Sign up to our newsletter
The latest security news direct to your inbox
I received a sad report on the subject of PC support scams.
Yes, those same old scams where the perpetrator tells you that you have malware infections or system problems and tries to scare you into letting him or her connect to your PC so that he can install some software and fix it. For a price, of course, though that may not be immediately clear.
One of our readers described how he took a call from one of these guys on behalf of an elderly relative: having worked in tech support himself, he went out of his way to make the scammer’s life easier by giving him access to the relative’s system so that it could be fixed.
However, when he was told he needed to pay $310 in order to register his CLID file (from the context, I assume this is a variation on the CLSID ploy described here) he told the scammer he wanted to do a little more research on the problem first. And this is where it turned really nasty. The scammer told him that if his victim did not register the file, the computer would be shut down so that it couldn’t be used any more, as he claimed that the PC was only running a trial version of Windows That’s a ploy I haven’t come across before, and I can’t say I’ve ever heard of a trial version of Windows, apart from beta versions.
At first, our correspondent thought the scammer was just removing the files he’d installed during the remote session, but then realized that he was removing everything in the Windows/System32 folder. Although he shut down the remote connection window and rebooted the machine, enough damage had been done to prevent the system from starting up. (Hopefully, he was able to restore the system from CD without losing data.)
However, a somewhat related story had a much more entertaining finish. Chris Hamer, who has been quoted by US TV on the topic here and here, spent about 45 minutes stringing along a scammer who called him out of the blue. Fortunately, he already had a virtual machine set up for research purposes, so he was able to allow the scammer access in order to diagnose and fix’ it. (Don’t try this at home unless you know exactly what you’re doing, which means you don’t want to give the scammer access to a machine you can’t fully or easily restore!)
Incidentally, Virus Bulletin’s Martijn Grooten did much the same thing with another tech support scammer, and he’ll be referring to that sting as part of our joint presentation (with Steve Burn and Craig Johnston) for the Virus Bulletin conference in Dallas in September.
But back to Chris Hamer’s story… He did a fine job of playing the dumb victim and gathered a great deal of information about the way this particular scammer operated. When, at the end, he told the scammer that he had no money to pay for the service and would probably ask his son to clean up his system, the scammer tried hard to persuade him that his credit card would not be charged immediately (this claim is characteristic of many phone scams, by the way), and then proceeded to make further changes to Chris’s system. When asked what he was doing, he claimed that he was installing free protection. However, he then told Chris that his PC was going to crash in 5-4-3-2-1 seconds. And it did. The scammer had gone to some lengths to make the system unusable. Fortunately, Chris is no dumb victim, and knew what was going on. He told me:
He disabled all services, added a shortcut to startup that executed a little program he pushed from the remote admin app to kill services.exe, and then used msconfig to disable everything else. He also tried to add a startup shortcut that was a Weblink, but I hit escape when I saw him creating the shortcut and ended it.
Imagine the scammer’s surprise, then, when Chris told him the system was rebooting normally and thanked him for his help. In fact, Mr. Helpful insisted that it could not be rebooting. But eventually he wished Chris luck with the system and rang off, no doubt to take a couple of aspirin and try to work out what the heck had gone wrong (from his point of view…).
In fact, the system hadn’t rebooted altogether normally, as you’d expect, given the nature of the damage: Chris had restored it from a virtual snapshot.
Good to see a scammer getting egg on his face, but what do we learn from these stories?
If someone rings you up to tell you that your computer is infected with viruses, the chances are overwhelmingly in favour of his being a scammer. Well, if you read this blog regularly, that won’t come as a surprise to you. But apart from not taking any such claims too seriously in the first place, you really want to be ultra-suspicious of anyone who wants remote access to your system. In Chris’s case, using ammyy.com, but other remote access services such as LogMeIn are also used or misused.
Getting remote access to your PC is an essential part of the scam: not only does it help the scammer confirm’ his diagnosis’ of the problems with the computer, but it also gives him a way to prove’ that he’s providing the so-called service that he is charging you for. But it has an even more sinister aspect: once he has that access, he can do pretty much what he likes within the limits of your own access privileges.
Trashing files and installing programs like the one Chris mentioned – though it wasn’t technically a virus, contrary to the TV station report – is just one possibility. Many of the scammers I’ve talked to have demonstrated little technical knowledge: after all, they’re mostly working from a script. However, they use social engineering ploys that do sometimes suggest a certain amount of technical knowledge. In the case of the scammer Chris talked to, the scammer has not only enough knowledge to run the remote diagnosis/installation session, but both the knowledge and intent to trash a victim’s system, possibly permanently. While I have yet to see verified reports of the installation of out-and-out malware such as fake AV, it wouldn’t require astonishing technical sophistication to install something that would ensure that the tech support scammers would get another chance to dip their snouts into the trough.
There’s no gainsaying the malice displayed in these cases, though from the scammer’s point of view, I guess he considers himself entitled to be angry at having his time wasted. For myself, I have absolutely no problem in principle with seeing a scammer’s time wasted, and it appears that there are plenty of people actually prepared to do it. However, if you feel like a little scammer baiting yourself, you need to know exactly what you’re doing to ensure that you don’t expose yourself to malicious action.
And if you don’t want to waste your own time wasting a scammer’s time, I can’t think of any good reason to give remote access to your PC to someone who rings out of the blue and spins you a yarn about viruses.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, ESET