Don't call us...
Only last week I blogged at ESET regarding the Australian Communications and Media Authority plan to impose harsh financial penalties on support desk scammers who ignore opt-out or "do not call" lists by cold-calling. Unfortunately, I think the effectiveness of this approach will be quite limited: Although the scam calls are sometimes routed via local phone numbers, the scammers themselves are usually situated well out of the jurisdiction in which the potential victim is resident. I've recently become aware of far more cases in North America than I've seen publicized, though most of the specific cases I've tracked personally have been in Australia, the UK, or Ireland. The callers, however, seem almost invariably to be in India. Frankly, Bengal and Kolkata seem to have become to support scams what Nigeria and Lagos are to 419s.
Penalty shoot-out a penalty washout
Much as I'd love to see some of these people take a hit to their bottom line, I don't see much hope of a solution based on financial penalties – not, at any rate, in the short term.
In fact, from personal experience, I strongly suspect that more-or-less legitimate organizations are deliberately using foreign call centers to get around opt-out lists, like the UK's Telephone Preference Service or the United States' National Do Not Call Registry.
Today, however, my friend Aryeh Goretsky alerted me to a thread on Reddit, also focused on the Australian branch of the Dishonorable Society of Support Scammers. In fact, I've seen quite a few threads like this in the last week or two, but this one led me to a useful Australian resource called SCAMwatch, which, in turn, alerted me to a couple of twists that I haven't observed in the UK yet.
In this instance, it appears that previous victims are being contacted by callers claiming to represent a foreign state or law enforcement or even the victim's own bank, offering help to reclaim the money of which they've been defrauded. There is, of course, a fee for this service. The impudence would almost be amusing if so many people hadn't lost money.
And yes, a very similar approach has been used on occasion by 419 scammers.
The long arm of the scofflaw
One of the posters to the Reddit thread observes that the scammers will, at some point in the process, ask the victim to install TeamViewer so that they can access the machine remotely. That's also interesting: About.com's Mary Landesman, who has discussed the problem in relation to reports from America, refers to them as ammyy.com scams, after the alternative remote access software she sees them using. However, the European scams I've been tracking seem to be tied to LogMeIn. Clearly, any remote access software (RAS) is considered fair game: the tool itself is legitimate, and it's the social engineering that gets it installed, not any flaw in the software, that does the damage.
Keep the customer satisfied
Meanwhile, Steve Burn (who has supplied me with a great deal of useful information on this and other security problems) has drawn my attention to an epidemic of email and comment spam from characters claiming to be “satisfied customers” of websites associated with this kind of scam. Unfortunately, bolstering a fraudulent site with fake recommendations on other sites and in spam is a long-established practice.
As Steve points out on his blog, Urban Schrott, Jan Zeleznak and I recently published a comprehensive paper on this kind of support scam on the ESET White Papers page. It also includes copious links to other resources and commentary.