Support Scammers using INF and PREFETCH

Support Scammers (mis)using INF and PREFETCH

As well as misusing Event Viewer, ASSOC or a system CLSID, scammers hijack "prefetch" and "inf" to con victims into believing they have malware.

As well as misusing Event Viewer, ASSOC or a system CLSID, scammers hijack “prefetch” and “inf” to con victims into believing they have malware.

Here's a quick summary of the PREFETCH and INF ploys I mentioned in a separate blog here. These are alternatives (or supplements) used by support scammers from India to the Event Viewer and ASSOC/CLSID ploys also used to "prove" to a victim that their system is infected with malware or has other security/integrity problems.

The "Prefetch" command shows the contents of C:WindowsPrefetch, containing files used in loading programs.

 The "INF" command actually shows the contents of a folder normally named C:WindowsInf: it contains files used in installing the system.

INF and PREFETCH are legitimate system utilities: so how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then asking them to type in something "prefetch hidden virus" or "inf trojan malware". When a folder listing like those above appears, the victim believes that the system is listing malicious files. In fact, neither of these commands accepts parameters in the Run box. You could type "inf elvish fantasy" or "prefetch me a gin and tonic" and you'd get exactly the same directory listing, showing legitimate files.

Neat trick: but don't you fall for it!

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Discussion