Support Scammer Update: Misrepresenting Task Manager

Support scammers, those knowledgeable and kind-hearted people who call you offering fake help for a fake problem on your computer – for a not-so-small fee- have to find ways in which to convince you that you have A Problem. They also have to convince you that it's possible for them to have any knowledge of what is happening on your computer, even though they have no remote access to it unless you're naive enough to help them install some kind of remote access tool: however, they usually do that by telling you that they represent or are working with some entity that you might consider authoritative: Microsoft, an ISP, even a security company.

Even so, people are not necessarily gullible enough to believe that they have a problem just because a cold-caller – usually with a foreign accent – tells them that Microsoft (or whoever) told them so. The scammers have to demonstrate the existence of the 'problem': in order to do this, they rely heavily on the misuse and misrepresentation of the output of Windows utilities that have little or no relation to security, which still seem to fall into three main groups:

• Event Viewer (EVENTVWR) – they claim that transient events and errors noted in the Event Viewer log are indications of malware infection or serious system errors. (They try to panic you into paying for their services by telling you that your PC is about to crash and burn, sometimes literally!)
• Having realized that INF and PREFETCH do what they do (provide a directory listing which means very little to most people and has no particular security significance) – and will ignore spurious parameters such as "prefetch hidden virus" or "inf trojan malware" - they will tell you that the listing shows infected files.
• Misrepresentation of the CLSID (file class identifier, and NOTHING to do with licensing!) shown by the ASSOC utility. They try to kid you that this entry in the output of ASSOC – CLSID{888DCA60-FC0A-11CF-8F0F-00C04FD7D062 – is a unique licence number that proves they have information about your system. In fact, it's an identifier for a filetype, and can be found on many millions of Windows PCs.

However, here's a slightly novel twist worth noting. I have a report (thank you, Sarah!) of a scammer who directed his intended victim to Windows Task Manager: he tried to convince her that it was a problem that CPU usage was running at 3%, and it should be running at 80%. (The CPU or central processing unit is the chip that carries out the main computational work on your system: its brain, if you like.)

This is nonsense, of course: low CPU usage just means that the processor doesn't have much to do right now. In fact, a continuously high CPU usage percentage might actually indicate a problem, though I certainly wouldn't suggest that you let a cold-caller convince you that it's a virus (or a system about to crash, or World War III…) In general, though, it's perfectly normal for CPU usage to fluctuate dramatically according to what processes are active. For instance, you can see that I have quite a few processes running on the machine from which I've taken this screenshot, whereas the little netbook behind me which is just monitoring a handful of email accounts only shows 40 running processes, yet it's CPU usage is going as low as 1-2% and as high as 15-20% when it starts polling email servers, as it does at regular intervals..

Since it seems likely that scammers will make more use of Task Manager, the easiest way of dealing with it is simply to assume that if someone calls you out of the blue to tell you that you have a malware problem and tries to prove it by getting you to run Task Manager, they're lying.

Still, it may be worth taking a little time to understand what Task Manager actually does. The more esoteric aspects of the technology are rather more than I can address in a short blog, and most people are not going to need to understand it in that much detail, but let me see if I can put it on non-geek terms. (Well, there's always a first time…)

• At the moment, the only report I have of misuse of the Performance tab is of the CPU usage information as described above. I suppose it's possible that a scammer might try to misrepresent other tabular or graphical information on that page. In fact, that's dynamic information that might be useful once every third blue moon for a real technician checking over your system, but it's unlikely that anything in this tab might be helpful in diagnosing a malware problem. The thing to remember in this instance is that the scammer isn't trying to diagnose a real problem: he's trying to prove that he already knows about a 'problem' that he can't possibly have information about. Even if he has your name and address correct – and in many cases they don't – that doesn't mean he has any information about your system. Hang onto that thought rather than being drawn in by technobabble.
• It's perhaps more likely that they might misuse the Processes Tab to blame some innocent process for an imaginary problem, perhaps by pointing to the amount of CPU it's using or its memory footprint. Rule of thumb: unless you're very well-acquainted indeed with malware, you aren't likely to be identify malware by process names. And if you do know malware in that detail, you're probably much too busy in a malware-processing lab like ESET's to sit around making random and unsolicited support calls to people who might have virus problems.
• The applications tab is straightforward: normally, it will show each window you have open currently, though that isn't the same as showing every running program. Since it's a simplified view of the programs you probably know you have running, it's probably not going to be much help to the scammer, but why would you tell him what it shows anyway? He just rang you out of the blue: you don't owe him anything, not even the time it takes to listen to his pitch.
• The networking tab shows information relating to your network connection: in my experience, support scammers don't usually know enough to understand what's shown here, let alone make use of it, but it's probably not information you want to share with them.

Task Manager is normally called using the key-sequences Ctrl-Alt-Del or Ctrl-Shift-ESC, but a scammer might ask you to go by a different route, probably the context menu on the Windows taskbar (at the bottom of your screen, by default) or starting taskmgr.exe from the Start menu or from command-line (DOS prompt). As you can see from the screenshot, there are four main tabs. (You might also see a Users tab if more than one user is logged on to the machine.)

While these sweethearts don't come up that often with a new technical twist to their scams, we have received quite a few reports (mostly as comments to our blogs on the topic) with some significant changes in the way that they're delivering their scripts. There'll be another blog about that shortly.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow