Indian Tech-Support scammers as Child Pornographers

The scam most commonly referred to as the ‘Indian Tech Support’ scam is revealed to most people when they receive a call from a long overseas phone number and, upon answering, encounter a person with an Asian sub-continent accent purporting to be from Microsoft, or from Eir, Vodafone, or any of the other tech providers that are out there. The caller will claim to be working on behalf of the company and that they have detected a virus or malware of some sort running on your computer and leaking your personal data out to scammers on the Internet. Ironic, isn’t it? A person succumbing to such a call will be led through something of a tech-speak dance and invited to download a piece of software that will allow the ‘support advisor’ to work remotely on the supposedly sickly computer. The unfortunate victim then assists in the scam by downloading and installing this software (usually a reputable remote-support solution used routinely in business tech support), and this process culminates in the scammer having remote control of the victim’s computer. They will then run a batch file or an executable that opens a command window and scrolls some fancy-looking rubbish that the scammer points to as major flaws they will fix. They will also open Event Viewer and point out the myriad red error and warning entries that are ten a penny in the System, Application and other event logs of any normally working Windows machine. Finally it all culminates in the victim making a payment to the scammer. A criminal (the scammer) getting access to the victim’s computer opens possibilities for far more than stealing money: an invasion of personal privacy through loss of data and photographs; intrusion into other devices connected to the victim’s home or business networks; and the installation of a persistent remote shell or backdoor that resides on the victim’s computer and is reachable whenever the victim connects to the Internet. 
These possibilities elevate the criminal to a different level of threat to victims and introduce the potential for all manner of damage that goes far beyond a scam to get money. We have encountered cases where these criminals have reached people’s personal data on local, network and cloud drives such as iCloud, Dropbox and Google Drive through the infected computer, because the victim has installed the remote control program that is designed for technicians on help desks to take control of a computer, diagnose a problem and fix it. A criminal with this type of access can, and does, wreak havoc, and may seek to further damage the victim by threat of blackmail or simply by circulating damaging information found in personal files. We have seen cases where social media profiles were deleted, altered or hijacked, allowing the criminal to set up and verify false online accounts through which they transact financially or further their criminal activities by targeting others in a victim’s private and professional network. Cloud accounts are often administratively linked to mobile devices such as tablets and phones. If you log into your iCloud account, for instance, you can access data being synced from your iPhone. You can attach a new iPhone to that iCloud account, and if the account is shared with or accessed by other family members then there can be an impact there too. The sensitive material does not have to be financial: email and other private information; photos of very young children in the bath or playing on the beach with no clothes on; movies created in the family home that were never meant for public consumption; the pre-pubescent or younger teenage girl in the bedroom or bathroom with friends, getting ready for the birthday party and trying on each other’s clothes; anything from the free and frolicking world of children at play in a setting where they believe their privacy to be sacrosanct. 
That common or garden cyber criminal is now a very different prospect, and the threat they pose is significantly elevated above that of the common or garden scammer. They may encrypt precious memories and sell them back to the heartbroken and frightened victims.
In the world of online CAM (child abuse material), anything that is rare gets noticed and becomes valuable. There has been a trend of collecting private images of children taken from parents’ social media pages and exchanging them through privately held illegal photo collections or publicly accessible illegal web sites. However, private personal movies and images never meant for sharing outside the family, particularly if they were created by children themselves, are pearls to paedophiles. If this were not distressing enough, the most polished pearl of all is the identity and location of the children, made all the more valuable by contact information such as the family home phone number and the children’s individual mobile phone numbers, their social media profiles, and their Snapchat identity for good measure. The scenario being outlined in this blog post is NOT hypothetical. It is based on real world cases and events. If a criminal gets remote access to a computer that has saved credentials in browsers or keychains, or contains very sensitive personal or business information including email and other messaging, or very personal images (particularly of children), then such a data breach requires attention. When a break-in to a business IT system occurs, the business will initiate a security protocol that isolates affected devices, investigates to discover what has occurred and whether there are remaining threats, and then takes action to protect the devices, network and data. The problem for the ordinary person at home who realises that this is occurring is that they will likely have no IT security unit within reach to isolate, investigate and secure a breach. As a victim you will likely want to delete whatever programs the scammers installed and spend time looking into the computer where the breach occurred. However, that computer was only the point of entry: with the credentials and account access taken from it, the damage is occurring elsewhere, in your cloud drives, email and social media, all the while you are looking in the wrong place.
If such an incident occurred in the past and you did not realise what it was at the time, then whatever was taken by the scammers is long gone. If you are on such a call, have gone as far as downloading and installing the remote control software, and through unease or suspicion ring whichever company the scammers are impersonating, you will be told to DISCONNECT your router immediately. Once that is done the criminals cannot reach the devices inside your home. If you have smartphones, turn off their mobile data as well so that they are isolated from the Internet too. DO NOT switch anything off or reboot any device, since a lot of information about the breach and what the criminals have got up to is held in memory and will be destroyed if you shut down the operating system. NOW go to a neighbour and ask to use their computer and phone. IMMEDIATELY go to your cloud drives, email and social media and change your passwords. If you do not use 2 Factor Authentication, such as Google Authenticator or the option to receive codes by SMS offered by the likes of Twitter, Yahoo and Microsoft, then start using it right now; an authenticator app is the better choice, but SMS codes still beat a password alone. Changing a password does not always sign out sessions that are already logged in, so also go through each account’s list of signed-in devices and sessions and remove any you do not recognise. Contact phone support for the cloud operators that you use for data (Apple, Google, Dropbox etc.), make them aware of what has occurred and ask them to secure your account; they can lock it and preserve a record of the activity since the scam began. They will be able to see where attempts have been made to log in, copy, delete or share your data, and can retain that information for investigation by the police. PayPal, online banking and credit card operators: if your details are stored in a browser or keychain then you have to assume they are compromised, and act accordingly by informing the operators and allowing them to freeze your accounts until fresh credentials can be put in place.
And now comes your biggest hurdle: reporting the incident to the police and, if applicable, to your business. These are personal calls, and only you as the victim will know what has potentially been compromised. The biggest issue with the police initially is whom you encounter at the desk. It is difficult to police something of which you have little experience, and all too often policemen and women will not have specialist knowledge in the field of IT security and will not really understand what has occurred. For instance, if an officer assumes that the main issue is the money scam, then in all likelihood they will say that they have little jurisdiction over the scammers and that the best thing to do is change your passwords and wipe your phone or computer. DON’T WIPE YOUR DEVICE, since all evidence of what has occurred will be destroyed to a greater or lesser degree depending on the method of deletion and overwrite. If you have sensitive data or photographs and believe that they have been moved, shared or copied by someone other than you, and you have been the victim of the tech-support scam, then you must persuade the police of your concerns and, if necessary, demand that they investigate them. Only the police can obtain records from your mobile provider or ISP, social media and cloud providers, and they are best placed to make such an investigation. However, computer crime is rampant and is a component of anything from fraud to prostitution, crimes against children, drugs cases and so on. Police have finite resources and your case will go on the list. But what they can do in the very short term is collect data sets and securely store devices for later forensic scrutiny. 
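For those with a little technical confidence, or a friend who has it, the following Windows PowerShell script is added here as an illustration of what “collect data sets” looks like on the suspect machine while it is still switched on. It is an added example and not part of the original post. It captures the most volatile evidence first (live connections, the DNS cache and running processes, all of which are lost on reboot), then the persistence points where a remote-control tool or “enduring” shell would have been planted to survive a restart, then copies of the event logs, and finally hashes everything so an examiner can show the copies were not altered later. It writes only to removable media so the system disk is left as untouched as possible; the drive letter E:\ is an assumption, and it must be run from an administrative PowerShell. Connection entries linger in the table for a while after the router is unplugged, so run it promptly. Running anything on a live machine changes some of its state, which is the usual trade-off in the order of volatility; it does not replace the advice above to do your password changes from a neighbour’s clean computer.

```powershell
# Added example, not from the original post: live triage capture for a Windows
# PC that may still be running the scammers' remote-control tool or a backdoor.
# Run from an administrative PowerShell. Writes ONLY to removable media so the
# suspect system disk is left alone for the police or a forensic examiner.
# $OutRoot = "E:\triage" is an assumption; change it to your USB drive.
param(
    [string]$OutRoot = "E:\triage"
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$out   = Join-Path $OutRoot "$($env:COMPUTERNAME)-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Most volatile first: established TCP connections with the owning process.
#    Entries linger for a while after the router is unplugged, so run this promptly.
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Export-Csv -Path (Join-Path $out 'tcp-established.csv') -NoTypeInformation

# 2. Names the machine resolved recently (e.g. a remote-support relay, or the
#    server a downloaded "fix" called home to). Lost on reboot.
Get-DnsClientCache |
    Select-Object Entry, Name, Data, TimeToLive |
    Export-Csv -Path (Join-Path $out 'dns-cache.csv') -NoTypeInformation

# 3. Running processes with full command lines and start times: the remote tool
#    itself, any batch file or executable the scammer launched, and their parents.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CreationDate, ExecutablePath, CommandLine |
    Export-Csv -Path (Join-Path $out 'processes.csv') -NoTypeInformation

# 4. Persistence: where an "enduring" shell would be planted to survive a reboot.
Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, PathName |
    Export-Csv -Path (Join-Path $out 'services.csv') -NoTypeInformation

Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, State,
        @{n='Actions'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
    Export-Csv -Path (Join-Path $out 'scheduled-tasks.csv') -NoTypeInformation

# Run keys and Startup folders for every user profile.
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Export-Csv -Path (Join-Path $out 'startup.csv') -NoTypeInformation

# 5. Event logs copied out as .evtx; the originals stay untouched on the machine.
foreach ($log in 'System', 'Application', 'Security') {
    wevtutil epl $log (Join-Path $out "$log.evtx")
}

# 6. Hash everything collected so the examiner can show it was not altered later.
$hashes = Get-ChildItem -Path $out -File | Get-FileHash -Algorithm SHA256
$hashes | Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $out 'SHA256SUMS.csv') -NoTypeInformation

Write-Host "Triage collection written to $out"
```

Hand the USB stick, untouched, to the police along with the machine; the process and startup listings are also where you will see the name of the remote-support program the scammers had you install, which is the first thing an investigator will ask for.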
There is no doubt that not every scammer gaining access to your computer or phone wants to remove your sensitive data or pictures, but there is equally no doubt that some do poke around when they get remote access, and that some are specifically looking for sensitive or embarrassing information that can be used later for blackmail while you are being kept busy looking at the red icons and warnings in the event logs. Your sensitive data is one thing, but sensitive or naked photos of your children is another. These photos are of interest to a certain audience and, coupled with identifying and locating information, are not good in the wrong hands. It is important to keep this blog post in perspective, but be aware of its significance also. Don’t be unnecessarily paranoid, but absolutely avoid being naive either. The bottom line is this: if anyone gains access to your digital devices and you keep sensitive data and photos, in particular of your children, then seek advice and help as soon as possible.