RedMarlin Research Labs Blog

RedMarlin / RedMarlin Research Labs Blog (Page 2)

Tech support scams have been around for several years now but there are no signs of them going away. A recent crackdown by the Federal Trade Commission revealed that one Florida-based scamming company alone, victimized over 40,000 users between November 2013 and 2016. This resulted in these victims losing a total of $25 million. Another report published by the FBI, reveals there were 10,850 tech support scam complaints in 2016 alone, resulting in a loss of $7.8 million. These victims reported fraud from 78 different countries, highlighting how far and wide do these scammers cast their net.

A survey conducted by Microsoft gave deeper insight into these scams. 2 out of 3 people experienced tech support scam in 2016, nearly 1 in 10 lost money, 17% of those who continued with a fraudulent transaction were older than 55 and surprisingly, 50% were between 18 and 34.

Anatomy of a scam

A tech support scam typically begins through any of the following techniques:

1) User gets a cold call from the scammer.

2) User visits a site that maliciously redirects them to the scam site or pops up another window through embedded links on the source page.

3) User mistypes the URL in a browser and the scammer controls the incorrectly typed domain.

Once the user visits the scam site, it hangs the browser using various Javascript tricks and by consuming all the resources of the computer. The idea behind hanging the browser is to make the user believe that something indeed is very wrong with their computer.

The video below shows how interacting with the webpage can get very painful and how at the end, the browser hangs completely. Notice how the page in fullscreen mode, has a background image with address bar that shows Microsoft’s secure support website. This is obviously an attempt to trick users into believing it’s the real Microsoft site.

Users who fall for such scam, end up calling the phone number listed on the website. The scammer then takes control of the user’s computer, shows them some benign files – calling them malicious, and then asks for money to fix it. The monetary transaction typically happens through services like PayPal or simply by asking user’s credit card information over phone.

Another variant of the scam is when the scammer says they want to refund the money from a previous call to the same victim. The scammer then takes control of the computer again, asks user to open their bank account and transfers money from within their bank accounts (between checking and savings etc.). Even though the transfer was made within the same user’s accounts, the scammer claims they made the transfer. Then they claim that they transferred more than what they were supposed to, by mistake, and that the victim should wire the extra money back the scammer.

Victims typically report losing a few hundred dollars on average.

Analysis of the latest scam sites

Even though the crackdown by law enforcement in U.S. and other countries have shut down several offenders, tech support scams are far from over. A study for a month (Jun ’17 – Jul ’17) with URL data collected from large-scale email honeypots and several other data sources, revealed the following:

  • On an average, about 50 new scam sites are registered each day. Almost all of the scam URLs are from newly registered sites with very few coming from older, hijacked websites.
  • A newer top level domain (TLD) .online was used the most by scammers to register these sites. 43% of all domains were registered on .online.
  • Other popular TLDs were .info, .tech and .xyz. .com was fifth in terms popularity with scammers, followed by .site and .club. The use of these TLDs were presumably because of their low cost.
  • Scammers sometimes adapt their scare tactics based on malware attacks that are popular in the news, for example, “Ransomware” alerts or “Zeus trojan” alerts.
  • The scam sites were not just abusing Microsoft’s Windows brand. There were several variants targeting Apple’s Mac users and Google Chrome users with site content tailored for each variant.

We provide details below of top 10 scam phone numbers and IP addresses associated with tech support scam sites. The phone numbers listed comprised of 31% of all scam sites while the IP addresses were associated with 38% of all scam sites. All the IP addresses listed below are located in the USA.


Scam phone numbers

IP addresses





















Full list of phone numbers can be seen here.

The screenshots below highlight some of the scam variants:

This slideshow requires JavaScript.


Stay vigilant to thwart these scams

Even though tech support scams can be sophisticated, the scammer still largely relies on the user to fall for it. Therefore, user awareness is the key to identify and thwart such scams. It begins with knowing how to identify them:

1) If you get an unexpected call claiming your computer is infected, it’s a clear sign of scam and you should hang up immediately. It is not advisable to rely on called ID as often times, it is spoofed to make it look like the call originated from a legitimate company. The caller also typically pretends to be from a well-known company like Microsoft and uses a lot of technical terms to bait the user.

2) A pop-up on your computer screen warning you of “malware infection” or similar alerts, is fake and you should close the window immediately. Often times, these scam sites will hang your browser if you wait for even a few seconds. If that happens, you can close the browser using Activity/Process Monitor application of your Operating System.

In addition to the above, if you have a concern about your computer, you should call your security software company directly, whose details you can get from the company’s website. Do not call the number listed on the pop-up website. You should also never share passwords or give remote control of your computer to anyone.

For more tips, check out FTC’s official guidance on tech support scams.

Tools and Resources

It takes work from various parties to fight the menace of Tech Support scam.

If you wish to lookup whether a URL is a scam site, you can use these freely available tools: CheckPhishVirustotal.

If you are a researcher, and would like to find out who the abuse contact for the offending IPs are, you can use a handy tool querycontacts to find out the email address where you can report.

If you wish to report to FTC, use their official complaint form at ftc.gov/complaint under the Internet Services, Online Shopping, or Computers section.



About the author: Shashi Prakash is the Chief Scientist at RedMarlin – a brand monitoring and anti-phishing company. He has been a security researcher for the past 7 years working at the intersection of email/web security and AI. He has worked at various big and small security companies, most recently at Cisco Talos, doing threat intelligence work in email security. He holds a Masters in CS from the Johns Hopkins University and Bachelors in EE from the Indian Institute of Technology.

At RedMarlin Labs, we monitor various brands that are target of online abuse through attacks like phishing. Our URL scanning technology enables us to not only classify a page as phishing but also to assign a brand to it automatically. This helps us classify URL data at scale and derive interesting patterns from the data with respect to brands. In this blogpost, we summarize the data we have from a 1-month period for most phished brands.

Google continues to be the most targeted brand in phishing. We saw about 20% of unique phishing links that we scanned leading to a Google phishing page. These usually contain variants of the Google single sign on page that users see when they login to any Google service. More details of other brands can be seen in the chart below:

top-phished brands

We usually expect Google, Paypal and Microsoft (Outlook/Office) to be the most targeted brands from what we’ve observed over the last few months but in May-June, we saw an uptick in Dropbox related phish. There were several variants of Dropbox phish, sometimes also with other brands like Gmail/Yahoo/Outlook combined in one page.

One interesting thing to note was that we saw a rise in DocuSign related phishing after a breach was reported last month. It was the ninth most phished brand in the data we collected.

When it comes to banking/financial services, PayPal continues to be the most targeted brand. We saw relatively fewer traditional big banks being targeted compared to PayPal. Chase and Bank of America were still the most popular brands targeted by phishers but we also saw newer targets like Santander Bank rising to sixth position in our list of more phished brands. It is also worth mentioning that several banks from Europe and Latin America show up in our data but they are usually low in volume and therefore are not included in the chart above.

If you would like to get deeper insight into how your brand is being targeted by bad actors and how RedMarlin can help you mitigate such abuse, please reach out to us through this contact page.

We’ll be back with more insights on brand abuse in our next monthly report.

There has been quite a bit of talk lately in the media around Homograph attacks following the disclosure of a browser vulnerability by Xudong Zheng. The technique itself is not new as we’ve seen several talks in the past at security conferences, from as early as 2012. The good news is most modern browsers have mechanisms in place to limit homograph attacks and Zheng’s proof-of-concept exploited a very specific vulnerability as you can read in his post.

A quick primer on Punycode before we go further: Punycode is a way to convert Unicode characters to a subset of ASCII – consisting of letters, digits and hyphens. The encoding is primarily used in creating domain names in non-ASCII characters, also known as Internationalized Domain Names (IDN). As you can imagine, IDNs serve a clear purpose of letting people in different parts of the world register domains with characters in their native languages. As you can also probably imagine, bad actors figured out a way to abuse IDNs by registering very similar looking domain names as that of popular websites mostly for the purpose of phishing unsuspecting users.

As threat researchers, we decided to go hunting for such suspicious domains and document techniques we used along the way. We hope they help other researchers as well.

Searching for newly-registered domains

We can find various free and commercial services that provide a daily update of newly added and deleted domains in every zone. We use a handy tool provided by domainpunch.com to search for newly registered domains in the past 30 days. They also provide an IDN filter which made searching for our target domains quite simple. Here is an image showing sample domains from 20th April with IDN filter set.

Searching by ASCII characters also returns IDN domains with Punycode characters

Image1: Searching by ASCII characters also returns IDN domains on domainpunch.com

You can see in the image above a few obviously suspicious domains that look like icloud.com (Apple’s popular cloud service). We went ahead and looked for more domains in the past 30 days and here is a list of what we found searching by two characters “ou”:

Domain Added on
outloơk[.]com 25-Mar-17
youtưbe[.]com 25-Mar-17
icłouđ[.]com 27-Mar-17
inc-ìcloud[.]com 30-Mar-17
îcloud[.]com 1-Apr-17
ícḷoud[.]com 1-Apr-17
ịclouḍ[.]com 2-Apr-17
icḷouḍ[.]com 9-Apr-17
lclọud[.]com 15-Apr-17
lclouḍ[.]com 17-Apr-17
outıook[.]com 17-Apr-17
ĭcloud[.]com 19-Apr-17
icloụd[.]com 19-Apr-17
ƴoutube[.]com 19-Apr-17
support-ícloud[.]com 19-Apr-17
îcloud[.]com 20-Apr-17
ȋcloud[.]com 20-Apr-17
icloùd[.]com 20-Apr-17
iclöud[.]com 20-Apr-17
íclóùd[.]com 21-Apr-17
ıcıoud[.]com 22-Apr-17

There are few points worth noting from the table above:

  1. Suspicious domains infringing on popular domains have existed for as long as we search in the past. We limited our search to 30 days but there are most likely many domains that were registered in the past. This makes it again worth noting, that homograph attack techniques are not new.
  2. We see several new icloud.com variants since 15th April- a day after Zheng’s blog post came out. There is a possibility such attacks can increase in near future as more bad actors get aware or get reminded of the technique.
  3. Expanding search based on more combinations of letters will likely lead to many, many more domains as we found 21 domains with just 2 letters “ou”.
Digging deeper using Passive DNS and URL resources

Once we have a list of possibly suspicious domains, we can look for more clues to ascertain maliciousness of the domain. One such technique is using Passive DNS to discover more evidence on activities of bad actors. As an example, we take the last domain in the list above: ıcıoud[.]com. A quick DNS look up reveals the A record as (at the time of writing this blog post). When we plug this into VirusTotal’s Passive DNS lookup tool, we find more evidence of domains registered likely for the purpose of phishing and an associated URL, blocked already by three blacklisting services.


VirusTotal's Passive DNS lookup

Image2: Passive DNS lookup on Virustotal

Lastly, if we analyze the URL http://icld[.]info, we find more details on behavior of the website. Apparently, it just redirects a visitor to www.icloud.com, Apple’s original icloud website. More details on URL analysis here: http://urlquery.net/report.php?id=1493029021928. We also see very similar behavior with URL containing IDN:  http://ıcıoud[.]com. It is safe to assume that all the above domains listed in Passive DNS are part of the same attack – most likely registered for phishing users. It is also worth monitoring all such IDN domains for extended period of time, for example a week or two, as they tend to go online several days after being registered.

We hope that the techniques listed above help threat researchers uncover more malicious actors and help the security community take them down.

Happy hunting!


P.S. – Another handy tool: convert punycode to ASCII using https://www.punycoder.com/