Windows support scams: Here's how we're taking down fraud kingpins, says Microsoft

Faced with skyrocketing complaints about tech-support scams, Microsoft is turning to artificial intelligence to identify the masterminds behind the fraud.

Besides prettying up iPhone photos and blitzing Ms Pac-Man, Microsoft's AI is helping fight the real-world problem of tech-support scams, whose operators are increasingly using the web to automate the fraud with pop-up ads that lock browsers to a bogus but seemingly legitimate security warning.

These so-called 'browser lockers' aim to frighten victims into calling a support center at a number listed on the pop-up. Victims who do call are bullied into buying software to fix non-existent problems.

Sadly, the tactics work often enough for some of the larger operations to generate millions in revenue. Microsoft's US operations received 120,000 complaints about such scams between May 2014 and October 2016. Some 20,000 victims in the US that it knows about paid the scammers.

But, as Microsoft boasts in a new blog, the Federal Trade Commission's recent crackdown on major support-scam operators was in part the result of its computer vision, and image- and text-recognition technologies identifying slippery fraud kingpins.

The AI tools were developed by Microsoft researchers and used by its Digital Crimes Unit to hunt for clues on the web that would lead to the "biggest fish" of the support-scam world.

Microsoft explains that few victims capture screenshots of the original pop-up ads that scammed them, while operators of the fraud often use temporary numbers and short-lived IP addresses.

A model developed by Microsoft principal researcher Chris White, a former DARPA program manager with experience in counter-fraud technologies, helped fill the void of clues.

One of the tricks scammers use to give the impression of a locked browser pop-up is using ads that refresh in microseconds. White created a model that targeted this signal, which the Digital Crimes Unit used to scan the web. Once it captured these sites, it used computer vision to pull out phone numbers and other clues pointing to the attack's origin.

"What we're able to do is address the problem at the scale it's happening, and provide the mechanisms for us to do something about it," White said.

The company also used its data-visualization tools to offer government officials an easy way to view the scale of the problem and the states that were being hit hardest.

However, scammers are continuing to "innovate". Malwarebytes, a security firm that also helped the FTC's recent bust, recently discovered that a campaign aimed at Internet Explorer users in the US had started using numeric domains like "6473819564947657419.win".

An advantage of using these domains over alphabetic domains is that browser lockers become more difficult for the user to bypass. Malwarebytes researcher Jérôme Segura notes the only way to close the pop-up is by killing its process in Windows Task Manager.

The attack on Internet Explorer is using "mouse events" to load the popup each time the user mouses over a certain area of a page. However, the same attack for Chrome on Windows is "by far the most disruptive", according to Segura, as it freezes the browser by using up all the hardware's memory and CPU.

More on Microsoft and security

• Microsoft warns of 'destructive cyberattacks,' issues new Windows XP patches
• Microsoft: Latest security fixes thwart NSA hacking tools
• Microsoft's new Middle East chief: Why cloud and security are our big focus
• Microsoft fixes 'critical' Office Word security flaw under active attack
• Microsoft finally fixes 'critical' Windows security flaw after patch delay
• Microsoft Office malware: Banking trojan downloads if you hover over PowerPoint hyperlink