Support Scammers (mis)using INF and PREFETCH

Here's a quick summary of the PREFETCH and INF ploys I mentioned in a separate blog here. These are alternatives (or supplements) used by support scammers from India to the Event Viewer and ASSOC/CLSID ploys also used to "prove" to a victim that their system is infected with malware or has other security/integrity problems.

The "Prefetch" command shows the contents of C:\Windows\Prefetch, containing files used in loading programs.

The "INF" command actually shows the contents of a folder normally named C:\Windows\Inf: it contains files used in installing the system.

INF and PREFETCH are legitimate system utilities: so how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then asking them to type in something like "prefetch hidden virus" or "inf trojan malware". When a folder listing such as the ones described above appears, the victim believes that the system is listing malicious files. In fact, neither of these commands accepts parameters in the Run box. You could type "inf elvish fantasy" or "prefetch me a gin and tonic" and you'd get exactly the same directory listing, showing legitimate files.

Neat trick: but don't you fall for it!
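As an added illustration (not part of the original post), the script below models the Run-box behaviour just described: only the first word is resolved, as a folder under the Windows directory, and everything after it is thrown away, so the listing is identical whatever "scary" words follow. It builds a constructed stand-in for C:\Windows in a temporary directory, with made-up file names, so it runs offline on any OS; `run_dialog` and `unmatched_words` are hypothetical helpers written for this example.

```python
import os
import tempfile
from typing import List, Optional

# Constructed stand-in for %SystemRoot% so this runs offline on any OS.
# The file names are made-up placeholders, not real Prefetch/Inf entries.
FAKE_CONTENTS = {
    "Prefetch": ["NOTEPAD.EXE-00000000.pf", "CMD.EXE-00000000.pf"],
    "Inf": ["usbstor.inf", "netrtwlane.inf"],
}

def make_fake_systemroot() -> str:
    """Create a temporary directory laid out like C:\\Windows with the two folders."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    for folder, names in FAKE_CONTENTS.items():
        os.mkdir(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return root

def run_dialog(command: str, systemroot: str) -> Optional[List[str]]:
    """Model the Run-box behaviour the post describes: the first token is looked up
    (case-insensitively) as a folder under the Windows directory and everything
    after it is discarded. Returns the sorted folder listing, or None if no such
    folder exists (a real Run box would show an error instead)."""
    tokens = command.split()
    if not tokens:
        return None
    target = tokens[0].lower()          # tokens[1:] are never used
    for entry in os.listdir(systemroot):
        path = os.path.join(systemroot, entry)
        if entry.lower() == target and os.path.isdir(path):
            return sorted(os.listdir(path))
    return None

def unmatched_words(command: str, listing: List[str]) -> List[str]:
    """Return the words typed after the folder name that appear in none of the
    listed file names: evidence that the listing has nothing to do with them."""
    extra = command.split()[1:]
    return [w for w in extra if not any(w.lower() in name.lower() for name in listing)]

if __name__ == "__main__":
    root = make_fake_systemroot()
    for cmd in ("prefetch hidden virus", "prefetch me a gin and tonic"):
        files = run_dialog(cmd, root)
        print(f"{cmd!r} -> {files}; unrelated words: {unmatched_words(cmd, files)}")
```

Both commands print the same two placeholder .pf files, and every word after "prefetch" is reported as unrelated to anything in the folder.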

David Harley CITP FBCS CISSP
ESET Senior Research Fellow


  • Djl Boston

    While I knew of this scam in general, I just got a call like this. Windows-R “inf accker” was what I was asked to type. I started by telling them that I was sitting in front of my computer (a lie; no computer was online in my household) and then acted like an illiterate user while she led me through the steps. Made her describe multiple times what to do. (I was folding laundry and had my cell phone on hands free, so it wasn’t wasting my time). When we got to the point when she told me that someone was trying to take control of my computer, I fessed up. I said, “Yes, I knew that and it is you.” She protested, but when I said I was an IT Manager, she abruptly hung up. I’m glad I had the time to lead her on. It was enjoyable!

  • Philby

    I’m not an IT Manager but I too was aware of these calls and decided to have some fun. I strung the man along for quite a while asking him about casement vs. push-up Windows and what about Juliet when he wanted me to press Windows R as in Romeo. He eventually said he thought I was having fun with him and I fessed up. I told him I’m sure he was a very nice man but the people he worked for did not have my best interest in mind. I suggested he try and find a different job and that God loved him. (He does!) I had the time and thought it would be better for me to waste 10 or 15 minutes of his time that he might be scamming someone else! And yes! It was VERY enjoyable!

  • Not-that-gullible

    I pulled up this site while getting an unsolicited “Windows Support call.” The “Windows Guy” told me to press Windows R and then type in the run command window “inf location virus”. lol… even the fake command sounds bogus.

    Yes, he knew my phone number, town, and address–so what? Just look it up in the white pages. He had no other form of identification. When I asked for “proof of ID” he just went to scare tactic mode. “Your computer could be infected! (Insert town name) was infected with a virus that shuts down your computer. Don’t you want to be safe?” He got really mad when I commented that I knew about the “inf scam” and tried to deny everything.

    Still not convinced it was a scam though? After I hung up, I checked the saved caller ID on my phone: 136-642-8888 and no country code. Oops! That’s not a phone number in the US, and certainly not a California phone number where he claimed ‘was’.

  • jane

    I got the call just this morning. They end up giving you a website http://www.help1.us which has no identifying marks and they want you to click on some “download…” button and that’s the point where, if you haven’t been saying it before, you get really concerned. I told them to call me back – and in the interim found this website to corroborate my concerns. Thanks much.

Copyright © 2014 ESET, All Rights Reserved.