Yeah, yeah, yet another coldcall scam post, but featuring a ploy I haven't come across before, intended to convince you that the scammer really knows something about your system, so that you're likelier to fall for the scam.

Rebecca Herold reports for InfosecIsland that she was contacted by one of those helpful "support desk" people who call you up to help you with problems you didn't know you had such as malware you don't have. (Hat tip to @FSecure for the pointer to the article.) She reports that the caller was from a company calling itself EProtectionz and using what looks like a New Jersey number. However, I notice that company's web site also has phone numbers for Australia and the UK, so it looks as if the usual English-speaking populations are being targeted, using ammyy.com and logmein.com to get remote access to your system - there's actually an ammyy.com link on their web site, which is registered in Illinois, though Herold's caller had the Indian accent we've come to expect from this kind of scam.

The really interesting feature, though, is the way that the scam seems to have moved on from giving you your address (which they get from a telephone directory)and a fake IP number to convince you that they can really see your system. According to Herold (and a quick google indicates that others are experiencing much the same thing) the scammer now asks you to check a CLSID.

A CLSID is a Class Identifier stored in the Windows Registry -- at HKEY_CLASSES_ROOTCLSID, but I don't recommend that you go digging into the Registry unless you really know what you're doing. Fortunately (from the point of view of interfering with Registry entries), the scammer doesn't need you to edit the registry to find the CLSID he's looking for. He simply has to persuade you to run the ASSOC command. It's easy to do: you click on the Start button, Run, type in CMD to get to the command prompt (DOS prompt) and type ASSOC. That runs through a long list of file associations, telling you (for instance) that ".xltx=Excel.Template".

Since it's a long file it scrolls straight to the bottom, but if you're really interested in seeing exactly what it contains, you can get it to go through page by page by typing in "assoc | more": however, the scammer wants you to go straight to the bottom so that you'll see this entry:

ZFSendToTarget=CLSID{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

That's the CLSID on both the PCs open on my desk at the moment. Amazingly, it's also the one that the scammer quoted to Herold. And I bet that if you have a recent version of Windows and go through the same steps you'll find that you have it too. In other words, the scammer can't see your CLSID or anything else on your PC, including your Event Viewer logs. Unless, of course, you fall for the scam and give him remote access with AMMYY or LetMeIn.

Event Viewer? That's the tool he uses to persuade you that the transitory errors inevitably flagged in its logs are "evidence" of a system problem or malware infection. Of course, they're no such thing. See http://www.eset.com/us/resources/white-papers/Hanging-On-The-Telephone.pdf for more information.

The good news, though, is that if they're using a local number and other local presence, you may have some legal recourse if they insist on phoning you even though you're signed up to a Do Not Call registration service. I don't know anyone who's gone that route yet, though, so no promises. All the scam calls I've had (and there've been many!) have been international.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow