The Scam Hunter: What It's Like to Track Internet Bad Guys For a Living

These days, new malware scams are a dime a dozen. Phony email links, misleading URLs, fake call centers; if you haven't already stumbled across one yourself, chances are you know someone who has. But what's stopping all this malicious code from running rampant and turning every last corner of the internet into a kill zone?

It's not what but who. Specifically, it's malware hunters like Jérôme Segura, a security analyst who's tasked himself with taking on some of the internet's sleaziest scammers to make the world a better place.

The Game

Segura works at Malwarebytes, a software security company, where he specializes in zero hour threats—the latest and greatest in malware trickery, which Segura traps using something called a honeypot. While these bits of hacker bait can vary depending on the endgame, Segura's purposes dictate a honeypot that simulates a typical (generally clueless) user experience. Since the entire thing is automated, though, Segura can analyze any malicious code that comes in without coming to any actual harm himself—code that, for the most part, comes in the form of standard-issue spam emails and drive-by downloads from infected websites.

Segura's real passion, however, lies in hunting down a more evolved form of internet scammer. We're not talking your everyday, down-and-out millionaire Nigerian princes. Segura's adversaries go to some insane lengths to take you for all you've got. In 2013, for instance, Segura uncovered the first case of browser-based ransomware, which would later be called "browlock" by other antivirus companies.

In this particular case, anyone searching Bing for "Taylor Swift" (which, basically everyone, right?) would find themselves at the very fake and equally terrifying "FBI" page. Leaning hard on any potential shame the user might be feeling after such a search, the malware assures its victim that "all activities of this computer have been recorded" and that you've been caught doing one of several naughty things. The only way to regain access to your browser and avoid any legal ramifications? Cough up $300, of course.

The media latched onto the story because of the Taylor Swift tie, and it didn't take long for Swift's reps to contact Segura for help.

The Scam Hunter: What It's Like to Track Internet Bad Guys For a Living

Looking at the page now, it's hard to imagine how anyone could take the scam to be legitimate. But to an unsuspecting eye in the heat of the moment, these carefully crafted frauds can have some pretty grim consequences. In a conversation with Gizmodo, Segura explained:

I got my first call when I was at home a little over a year ago, and I've gotten a lot of feedback from victims that have been conned into spending several hundred dollars. Some of the stories are really heartbreaking. You're talking about single moms or people who are unemployed who end up handing over money that they barely even have to begin with. So that's what really kept me going—trying to identify who is doing what to not only bring awareness to people, but also expose the scammers publicly.

In the case of browser-based ransomware, Segura offers aid by explaining how to remove the malware, explaining how to avoid becoming a victim in general, and raising awareness to have sites like this taken down—a pretty standard solution. Replace all that automated scamming with a cold-hearted human though, and things get a hell of a lot more tricky.

The Hunt

The worst scams Segura deals with are also the most personal. Often, scammers (who are usually located in countries outside the US) will pour through phonebooks, calling people up at random and claiming to be an IT guy sent to service that person's computer over the phone—totally unsolicited, of course. And because these scammers only call landlines (which generally means they're reaching somewhat older, less tech-savvy residents), they're more likely to hit those most vulnerable to falling for fraud. The scammers chat over the phone, gain the victim's trust, and eventually weasel their way into gaining remote access to their target's machine. From there, the destructive possibilities are practically endless.

Segura first became aware of the tech support scam when he started receiving multiple calls from its victims, all of whom complained of similar rogue "Microsoft IT" guys. Once Seguara started at Malwarebytes, where he works remotely form home, it wasn't long before he started getting the highly suspicious calls himself. Segura commenced his investigation.

When I got the first one, it didn't take me too long to realize what was going on. I let them into a virtual machine I had and just started to play along, letting them tell me everything that was wrong with it before pulling out at the last minute. Well, they got pretty mad at me for wasting their time and went on a rampage to try to disable my machine. They removed all the documents, locked it up, removed vital drivers, and then they called me an asshole.

The Scam Hunter: What It's Like to Track Internet Bad Guys For a Living

Scammers have developed quite a few ways of scaring their victims to the point where they'll believe pretty much anything the nice, knowledgable IT man on the phone has to say. In another case Segura was researching, the fake tech support rep on the other end went a little whiteboard-happy explaining what was "wrong" with his machine.

The Scam Hunter: What It's Like to Track Internet Bad Guys For a Living

Segura doesn't just watch these tech support scammers destroy his virtual desktop, though; he's fast at work collecting information about them while he has them on the line. Once, a scammer told Segura he was going to turn Segura's screen black to "run a scan." Unfortunately for him, Segura's trap was ready.

The problem for him was that he was trying to install the black screen on a virtual machine, so the video card driver wasn't the right one. But he had no idea it didn't install properly. I could see everything.

He started trolling my desktop and was quick to steal some fake banking documents I'd left lying around for him. Obviously he had no idea that, not only were these documents fake, but they were also bait. So when he opened them, I knew exactly where he was, his latitude and longitude, IP address—everything. They really constantly surprise you. They've even tried to activate my webcam before.

Disguising a virtual machine's settings to pass as something real is just one page out of Segura's playbook. As one might expect given his line of work, he has to disguise himself in other ways as well..

I've switched about two dozen different phone numbers. I used to call from various Google accounts using Hangouts, but a few times they realized that they'd seen the number before. I had to stop and actually use a real phone number, but obviously I can't use the same one twice.

There seems to be a connection between the different companies, most likely a type of gang with a central database. A few times I've called and had them say, "Um, you called before and your name was Richard, not Mark." So I just have to be like, "Oh, maybe that was my brother..."

Of course, most of these scammers' victims aren't so prepared, and often leave themselves exposed for hours, giving bad guys ample time to rifle through their unsuspecting desktops for everything from banking files and credit cards to photos and personal information that can be resold and used for identify theft.

Essentially, these scammers can ruin their victims' lives and leave them totally blind to the fact that they opened the front door.

An Elusive Endgame

Unfortunately there's not too much that Segura can do other than simply raise awareness of active threats. Just putting in calls to the necessary authorities can occasionally shut down the phony sites, many of which operate out of India and pay workers more than they'd see in more legitimate jobs. Thanks to the efforts of Segura (and other security experts like him), the FTC launched a major crackdown on these very same tech support scams just a few years ago.

But while surges of enforcement are certainly helpful, the effects don't last long. Speaking with Gizmodo, Segura explained:

The crackdown really just shuts down some of [the scammer] domains or freezes some of their assets, and then these guys will just start on new websites the next day. It's not like they're going to jail, so they're just constantly switching between the dozens and dozens of websites that they register every day.

I think part of the problem is that some of the local police can be bribed, so [the scammers] have very little to worry about. And if something does happen, they can always just say it was a bad technician in their crew who's now fired. We won't do it again. And that's it.

And even though there's some personal satisfaction to be found in messing with these fake call centers a few times, you're playing a dangerous game:

A few [scammers] will get pissed off easily because some guys on the internet think they're avengers, so they'll ridicule them and waste their time on purpose. When they've been trolled by all sorts of people, they just don't have the patience and will just trash your computer. So I'm always cautious to keep it nice and clean with them; I don't want to insult them. I'd rather do it the proper way. But of course, they're still criminals. They're still scammers.

So at the end of the day, it pays to be kind. That's the only way Segura can get all the information he needs to expose their nefarious practices far and wide.

Almost as quickly as Segura an expose a scam, though, a new one will pop up in its place. A recent variant of the tech support scam actually attempts to convince unsuspecting Netflix users to call in to the fake hotline themselves—after entering their Netflix login information. If followed, this dastardly little trick could hit you pretty much anywhere it hurts, stealing money for fake services and your identity. And now, this same style of scam comes in way more flavors than just Netflix.

The bad guys keep innovating, but thankfully, Segura and others like him will always be on guard to raise the alarm. In the meantime, just be careful what you click—and who you let into your virtual home.