What is a tech support ad scam?
A tech support scam is a type of fraud disguised as a legitimate technical support service. Tech support ad scams use social engineering techniques to convince victims that they have a problem on their computer or device and lead them to “fix” the problem by installing malicious software. Publishers must identify ad scams on the pre-impression level, block them, and refresh the ad unit, serving a safe creative before users fall victim to them.
Tech support scammers use a variety of tactics to achieve their goals, including a fake pop-up warning designed to resemble an error message from a trusted tech company or other types of pop-up windows. Cybercriminals also advertise phone numbers on landing pages that supposedly lead to technical support services from real tech companies. The fake computer technician who answers these calls will often request remote access to the user’s computer. When victims provide access, the tech support scammers install malware on the user’s computer or mobile device.
Why are tech support scams effective?
Figure 1: Tech Support Scam
Technical support scams are effective because they combine several elements that have a strong impact on users:
They use innocent-looking ads on unrelated topics, so users don’t suspect anything malicious. Tech support scammers often target older adults with ads on topics like “10 hobbies for older people”.
After users click the ad, the scam page forcefully takes over the user’s entire computer screen while disabling basic browser features, including the user’s ability to exit full-screen mode or close the browser tab.
Tech support scams use icons and logos from legitimate tech companies (such as Apple or Microsoft) to make the security pop-up warnings seem like trustworthy system alerts or part of the operating system of trusted companies. They usually use strong red colors for added psychological impact.
These scams tell users a disturbing story about a critical malfunction or security issue on their computer and offer a clear path to solving the problem, by downloading and installing a fake program.
They avoid tactics that can raise the victim’s suspicions, such as an unsolicited call from a phone number without caller ID or from a supposed credit card company, a text message from an unrecognized phone number, or direct requests for sensitive information.
Tech support scam attack flow
In most cases, the flow of a tech support scam is as follows:
1. An ad request is sent and returns an ad tag containing malicious code. The code acts like a diagnostic test that confirms the victim is a real user who can be attacked. This process, called fingerprinting, allows attackers to collect client data that is later used to tailor the tech support experience, for example by using the logos of the user’s actual operating system.
2. An ad is served to the user, often for something that has nothing to do with tech support to reduce suspicion. In other cases, the ad suggests that something is wrong with the computer, setting the stage for the tech support scam that is launched once the ad is clicked.
Figure 2: Clickbait Ad
3. Once users click the ad, they are redirected to an aggressive landing page that looks like part of a legitimate website from a well-known company. User data collected in the fingerprinting stage is used to design an alert message or pop-up tailored to the user’s operating system. Windows systems can be particularly vulnerable. For example, for a period of time the Microsoft Edge News Feed was flooded with malvertising ads pushing a fake Microsoft support phone number.
4. Landing pages often display warnings in a full-screen pop-up window, deactivating the user’s ability to exit full-screen mode on their computer. They usually include a phone number the user can call to get technical help and release the computer lock.
Figure 3: Pop-Up Window
5. Unlike other attacks, such scams often include tech support phone scams. The landing page or pop-up instructs victims to call a fake support center where someone impersonating a computer technician convinces them to install malicious code disguised as security software or antivirus software, give the tech support scammer remote access to their computer or task manager, or take action that allows the scammer to phish their personal data or activate other malware.
What are the risks of tech support scams?
Tech support scams expose users to a variety of privacy risks, ransomware schemes, and phishing attacks.
Users who fall victim to a technical support scam and enable remote access to their computer or install malware disguised as security software risk having their computer or mobile device unknowingly exploited for cryptocurrency mining or having their privacy and security compromised by sniffers and keyloggers who go after their usernames, passwords, payment information, debit card or credit card information, and other personal or financial information.
Many scammers demand ransom for releasing the block on a computer, often in the form of gift or cash reload card, or other forms of payment that are difficult to trace, although they may also request a simple money transfer or wire transfer from a bank account. Ransom payments allow a tech support scammer to earn easy money without appearing on the radar.
How to detect tech support scam ads?
Tech support ad scams can be detected by identifying code-based elements such as the pre-click fingerprinting process, landing pages that open in full-screen mode, and cross-checking data points from multiple malware detection engines.
Figure 4: Tech Support Scam On iOS Device
Technical support scams are difficult for publishers to detect because scammers often cloak ad campaigns, serving the malicious scam only to specific users. When the campaign is switched off, non-targeted users are sent to clones of legitimate landing pages that don’t do anything detrimental. Since the campaigns don’t always install malware, they often stay under the radar of security mechanisms.
Different code-based elements of an attack, such as the pre-click fingerprinting of the victim’s computer or some of the functional mechanisms that run on the landing page, can indicate a scam. For example, an ad may use the logo of an operating system but not lead to the operating system vendor’s domain. Landing pages that open in full-screen mode, prompts to call phone numbers that don’t have caller ID, and certain types of text can also be indicators.
None of these indicators alone is sufficient to verify an ad scam. It’s important to cross-check data points from multiple detection engines, including text analysis, image analysis, and other machine-readable information extracted from the pop-ups, landing page, and ad creative in order to issue a reliable verdict.
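The following is an added illustration, not code from the original article or from any ad security vendor. It turns the indicators described in this section (brand logo on a non-brand domain, full-screen requests, exit blocking, phone numbers, alarming text, and fingerprinting calls in the ad tag) into a small scoring heuristic that only reaches a “block” verdict when several independent signals agree. The brand-to-domain mapping, the indicator weights, the thresholds, and the three sample creatives and landing pages are all constructed for this example; the `.example` hostnames and 555-01xx phone numbers are reserved placeholder values.

```javascript
// Added example: multi-signal scoring of a served ad and its landing page.
// Indicator weights, thresholds, brand mapping and fixtures are constructed
// assumptions for illustration; they are not a vendor's detection rules.

// Assumed mapping of brand names to the domains that legitimately own them.
const BRAND_DOMAINS = {
  microsoft: ["microsoft.com"],
  apple: ["apple.com"],
};

// Assumed weights: a single strong indicator is never enough on its own.
const WEIGHTS = {
  brand_domain_mismatch: 3, // logo/name of a vendor, but landing page is elsewhere
  fullscreen_request: 2,    // landing page tries to take over the whole screen
  exit_blocking: 2,         // landing page hooks the unload event to keep the tab open
  alarm_language: 2,        // "your computer is infected", "call now", etc.
  phone_number: 1,          // a call-this-number prompt
  fingerprinting: 1,        // ad tag reads navigator/WebGL properties before the click
};

const ALARM_TERMS = ["virus", "infected", "blocked", "critical", "call now", "error code"];
const PHONE_RE = /\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}/;
const FINGERPRINT_RE = /navigator\.(userAgent|platform|plugins)|getContext\(['"]webgl/;

// Extract the set of indicators present in the ad creative and landing page.
function extractIndicators(creativeHtml, landingUrl, landingHtml) {
  const text = `${creativeHtml} ${landingHtml}`.toLowerCase();
  const host = new URL(landingUrl).hostname.toLowerCase();
  const found = new Set();

  for (const [brand, domains] of Object.entries(BRAND_DOMAINS)) {
    const onBrandDomain = domains.some((d) => host === d || host.endsWith(`.${d}`));
    if (text.includes(brand) && !onBrandDomain) found.add("brand_domain_mismatch");
  }
  if (/requestFullscreen/.test(landingHtml)) found.add("fullscreen_request");
  if (/beforeunload/.test(landingHtml)) found.add("exit_blocking");
  if (PHONE_RE.test(landingHtml)) found.add("phone_number");
  if (ALARM_TERMS.filter((t) => text.includes(t)).length >= 2) found.add("alarm_language");
  if (FINGERPRINT_RE.test(creativeHtml)) found.add("fingerprinting");
  return [...found];
}

// Sum the weights; require at least two indicators so no single signal decides.
function verdict(creativeHtml, landingUrl, landingHtml) {
  const indicators = extractIndicators(creativeHtml, landingUrl, landingHtml);
  const score = indicators.reduce((sum, name) => sum + (WEIGHTS[name] || 0), 0);
  let decision = "allow";
  if (indicators.length >= 2 && score >= 5) decision = "block";
  else if (indicators.length > 0) decision = "review";
  return { indicators, score, decision };
}

// Constructed fixtures modelled on the attack flow described in the article.
const SAMPLES = {
  scam: {
    creative: '<img src="hobbies.jpg" alt="10 hobbies for older people">' +
      "<script>var fp={ua:navigator.userAgent,p:navigator.platform};</script>",
    landingUrl: "https://support-alerts.example/windows",
    landingHtml: '<img src="logo.png" alt="Microsoft"><h1>Critical Error: your computer is infected with a virus</h1>' +
      "<p>Call now: (800) 555-0100</p>" +
      "<script>document.documentElement.requestFullscreen();window.onbeforeunload=function(){return 'Do not close';};</script>",
  },
  benign: {
    creative: '<img src="laptop-sale.jpg" alt="Laptops on sale">',
    landingUrl: "https://www.microsoft.com/store",
    landingHtml: "<h1>Microsoft Store</h1><p>Surface laptops</p>",
  },
  suspicious: {
    // Brand name on a third-party domain plus a phone number, but no lock-in behaviour:
    // two weak signals, so it goes to manual review rather than an automatic block.
    creative: '<img src="pc-help.jpg" alt="PC help">',
    landingUrl: "https://pc-help.example/",
    landingHtml: "<p>Microsoft certified technicians. Call (800) 555-0199</p>",
  },
};

function evaluateSample(name) {
  const s = SAMPLES[name];
  return verdict(s.creative, s.landingUrl, s.landingHtml);
}

for (const name of Object.keys(SAMPLES)) {
  const result = evaluateSample(name);
  console.log(name, result.decision, result.score, result.indicators.join(","));
}
```

In a real pre-impression pipeline the same kind of scorer would run on the ad tag and the rendered landing page in a sandbox before the creative reaches the user, and the `review` bucket is where cloaked campaigns that only show a harmless clone to non-targeted users tend to land, which is why human or secondary-engine cross-checking of that bucket matters.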
How to block tech support scams?
The most effective way to block tech support scams is by blocking the ads that lead to them.
Unlike with scams delivered through unsolicited phone calls and text messages, simply reporting tech support scams or trying to raise awareness isn’t enough for publishers to protect their audiences. Once the pop-up has appeared and the victim has already called a fake support center posing as a legitimate company, it is hard to prevent damage to that user. The only real way to avoid tech support scams is to prevent exposure to them.
Therefore, like with other ad-based scams, the best way to keep users safe is to ensure your audience isn’t served malicious ads. Real-time ad quality protection identifies ads that lead to fake tech support scams on the pre-impression level and blocks them before malicious ads appear on publishers’ pages.