82 comments

[ 3.3 ms ] story [ 285 ms ] thread
I was wondering if this was some tricky new scam, but after reading the notice it's probably nothing new for people on here--the infographic's first phase of the scam is: "Tech Support Imposter: Pretends to be technical support; Directs you to install software on your computer to allow them remote access". I sure hope no one on here would install software requested by unsolicited tech support!
> I sure hope no one on here would install software requested by unsolicited tech support!

All it takes is one browser 0-day that gets distributed on an ad network. A large segment of the HN crowd is still executing untrusted JS on their computers and opposed to blocking their source of income.

The people who run these scams build them around evergreen money-extraction strategies; buying a 0day just to hack some people they could already socially-engineer their way into the pockets of anyway, would just be a waste of money. Especially since the 0day would only be useful for a couple of days/weeks, and they don't have the in-house technical talent to automate any of what they're doing to run it faster.
> buying a 0day just to hack some people they could already socially-engineer their way into the pockets of anyway, would just be a waste of money.

At least back in the day when Flash was still a thing, it was a common issue for "enterprising" people to buy advertising slots, even on reputable media, and spread all kinds of malware via them.

Yes, but those are separate groups with separate capabilities and motives. Scammers are not hackers, though both can and will steal your money.
A huge part of this is target selection. They don’t want to waste time with anyone who isn’t going to buy it whole hog.
These days I’d be worried about something like the libwebp 0-day; JS execution is well protected these days.

Also, 0-days are generally hard to come by in browsers these days, the libwebp one was initially developed by NSO for example; and tech support scams are not that profitable.

My ex needed printer support. The person on the other end had her install remote access software. I forgot how she cleaned up the mess.

It's too simple. People don't know who's trustworthy. And I don't make house calls hundreds of miles away.

Business opportunity for a "Local Trustworthy Techs"? Heck, the Goon Guys will search your drive for illicit material, and if they don't find any, they'll install some (If I recall some horror stories correctly).

If your ex called the tech support number that came with the printer, that's a bit of a different matter. Still not great to install the remote access but I can see how that's practical for the printer support person. Have you ever tried to talk a non-technical person through a multi-step task on the computer when you can't even see their screen?

Hopefully they uninstalled the software once the printer was working.

same. very confused how this made it to the front page - it sounds like just a classic run of the mill scam. nothing particularly novel here. nothing remotely more sophisticated or harder to detect.
Just Sunday things on here. Different vibe on the weekends!
I had an older family member who fell victim to a very similar scam. Once she installed their remote software, they connected and used her browser to transfer a large sum, from one of her bank accounts into her main bank account.

They then convinced her that they had "deposited" the money into her account by mistake. She could clearly see the extra money in her main account and so believed them. The person pleaded with her to return the money via transfer, and keep it secret, or he would lose his job.

Being a good person, she wanted to help him and not cause a problem.

Fortunately, the teller at the bank recognized it as a scam, but it was a close call.

taken straight out of a kitboga vid. can't believe this stuff actually works.
To be frank, it is all extremely believable to me that a normal person who had never encountered that type of scam or doesn’t someone who had (which is a massive number of people) would fall for it.

I am just happy my mother fell into the pattern of messaging me instantly when she has an even slight suspicion. Had a few false positives, but overall i am very happy with how well this approach has been working out for her. Saved a ton of trouble down the road for both of us.

A friend of my wife’s fell for this exact thing, and lost her life’s savings.

She’s not a stupid person; has a masters degree and writes children’s books.

Kitboga, Harvey Denttt, Scam Sandwich and numerous other youtubers seek out these scammers and use virtual machines, elderly voice filters and other special effects to lead them on, sometimes for hours. It’s very satisfying.

It’s almost always a senior citizen. Older seniors are essentially mentally disabled by varying degrees given their genetics, lifestyle, and age which is why they are so vulnerable to these scams.

In low trust societies (both developed & developing) this is largely mitigated with family clans, where multiple generations of a family are living under the same roof. The problem in many developed high trust societies is that families have weaker links and adult children rarely live with their elderly parents. Maybe this will change in high trust societies if real estate continues to be unaffordable for most Millennials?

My sister got bit by one of these when she googled a name brand PC support company that she had used before. The search results included a phone number that connected her to these hackers. From there, they pretty much followed the steps outlined. She lost pretty much a full month's income. Because she withdrew the money herself (to transfer to bitcoin), the bank fraud department wouldn't get involved. (No idea if she contacted the state agencies I recommended.)
I almost listened to someone scam my mom in realtime when he had a flight delay issue. She was calling American Airlines support, but apparently she googled something like "American Airlines delay support" and clicked on the first ad. I overheard her begin reading her credit card information and stopped her and took the phone. They probably would have done the whole remote access scam thing but we were at the airport without any computers.
This is why in-line search ads are simply evil. They get their click through rate from fooling people, not from convincing them to click an ad on purpose. Which, aside from that being evil already, also makes them super-useful to scammers, since a high percentage of clicks are from people who think they clicked an organic search result.
Yeah fraudulent ads are a huge issue for scams, I had my entire family install ad blockers not to stop advertising but to stop scams!
By default when you receive any calls involving money you need to hang up and call the bank directly to re-initiate the issue.
(comment deleted)
So many of these scams start the same way: when the victim is contacted by a random person. Phones, email, social media, and postal mail tend to allow this by default (being contacted by a rando anywhere in the world). But maybe the default should be that users' inboxes and incoming "ports" on such services are locked down for the average user, such that only a few trusted senders, to whom the user has previously given access (maybe with a per-sender access code) can contact that user. Marketing and customer service departments, security researchers with honeypots, and adventurous individuals may want to leave such incoming "ports" open, but the average person probably doesn't need or want to have their communication network accessed or unwittingly expanded by others. They probably only want to communicate with their existing, trusted contacts and to be able to add new contacts organically, but don't really want or need to allow anyone to "slide into their DMs" without prior authorization from the recipient's end. (Special emergency protocols may be needed to allow verified, vetted incoming communication in the case of true emergencies, in order to give people the reassurance that they're not missing out by locking down their incoming "ports".)

Communication technologies have made the world small and flat, but maybe we need to enlarge it and unflatten it unidirectionally, on the sender's (and scammer's) side. Some people already do this manually on their phones, by refusing to answer calls from random, unknown numbers. Maybe such defense measures should be enabled by default for the public at large, with the option of carefully and partially disabling them, if desired.

I like this line of thinking, but I think education is the key. Even with good filters you have to be able to smell bullshit.

I enabled iOS “silence unknown callers” option as soon as they added it, but found I miss important calls sometimes. I rely on voicemail for those. There’s no way to completely whitelist your personal communications in this world.

I do get scam voicemails and emails sometimes, but am good at detecting them.

> I like this line of thinking, but I think education is the key.

My 90 year old mother gets less and less able to think clearly each passing month. She always is calling me telling me that "her computer is completely dead" and it takes my 10 minutes to realize it's just her mouse that's not working becasue she forgot to charge it.

No amount of education will save her. Fortunately, she has no on-line bank or credit card accounts.

Yeah she probably shouldn’t be managing her finances lol
Not everyone has a B.S. detector and even sophisticated users can be vulnerable to sophisticated scams. Education can be helpful, but I'd prefer to rely primarily on structural solutions that could even protect the woefully uneducated.
isn't there a technology that wants to replace email that does this? I can't remember the name.
A bunch of geniuses have wanted to replace email, but somehow that never seems to happen. Making email more secure may be very difficult, but still seems much easier than replacing it.
This works until it doesn't. A classic example of someone that would want this 99.99% of the time but find the remaining 0.01% a showstopper might be a new parent. Blocking all the solicitors, scams, strangers, salespeople et al sounds great - until your kid is lost, finds a friendly adult with a cell phone, tries to call you, and can't get through because nobody that isn't on the whitelist can reach you. (Yes, we still have our kids memorize our phone numbers, or write them on labels with the kid.). It also doesn't really get better as you get older - if you're 70 years old and your 40-year-old kid is in a car accident and the doctor's trying to reach you, you would probably want to know.
The issue is identity not phone numbers.

Most (all?) protocols conflate the two. But the real world doesn’t speak in phone numbers, ip addresses, and private keys.

This is immaterial here. If your loved one is in a hospital unconscious, it's a random doctor or a police officer who is going to contact you.

Group identities could help though. Let through emails and calls that are signed by a "official medical use" key, or "official federal police use" key. The public keys for those should be publicly available and easily verifiable.

User-level PKI is hard, and trust is shaky. Few well-known signature keys should be much easier. The infrastructure could, of course, be used for whatever other keys you choose to track and trust, e.g. your employer's org, your kid's school, etc. The problem of responsible stewardship remains, but is likely solvable in serious organizations with a dedicated IT department, like a hospital, or a police force.

Humans currently speak a different language than our technology.

You're moving closer to a human solution by mapping unstable identifiers (private keys, signatures) to human identifiers.

At the core, humans want to say "ignore everything that isn't from a friend or family member, unless it's an emergency"

Expressing that with technology is hard, especially when people try to solve for identity with technology. Identity is a social construct, it lives outside of cryptographic proof. The systems we build do very little to try and map cryptographic proof back outside the system to identity.

School clubs, hospitals, governments, family, names, friends, etc. are all social constructs. Some social constructs are stronger than others (hospitals and governments have a lot of steps involved in making the social construct!) but they're all still social constructs.

Identity is fiat. There is no way around it.

Spoon boy says it best:

> Do not try to bend the spoon. That is impossible. > Instead, only try to realize the truth. > There is no spoon. > Then you'll see it is not the spoon that bends, it is only yourself

This could easily be solved if everyone called the police when they found a lost child and let them sort it out. Also any doctor could have "break through" access along with the hospital they are at has it as well.
I’m not sure that’s an efficient solution at all. If a kid gets hurt/lost in my neighborhood, I’d much rather be able to call their parents than add an entire extra step of calling the police and having the police call the parents.
Calling 911 could generate a misdemeanor or felony charge (neglect or abuse) for the parents. Use it if you believe the situation warrants it, but at least in the US its better to avoid involving the police just due to social liability.
Given the current state of phone network security, "You can trust I'm a real doctor because your phone rang when I called you" doesn't seem like a good solution.
That is precisely why one or more emergency communication protocols are necessary. They need to be carefully designed to reduce the risk of infiltration by scammers. As with all forms of security, some level of convenience will need to be sacrificed.

I considered your examples to describe two different kinds of scenarios, which might merit different kinds of security measures.

1. Incoming communication from a young child (or a person who is very dependent on you): you'll probably want your phone line to stay fully open. Hopefully in the case of young children, this means that their parents are relatively young and will have grown up with skepticism toward incoming communication from strangers.

2. Incoming communication about a younger, adult relative. Maybe for many people, such communication could bear the introduction of a bit of slowness by security measures. Probably in most cases, there's little that the older relative can do for the younger, temporarily incommunicado relative. They might not need to get a message about them right away. In many cases, the message will be bad news anyway, something that the older parent can do nothing about. Such bad news can probably wait a few hours, even a day or two to be delivered, and it's not too bad for the older relative to be none the wiser for a bit, if such temporary impotence protects them from the increasingly present threat of serious, life-altering scams.

As with all security measures, there's a tradeoff between convenience/immediacy/cost and security. It will likely be hard to design reliable, secure, and accessible emergency communication protocols, but I hope (and optimistically suspect) that it's indeed possible. Attempting to design such protocols is a worthy endeavor for us to undertake, given how many of our loved ones are increasingly vulnerable to randos who have no business getting to their front door so easily.

> Such bad news can probably wait a few hours, even a day or two to be delivered, and it's not too bad for the older relative to be none the wiser for a bit

That right there will be a deal breaker to many.

Your kid gets hit on their bike across town. Maybe you'll find out two days later?!

Or someone has hours left to live, and you're not trying to do anything at all - just be by their side.

Organ donation? High risk operations?

These questions can't wait days.

I'm still hopeful that a good emergency communication protocol or set of protocols could make quick, but well-verified emergency communication possible. In my earlier comment I wanted to communicate that a speed tradeoff would be involved when protecting ourselves from scammers. Maybe I was too dramatic when talking about waiting hours or days to hear from a loved one, but we'd likely need to give up near-instant incoming communication from strangers (and loved ones trying to contact us through strangers) if we seriously want to protect ourselves from scammers.

For many people, the tradeoff--even if in the order of minutes or an hour or two--will be unacceptable and they'll prefer to leave their incoming communication channels completely open and unsecured. However, others people may decide that a small tradeoff is worth it, when weighing their own vulnerability to destructive scams vs. a much lower probability of needing to help a loved one with the catastrophic examples you mentioned. This latter group should not be considered by society to be heartless. Though nobody dies right away when they lose their life savings to a scam, they may very well end up dying or ending up with a very miserable life as a result of that scam. They should not be blamed for reasonably protecting themselves (AND their loved ones, who'd also be affected indirectly by that scam.)

There is really nothing you can do immediately that will matter if your kid (whatever age) is in an accident and you aren't there. They aren't going to withold lifesaving care, or anything like that. Sure you want to know, but that's a you problem.

If your kid is lost, tell them to call 911. They'll most likely be able to help more quickly than you will.

911 might get them home but it can be a traumatizing experience
This is one of those answers that applies nicely in an orderly, developed world where circumstances and legal structures are the same. In many places in the world (that also widely use email, mobile phones and all sorts of digital communications with all the problems being discussed in this thread), you would most definitely want your loved one to at least have the option of contacting you before they call the authorities. Surprisingly often, their emergency problem might even be caused by those same authorities.
I largely agree with you, but in our metro the question isn’t whether a child has a cell phone, but whether or not it’s a smart phone or a dumb one. Having a smart phone also helps with location tracking.
In many graduate academic contexts, it is standard procedure for applicants to cold-email a PDF copy of their resume to prospective advisors, who then open said PDF and read it.

It blows my mind.

Presumably there would be a note in the email accompanying the resume that would give some context. But if PDFs are really so dangerous to open, then that should be fixed -- it is completely unreasonable to expect people not to open PDF documents.
The context is some unknown student applying to a department, which could easily be faked (ideal phishing target). PDF is a security nightmare, and while it's gotten better with e.g. sandboxed browser viewers, it still requires trust.

People need to be able to open PDF documents, but unless there's a prior professional or personal relationship, or a stable and identifiable corporate entity involved, it's a bad idea. That obviously doesn't apply to PDFs you go out and find from sources you trust.

In the case I'm referring to, the solution is to have a standard application process, usually involving a nominal fee. That adds intermediaries, as well as some standardization for fairness sake.

Academic application processes are often informal, because nobody wants to deal with university bureaucracy unless they absolutely have to. Even when there is a formal process, the standard practice is usually contacting the people first, to see if there is any point in subjecting yourself to the process.

Application fees can be substantial barriers to some people. The academia is international, and international payments are often difficult outside the trivial cases. For example, there are plenty of Iranian grad students around the world, but sanctions make many things difficult for them.

Even if informal, it should be standardized. For one thing, unless the field is really unpopular, I don't know how you'd sensibly review candidates cold applying at random times.

A standard application window, placing submitted materials in a cloud provider's infra (e.g., Google Drive), viewing materials with sandboxed web browsers rather than acrobat - these should be standard and well known methods. The poor hygiene of just getting sent documents by strangers and opening them needs to stop.

Is it convenient? No. Tough luck, it's 2023 and this is a well known vector for infection.

Nothing is standardized in the academia. There are too many traditions around the world, and people are not willing to abandon them just to satisfy some foreign bureaucrat's aesthetic sensibilities.

In some places, if you want to do a PhD, you apply to a school. If admitted, you take classes, do rotations in different labs, and pick a supervisor. In other places, you first have to find someone willing to supervise you, and maybe also secure funding. Once you have a supervisor and funding, the application process is just a formality that can be done at any time.

Reviewing candidates is the same in the academia and elsewhere. Maybe someone in your professional network already knows the candidate (the world is pretty small, after all), or maybe they already have experience and achievements to show. If there is nothing that makes them stand out, they probably wouldn't make it through the process anyway.

Also, it's easier to fix the technical issues with PDF than to get the academia to standardize on anything. Maybe create a safe subset without all the unnecessary features you would not expect in a printed document, and call it PDF. And then rename the full PDF to something appropriate, like "This will devour your soul and steal your children".

> So many of these scams start the same way: when the victim is contacted by a random person.

Actually, they often start when a user gotes to a malicious webset that tells him his computer is "infected" and to call a number.

These websites purport to have found a "virus" on your computer and you should call tech support. My 90 year old mother, fortunately, panics when she sees them and calls me. As she gets more and more confused, she may someday call the number. (Another fortuante thing -- she does NO online banking!)

And these pages are very common--and on legitimate domains! If your local plumber or hair salon doesn't keep its wordpress website up to date, you can visit their site and see one of these fake warning pages.

How did that user get to such a website in the first place? Through a link in an email message? The ability to receive such messages from random people should be locked down, if a user or their IT security guardian has so chosen. Through a website? Maybe that user or their IT security trustee would prefer for their browser to be locked down so they can only access a website from a whitelist that's been customized for them. Maybe they can still access their local hair salon's website, but not the site linked to fake warning page that shows up on that site.

Not every user needs to be able to go to any corner of the web on a whim. Maybe my elderly future self needs to have less freedom of inquiry, as much as it pains to think of that likely future.

> How did that user get to such a website in the first place? Through a link in an email message?

Nope. Through an expired domain of a once-legit site that was taken over, or through a mom-and-pop legit business that had their website taken over because of a wordpress bug. My brother mentioned to me the other day that he got to a "computer has been infected -- call this number" website from clicking on a Facebook ad!

(comment deleted)
So how would I sign up for a service like Spotify? I have to first login to my email and enter what, exactly? I go to Spotify and get their outbound email and copy it, then switch tabs, then switch back, then switch back, then switch back again?
Under one possible protocol, you'd generate and give Spotify a special key that they'd need to send you along with any of their message to you. (Spotify would include a field in their account-creation process and existing-account settings where you could specify such a key.) You'd either manually look for that key in any message you received from Spotify or (ideally) you'd set up your email client/service to reject any emails from Spotify unless they also include the special key you gave them. (Maybe such keys could be placed in a custom X-header specified by this protocol.)

If this were a common and popular protocol, it'd be easy to generate per-service-and-per-account keys, provide them to a service, and set them up for whitelisting in your email client/service.

You use OpenID which sorta does all of this for you.
This isn't hard.

1) Either your identity is blocked or your identity must be validated when it comes up on the phone.

Problem solved.

Phone companies know when they are selling to scammers and spammers. Hold them liable for fraud when companies are making misrepresentations.

2) "Identity theft" should be a verboten term and it should be called "financial fraud" and the banks that enable it held liable

Holding the banks liable for financial scams would cause the banks to identify things properly and spend the appropriate amount of money to stop them.

"Identity theft" seems very much a cop out and what I would call a "nomenclature scam" (new term, courtesy of me) which places the onus of security on individual customers, instead of on the financial institutions that would be much better equipped to prevent scams. It should not be possible for anyone to open up a new line of credit remotely, without physically showing up at bank office where they will be properly identified. Any such attempt should trigger a process which will (through a different channel) verifiably notify the person who is purportedly attempting to open a line of credit. Furthermore, I would personally like credit bureaus to let me turn on an optional setting that tells financial institutions that they must card, photograph, get a video of, fingerprint, and get a DNA sample from anyone who attempts to open a line of credit in my name.

There are other ways in which banks tend to make losing money way too easily. I should be able to lock down an account or a given sum of money in an account that would prevent that money from being transferred anywhere unless I first show up at a bank office, am properly identified, and remove that lock. Ideally bank officers would be forced to ask me a few basic questions that could help me realize that I may be falling for a scam. They could also inform me of the most common and newest forms of scams before finalizing the account unlocking process. If I so choose, I want to be able to NOT have the option of being to clear out my accounts through online banking sessions.

On a different note, why are bank and credit card account statements so nearly useless in identifying where one's money is transferred? It's high time to upgrade ancient banking networks! Banks should expand the amount of space available for describing each transaction, along with providing the recipient's account number, financial institution name and ID , state/province and country. As it is, I often have trouble identifying many legitimate purchases I made, much less potentially fraudulent transactions.

My solution to this would be to charge a small amount (say $0.01) to send an email to someone not in your contacts. You pay a dollar to onboard to the service, and each time you send an email to a random person it would charge a penny. If you receive a reply the penny is refunded (presumably because they were interested enough).

This works because it breaks the economics of spam. If one in a million people fall for your $1000 scam, that’s a profit of $0.001/email. Thats ok if emails cost nothing to send. But if they cost $0.01 to send, it doesn’t make sense to send them.

Is there also any truth to scammers calling you but not saying anything, in the hopes of recording your voice as you talk to train AI bots for future scams that use your voice? Or is that some urban legend/myth.

They are getting more and more creative.

I've gotten a few phone calls like that. A few years ago living abroad it seemed to be a targeted sales pitch for one gender (ex. makeup). Would hang up as soon as I answered, or pretend that they needed the number of my wife (I wasn't married).

More recently in the US I got a call where the other side didn't say anything and hung up after exactly one minute. Suspicious indeed.

Isn't it more likely that it's a call centre where each operator has multiple outgoing calls on the assumption that they will be on one call (on average) at any given time, but sometimes more than one call might be answered (e.g. they're still talking to another victim when you pick up the phone)?
[flagged]
Sadly people are and do. I got a text earlier saying that my bank (and they, by random chance or something more nefarious) named the bank in the communication AND they got lucky because I was just traveling nearby, AND before leaving home I had just opened a piece of mail that informed me that some piece of shit company that I got concert tickets through just had a data breach AND that a bunch of my stuff, including my credit card info, had been leaked. So I definitely had that moment of “oh shit, I should probably look into this” - and if I didn’t have my bank app on my phone I may have just fallen into the process. Scammers operate a simple sales funnel - they cast a wide net and hope they get someone in the same headspace as me but slightly more dumb. The only people who fall for this are, sadly, really dumb, but also really unlucky because they might not have fallen for it if the other coincidences didn’t align.
[flagged]
Reminder that our regulatory apparatus allows these people to have phone numbers and make and receive phone calls without being able to be held accountable.
This is just a symptom of a bigger problem. Once you get to a certain age, you essentially become mentally disabled to varying degrees. Society at large is still pretending that this isn’t a problem
Crazy idea. 2 factor authentication for the elderly where the second factor is, where applicable, a younger family member. It's socially irresponsible to allow the tech-illiterate to move their live savings around on the internet by themselves.
Much easier is to have banks to call the client and verify an abnormally large transaction by phone.
No it isn’t, a “bank” calling to verify a transaction is a major vector for these sort of attacks.
Why don't banks have a list of verifiable phone numbers ?
Sometimes I'll try to waste the time of the tech support scammer, just to keep them from calling someone else. ("Okay, I've got my credit card out now. Say, what city are you calling me from? Really? How's the weather there...")
Thank you for your service!
I find that answering tech support scams with "I don't have a computer" tends to make them shut up pretty quickly.
Why don't banks/police track down where the money went to? It's a wire transfer after all, not a crypto transaction. All account details are well known to both sending and receiving banks.
Because the receiving account was either opened with a stolen identity (darks) or was simply compromised itself. Once the funds hit, the clock is ticking and the fraudster needs to quickly extract as much value as possible before the account is frozen. This is often achieved by using a connected debit card to buy crypto [1]. The "merchants" who take debit cards typically use merchant accounts opened under stolen identities as well, and make up for the fact the accounts get hammered to death with chargebacks by taking huge volumes at very bad exchange rates for the time they're able to. Another method is selling macbooks/iPhones ordered online to be delivered to local fences, who then pawn them off on Craigslist or eBay and take the risk.

[1] https://paxful.com/sell-bitcoin/with-any-payment-method/?pay...