Scam Intercepters – some thoughts

Despite no longer being paid to provide consultancy to the IT security industry, I couldn’t resist catching up with an interesting BBC initiative called Scam Interceptors. Having been appalled in the past when Click actually bought a botnet*, thus feeding scammers in the name of investigative journalism and self-congratulation, I was relieved to see that Scam Interceptors is less ethically challenged. I have no problem personally with the idea of hacking malicious call centres in order to give a warning and advice to people who are in the process of being scammed, though – legally speaking – unauthorized access is an offence in most jurisdictions.

Of course, much of what we know about malware and scammers comes from deep surveillance and penetration by coalitions of law enforcement agencies and various security organizations and vendors.

AWS Builder Community Hub

Here’s section 3 of the UK’s Computer Misuse Act.

“(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data”

Unauthorized in this context usually means without the permission of the hacked system, though if a team or individual has the backing of a law enforcement agency (LEO), that’s probably not a problem even if it doesn’t constitute “authorization” Well, I’ll leave that particular can of worms to law enforcement and the legal profession. I don’t, of course, know if Scam Interceptors have some form of official backing or are simply relying on the latitude sometimes given to investigative journalists. That defence certainly seemed to work for Click, even though their botnet exploitation certainly involved unauthorized access to the victims’ systems, not the criminals’ system. My recollection is that the Crown Prosecution Service took no action against the programme.

I do have some concerns about the Scam Interceptors approach, even though I’m not in the least interested in defending the privacy of the criminals.

It worries me that potential victims might feel too reassured that there is someone out there looking out for them. I don’t doubt the good intentions of the SI team, and it’s encouraging to see that they do have some success in disrupting some scams, though I suspect that we don’t see their less successful attempts. Well, I guess their funding depends on an upbeat picture of a successful operation: let’s not be naive about this…

I’m pretty sure, though, that a lot of the time each rescue takes is edited out in the interest of keeping it interesting for the viewer, and that the total number of times they do succeed in disrupting a scam is infinitely smaller than the number of times per day that these scammers contact a potential victim. Series two seems to consist of seven episodes of around 45 minutes each. Typically, a couple of events are shown where the team are seen in the act of disrupting a scammer: the rest of the time tends to consist of links, interviews with potential victims or their relatives, basic advice from selected experts, and interaction between potential victims and experts. This is by no means valueless in terms of protecting these individuals (and probably doesn’t reflect all the work the team have done), and hopefully the audience also benefits from the advice given. But it’s a drop in a very big ocean.

The banks and other organizations such as Amazon that the scammers claim to represent are eager to assert that they are working with law enforcement and scambaiters and having success in reducing the number of scams taking place. No doubt their efforts are successful, but there are an awful lot of boiler shops and crooked call centres out there. Not many of them get closed down, and I imagine that most of those that are just spring up, hydra-headed, elsewhere.

More to the point, most of the work LEOs are doing is reactive, responding to reports received from victims after the event. While reports to Action Fraud and similar resources help by adding to the amount of information received about crime groups and techniques, there are too many individual cases for even the best-resourced agencies to investigate each one in depth, so they tend to focus on the cases where large sums are being stolen. That doesn’t mean you shouldn’t report a case, of course, to resources like Action Fraud as well as to the bank or other organization that the scammers have impersonated. They may be able to help you recover stolen money, and even if they can’t, the information they receive helps them to formulate and adapt policies and countermeasures.

Scambaiters have a lot of fun messing with the minds and wasting the time of scammers who call them, but they’re not doing that all the time, and I don’t think there are many proactive groups actively monitoring illegal call centres and intervening in their scams in the way Scam Interceptors do. Frankly, it’s not that easy and there aren’t that many of the people who are capable of doing it and are prepared to do it for free.

Anyone who makes presentations in public probably realizes that however concisely they put together their slides, most of their audience will at best only retain a few key concepts. Scam Interceptors seem to have taken this to heart: a few key concepts are repeated in an episode, and sometimes across several episodes. For instance these points (comments in square brackets are mine, not from the programme, or not made explicit in episodes I’ve seen) :

  • Authentic callers will not ask you for access details like passwords in a cold call.
    • [In fact, as a rule an administrator on the system they want you to log in to doesn’t need your login details, since administrators have ‘superuser’ access privileges. However, if you ring them, they will normally require you to authenticate yourself in some way. That said, the means of authentication in such a case will (or at any rate should) be different to the credentials you normally use to access an account.]
  • They won’t be offended – and indeed, should be encouraging – if you break off at some point and call them back on a phone number you know to be authentic, like the one on the back of your bank card.
    • [There is no reason to trust someone who calls you out of the blue. Even if you recognize the number they’re calling from as being apparently genuine, it’s all too easy for a scammer to ‘spoof’ a phone call so that it appears to come from a trustworthy phone number. Be aware also that if you ring back using a known authentic number, it’s sometimes possible for the scammer to make it appear that you’ve rung off by playing a fake dial tone, so that the connection isn’t actually broken. In such a case, a different scammer will speak to you, so that you think you’ve reached another department. In general, though, such a technique is less likely to work on most mobile phones or landline handsets with a graphical display resembling those found on cellphones. Be that as it may, it’s always safer to ring a known-authentic number from a different phone, where possible, not the one the scammer called you on.
  • Bank fraud investigators will not ask you to move your money into a special ‘secure’ account, either by electronic transfer, transfer in person at a bank branch (if you can find one!), or by withdrawing funds and posting them, while they investigate wrongdoing in their own branches. That’s a longstanding phishing fraud technique, and it’s depressing to see that people are still falling for it.A technique I saw mentioned in one episode of Scam Interceptors was to persuade victims to transfer to an individual who is claimed to be one of the ‘investigators’: in fact, the individual is a money mule, his account being used as staging post to transfer money from the  victim’s account to the scammer’s. I wrote at some length about money mules some years ago, for example here,when I still worked in IT security. Another way in which money mules are used are as a clearing house for goods ordered fraudulently using a victim’s credit card or bank account. This makes the mule more exposed to investigation than the scammer, but the scammer doesn’t worry about that.
  • Callers like banks won’t ask you to install software like Anydesk, which allows the caller access to your machine.
    • [That said, such remote access software is often used genuinely by corporate support teams internally, and might be used legitimately in other contexts, but it’s absolutely foolhardy to allow a random caller unlimited access to your phone, tablet and/or laptop when you haven’t taken every possible step to establish their bona fides.I’d also point out that the Scam Interceptor team seems to assume that one particular remote access program will be used by the scammer, but in fact there are many such programs that are or have been used by telephone scammers, such as Ammyy Admin, TeamViewer and LogMeIn products. This isn’t an area I’ve looked at recently: there may be many more current products that could be misused in this way, and are available on most Apple or Android smartphones.]
    • Scam Interceptor advises people to remove Anydesk (and, by implication, similar apps) when it’s been installed, which is more than fair enough, and often explains how to do it. However, unless part of the explanation of how to remove an app is edited out so as to save broadcasting time, the explanation they give is potentially misleading. Scam Interceptors always talk about ‘removing’ the app, but removing is not necessarily the same as uninstalling. Ideally, the victim needs to uninstall the app rather than leave it (hopefully) inactive by removing it. According to which version of Android (or iOS) you have, the procedure may be slightly different, and some versions of the app may be harder to get rid of, especially if they’ve been tweaked or counterfeited by the scammer.Sometimes swiping upward in the home screen and tapping and holding the app icon will offer a choice of ‘removing’ or ‘uninstalling’: you already know which I’m going to recommend. Sometimes you may have to tap, hold and drag the icon to see the uninstall option. You should also be able to remove an app by accessing it through Google Play, or via the Settings/Apps/Manage menu options. In iOS you should also get the option by tapping and holding from the home screen. If none of these work, you’ll probably need help from someone better acquainted with these systems than I am, I’m afraid.
      You should avoid trying to uninstall from within the app, as the scammers may still be connected to and controlling your device.
  • Scammers love gift cards. (So, as it happens, do some of those lovely people who try to plant ransomware on your system and then want you to pay them to allow you access to your own systems and data. Mind you, some of them prefer cryptocurrency, and some have no intention of restoring your data, however much you pay.) These forms of payment are the scammers’ friends because they make it difficult for legitimate organizations and individuals to block transactions and trace the people behind them.It would be very strange, however, for a reputable organization – or even Amazon! – to insist that you buy a gift card so that they can reimburse you for money taken from you ‘in error’ or fraudulently. (It’s strange how scathing scammers are about the scammers they invent to persuade you that your funds are in danger…)
  • While there is certainly such a thing as a fixed-penalty fine, law enforcement agencies do not, in general, impose fines on you online or by an unsolicited phone call and expect you to pay immediately, whether you’re “guilty” of something or not.
  • Scammers will try to gain your trust by sticking to tried-and-tested scripts, trying to show that they are on your side while playing on your fears of the type of scenario they present in order to panic you into taking decisions and revealing information that you might have been more careful about, if you’d had more time to think about it.
    • [Most of the tech support scammers that both irritated and entertained me a few years ago knew very little about the intended victim: they were simply working through lists of phone numbers, almost invariably landlines. While this often allowed them to ascertain minimum name and address information, which they sometimes used as a spurious way of establishing their bona fides. (Reading a directory doesn’t prove much…) You might think that even this minimal information is harder to find nowadays, as so many people use mobile phones and there are no universal mobile phone directories.In fact, it turns out that scammers are often better prepared than you’d think. They have (as often we all do) access to sites and services that are capable of finding information about the owner of a given phone number. Even more disturbingly, there is an increased tendency for people inside service providers to sell databases of customer information that may go much further than basic contact details. It’s probably easier to buy such information than it is to hack it, and  a reasonably competent scamming operation will often find it quite easy to inspire trust in an incautious victim.]
    • [I’m not altogether sure about the point about scripts, to be honest. I’ve actually found that scammers can sometimes be forced offscript by an unexpected question, and how they react clearly determines how effective they are in that particular instance. In my experience, in that position a scammer will often try to return to the script and by doing so undermine his or her efficiency by demonstrating that they don’t really know much about the victim’s account status, or the victim’s details, or the system they’re using. I particularly treasure the memory of a tech support scammer who told me he couldn’t tell me my IP address for security reasons, and another who gave me an impossible sequence of numbers. I offered (in jest) to give him a crash course in internet IP addressing, but he rang off. ]
  • During the heyday of the tech support scam, many people lessened their exposure to fraud by assuming that all scam calls came from India, and therefore putting the phone down on any caller with a noticeable Indian accent. It’s probably not too cynical to speculate that such resistance to an accent is one of the reasons that many organizations seem to have moved away from subcontracting support and sales calls to legitimate call centres in India.  However, there was already a trend towards scammers using people with strong American or English accents. It seems that trend has continued as the scammers have diversified into other scams.
  • Perhaps the most encouraging takeaway from this programme is that scammers seem to be sharing information about poor prospects. If you tell them that you’re not going to play ball and put the phone down, the chances are that they won’t call you back. Hopefully, the days when you would get a dozen calls a day from people trying the same scam are in decline, if not gone altogether. The corollary, though, is that someone who gets taken in once is likely to be called again, often by someone using information about the first scam to initiate another. Clearly, the fact that someone knows about an earlier scam doesn’t make them automatically more trustworthy: they may have those facts because it was their scam!

And so on.

One episode I saw veered off from intercepting scam to an issue I’ve already addressed in the context of Facebook hacking and account cloning. However, this extended the scope of the discussion to other social media platforms.

Not much of this is new – only the scope of the social engineering and some of the supporting technology has changed since I was devoting many of my working hours to trying to kill of tech support scams – but this is all (largely) helpful information. But how long after the programme will viewers still retain more than the barest details?

We resolve this question in the security industry – OK, I’m not paid by the industry any more, but I haven’t abandoned it altogether, it would seem – by making available presentation handouts and/or articles and papers such as conference papers. The BBC often makes science programmes in collaboration with the Open University, which makes available more permanent teaching materials,posters at least. However, SI doesn’t seem to work like this. Not unsurprisingly: while it has good intentions, it has to secure funding through impressive viewing figures. But if you suddenly get a scam call and SI isn’t watching your back by sending you SMS alerts or emails, will the scammer wait patiently while you sort through the SI series episodes on iPlayer? I did eventually find a brief interview with presenter Rav Wilding and ethical hacker Jim Browning, which includes some tips from Wilding. Again, basic stuff, and more focused on email scams than on phone scams, but not valueless. Still, I can’t help wishing they would make some more in-depth information and analysis available.

The BBC also has an Information and Support page for victims of crime that includes several potentially useful links.

In all my years writing about security, I found myself struggling to reconcile the need to cover all possible bases with the need to keep it short and simple for people who don’t have a nerdish disposition and in-depth knowledge of either psychology or technology. Scam Interceptors makes a decent stab at short and simple, and I’ve tried to boil most of that info down to a bullet list you could keep next to the phone, if you wanted, but neither SI nor my bullet list above can cover all the bases. There are innumerable variants and subvariants of phone scam, and the more you understand about the psychology and technology – but especially the psychology – the better-equipped you are to cut through the cheap frills of each variation and ask yourself the right questions. So I shall probably be returning to this in a future publication.

In the meantime, here are some of those questions boiled down to a bullet list.

  •  Am I sure that I’m talking to a legitimate caller?
    • Have you called them back on a known-to-be-genuine phone number? That’s the only way to be absolutely sure.
    • Did you hang up yourself, or did they tell you that they were going to? If they told you they did, you may still be connected.
    • Were you able to ring from a different phone?
    • Have they tried to persuade you to stay on the line rather than call a genuine number?
  • Has the person you’re talking to tried to frighten you by convince you that you’ve lost money, are in danger of losing money, or that you are in danger of being questioned or arrested as a result of being implicated in money laundering, a drug deal, or some other illegal act?
    • One of the ways in which they reel a victim in is by frightening them, then presenting themselves as the person who is able to help the victim disentangle himself or herself from this unpleasantness, whether it’s financial disaster or the threat of legal action. This kind of manipulation is often called social engineering, which I specialized in researching for several decades, and am considering as a book project.
    • If you think they might be genuine, find out exactly which agency or team they claim to represent, so that you can contact the real team to see if there’s any truth in what you’re being told. As before, the best way to establish bona fides is to make sure that you’ve initiated a phone call with a legitimate contact. Obviously, don’t assume that any contact information the cold caller has given you is correct.
  • Do they want you to install a piece of software so that they can ‘help’ you?
    • There are circumstances in which it might be helpful for someone to help you by using remote access software, though I can’t imagine that a bank or retail organization like Amazon would ever try to resolve a problem this way. IT teams in large organizations often do this, but that’s a very different situation. In general, it’s a terrible idea to let someone install software on your device (phone, tablet, laptop) when you can’t be sure who you’re talking to.
  • Do they want you to buy a gift card or other service?
    • At best, this is a sales ploy that might be used by a more-or-less legitimate marketer. But it doesn’t make sense to buy a gift card in order to have money returned to you. And if there is now software installed on your device that allows them to see the credentials with which you make payment, you’re in real trouble. Remember, if they were able to take money off you, then they’re able to credit you.
  • Do they claim to be some sort of authority such as a law enforcement agent or a tax official?
    • Don’t take their word for it. The chances are they’re going to manipulate you by threatening you with legal consequences, then pretend that they’re going to help you avoid such consequences. Which will always cost you, one way or another.
  • How much does the caller really know about you?
    • Scammers tend to be better prepared nowadays, having accessed information that you might not be aware is publicly available, not to mention information that shouldn’t be available like data bought illegally from people working in legitimate call centres, or from lists of data sold on by criminals who’ve hacked customer databases badly kept by financial and retail organizations. But they work a little like mentalists or fake psychics: they start from comparatively small bits of data or even vague generalities and build on your responses to those to get a clearer picture.Even if you think you’re talking to a genuine caller, make them work for it. Let them give you information they should know. If you’re ten minutes into the conversation and they’re still asking you what accounts you have, something is definitely wrong: they should have all that information a few keypresses away if they’re genuine.

This article is maybe a bit loose and untidy, but I plan on revisiting it for a book project. Watch this space. 🙂 In the meantime, I’m going back to another project for a bit.

David Harley

*In fact, the Click experiment was particularly dubious in that the unauthorized access, however well-intentioned, was to victim systems, not the systems owned by the people behind the botnet. Mark Perrow’s description and defence of the experiment is here, and is still worth reading, though I’m not saying you should be convinced by it. In fact, I presented my arguments against it in the comments (comment 14) below the article, and many others presented similar views, but this is what I said:

This is a somewhat evasive blog: no wonder some of the people who posted comments have missed the point.

No-one, as far as I know, has accused you of teaching botnet exploitation for beginners. No-one has a problem with your bringing the botnet problem to a wider audience: I’m sure that you’ve brought the issue to the attention of more people in the past few days than I have in many years of writing books, blogs and conference papers, and that’s fine, even if you did get some of the detail wrong.

But you haven’t explained why it’s in the public interest for you to put money into the pockets of professional criminals.

You haven’t explained why it’s OK for you to use malicious software and techniques by hijacking systems to which you have no right of access, in defiance of the Computer Misuse Act, when you could have got the same result on a closed network using your own resources, or paid someone better qualified to do it for you. You certainly haven’t explained how your definition of “intent” varies so dramatically from the definition within section 3 of the CMA. [Quote from the CMA omitted, as I’ve quoted it in the main body of the article. – DH]

You haven’t explained why a dummy spam mailout is a “real” demonstration and more “in the public interest” than the dozens of other ways you could have made the same points.



*** This is a Security Bloggers Network syndicated blog from Check Chain Mail and Hoaxes authored by David Harley. Read the original post at: