The automated calls feature a computer-generated voice that tells the victim to visit a specific website, which often is selling bogus security software. The scam websites have usually been live on the Internet just a few hours, Adrian Asher, Skype’s chief security officer, said in a phone interview Monday.
The scammers are abusing a feature in Skype that by default allows users to receive unsolicited calls from any other Skype user. Skype considered changing the default setting, but a sampling of users polled found they didn’t want it to change for convenience reasons, Asher said.
That has left Skype to undertake other technical means to stop the problem. But the peer-to-peer nature of Skype in which calls are routed from a person’s computer through other Skype users’ computers makes it difficult to control, Asher said. At any one time, there may be as many as 47 million people logged into Skype, which makes the small percentage of scammers hard to detect.
The type of scam has gone through a few iterations. Initially, scammers contacted victims over Skype’s instant messenger, sending malicious links, but Skype controlled the problem by changing its instant messenger settings, Asher said.
The scammers also have approached people directly by sending contact requests, which Skype has also been able to control as well, in part by making it difficult for scammers to see if a person has accepted their request, Asher said.
Asher said he isn’t sure how scammers are harvesting user names, but anyone with a Skype account has access to the service’s user search function, which can return dozens of user names at a time.
It’s also not exactly known how the automated calls are set up. Asher said he suspects the scammers are running multiple Skype clients on either real PCs or virtual machines. Skype relies in part on users to report scam calls, so the suspect accounts can be deactivated. The best way to stop the calls is tochange Skype’s privacy settings to only allow communications from vetted contacts.
Asher said Skype is hoping to decrease the amount of time it takes to excise those malicious users from “tens of seconds” to just a single second. Faster reaction times raise the bar for scammers, who have to adjust their tactics and inevitably increases their costs.
“It’s technically complex and actually expensive for these people,” Asher said. “My belief is they can’t be making money off of this.”
Overall, the security measures have caused the number of scam calls to fall, but there are some occasional spikes.
“Sometimes they catch us off guard,” Asher said. “I’m happy we’re getting to the point where we see it eradicated or it is at a very small level.”