Biz & IT —

“You took so much time to joke me”—two hours trolling a Windows support scammer

"Albert Morris" and team get taken for a ride while we tried to track their tradecraft.

“You took so much time to joke me”—two hours trolling a Windows support scammer

Technical support scams are the bottom of the barrel for cyber-crime. Using well-worn social engineering techniques that generally only work on the least sophisticated computer users, these bootleg call-center operations use a collection of commercially available tools to either convince their victims to pay exorbitant fees for "security software" or extort them to gain control of their computer. And yet, these schemes continue to rake in cash for scammers.

We've dealt with these scammers before at Ars, but this week I got an opportunity to personally engage with a scam operation—so naturally, I attempted to inflict as much damage on it as possible.

On Monday afternoon, I got a phone call that someone now probably wishes they never made. Caller ID said the call was coming from "MDU Resources," but the caller said he was calling from "the technical support center." He informed me there were "junk files" on my computer slowing it down and that he was going to connect me with a technician to help fix the problem.

A compressed edit of my two-hour troll, cut to a mere 27 minutes.

I was thrilled, displaying what my wife Paula felt was an inordinate amount of glee about getting the call. Over the next two hours, I subjected the scammers to such misery that Paula later told me she felt bad for them. "They probably had a quota to meet," she said sarcastically. "You probably kept them from getting four or five other people."

Actually, with any luck, I did more than that—I passed on the data I collected to the operators of the infrastructure used by the scam. That should at least put a speed bump in this particular nefarious operation. But taking down a scam like this is akin to a game of whack-a-mole; the infrastructure they use is too easily replicated. It's simple for support scammers to mount call center campaigns from cheap (or even stolen) VoIP services. Many of the tools they use offer free trials that can be repeatedly abused. And there's so much money in fooling naïve computer users that scammers are motivated to do this again and again. The FBI's Internet Crime Complaint Center (IC3) reported last June that just in the first four months of 2016, the bureau "received 3,668 complaints [of technical support scams] with adjusted losses of $2,268,982."

Law enforcement agencies have worked with the government of India to shut down a number of these tech support scams run out of what had passed for legitimate call centers. But as the crackdown continues, the scammers are going even more black-hat and down-market—abusing free trials of remote support software and exploiting peer-to-peer virtual private networks and Voice over IP phone services to further obscure their location and identity. The scripts for these scams remains the same shopworn material in use for years, preying on less technically aware targets who can be herded toward giving remote control of their computers away to a stranger.

The best weapon against these scams is education. So, as a public service, the following is a condensed version of my nearly two-hour-long recording of a scammer baiting plus a dissection of their tools, techniques, and tactics. Certainly, the technically inclined can feel free to thoroughly enjoy this recounting. But, cautionary tales like this are also good to share with those who may be potential victims of such a scam. You may also want to clue in whoever runs your organization's phone network about how such scammers turn poorly secured phone systems into virtual call centers.

"Windows-R"

The script that my scammers were using was well worn, to say the least. The initial call was simply to identify me as a potential victim; I was told that all the "technicians" were busy with other "customers" and that one would call me back shortly. So, luckily, I had a few minutes to install a Windows XP virtual machine and get a recorder set up before the scam began in earnest.

When the second call came, the "technician" repeated the same pitch as the first. I turned on my recorder.

"As I told you earlier, sir, the last couple of weeks, whenever you browse e-mails, like browse Internet, or do your online stuff like checking e-mails, browsing Internet, online shopping... from that very moment your computer has been automatically generating certain unsecured junk files without your proper knowledge. And as a reason, the functionality of your computer may have been decreasing day by day. I believe you understand me, right?"

"I think I understand what you're saying," I replied.

"Exactly right, sir. And that's why we at the maintenance department have been giving you this call today so you know some steps so that you by yourself can check where those unwanted files are inside your computer, and how you can know how to get rid of those files yourself from your side."

He asked if my computer was on. I told him that after getting the earlier call, I had turned it off. He told me to go ahead and turn it back on. "Take your sweet time," he said. I'm not sure my scammer realized that I absolutely intended to do just that.

What immediately followed was a painfully scripted scheme to convince me of the presence of these "unsecured junk files" and provide evidence that yes, indeed, I had a support license for this maintenance department to provide help hidden within my very own (virtual) Windows XP machine. Some people have called this the "Windows-R" scam, since the whole routine begins with the caller instructing the potential victim to hold down the Windows key while pressing the "R" key—launching Windows' "Run" box. From the Run box, the target is instructed to type in commands that will reveal just how horribly overrun with junk files their computer is.

However, I didn't want to make it too easy.

"You just need to hold the Windows key," he explained. "Hold it down and, with another finger, press the R key, R as in Romeo. Now what do you see on your computer?"

"It just reset," I said.

"Apart from that what else do you see?"

"It's rebooting."

"It's rebooting, OK…"

"It must have been doing an update or something, I don't know."

Finally... I got the Run box up. He told me to make sure the text box was empty, and then told me what to type into it, slowly spelling out EVENTVWR. "Type in there, E as in Echo, V as in Victoria, E as in echo once again... And now hit the enter button from your keyboard."

I complied.

"This is the page we were talking about. It is the Event Viewer page. It is also known as Microsoft Management Console page. All right. It is highly designed by Microsoft to check the computer's exact health state."

I choked back a laugh.

Next, the scammer asked if I had ever seen this page before. I said I hadn't, so he then tried to give me what amounted to a magical realistic interpretation of the contents of Event Viewer—or he would have, if there were any events to view aside from a parallel port warning under system events (since my virtual machine obviously didn't have a printer port). Also, I was not helpful.

"Double click on application and what do you see? What options?"

"Security is under application, and there's nothing there."

"Double click on security then."

"I did, and there's nothing there."

He soon gave up and moved to the next part of his pitch, having me launch the Run box again and phonetically spelling out "INF JUNK FILES." Windows ignores everything after INF, and the OS just opens the File Explorer to \WINDOWS\inf—a directory containing configuration files for drivers.

My technician then told me everything on display qualified as the junk files he was telling me about, the stuff that had been "created without your proper knowledge."

"These will multiply day by day," he continued, "filling your hard drive until it turns your computer off. The hard drive is the brain of your computer, and once it fills up your computer will work no more."

To dispel any suspicions I might have that this mysterious tech support "maintenance department" was not actually legitimate, the scammer technician then read from his script that I should type in something in a Command shell "so you can tell who we are."

"Do you see a cursor blinking? Type in there A as in apple, S as in sugar, S as in sugar—there should be two Ses—then type in O as in Oscar, C as in Charlie. Now hit the enter button from your keyboard, OK?"

This is a classic scammer move—literally. The "assoc" command scam has been around for ages. The command itself lists the application and class associations of system files, and the one that the scammers always focus in on is the association for .ZFS files—a long class identifier (CLSID) string.

But the scammer presented CLSID as standing for Consumer License Support ID, and he read off the string (very, very slowly): 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. You'll be shocked to know that if you have a Windows PC and run this command, you'll find you have the exact same CLSID.

After reading off this number, the scammer triumphantly said, "We already have your CLSID, and I believe you now know what we are exactly."

"Uh… excuse me?"

"Like, I'm just asking you if you understand from where is this call coming from, like, who's calling."

"No, I don't understand where this call is coming from. Who is this call coming from?"

"Yeah, as I told you before, this is the tech helpline. We are the one who maintains the software part of the computers based on Microsoft Windows, like XP, Vista, 7, 8, 8.1, and also Windows 10. So, sir, right now what you need to do right now is you need to close those unsecured stuff for yourself."

We were already 30 minutes into this call, and my new friend was clearly eager to push me into the delivery phase of the scam. Unfortunately for him, I was ready for more shenanigans.

Channel Ars Technica