How to recognize a PC support scam

A while ago, I responded to a blog comment promising some thoughts on how to recognize a cold-calling PC support scam. Unfortunately, I wasn’t able to do that immediately, and then I was on vacation with no Internet connectivity (I should do that more often!). But then, since the problem isn’t going to disappear any time soon, I guess advice on how to recognize it before you hand over any cash isn’t going to pass its best-by date too soon, either.

  • If you have caller-ID enabled on your phone display, you may see International or Number Withheld. That doesn’t, of course, guarantee a scam. But if you’re not accustomed to receiving international calls and you share my dislike of businesses that call without showing the number they’re calling from, it is at least a warning to be on your guard. On the other hand, it’s far from unusual for a scammer to use what looks like a local number (which may or may not be spoofed).
  • India is a major provider of legitimate call-centre services to many parts of the world, so you can’t assume that a caller with an Indian or Asiatic accent is a scammer, just as you can’t assume that all Nigerians are 419 scammers (or even that all 419s are Nigerian in origin). Nonetheless, at the moment nearly all the reports of support scams that I’m seeing note that the caller sounds Indian, and almost all of the sites and domains we’ve been able to trace (and in some cases, block) have had an Indian connection.
  • If you’re on a national “do-not-call” register, pointing that out early in the conversation is a pretty good way of checking whether a call is likely to be from the same region. If, as often happens, they take no notice, it’s probably a good time to put the phone down.
  • The caller is likely to claim to represent or to be affiliated with a well-known name – Microsoft, Cisco and Dell (and, more recently, BT) are frequently mentioned, though the nature of the affiliation is often vague. These are companies that are very unlikely to contact an end-user directly about a virus problem: frankly, it’s pretty time-consuming to trace individual users who may have a security issue. The fact that the caller may know your correct name, address and telephone does not mean they have access to any information about your PC. They’re guessing, and if you know enough about your own system to ask how they have the information they claim, their answers make no sense at all. And if, as is often the case, they don’t have your correct contact details, how can they possibly know anything about the status of your PC?
  • Most scam calls are reliant on the scammer “proving” that he or she can identify problems with your system: in a moment, we’ll look at the ways in which they misuse and misrepresent standard Windows utilities as some kind of malware diagnostic, but even before that, they may tell you that they already know you have a security problem because:
    • Microsoft, or your ISP, or some other “authority” told them so. The circumstances under which this might be true are very limited indeed: if you think it’s possible that it might apply to you, check directly with the “authority”. It’s naive to take the word of someone who just called you out of the blue. If they’re evasive about the exact nature of their relationship with Microsoft (or whoever), I’d suggest you save yourself the bother and just put the phone down.
    • The details of your system are on some imaginary database.
    • There are spam or virus reports associated with your IP address. Or your phone number. Or, more vaguely, “your computer”. Take with a very large pinch of salt. If you don’t understand the caller’s explanation of how they identified your system, assume that you’re being misled. If you think you do understand the explanation, that’s probably a tribute to the social engineering talents of the scammer, not a reliable indicator of a bona fide support call.

So what about the ways in which they try to prove to you that your machine is infected by walking you through standard Windows utilities? It’s likely that scammers will come up with variations on this approach, but these are the ones that we see most often.

  • Event Viewer is a tool that keeps a system log. A scammer is likely to tell you to go to the Run menu and type in eventvwr. That will take you to a screen that shows you various system events, some of which will indeed be problems, though they’re usually transient problems that have already come and gone. When you see the Event Viewer screen, say something rude and put the phone down, if you’ve let them get that far.
  • Microsoft tells us that ASSOC “Displays or modifies file name extension associations.” However, scammers tend to use one of the items near the bottom of the list it outputs that looks like this:

 .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

What that ASSOC line actually tells us is that files with the .zfsendtotarget extension are associated with the compressed (zipped) folder handler in Microsoft Windows; the same CLSID appears on every Windows installation. However, the scammer will usually tell you that this is the unique identifier of your PC, as proof that he can see that there is a problem uniquely associated with your PC. Or he may tell you that CLSID stands for Computer License ID, and that you need to renew the license. Either way, he’s lying to you. Tell him where to stick his license and put the phone down.

  • INF and PREFETCH are legitimate system utilities: the “Prefetch” command shows the contents of C:\Windows\Prefetch, containing files used in loading programs. The “INF” command actually shows the contents of a folder normally named C:\Windows\Inf: it contains files used in installing the system. So how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then asking them to type in something like “prefetch hidden virus” or “inf trojan malware”. When a folder listing like those above appears, the victim believes that the system is listing malicious files. In fact, neither of these commands accepts parameters in the Run box. You could type “inf elvish fantasy” or “prefetch me a gin and tonic” and you’d get exactly the same directory listing, showing legitimate files. Time for another rude word.
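As an added example (not part of David Harley’s article), the PowerShell script below lets you check both of the claims above on your own Windows machine. The first function reads the same registry keys that ASSOC reads (HKCR\.ZFSendToTarget and the matching HKCR\CLSID\{...} key) and reports the friendly name behind the CLSID, which is why the “unique identifier” story falls apart. The second function is a deliberately simplified model of what the Run box does with “prefetch hidden virus”: the first word is looked up in the Windows directory and everything after it is discarded. The function names and that simplified lookup model are this example’s own assumptions, not Windows documentation.

```powershell
# Added example: check the ASSOC/CLSID story and the Run-box "parameters" story.

function Resolve-AssocClsid {
    param([string]$Extension = '.ZFSendToTarget')

    # ASSOC takes the right-hand side of "ext=..." from the default value of HKCR\<ext>.
    $assoc = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction Stop).'(default)'

    # A value of the form CLSID\{...} names a COM class; the friendly name of that
    # class is the default value of HKCR\CLSID\{...}. It is the same on every PC.
    if ($assoc -match '^CLSID\\(\{[0-9A-Fa-f-]+\})$') {
        $clsid = $Matches[1]
        $name  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction Stop).'(default)'
        return [pscustomobject]@{ Extension = $Extension; Target = $assoc; Clsid = $clsid; FriendlyName = $name }
    }
    return [pscustomobject]@{ Extension = $Extension; Target = $assoc; Clsid = $null; FriendlyName = $null }
}

function Resolve-RunBoxFolder {
    param([Parameter(Mandatory)][string]$Typed)

    # Simplified model (an assumption of this example): the Run box treats the first
    # token as the thing to open and the rest as arguments, which a folder ignores.
    # Real Windows also searches App Paths and PATH; the Windows directory alone is
    # enough to show what happens with "inf" and "prefetch".
    $first     = ($Typed.Trim() -split '\s+')[0]
    $candidate = Join-Path $env:windir $first
    if (Test-Path -LiteralPath $candidate -PathType Container) {
        return (Get-Item -LiteralPath $candidate).FullName
    }
    return $null
}

# Expected on any Windows machine: FriendlyName is the zipped-folder SendTo handler,
# i.e. nothing that identifies *your* PC.
Resolve-AssocClsid

# Both strings resolve to the same C:\Windows\Prefetch folder; the extra words change nothing.
Resolve-RunBoxFolder 'prefetch hidden virus'
Resolve-RunBoxFolder 'prefetch me a gin and tonic'
Resolve-RunBoxFolder 'inf trojan malware'
```

Reading the registry rather than parsing ASSOC output is deliberate: it shows where the CLSID comes from, and a second machine will return the identical GUID and friendly name, which is the one-line rebuttal to “this is your computer’s license ID”.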

For the scammer, there are two other critical steps.

  • The whole point of the exercise (and they’ll probably want you to do it before they actually “fix” your system) is to get you to hand over credit card details. Make it clear from the start that you’re not going to give that information to anyone you can’t validate as genuine. In some cases, they may simply give up at this point, or they may try to persuade you that they’re genuine by giving some information about themselves (or, more to the point, their company). Tell them you’ll call them back and get in touch with the authorities, or even us. Unfortunately, there’s a good chance that they’ll call you back eventually if you don’t ring them back: they really do want your money. Tell them you’ve talked to the police, or to a security company, or even to Microsoft, and the chances are they’ll give up sooner or later, though they may bluster for a while.
  • The other is to persuade you to download remote control software (most often from logmein.com or ammyy.com) so that he can demonstrate to you that he’s downloading utilities (usually these are free versions of genuine software, but of course they could in principle be anything…) and fixing your imaginary problems. Don’t go there: why would you give someone who just rang you up out of the blue access to your system?

Of course, we can’t guarantee that they’ll use any particular approach, and in fact you may get threatening or abusive behaviour before they give up. Nonetheless, the earlier in the process you disengage and make it clear you’re not interested, the less hassle they’re likely to give you: at least, in terms of that specific phone call. The advantage of that approach, of course, is that it tends to work for other scams (some of which may come from the same call centres): mortgage scams, fake surveys (usually a precursor to a sales pitch or even to a follow-up scam call, tailored according to your responses) and so on.

See also ESET’s white paper Hanging on the Telephone.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow


  • ikie driss

    I wish I had read this yesterday, because that's exactly what happened to me last night! I did manage to collect names and phone numbers and am in contact with both my ISP and my credit card. I think I will add the State Attorney General to this list. Keep spreading the word! Thank you

  • Marsha Jones

    I received a call like this yesterday.  I told the man I thought it was a scam and hung up.  He called again this morning.  I hung up again.  He called back a third time and after I objected to the call saying I was sure it was a scam, he gave me the phone number (44-161-408-46-55) so I could call back to make sure they were legit.  He also gave me a website name ; I still insisted it did not sound legit and he referred me to his supervisor who wanted to know if my computer was on and I asked her for a phone number. She gave me the number 1215-633-3110. I told her that her staff person gave me another number and  that just confirmed to me that it was a scam. She got angry and said "Go to Hell" and hung up.  They haven't called back in an hour, so maybe they will give up.

  • ikie driss

    I received an email from PayPal today concerning my account. I don't have one. Plus it was set up using an email address I don't have with an ISP I don't have any account with. I contacted my bank… no problem there. I contacted my credit cards, no problems, until I talked to Am Ex and sure enough there was a charge for $156.15. Thank God they were great about removing the charge and issuing me a new card immediately. How they got this information I will probably never know. Please continue spreading the word, I know I will! Thank you again, Ikie Driss

  • ikie driss

    An update: I just received a call from the same scammer telling me he wanted to refund my money. Meanwhile he was asking for more information. I called him out as the scammer, cheat & thief that he is, and told him I had contacted my bank, all my credit cards and the State Attorney General Fraud Division. That's when he started the insults & hung up on me!

  • ikie driss

    These people do not give up… We must Fight Back!

  • azhure

    I don't know when this word scam started, but one thing is for sure: scammers are widely observed nowadays when there is a boom in online transactions and online ways of making money, thus you can consider that those scammers are maybe desperate for some reason…

  • MIKE

    THEY CALLED ME AGAIN THIS MORNING, I ASKED HIM IS THIS AVANEESH PC SUPPORT SCAM AGAIN AND HE SAID NO, IF WE WANT TO WE COULD HACK INTO YOUR PC AT ANY TIME. I ASKED HIM TO WAIT (WHILST I SET UP RECORDING), HE HUNG UP. BEWARE OF INDIAN COLD CALLING PC SUPPORT SCAMS, THEY ARE ALL FAKE. 5 MONTHS AGO I GOT SCAMMED BY AVANEESH, BUT NEVER AGAIN. BEWARE AND SMART PEOPLE.

  • George

    I am really curious to meet these people that actually do the cold-calling. It amazes me that someone can do that. Just lie like that :) and I'm sure they manage to convince some people.
    They have to have some skills, I wonder if they would do legit jobs :)

  • david hayes

    I am based in the UK and I don't know what's wrong with the people. They are not scammers, they fixed my computer online and every time I face any kind of issue I just simply call them. They have a registered website.

    • David Harley

      No-one is saying that there aren’t genuine, non-scamming support sites. It’s safe to assume, though, that if someone rings you up to tell you that you have computer issues – especially viruses and similar problems – they’re almost invariably scammers.

  • Brian Bard

    We received several phone calls today from this same identity, he proclaims himself to be from the national computer security. I felt scam from the beginning but I wanted to know his ploy, he had already tried to extract info from my teenage son (15) but very computer savvy (too many gaming hackers for friends). The caller called w/o giving name but caller id showed (4-905-512-3123) however when told he was being traced, he gave a number (510-314-4990) (person not available). They try to convince you that any caution or failed service history notices are dangerous hackers. Don't delete but talk w/ their tech reps and they will tell you what to do. My opinion, bad idea. My neighbor is w/ cyber crimes for our city, I'll ask his help and have my computer checked out by a local reputable source.

  • Jonathan

    I got several calls from this weird NODID caller ID which isn’t what my phone usually displays when I get an anonymous caller id. And today I was home and answered to this guy who sounds like he is from India, telling me he works for PC support and that my computer is sending them online error reports. It seemed obvious it was a scam so I told him to stop calling me because I am not interested in whatever he had to offer. He then asked if I thought it was a sales call, I replied that I think it’s a scam. And he hung up immediately. I looked up pc support on the internet and found this page. They do still try to fish with this scam. My phone number is in east coast Canada.

    • Aryeh Goretsky

      Hello Jonathan,

      I wonder if your Caller ID might have displayed “NO DID”? D.I.D. is an abbreviation for “direct inbound (or inward) dialing” and is a term used in telecommunications to refer to a phone line assigned to a specific device. In this case, I have to wonder if the scammer who called had hacked into some company’s VoIP phone system to steal phone service for their calls, and this was displayed as a result of that action.

      Regards,

      Aryeh Goretsky

  • -KZ-

    Help!! Plz..!!

    I think I've just been had..!!

    I know about computers (since D.O.S.).. I know about scams.. but it still happened to me.. so be very, very careful people..

    I just received that infamous call.. I saw them coming..
    (a lady named Nancy Turner!! with the most incredible ''Indian'' accent – & I've got Indian & Pakistani friends so I know – & her "Supervisor" Mr. James Turner, or something.. I wrote it somewhere..)
    ..but they realised I knew about msconfig & all the Windows commands they were trying to use to lure me & convince me it was legit.. so they skipped the credit card approach & went to the ''download remote control software'' approach & got me there.. (I tried tracing my steps back.. but I was in incognito mode.. so I lost the link where I went to download it..)

    the thing is I assumed I could just turn the program off & uninstall it.. but I can't find it anywhere..!
    (unless I forgot the name & don't realise it.. but I doubt it.. I re-re-re-checked..)

    do what you can to help me please !! I'm getting paranoid..!!

    they said they knew I had computer problems because they got the warning (through Microsoft) with
    my CLSID: computer license security identification number (all my "send bug reports" are set to don't send..)
    and only my computer had that ID number.. (but how did they know my phone number??)

    how can I find it or track if it's running?
    & is it a serious threat?
    & what can they do with access to my computer?
    & can they access it when they want? even if I've got remote "services" off (or disabled)?

    I've had this laptop for 1yr.. I don't want (or need) to buy a new one now..
    I'm firewalled.. & virus protected.. & anti-malware too..
    is it enough??

    this is the site they wanted me to go to, to use the credit card:

    impc support
    help line-1-204-800-2612

    these are the programs they wanted to give me free!!
    registry cleaner
    diagnostic tool
    pc tune up
    windows firewall home - all full versions (!!)
    a new windows license key – (if I register at the previously mentioned site..)
    6 months free technical support.

    I ran my anti-virus last night.. I'm doing it tonight too!! just to be sure..
    any more suggestions would be greatly appreciated..
    thanks in advance
    -KZ-

    • David Harley

      Hi, Karlito. If you’re in the US, there’s a good chance that the remote software they got you to install was ammyy: see http://www.ammyy.com/en/admin_mu.html for info including how to remove it. logmein.com is another much misused service, and Team Viewer is frequently mentioned. I don’t know either of those products well enough to tell you how to identify their presence for sure, though.
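The question of how to tell whether one of these remote-control tools is still present comes up more than once in this thread, so here is an added example (not code from the article, from ESET, or from any of the vendors mentioned) that looks for traces of the three products named above on a Windows machine. It searches running processes, services, Add/Remove Programs entries and the Run autorun keys for the vendor names Ammyy, LogMeIn and TeamViewer; it deliberately matches on those names rather than on guessed executable file names, so a hit means “look at this”, not “infected”, since all three are legitimate products that scammers misuse. The function name and the keyword list are this example’s own assumptions.

```powershell
# Added example: find leftovers of remote-control tools a scammer may have had installed.
# Run in an elevated PowerShell session so that services and per-machine keys are readable.

$Keywords = @('ammyy', 'logmein', 'teamviewer')   # vendor names from the thread; extend as needed

function Find-RemoteControlTraces {
    param([string[]]$Names = $Keywords)

    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $hits    = New-Object System.Collections.Generic.List[object]

    # 1. Running processes. A portable tool may show up here and nowhere else,
    #    so this is the first place to look if the machine has not been rebooted.
    Get-Process |
        Where-Object { $_.ProcessName -match $pattern -or $_.Path -match $pattern } |
        ForEach-Object { $hits.Add([pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Detail = $_.Path }) }

    # 2. Services. Tools configured for unattended access usually register one,
    #    which is what lets a caller reconnect later without you clicking anything.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern } |
        ForEach-Object { $hits.Add([pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = "$($_.State): $($_.PathName)" }) }

    # 3. Add/Remove Programs entries: 64-bit, 32-bit and per-user views.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern } |
        ForEach-Object { $hits.Add([pscustomobject]@{ Kind = 'Installed'; Name = $_.DisplayName; Detail = $_.UninstallString }) }

    # 4. Run keys, where a tool set to "start with Windows" registers itself.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider's own PSPath/PSParentPath/... bookkeeping properties.
            if ($p.Name -notlike 'PS*' -and ("$($p.Name) $($p.Value)" -match $pattern)) {
                $hits.Add([pscustomobject]@{ Kind = 'Autorun'; Name = $p.Name; Detail = $p.Value })
            }
        }
    }
    return $hits
}

$found = Find-RemoteControlTraces
if ($found.Count -eq 0) {
    'No traces of Ammyy, LogMeIn or TeamViewer in processes, services, installed programs or Run keys.'
} else {
    $found | Format-Table -AutoSize
}
```

A clean result from this script is reassuring but not proof: a renamed copy of a portable tool, or a different product altogether, would not match on vendor name. The point of the four separate checks is that a service or Run-key entry, unlike a running process, survives a reboot, which is exactly what a caller relies on to get back in later.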

  • Adeliade

    somehow they got all my details……. and now they use it for their own deals like scam.. id.. and many more!
    To me……. I just want to tell everyone that I'm well and alive.. but to others I'm dead.. cause they use everything!
    Hope everyone is reading this and be safe rather than sorry later…

  • carol wilson

    01143603323 is the number they called me from…is in New Delhi India..said that they worked for a company called Tek Gear official for Microsoft.
    Mentioned that I was being hacked and gave me a CLSID number… I was not prepared to do anything they said and eventually hung up, but just in case anyone else receives a call from this number….

  • JP Masta

    I just got a call from an Indian guy. He claimed he was from Windows technical support. He told me that in a few days my computer software would crash if I didn’t give him the information he needed. Well this sounded like a scam and so I tried to get more info out of him. Just like the article says, he was vague, claimed to know things about my system and wanted to walk me through some steps to fix this. Well I didn’t let him tell me what to do, so I asked for a supervisor and when the “supervisor” came it was the same guy! I was tired of listening to him talk so I said I’d call him back. This is the number he gave me: 44 1612980909, guy #1- “John”, guy #2- “Jack”.

  • Barfly

    Just got off the phone with one. Used the exact technique you described. They said they were with URVAN Support Online. My computer has been sending error reports to Microsoft and they have contacted me to fix it. I have a terrible virus. ALL my Microsoft programs are going to stop working. He went through the entire computer showing me errors and MS systems not working. BUT they said it would be no problem if I repurchase my MS License for a 5 year term for $299.00. Pls give me your card info and I will fix it. CLICK! I was gone.
    I got them to give me a phone number 231-930-2098 no answer.

Copyright © 2014 ESET, All Rights Reserved.