Support Scammers (mis)using INF and PREFETCH

Here's a quick summary of the PREFETCH and INF ploys I mentioned in a separate blog here. These are alternatives (or supplements) to the Event Viewer and ASSOC/CLSID ploys, also used by support scammers from India to "prove" to a victim that their system is infected with malware or has other security/integrity problems.

Typing "prefetch" into the Run box opens the folder C:\Windows\Prefetch, which contains files Windows uses to speed up the loading of programs.

Typing "inf" actually opens the contents of a folder normally named C:\Windows\Inf: it contains files used in installing the system and its drivers.

INF and PREFETCH are legitimate system folders: so how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then asking them to type in something like "prefetch hidden virus" or "inf trojan malware". When a folder listing like those above appears, the victim believes that the system is listing malicious files. In fact, neither of these commands accepts parameters in the Run box. You could type "inf elvish fantasy" or "prefetch me a gin and tonic" and you'd get exactly the same directory listing, showing legitimate files.
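As an added example (not from the original post), here is how a helper can show a victim what the Prefetch listing actually is: every .pf file is named after a program that has been launched on that machine, so the "scary" list is just a record of normal program use. It assumes an elevated PowerShell prompt, since standard users cannot read the Prefetch folder directly.

```powershell
# Added example: decode the Prefetch folder that the "prefetch <anything>" ploy opens.
# Each file is named <EXECUTABLE>-<8 hex char path hash>.pf; nothing here is malware
# by itself, it is Windows' own loading cache for programs the user has run.
$prefetch = Join-Path $env:windir 'Prefetch'

if (-not (Test-Path $prefetch)) {
    Write-Warning "No Prefetch folder at $prefetch (prefetching may be disabled)."
    return
}

$entries = Get-ChildItem -Path $prefetch -Filter '*.pf' -ErrorAction Stop |
    ForEach-Object {
        # Split "NOTEPAD.EXE-D8414F97.pf" into the program name and the path hash
        if ($_.BaseName -match '^(?<exe>.+)-(?<hash>[0-9A-F]{8})$') {
            [pscustomobject]@{
                Program  = $Matches.exe
                PathHash = $Matches.hash
                LastRun  = $_.LastWriteTime   # updated when the program was last launched (approximate)
                SizeKB   = [math]::Round($_.Length / 1KB, 1)
            }
        }
    }

# Show the most recently launched programs first: the victim will recognise their own apps.
$entries | Sort-Object LastRun -Descending | Format-Table -AutoSize

# A one-line summary to read out over the phone to a worried relative.
"{0} prefetch records for {1} distinct programs; these are launch caches, not infections." -f `
    $entries.Count, ($entries.Program | Sort-Object -Unique).Count
```

Appending words after "prefetch" in the Run box does not filter this list; the same folder opens regardless of what follows the folder name.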

Neat trick: but don't you fall for it!

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Author David Harley, ESET

  • Djl Boston

    While I knew of this scam in general, I just got a call like this. Windows-R “inf accker” was what I was asked to type. I started by telling them that I was sitting in front of my computer (a lie; no computer was online in my household) and then acted like an illiterate user while she led me through the steps. Made her describe multiple times what to do. (I was folding laundry and had my cell phone on hands free, so it wasn’t wasting my time). When we got to the point when she told me that someone was trying to take control of my computer, I fessed up. I said, “Yes, I knew that and it is you.” She protested, but when I said I was an IT Manager, she abruptly hung up. I’m glad I had the time to lead her on. It was enjoyable!

  • Philby

    I’m not an IT Manager but I too was aware of these calls and decided to have some fun. I strung the man along for quite a while asking him about casement vs. push-up Windows and what about Juliet when he wanted me to press Windows R as in Romeo. He eventually said he thought I was having fun with him and I fessed up. I told him I’m sure he was a very nice man but the people he worked for did not have my best interest in mind. I suggested he try and find a different job and that God loved him. (He does!) I had the time and thought it would be better for me to waste 10 or 15 minutes of his time that he might be scamming someone else! And yes! It was VERY enjoyable!

  • Not-that-gullible

    I pulled up this site while getting an unsolicited “Windows Support call.” The “Windows Guy” told me to press Windows R and then type in the run command window “inf location virus”. lol… even the fake command sounds bogus.

    Yes, he knew my phone number, town, and address–so what? Just look it up in the white pages. He had no other form of identification. When I asked for “proof of ID” he just went to scare tactic mode. “Your computer could be infected! (Insert town name) was infected with a virus that shuts down your computer. Don’t you want to be safe?” He got really mad when I commented that I knew about the “inf scam” and tried to deny everything.

    Still not convinced it was a scam though? After I hung up, I checked the saved caller ID on my phone: 136-642-8888 and no country code. Oops! That’s not a phone number in the US, and certainly not a California phone number where he claimed he ‘was’.

  • jane

    I got the call just this morning. They end up giving you a website http://www.help1.us which has no identifying marks and they want you to click on some “download…” button and that’s the point where, if you haven’t been saying it before, you get really concerned. I told them to call me back – and in the interim found this website to corroborate my concerns. Thanks much.

  • bob

    They’re still at it. Got the call this morning. I said I didn’t have my computer on and he told me to go turn it on. So I left him on that phone, got some coffee, then decided I’d let them “help” me.

    Fired up the laptop, got back on the phone. He told me to do the command R thing, told him nothing happened. Try it again, so I did, nothing happened. Said to open up Internet Explorer, I said I used Firefox, he said that’s ok. Sent me to http://www.help1.us and click on the “Download Ammyy Admin” link and open it. I did, file AA-v3.exe opened in Text Edit (a text file with gibberish), wasn’t what he expected.

    Finally he said look at the bottom left of my keyboard and look for the window icon. I told him I didn’t have a window, I had something else. He asked what it looked like, I said it looked like a flower. He asked if I was on a Macintosh, I said yes, he put me on hold and the call dropped.

    Oh dear, my support call was dropped! At least we had a few minutes when they weren’t bothering anyone else.

  • IanE

    I just had an Indian sounding chap call me from ‘Windows Support Centre’. I immediately smelled a rat. He asked me to simultaneously press the Windows key and ‘R’, so I did. Then he wanted me to type ‘inf’ then hit OK.
    I asked him what this was supposed to do – he said it would display all the infected files on my computer. I told him to hold on while I did a Google search to find out what this actually did. It took me a few seconds to find this site and I started reading some of the comments out to him. Amazingly, he stayed on the line and listened to it. Eventually, I told him that I knew it was a scam, not to call me back and hung up. Losers!

  • DrWerna

    My parents, who are retired and not very tech savvy, just got called by these scammers this week. They first called on Monday, but my Mom accidentally hung up on them while passing the phone to my Dad. They called back again Tuesday, and then spent 75 minutes on the phone with my Mom. Unfortunately, they did get her to click on the download from http://www.help1.us, which I believe loaded a LogMeIn module which then allowed them to take over her computer. The scammer then ran a processes utility from http://www.pchealthcheck.us for further “proof”. They wanted her to update a Windows certificate for $179, but ultimately, she declined, and then I got called in to help them from there.

    I was able to retrace these actions by looking at the history in the Run module (which they don’t otherwise use). Coincidentally, they had just upgraded to Windows 8.1 the day before, which is what made them more gullible for the scam.

    I couldn’t find any traces of LogMeIn actually installed anywhere on the computer, and Norton didn’t pick up anything, so I’m assuming they were just fishing for credit card information.

  • Richard E. Armstrong

    You guys are missing all the “fun”. I string them along as long as I can, I act dumb, and amazed. The more time of theirs that I waste, the more fun it is. I end the call by telling them to go F*(&^ themselves, and they really don’t like that… but they call back every DAY!

  • Lily

    I just had an Indian guy call me claiming my computer needed “immediate attention” and that since I am a “valued Microsoft customer” that I needed to do as he says right now. My spammer alarm instantly went off (not that the loud noise in the background wasn’t an instant red flag or ANYTHING), but I played dumb and strung him along for as long as I could to see what he was up to. Then, when he took me to that shady website and asked me to click on the button for him to get control of my computer, I hung up. It’s too easy.

  • Tyler Peterson

    Just had an Indian guy call me and try to get me to run “inf.” He taught me that “inf” stands for infection. I led him on as long as I could but I don’t have a Windows computer and I eventually didn’t know what should have happened next. He got spooked and hung up.
    Salt Lake City, Utah

  • Sean

    My grandfather got the same call today. He said that he had to press Windows R and type in inf; then he told them that he didn’t trust them, so he called me in and I looked it up and found this page!

  • Truthbro

    These people just don’t give up… they keep calling me. I told them to stop and they did… a couple of days later they hit me with this plan. I almost believed them too, because they had my email and my name. They called me from this number: 786-374-2822

Copyright © 2014 ESET, All Rights Reserved.