactics and Infrastructure of Technical Support Scammers

Abstract: Technical Support Scams (TSS), which combine online abuse with social engineering over the phone channel, have persisted despite several law enforcement actions. Although recent research has provided important insights into TSS, these scams have now evolved to exploit ubiquitously used online services such as search and sponsored advertisements served in response to search queries. We use a data-driven approach to understand search-and-ad abuse by TSS to gain visibility into the online infrastructure that faci… Show more

“…Tech Support Scam We observed 20 tech support scam domain names that displayed fake virus-infection messages and telephone numbers of support centers to urge users to call. StraySheep reached the scams from sequences of web pages starting from the search engine's results and social media postings, which are not observed with other systems [23,29]. Fake Browser History Injection We found 16 Fake browser history injection attacks domain names, which injected URLs into browser's history to force users to redirect to another SE page when the browser's back button is clicked.…”

“…Social engineering (SE) psychologically manipulates people to perform specific actions. Modern web-based attacks leverage SE for malware infections [24,25] and online frauds [17,23,29], which are called web-based SE attacks (or simply SE attacks). Attackers skillfully guide a user's browser interaction through attractive web content or warning messages to make users download malware or leak sensitive information.…”

“…Common systems to automatically collect SE attacks involve accessing web pages collected from search engines [17,27,29]. These systems use a web browser to crawl web pages and identify a particular SE attack by extracting features only from each web page.…”

“…The second idea is to extract features from reached web pages as well as an entire sequence of web pages. Unlike previous approaches that extract features from a single web page they have visited [17,29] or identify malicious URL chains automatically caused without user interactions (i.e., URL redirections) [22,30,32], StraySheep extracts features from the entire sequence of web pages it has actively and recursively followed. That is, StraySheep analyzes image and linguistic characteristics of reached web pages, browser events (e.g., displaying popup windows and alerts) that occurred before reaching the web page, and browser interactions that lead users to SE attacks.…”

“…SE is used to manipulate people into performing a particular action by exploiting their psychology and has been widely used in various types of web-based attacks, such as malware downloads [25,35], malicious browser extension installs [16,33,36], survey scams [17], and technical support scams [23,29]. Malware downloads and malicious browser extension installs are achieved by masquerading as legitimate software.…”

To Get Lost is to Learn the Way: Automatically Collecting Multi-step Social Engineering Attacks on the Web

“…Tech Support Scam We observed 20 tech support scam domain names that displayed fake virus-infection messages and telephone numbers of support centers to urge users to call. StraySheep reached the scams from sequences of web pages starting from the search engine's results and social media postings, which are not observed with other systems [23,29]. Fake Browser History Injection We found 16 Fake browser history injection attacks domain names, which injected URLs into browser's history to force users to redirect to another SE page when the browser's back button is clicked.…”

“…Social engineering (SE) psychologically manipulates people to perform specific actions. Modern web-based attacks leverage SE for malware infections [24,25] and online frauds [17,23,29], which are called web-based SE attacks (or simply SE attacks). Attackers skillfully guide a user's browser interaction through attractive web content or warning messages to make users download malware or leak sensitive information.…”

“…Common systems to automatically collect SE attacks involve accessing web pages collected from search engines [17,27,29]. These systems use a web browser to crawl web pages and identify a particular SE attack by extracting features only from each web page.…”

“…The second idea is to extract features from reached web pages as well as an entire sequence of web pages. Unlike previous approaches that extract features from a single web page they have visited [17,29] or identify malicious URL chains automatically caused without user interactions (i.e., URL redirections) [22,30,32], StraySheep extracts features from the entire sequence of web pages it has actively and recursively followed. That is, StraySheep analyzes image and linguistic characteristics of reached web pages, browser events (e.g., displaying popup windows and alerts) that occurred before reaching the web page, and browser interactions that lead users to SE attacks.…”

“…SE is used to manipulate people into performing a particular action by exploiting their psychology and has been widely used in various types of web-based attacks, such as malware downloads [25,35], malicious browser extension installs [16,33,36], survey scams [17], and technical support scams [23,29]. Malware downloads and malicious browser extension installs are achieved by masquerading as legitimate software.…”

To Get Lost is to Learn the Way: Automatically Collecting Multi-step Social Engineering Attacks on the Web

The “Game Hack” Scam

Web Runner 2049: Evaluating Third-Party Anti-bot Services