The Tech Support Scammer's Revenge

Fraud

I received a sad report on the subject of PC support scams.

Yes, those same old scams where the perpetrator tells you that you have malware infections or system problems and tries to scare you into letting him or her connect to your PC so that they can install some software and fix it. For a price, of course, though that may not be immediately clear.

One of our readers described how he took a call from one of these guys on behalf of an elderly relative: having worked in tech support himself, he went out of his way to make the scammer’s life easier by giving him access to the relative’s system so that it could be fixed.

However, when he was told he needed to pay $310 in order to register his CLID file (from the context, I assume this is a variation on the CLSID ploy described here), he told the scammer he wanted to do a little more research on the problem first. And this is where it turned really nasty. The scammer told him that if his victim did not register the file, the computer would be shut down so that it couldn’t be used any more, as he claimed that the PC was only running a trial version of Windows. That’s a ploy I haven’t come across before, and I can’t say I’ve ever heard of a trial version of Windows, apart from beta versions.

At first, our correspondent thought the scammer was just removing the files he’d installed during the remote session, but then realized that he was removing everything in the Windows/System32 folder. Although he shut down the remote connection window and rebooted the machine, enough damage had been done to prevent the system from starting up. (Hopefully, he was able to restore the system from CD without losing data.)

Scamming a Scammer

However, a somewhat related story had a much more entertaining finish. Chris Hamer, who has been quoted by US TV on the topic here and here, spent about 45 minutes stringing along a scammer who called him out of the blue. Fortunately, he already had a virtual machine set up for research purposes, so he was able to allow the scammer access in order to ‘diagnose and fix’ it. (Don’t try this at home unless you know exactly what you’re doing, which means you don’t want to give the scammer access to a machine you can’t fully or easily restore!)

Incidentally, Virus Bulletin’s Martijn Grooten did much the same thing with another tech support scammer, and he’ll be referring to that sting as part of our joint presentation (with Steve Burn and Craig Johnston) for the Virus Bulletin conference in Dallas in September.

But back to Chris Hamer’s story… He did a fine job of playing the dumb victim and gathered a great deal of information about the way this particular scammer operated. When, at the end, he told the scammer that he had no money to pay for the service and would probably ask his son to clean up his system, the scammer tried hard to persuade him that his credit card would not be charged immediately (this claim is characteristic of many phone scams, by the way), and then proceeded to make further changes to Chris’s system. When asked what he was doing, he claimed that he was installing free protection. However, he then told Chris that his PC was going to crash in 5-4-3-2-1 seconds. And it did. The scammer had gone to some lengths to make the system unusable. Fortunately, Chris is no dumb victim, and knew what was going on. He told me:

He disabled all services, added a shortcut to startup that executed a little program he pushed from the remote admin app to kill services.exe, and then used msconfig to disable everything else. He also tried to add a startup shortcut that was a Weblink, but I hit escape when I saw him creating the shortcut and ended it.

Imagine the scammer’s surprise, then, when Chris told him the system was rebooting normally and thanked him for his help. In fact, Mr. Helpful insisted that it could not be rebooting. But eventually he wished Chris luck with the system and rang off, no doubt to take a couple of aspirin and try to work out what the heck had gone wrong (from his point of view…).

In fact, the system hadn’t rebooted altogether normally, as you’d expect, given the nature of the damage: Chris had restored it from a virtual snapshot.

Lessons Learned

Good to see a scammer getting egg on his face, but what do we learn from these stories?

If someone rings you up to tell you that your computer is infected with viruses, the chances are overwhelmingly in favour of his being a scammer. Well, if you read this blog regularly, that won’t come as a surprise to you. But apart from not taking any such claims too seriously in the first place, you really want to be ultra-suspicious of anyone who wants remote access to your system. In Chris’s case the scammer used ammyy.com, but other remote access services such as LogMeIn are also used or misused.

Getting remote access to your PC is an essential part of the scam: not only does it help the scammer ‘confirm’ his ‘diagnosis’ of the problems with the computer, but it also gives him a way to ‘prove’ that he’s providing the so-called service that he is charging you for. But it has an even more sinister aspect: once he has that access, he can do pretty much what he likes within the limits of your own access privileges.

Trashing files and installing programs like the one Chris mentioned – though it wasn’t technically a virus, contrary to the TV station report – is just one possibility. Many of the scammers I’ve talked to have demonstrated little technical knowledge: after all, they’re mostly working from a script. However, they use social engineering ploys that do sometimes suggest a certain amount of technical knowledge. In the case of the scammer Chris talked to, the scammer had not only enough knowledge to run the remote diagnosis/installation session, but both the knowledge and the intent to trash a victim’s system, possibly permanently. While I have yet to see verified reports of the installation of out-and-out malware such as fake AV, it wouldn’t require astonishing technical sophistication to install something that would ensure that the tech support scammers would get another chance to dip their snouts into the trough.
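The persistence tricks Chris described (a shortcut dropped into the Startup folder, a web link shortcut, and services switched off) are exactly what you would want to check for on a machine after an unwanted remote session. The following audit script is an added example for this post, not code from Chris Hamer or ESET; it assumes a Windows machine with Windows PowerShell 3 or later and that you run it from an elevated prompt. It lists every file in the per-user and all-users Startup folders with the target each shortcut or web link points at, and every Windows service currently set to Disabled, so a technician can compare the results with what the machine looked like before the call.

```powershell
# Added example: audit the persistence points a remote "support" session may have touched.
# Assumptions: Windows PowerShell 3+, run from an elevated prompt. Nothing here changes the system.

# Both Startup folders: the current user's and the all-users one.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# WScript.Shell can read the target of a .lnk shortcut.
$shell = New-Object -ComObject WScript.Shell

function Get-StartupEntries {
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $item   = $_
            $target = $null
            if ($item.Extension -ieq '.lnk') {
                # Ordinary shortcut: record the program it launches and its arguments.
                $lnk    = $shell.CreateShortcut($item.FullName)
                $target = ("{0} {1}" -f $lnk.TargetPath, $lnk.Arguments).Trim()
            } elseif ($item.Extension -ieq '.url') {
                # Internet shortcut (a "Weblink" in the Startup folder): read the URL= line.
                $target = (Get-Content -Path $item.FullName |
                           Where-Object { $_ -like 'URL=*' }) -replace '^URL=', ''
            }
            [PSCustomObject]@{
                Path    = $item.FullName
                Created = $item.CreationTime
                Target  = $target
            }
        }
    }
}

function Get-DisabledServices {
    # Win32_Service exposes StartMode on every supported Windows version.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Disabled' } |
        Select-Object Name, DisplayName, State, StartMode |
        Sort-Object Name
}

"== Startup folder entries (anything created around the time of the call deserves a look) =="
Get-StartupEntries | Format-Table -AutoSize

"== Services currently set to Disabled =="
Get-DisabledServices | Format-Table -AutoSize
```

On a clean machine the Startup folders are usually empty or contain only entries you recognise, and the Disabled list is short; a freshly created shortcut whose target is an unfamiliar executable, or dozens of core services flipped to Disabled, is the kind of evidence that justifies restoring the system from a known-good image or snapshot rather than trying to undo the changes one by one.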

There’s no gainsaying the malice displayed in these cases, though from the scammer’s point of view, I guess he considers himself entitled to be angry at having his time wasted. For myself, I have absolutely no problem in principle with seeing a scammer’s time wasted, and it appears that there are plenty of people actually prepared to do it. However, if you feel like a little scammer baiting yourself, you need to know exactly what you’re doing to ensure that you don’t expose yourself to malicious action.

And if you don’t want to waste your own time wasting a scammer’s time, I can’t think of any good reason to give remote access to your PC to someone who rings out of the blue and spins you a yarn about viruses.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

  • Craig

    I have a lot of customers who report this to me, but I haven't been on the end of a call myself, as I want to do something similar. One poor customer was not only taken to the tune of $529 but was also mocked for not having many friends on Facebook, so the guy added himself when he had remote control. I've since added him on Facebook but he hasn't accepted yet… I wonder why.

  • Bob

    Surely (in the UK at least) such actions by the scammers in deliberately deleting files would be offences under the Computer Misuse Act, and the police should be informed.

    • David Harley

      Yes, unauthorized modification is an offence under the CMA (and in this case other offences might apply). Other jurisdictions have similar legislation. However, the companies carrying out the scam seem to be almost invariably operating out of India. While there is cooperation across international borders for this type of offence, it rarely leads to prosecution.

  • Andre Lenn

    Hi. I have been called 4 times these past 2 days. First 2 were the "Event Viewer". Next was the "Virus" on my system. And today was the CLSID. On the first call, I asked for his name (Sam) and a return phone number. I set my cell phone on speaker and called the number. When he heard the phone message saying the number was no good, he hung up. The next time "Sam" called, I read back the number he gave me the previous time and he hung up again. The third call (virus), I told him that he was lying and he hung up. On the most recent call (CLSID), I read your web site to him and he started cursing me out, telling me I should go F*** myself. I talked over him, while he continued cursing at me. I told him that I was recording this call and was going to send his voice to the FBI and they will find and arrest him because he and his company were committing a felony and that he is going to jail. He continued to curse at me. I finally hung up on him. Isn't there anything the FBI and other law enforcement can do to stop this kind of threat? Thanks for creating a great web site.

    • David Harley

      Andre, there are several reasons why the FBI isn’t able to do a lot about this. It isn’t a US domestic issue and requires cooperation across international borders, the sums involved in individual cases are comparatively small, and the sort of verbal abuse and threats many people have experienced probably wouldn’t stand up in court even if the individuals concerned could be identified, being reliant on witness reports rather than hard forensic data. Best hope is probably that eventually cooperation with the Indian authorities will lead to direct action against the companies concerned, but I wouldn’t start holding your breath just yet.

Copyright © 2014 ESET, All Rights Reserved.