
FBI informant provides a glimpse into the inner workings of tech support scams


US authorities have charged three suspects involved in a large-scale tech support scam operation after FBI agents arrested one of their co-conspirators and turned him into an informant.

Evidence provided by the informant along with court documents filed in the case provide an in-depth glimpse at the techniques and inner workings of a modern-day tech support scam, from its earliest stages to the methods crooks use to launder funds obtained from defrauded victims.

Of the three suspects named in the case, one was arrested earlier this year, and he pleaded guilty earlier this week.

It all started with an informant

While charges were filed in January this year, the investigation into this group began in May 2019, when the FBI arrested an Indian national on fraud-related charges.

According to court documents obtained by ZDNet today, the suspect (hereinafter “the informant”) agreed to cooperate with investigators and become an informant for the FBI, seeking leniency from US authorities in his case.

The informant admitted to FBI agents that he was an active member of a tech support scheme and gave up the names of three of his collaborators, all three Indian nationals.

Two of the suspects owned call centers in India, while a third lived inside the US, where he acted as a money mule by receiving funds from victims into his US bank accounts, and then transferring the money to the call center operators.

Publishers, brokers, and call centers

The informant said that his role in the scheme was as a “broker,” and he sold “call traffic.” According to the informant, brokers are the second category/stage in an online tech support scam scheme.

The first category is what the informant described as “publishers.” These are criminal groups that create the actual tech support websites that show misleading error messages and popups urging users to call a toll-free number.

Publishers then ran online ads on platforms like Facebook, on unrelated topics such as travel, but redirected users who clicked on the ads toward their malicious sites.

Brokers, the role the informant played, operated as intermediaries between the publishers and the call centers. Brokers managed telephony servers through which they sold “call traffic” either to a call center operator willing to buy it, based on that call center’s capacity, or to other brokers whose clients (call centers) had free capacity.

The informant, who agreed to give the FBI access to his device and have his calls recorded, said that most of these negotiations took place via WhatsApp and other online chat applications.

Call center owners would get in touch with brokers, agree to a price per batch of calls, and provide a number to which the broker would re-route incoming calls from tech support scam victims.

WhatsApp chat showing the informant selling “call traffic” from tech support scam site publishers to an Indian call center.

The scheme in which the informant was involved used tech support pages that posed as Microsoft security alerts.

The alerts told visitors they’d been infected with malware and that they had to call a phone number for further assistance from a Microsoft employee.

Victims listed in the indictment were all elderly citizens who lacked technical skills to determine that the security alert was fake.

Call center operators would often gain access to bank accounts

Past IM chat logs and phone calls recorded by the FBI also allowed agents to learn how the scheme continued once victims connected to the call center.

Per court documents, call center employees would operate by convincing callers they needed to download and install a version of the SupRemo remote control software on their computers.

This software would allow call center operators to connect to the victim’s computer and resolve the supposed “technical issue.”

At the end of this operation, victims would be asked to pay for the technical assistance they received, usually through a bank transfer or through gift cards acquired from local stores.

According to a recorded phone call the informant had with one call center owner, call center operators would often ask victims to connect to their bank accounts while the operator would still have access to their systems, allowing the operator to collect bank account credentials.

Conversation between the informant and a call center owner, with the call center owner admitting they had access to victims’ bank accounts.

Similar experiences were also reported by past victims whom the FBI contacted during its investigation.

Sample case cited by the FBI in court documents where the call center operator had direct access to the victim’s bank account.

Money received as payments, or surreptitiously stolen from victims’ bank accounts, would usually be transferred to intermediary bank accounts controlled by money mules.

Informant also served as money mule

At the FBI’s request, the informant also agreed to serve as a money mule, and operated one of these intermediary bank accounts, which the FBI then used to track payments and the entities involved in these scams.

Court documents list only a few of the victims who lost money as part of these scams, with estimated losses around tens of thousands of US dollars. However, the true losses from this operation are believed to be in the millions of US dollars, as the scheme appears to have been going on since at least 2017 and most likely involved many more victims beyond the ones cited in court files.

US authorities filed formal charges in January 2020 against three suspects the informant identified.

The call center operators are still at large in India, but one money mule was arrested in February this year while trying to board a flight from New York to India.

Named Abrar Anjum, the money mule pleaded guilty on Monday, according to a DOJ press release and court documents. He is scheduled to be sentenced in October and faces up to 20 years in prison.


Source: Information Technologies - zdnet.com