Authorities in India Disrupt Cybercrime Ring Impersonating Microsoft Tech Support

This script, when run on a compromised website, creates an official-looking pop-up warning in Japanese, instructing users to call a fake support number.

Infrastructure and Automation

The network behind this scheme was highly compartmentalized, with different groups responsible for specific aspects of the operation:

• Pop-up Creators: Used generative AI to rapidly prototype and deploy new pop-ups in multiple languages.
• Search Engine Optimizers: Ensured malicious sites appeared prominently in search results for terms like “Microsoft support number.”
• Lead Generators and Call Centers: Used lists of potential victims, sometimes scraped from public forums or purchased on underground markets.
• Technology and Logistics Providers: Supplied infrastructure, including call routing, VoIP systems, and digital devices for call center operatives.
• Payment Processors: Managed the laundering of proceeds using cryptocurrency and other anonymized payment methods.
• Talent Providers: Sourced multilingual speakers to handle calls and automate language translation.

Global Collaboration and Technical Response

The Microsoft DCU, in collaboration with JC3, provided critical intelligence that enabled the identification and disruption of the network. JC3 supplied actionable indicators for malicious pop-ups and call centers, which were integrated into Microsoft’s threat intelligence pipeline at the Microsoft Threat Intelligence Center (MSTIC). This allowed for proactive detection and takedown of malicious domains and URLs.

Since May 2024, Microsoft has taken down approximately 66,000 malicious domains and URLs globally using these indicators, integrating the intelligence into Microsoft security services to block future abuse.

Example: Identifying Malicious Indicators

Intelligence teams often identify malicious activity using indicators of compromise (IOCs) such as:

• IPv4/IPv6 addresses: Used to host fraudulent websites and call centers.
• Domain names: Fraudulent domains like support-microsoft.jp, microsoft-fix.com, etc.
• URL patterns: Used in redirects and pop-up scripts.

A sample YARA rule (used for pattern matching in threat intelligence) might look like:

textrule support_scam_popup
{
    strings:
        $popup_title = "警告: ウイルスが検出されました" nocase
        $support_number = "0120-XXX-XXX" wide ascii
        $microsoft = "Microsoft" wide ascii
    condition:
        all of them
}

This rule helps security analysts detect malicious pop-ups mimicking Microsoft security alerts in Japanese.

Evolving Threats and Ongoing Commitment

The evolution of cybercrime-as-a-service has enabled increasingly sophisticated fraud operations, with cybercriminals leveraging generative AI to automate victim identification, pop-up creation, and language translation. This has allowed the rapid targeting of new demographics, especially older adults who are less familiar with digital threats.

According to the FBI’s Internet Crime Complaint Center, tech support fraud was the top reported crime for Americans over 60 in 2023, with nearly $590 million in losses. In Japan, the Global Anti-Scam Alliance found that most scams target adults over 45, a trend consistent with this operation.

Microsoft’s DCU and its partners are committed to disrupting criminal networks from the top down, targeting the technical infrastructure and financial backbones of these operations.

With ongoing collaboration, advanced analytics, and artificial intelligence, law enforcement and private sector partners are better equipped to protect the most vulnerable from the evolving threat landscape.

Key Takeaways for the Public

• Microsoft will never send unsolicited messages or make unsolicited calls asking for personal or financial information.
• Report suspected tech support scams via Microsoft’s official reporting tool: microsoft.com/reportascam.
• Stay informed and cautious: Verify support requests through official channels before taking action.

The recent operation in India is a powerful example of how international collaboration and technical innovation are essential for meaningful cybercrime disruption.

As criminals continue to evolve their tactics, the global community must remain vigilant, adaptive, and united in its efforts to safeguard digital citizens worldwide.