Exposing search and advertisement abuse tactics and infrastructure of technical support scammers

Bharat Srinivasan; Athanasios Kountouras; Najmeh Miramirkhani; Monjur Alam; Nick Nikiforakis; Manos Antonakakis; Mustaque Ahamad

doi:10.1145/3178876.3186098

Exposing search and advertisement abuse tactics and infrastructure of technical support scammers

Bharat Srinivasan
, Athanasios Kountouras
, Najmeh Miramirkhani
, Monjur Alam
, Nick Nikiforakis
, Manos Antonakakis
, Mustaque Ahamad

Computer Science

Salesforce.com, Inc.
Georgia Institute of Technology
Stony Brook University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

35 Scopus citations

Abstract

Technical Support Scams (TSS), which combine online abuse with social engineering over the phone channel, have persisted despite several law enforcement actions. Although recent research has provided important insights into TSS, these scams have now evolved to exploit ubiquitously used online services such as search and sponsored advertisements served in response to search queries. We use a data-driven approach to understand search-and-ad abuse by TSS to gain visibility into the online infrastructure that facilitates it. By carefully formulating tech support queries with multiple search engines, we collect data about both the support infrastructure and the websites to which TSS victims are directed when they search online for tech support resources. We augment this with a DNS-based amplification technique to further enhance visibility into this abuse infrastructure. By analyzing the collected data, we provide new insights into search-and-ad abuse by TSS and reinforce some of the findings of earlier research. Further, we demonstrate that tech support scammers are (1) successful in getting major as well as custom search engines to return links to websites controlled by them, and (2) they are able to get ad networks to serve malicious advertisements that lead to scam pages. Our study period of approximately eight months uncovered over 9,000 TSS domains, of both passive and aggressive types, with minimal overlap between sets that are reached via organic search results and sponsored ads. Also, we found over 2,400 support domains which aid the TSS domains in manipulating organic search results. Moreover, to our surprise, we found very little overlap with domains that are reached via abuse of domain parking and URL-shortening services which was investigated previously. Thus, investigation of search-and-ad abuse provides new insights into TSS tactics and helps detect previously unknown abuse infrastructure that facilitates these scams.

Original language	English
Title of host publication	The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018
Publisher	Association for Computing Machinery, Inc
Pages	319-328
Number of pages	10
ISBN (Electronic)	9781450356398
DOIs	https://doi.org/10.1145/3178876.3186098
State	Published - Apr 10 2018
Event	27th International World Wide Web, WWW 2018 - Lyon, France Duration: Apr 23 2018 → Apr 27 2018

Publication series

Name	The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018

Conference

Conference	27th International World Wide Web, WWW 2018
Country/Territory	France
City	Lyon
Period	04/23/18 → 04/27/18

Keywords

Advertisement abuse
Cyber crime
Omni/cross-channel scams
Search engine abuse
Social engineering
Tech support
Telephony fraud

Access to Document

10.1145/3178876.3186098

Cite this

Srinivasan, B., Kountouras, A., Miramirkhani, N., Alam, M., Nikiforakis, N., Antonakakis, M., & Ahamad, M. (2018). Exposing search and advertisement abuse tactics and infrastructure of technical support scammers. In The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018 (pp. 319-328). (The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018). Association for Computing Machinery, Inc. https://doi.org/10.1145/3178876.3186098

Srinivasan, Bharat ; Kountouras, Athanasios ; Miramirkhani, Najmeh et al. / Exposing search and advertisement abuse tactics and infrastructure of technical support scammers. The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018. Association for Computing Machinery, Inc, 2018. pp. 319-328 (The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018).

@inproceedings{ed68408eeaa94ee1b4e526502c763a91,

title = "Exposing search and advertisement abuse tactics and infrastructure of technical support scammers",

abstract = "Technical Support Scams (TSS), which combine online abuse with social engineering over the phone channel, have persisted despite several law enforcement actions. Although recent research has provided important insights into TSS, these scams have now evolved to exploit ubiquitously used online services such as search and sponsored advertisements served in response to search queries. We use a data-driven approach to understand search-and-ad abuse by TSS to gain visibility into the online infrastructure that facilitates it. By carefully formulating tech support queries with multiple search engines, we collect data about both the support infrastructure and the websites to which TSS victims are directed when they search online for tech support resources. We augment this with a DNS-based amplification technique to further enhance visibility into this abuse infrastructure. By analyzing the collected data, we provide new insights into search-and-ad abuse by TSS and reinforce some of the findings of earlier research. Further, we demonstrate that tech support scammers are (1) successful in getting major as well as custom search engines to return links to websites controlled by them, and (2) they are able to get ad networks to serve malicious advertisements that lead to scam pages. Our study period of approximately eight months uncovered over 9,000 TSS domains, of both passive and aggressive types, with minimal overlap between sets that are reached via organic search results and sponsored ads. Also, we found over 2,400 support domains which aid the TSS domains in manipulating organic search results. Moreover, to our surprise, we found very little overlap with domains that are reached via abuse of domain parking and URL-shortening services which was investigated previously. Thus, investigation of search-and-ad abuse provides new insights into TSS tactics and helps detect previously unknown abuse infrastructure that facilitates these scams.",

keywords = "Advertisement abuse, Cyber crime, Omni/cross-channel scams, Search engine abuse, Social engineering, Tech support, Telephony fraud",

author = "Bharat Srinivasan and Athanasios Kountouras and Najmeh Miramirkhani and Monjur Alam and Nick Nikiforakis and Manos Antonakakis and Mustaque Ahamad",

note = "Publisher Copyright: {\textcopyright} 2018 IW3C2 (International World Wide Web Conference Committee), published under Creative Commons CC BY 4.0 License.; 27th International World Wide Web, WWW 2018 ; Conference date: 23-04-2018 Through 27-04-2018",

year = "2018",

month = apr,

day = "10",

doi = "10.1145/3178876.3186098",

language = "English",

series = "The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018",

publisher = "Association for Computing Machinery, Inc",

pages = "319--328",

booktitle = "The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018",

}

Srinivasan, B, Kountouras, A, Miramirkhani, N, Alam, M, Nikiforakis, N, Antonakakis, M & Ahamad, M 2018, Exposing search and advertisement abuse tactics and infrastructure of technical support scammers. in The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018. The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018, Association for Computing Machinery, Inc, pp. 319-328, 27th International World Wide Web, WWW 2018, Lyon, France, 04/23/18. https://doi.org/10.1145/3178876.3186098

Exposing search and advertisement abuse tactics and infrastructure of technical support scammers. / Srinivasan, Bharat; Kountouras, Athanasios; Miramirkhani, Najmeh et al.
The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018. Association for Computing Machinery, Inc, 2018. p. 319-328 (The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Exposing search and advertisement abuse tactics and infrastructure of technical support scammers

AU - Srinivasan, Bharat

AU - Kountouras, Athanasios

AU - Miramirkhani, Najmeh

AU - Alam, Monjur

AU - Nikiforakis, Nick

AU - Antonakakis, Manos

AU - Ahamad, Mustaque

PY - 2018/4/10

Y1 - 2018/4/10

N2 - Technical Support Scams (TSS), which combine online abuse with social engineering over the phone channel, have persisted despite several law enforcement actions. Although recent research has provided important insights into TSS, these scams have now evolved to exploit ubiquitously used online services such as search and sponsored advertisements served in response to search queries. We use a data-driven approach to understand search-and-ad abuse by TSS to gain visibility into the online infrastructure that facilitates it. By carefully formulating tech support queries with multiple search engines, we collect data about both the support infrastructure and the websites to which TSS victims are directed when they search online for tech support resources. We augment this with a DNS-based amplification technique to further enhance visibility into this abuse infrastructure. By analyzing the collected data, we provide new insights into search-and-ad abuse by TSS and reinforce some of the findings of earlier research. Further, we demonstrate that tech support scammers are (1) successful in getting major as well as custom search engines to return links to websites controlled by them, and (2) they are able to get ad networks to serve malicious advertisements that lead to scam pages. Our study period of approximately eight months uncovered over 9,000 TSS domains, of both passive and aggressive types, with minimal overlap between sets that are reached via organic search results and sponsored ads. Also, we found over 2,400 support domains which aid the TSS domains in manipulating organic search results. Moreover, to our surprise, we found very little overlap with domains that are reached via abuse of domain parking and URL-shortening services which was investigated previously. Thus, investigation of search-and-ad abuse provides new insights into TSS tactics and helps detect previously unknown abuse infrastructure that facilitates these scams.

AB - Technical Support Scams (TSS), which combine online abuse with social engineering over the phone channel, have persisted despite several law enforcement actions. Although recent research has provided important insights into TSS, these scams have now evolved to exploit ubiquitously used online services such as search and sponsored advertisements served in response to search queries. We use a data-driven approach to understand search-and-ad abuse by TSS to gain visibility into the online infrastructure that facilitates it. By carefully formulating tech support queries with multiple search engines, we collect data about both the support infrastructure and the websites to which TSS victims are directed when they search online for tech support resources. We augment this with a DNS-based amplification technique to further enhance visibility into this abuse infrastructure. By analyzing the collected data, we provide new insights into search-and-ad abuse by TSS and reinforce some of the findings of earlier research. Further, we demonstrate that tech support scammers are (1) successful in getting major as well as custom search engines to return links to websites controlled by them, and (2) they are able to get ad networks to serve malicious advertisements that lead to scam pages. Our study period of approximately eight months uncovered over 9,000 TSS domains, of both passive and aggressive types, with minimal overlap between sets that are reached via organic search results and sponsored ads. Also, we found over 2,400 support domains which aid the TSS domains in manipulating organic search results. Moreover, to our surprise, we found very little overlap with domains that are reached via abuse of domain parking and URL-shortening services which was investigated previously. Thus, investigation of search-and-ad abuse provides new insights into TSS tactics and helps detect previously unknown abuse infrastructure that facilitates these scams.

KW - Advertisement abuse

KW - Cyber crime

KW - Omni/cross-channel scams

KW - Search engine abuse

KW - Social engineering

KW - Tech support

KW - Telephony fraud

UR - https://www.scopus.com/pages/publications/85062621522

U2 - 10.1145/3178876.3186098

DO - 10.1145/3178876.3186098

M3 - Conference contribution

AN - SCOPUS:85062621522

T3 - The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018

SP - 319

EP - 328

BT - The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018

PB - Association for Computing Machinery, Inc

T2 - 27th International World Wide Web, WWW 2018

Y2 - 23 April 2018 through 27 April 2018

ER -

Srinivasan B, Kountouras A, Miramirkhani N, Alam M, Nikiforakis N, Antonakakis M et al. Exposing search and advertisement abuse tactics and infrastructure of technical support scammers. In The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018. Association for Computing Machinery, Inc. 2018. p. 319-328. (The Web Conference 2018 - Proceedings of the World Wide Web Conference, WWW 2018). doi: 10.1145/3178876.3186098

Exposing search and advertisement abuse tactics and infrastructure of technical support scammers

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this