Here's a slightly different approach to PC 'support' scamming, flagged by an anonymous reader of one of my blogs on the CLSID gambit the scammers often make use of to con you into thinking they really know something about your PC, and can therefore (for a fee) help you with a system problem that they claim you have – some sort of malware problem, mostly.
On this occasion, the scammer claimed to be from Microsoft (yeah, right…) and told the intended victim that his IP address was linked with a DOS attack – I presume we're talking about Denial of Service here, not the revenge of the C> prompt! – on one of their servers, involving the sending of hundreds of error messages every time he started his system. The rest of the conversation went along predictable lines, with the scammer claiming (falsely) that the CLSID entry previously described is a unique identifier that proves that the scammer is telling the truth, and asking for remote access (using AMMYY on this occasion) so that he could 'fix' the system. Though I particularly liked the bit where the scammer claimed that Symantec/Norton AV is useless at catching viruses and only Microsoft is up to the job. ;-)
Well we know this sometimes seems like a surveillance society with police Trojans lurking on every hard drive, Microsoft operating systems and applications reporting on everything you do, five of the major Western governments listening in to your conversations via the ECHELON signals intelligence collection/analysis network, and elderly security bloggers lining up to capture photographic evidence. :-D
Anyone can ring up out of the blue claiming to represent Microsoft.
Anyone can look up your name and address in a telephone directory. Even if you're ex-directory, that doesn't stop your details having been added to a list. In Europe, there is data protection legislation that restricts the use a company can legitimately make of those details, but that certainly doesn't mean that contact lists are never sold on and recirculated. That's a whole different thing to having enough information to match your IP address and your telephone number. Your internet provider may be able to provide that information under exceptional circumstances, but they don't make it available to all and sundry. (Or even Microsoft.)
What a support scammer almost certainly won't be able to do is give you information that isn't easily and publicly available about you or your system, which version (if any) of Windows you use – though he'll probably assume it's XP, in my experience – which ISP you use and so on. However, if you're unlucky enough to come across a first-contact coldcaller who actually knows something about technology and social engineering, he'll probably try to trick you into giving him enough information to enable him to sound convincing, or put you through to 'second-line support' person who knows enough to break away off-script. The trick is to let him tell you what he 'knows' about you without giving him any of the cues that a wannabe mentalist may use to convince you that he really knows something about you that he couldn't get from the phonebook.
Our sceptical informant also seems to have got plenty of amusement from yanking the scammer's chain and wasting his time. I don't necessarily advise readers to follow his example unless you know exactly what you're doing, though (in which case you won't need my permission or encouragement). And of course, I can't guarantee that you won't receive a scam call that uses another approach I haven't come across before. However, one of my previous articles on the topic should give you a useful grasp of ways in which support scammers commonly give themselves away: How to recognize a PC support scam.
Remember: even if your machine is infected with real spyware or something similarly unpleasant, the people most likely to know much about who and where you are are the people behind the malware. And they're not likely to ring you up: they have more direct ways of profiting from your misfortune.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow