
>Of the hundreds of support requests I've responded to post-attack, all except one attack was carried out over TeamViewer.

And my experiences with repeatedly calling these guys had different results, that's fine.

>A tech support scam attacker would have many first-time connections to many other first-time TeamViewer users who are generally seniors instructed to run the TeamViewer app over the phone. While they may use a pool of computers/TeamViewer IDs, and a pool of IPs, there's limits to the cost-effectiveness of scaling that variation, and a pattern should definitely be visible.

And then the scammers will just switch to VMs and SOCKS5 proxies. (They probably already use the socks, considering they're buying them in bulk.)

>"Assuming proper rate limiting" seems like a large assumption, given that the possible attack vectors are guessing the random alphanumeric passwords and testing password dumps for account pairs from other services that work with TeamViewer.

The mere fact that this all happens over the network is plenty of rate limiting.

>Defaulting to accepting any connection from anywhere seems like a great example of poor security configuration by default.

This specifically isn't the default though.



