Updated April 23 to add link to Microsoft blog posting.
SAN FRANCISCO -- Microsoft is using machine learning to quickly identify tech-support scams, a Microsoft official said at the RSA Conference on Friday (April 20).
"We already have a web-verification mechanism called SmartScreen that will block known malicious websites," said Erik Wahlstrom, senior program manager with Microsoft's Windows Active Defense Team. "But the service has a relatively high latency -- it takes a while for bad sites to get noticed and listed. So we're using machine learning to detect these more quickly."
That's the easy part, Wahlstrom said, because scam websites display tell-tale behaviors that can be analyzed and identified. But Microsoft is also trying to detect and stop your interaction with tech-support-scam call centers; it can't detect the actual calls, but it can see when you give the phony technician access to your computer and when you go online to pay for the bogus service.
"Here's my definition of a tech-support scam," Wahlstrom said. "It's a social-engineering attack to trick users into believing devices are compromised or broken. Victims are directed to a call center where they're scared and coerced into purchasing fake tech-support services."
The call centers are the end point of an elaborate marketing scheme, some of it involving legitimate businesses, that uses online ads, bogus emails, cold calls, websites, "scareware" pop-up windows and paid search results to get potential victims on the line with a fraudulent technician.
"Once they get you on the phone, you are that much closer to being in a bad place," Wahlstrom said.
Two out of three Microsoft customers surveyed by the company reported encountering tech-support scams, he said, either in the form of a cold call or in a browser-lockup scenario. Those who fell for it paid an average of between $250 and $450, with some losses being much higher.
Microsoft gets about 13,000 complaints from customers every month about tech-support scams, Wahlstrom said. He added that that number was probably just a fraction of the true number of scam calls, as the Microsoft web page where you'd file such a report was hard to find.
"Why should Microsoft care?" he asked. "Eighty-seven percent of those surveyed think Microsoft and companies like Microsoft have to fix this."
You don't have to be technologically illiterate to become a victim of one of these scams, Wahlstrom pointed out. One of his own colleagues in the Microsoft antivirus team had her browser locked up by a malicious website that was posing as an internal Microsoft page. It directed her to call a toll-free number, and would go full-screen if you tried to escape the page.
"Regardless of how sophisticated you are, when your browser is locking up, you're stressed and ready to do anything to make it go away," he said.
Sometimes, the malicious pages take over the whole screen and make it look like a stop-error screen, aka the famous Blue Screen of Death -- but with a toll-free number to call.
"I can assure you we don't put phone numbers in our stop-error screens," Wahlstrom said.
A more serious case involved a woman who was tricked into paying $1,250 for a Microsoft "Lifetime Warranty" that included a promised upgrade to "Windows 11." (Neither actually exist.) Even worse, the scammer convinced the woman that something was wrong with her credit card and got her to make a electronic bank transfer directly from her bank account. Unlike a credit-card transaction, such a payment can't be reversed.
To stop tech-support scams, Microsoft has been working with law enforcement agencies both in the United States and around the world. Wahlstrom said that the company has worked with 46 different law-enforcement actions against the scammers.
"Regardless of how sophisticated you are, when your browser is locking up, you're stressed and ready to do anything to make it go away." - Erik Wahlstrom, senior program manager, Windows Active Defense Team
Two or three of these attributes doesn't mean that a site is part of a scam, but a lot of them make it pretty likely.
It's harder to stop the actual calls to and from call centers, as Microsoft can't scan telephone lines. Fortunately or not, Wahlstrom said, much of the actual process of luring a victim and collecting the payment -- the installation of the remote access tool that the phony technician uses to get onto and "diagnose" your machine, the displayed "threats" (usually benign activities), and even the online payment mechanism -- is, as Wahlstrom put it, "highly detectable" by Microsoft's tools.
The question is what to do after a tech-support scam has been identified. Do you notify the user? Wahlstrom thinks another window popping up onscreen alerting the end to a scam in the middle of a conversation with a tech-support scammer might just be confusing.
"Once you're in one of these situations, it's hard to know whom to trust," he said. "People don't want to be informed. Ramping up the notifications is exactly the wrong thing to do."
Blocking scam websites might not be the right thing to do either. Some purported "tech help" websites that forward people seeking computer assistance to tech-support scammers are legal, since the "help" sites define themselves as "lead generation" sites that will get a referral fee from the eventual seller of a tech-support service, whether or not that service is genuine.
Microsoft, which battled huge antitrust cases in the U.S. and Europe two decades ago, is also wary of blocking anyone lest the regulators get drawn out again.
The company does report known tech-support-scam toll-free numbers to telecom operators, but these numbers appear and disappear so quickly that by the time the operators move to disconnect a number, it's already gone.
There's also a more gentle approach, Wahlstrom said. Microsoft is educating consumers on what a tech-support scam looks like and reminding them that the company never makes unsolicited phone calls to customers. Modern detection technology in modern browsers and email clients also filters out many malicious websites and email messages.
However, cracking down directly on the call centers, which mostly seem to be located in India, doesn't work well, Wahlstrom said.
"The call centers may be in India, but the heart of the operation may be in Eastern Europe," he said. "You shut down the call center, which is often just a few people, and it will move next door."
[UPDATE: We don't remember Wahlstrom mentioning it during his presentation, but he put up an official Microsoft blog posting about tech-support scams (opens in new tab) that sheds even more light on the issue.]