Support scammers, those knowledgeable and kind-hearted people who call you offering fake help for a fake problem on your computer (for a not-so-small fee), have to find ways to convince you that you have A Problem. They also have to convince you that it's possible for them to have any knowledge of what is happening on your computer, even though they have no remote access to it unless you're naive enough to help them install some kind of remote access tool. They usually get round this by telling you that they represent, or are working with, some entity that you might consider authoritative: Microsoft, an ISP, even a security company.
Even so, people are not necessarily gullible enough to believe that they have a problem just because a cold-caller – usually with a foreign accent – tells them that Microsoft (or whoever) says so. The scammers have to demonstrate the existence of the 'problem': to do this, they rely heavily on misusing and misrepresenting the output of Windows utilities that have little or no relation to security, and these still seem to fall into three main groups:
However, here's a slightly novel twist worth noting. I have a report (thank you, Sarah!) of a scammer who directed his intended victim to Windows Task Manager: he tried to convince her that it was a problem that CPU usage was running at 3%, and that it should be running at 80%. (The CPU, or central processing unit, is the chip that carries out the main computational work on your system: its brain, if you like.)
This is nonsense, of course: low CPU usage just means that the processor doesn't have much to do right now. In fact, a continuously high CPU usage percentage might actually indicate a problem, though I certainly wouldn't suggest that you let a cold-caller convince you that it's a virus (or a system about to crash, or World War III…). In general, though, it's perfectly normal for CPU usage to fluctuate dramatically according to which processes are active. For instance, you can see that I have quite a few processes running on the machine from which I've taken this screenshot, whereas the little netbook behind me, which is just monitoring a handful of email accounts, only shows 40 running processes, yet its CPU usage goes as low as 1-2% and as high as 15-20% when it starts polling email servers, as it does at regular intervals.
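To see that fluctuation for yourself rather than take a caller's word for it, here is a small PowerShell script (an added example, not part of the original post) that samples the same overall CPU counter Task Manager's figure is based on for a few seconds and summarises it; the parameter names and the 90% "sustained" threshold are my own assumptions, not anything Task Manager defines.

```powershell
# Added example: watch overall CPU utilisation for a short window and summarise it.
# A single low reading is normal; only a level that stays high for the whole
# window is worth a look, and even then it is usually an ordinary busy program.
param(
    [int]$Seconds = 15,          # how long to watch (assumed default)
    [int]$SustainedHighPct = 90  # assumed threshold for "busy the whole time"
)

# One sample per second of the total processor time counter.
$samples = (Get-Counter -Counter '\Processor(_Total)\% Processor Time' `
                        -SampleInterval 1 -MaxSamples $Seconds).CounterSamples |
           ForEach-Object { [math]::Round($_.CookedValue, 1) }

$stats = $samples | Measure-Object -Minimum -Maximum -Average
$procs = (Get-Process).Count   # roughly the count shown on the Processes tab

"Running processes : $procs"
"CPU samples (%)   : $($samples -join ', ')"
"Min / Avg / Max   : {0} / {1} / {2}" -f $stats.Minimum,
                                         [math]::Round($stats.Average, 1),
                                         $stats.Maximum

# Count how many samples sat at or above the threshold.
$high = @($samples | Where-Object { $_ -ge $SustainedHighPct }).Count
if ($high -eq $samples.Count) {
    "CPU stayed at or above $SustainedHighPct% for the whole window: " +
    "check which process is busy (Processes tab, sort by CPU)."
} else {
    "CPU usage moved between idle and busy: nothing here indicates a problem."
}
```

Run it on an idle desktop and you will typically see readings in the low single digits with occasional spikes, which is exactly what the post describes as normal.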
Since it seems likely that scammers will make more use of Task Manager, the easiest way of dealing with it is simply to assume that if someone calls you out of the blue to tell you that you have a malware problem and tries to prove it by getting you to run Task Manager, they're lying.
Still, it may be worth taking a little time to understand what Task Manager actually does. The more esoteric aspects of the technology are rather more than I can address in a short blog, and most people are not going to need to understand it in that much detail, but let me see if I can put it in non-geek terms. (Well, there's always a first time…)
Task Manager is normally called using the key sequences Ctrl-Alt-Del or Ctrl-Shift-Esc, but a scammer might ask you to go by a different route, probably the context menu on the Windows taskbar (at the bottom of your screen, by default) or starting taskmgr.exe from the Start menu or from the command line (DOS prompt). As you can see from the screenshot, there are four main tabs. (You might also see a Users tab if more than one user is logged on to the machine.)
While these sweethearts don't come up that often with a new technical twist to their scams, we have received quite a few reports (mostly as comments to our blogs on the topic) with some significant changes in the way that they're delivering their scripts. There'll be another blog about that shortly.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, ESET