Another year, another fine Virus Bulletin conference come and gone. And some of us even got long-service badges. (My first VB was in 1996, and my first VB presentation in 1997, but there are people like our own Righard Zwienenberg whose attendance record goes back way further.)

(Yes, it did rain the last day or two, but this particular cityscape isn't shimmery because of raindrops, but because I had rather an interesting view of the CBD from my hotel room reflected in a nearby building.)

Perhaps one or two of my colleagues will give your their own views of the conference, hopefully missing out the bit about my cursing my iPad when I couldn't get it to move on to my next page of speaker notes. But as I'm preparing to move on to another event, you'll have to wait for mine.

In the meantime, though, as I know we get lots of interest in the whole issue of PC support scams and gambits like the misrepresentation of the CLSID as some kind of unique license identifier, I thought I'd let you know that the paper I presented with Martijn Grooten, Steve Burn and Craig Johnston is now up on the ESET white papers page. It's a pretty comprehensive review of the evolution of the scam, so I hope people will find it useful.

(Hopefully, we'll get lots of researcher interest in a specialist working group we - well, Martijn, primarily - are in the process of establishing: I hope to have more news on that in the near future.)

Here is a link to the full paper My PC has 32,539 errors: how telephone support scams really work. What follows is an abstract:

Fake security products, pushed by variations on Black Hat SEO and social media spam, constitute a highly adaptive, longstanding and well-documented area of cybercriminal activity. By comparison, lo-tech Windows support scams receive far less attention from the security industry, probably because they're seen as primarily social engineering not really susceptible to a technical 'anti-scammer' solution. Yet, they've been a consistent source of fraudulent income for some time, and have quietly increased in sophistication.

In this paper, we consider:

  • The evolution of the FUD and Blunder approach to cold-calling support scams, from 'Microsoft told us you have a virus' to more technically sophisticated hooks such as deliberate misinterpretation of output from system utilities such as Event Viewer and Assoc.
  • The developing PR-oriented infrastructure behind the phone calls: the deceptive company websites, the flaky Facebook pages, the scraped informational content and fake testimonials.
  • Meetings with remarkable scammers: scammer and scam-victim demographics, and scammer techniques, tools and psychology, as gleaned from conversational exchanges and a step-through remote cleaning and optimization session.
  • The points of contact between the support scam industry, other telephone scams, and mainstream malware and security fakery.
  • A peek into the crystal ball: where the scammers might go next, some legal implications, and some thoughts on making their lives more difficult.

I'm hoping to get some more of our VB papers onto the conference papers section of our resources page, and perhaps some of the presentations as well.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow