Sat 05 Oct 2013 @ 10:47 PM


Messing with Scammers

You may have heard about the supposed "Microsoft Security" or "Microsoft Support" unsolicited scam phone calls that have become all the rage recently. I've received at least five of these calls over the last year that actually connected to a person on the other end. Even more that were disconnected before I could talk to anyone.

Note: Every call I've received seems to originate in India, as that is the accent I identify. Given that I've been working with a consulting / contract programming team from India for the last two years, I'm pretty familiar with the accent from our weekly Skype update sessions. Also from years of listening to Apu on "The Simpsons".

The first two or so calls I interrupted quickly, told them they were frauds and they should be ashamed of themselves or some such, and either hung up on them or was fortunate enough to hear "eff you" before they hung up on me.

Then came July 2013. I was sitting in front of my computer when the phone rang, presenting me with crappy caller ID information and what was surely a fake telephone number. I answered it anyway and was told that it was Microsoft calling me because they had recently detected problems with my computer. I decided to have some fun with it. I pretended to be computer ignorant and went along with the scam up to the point they wanted me to use a remote computer control service to gain direct access to my computer, at which point I let the guy know I had wasted 19 minutes of his time and did so to keep him away from other, less technically savvy Windows users. He actually didn't get very upset, all things considered. I shared the story with my friends on social media and said I was going to set up a virtual machine (aka VM) running a pristine copy of Windows so that the next time one of them called me I would be able to play along even longer. Naturally I never got around to creating the VM.

Note to those unfamiliar with VMs: You can use software like VMware or VirtualBox (among others) to create what is effectively a "fake" computer inside your real computer. This is useful for tasks ranging from isolating server processes from each other, to software development and testing, to running older software that doesn't work with a modern operating system, to trying out a new operating system without making any changes to your real computer. Whatever happens inside the VM stays inside the VM, which is exactly what you want when you are about to hand a stranger the keyboard.

This last week I received three calls from such numbers. Two never connected to anyone, and I thought maybe they recognized my number and disconnected before talking to me. On Friday I struck paydirt! I was just about to leave for work at 9:30 when I received another call from "Microsoft". Since I didn't have a VM ready, I ran the same game I played in July but acted even more computer ignorant than I had previously. In the process, I talked to three different people and managed to waste about 31 minutes of their time. They didn't take it as well as the previous caller did. I reiterated to my friends on social media that I wished I'd had a VM ready. So after work I pulled a VM out of cold storage and got it mostly set up for the next time they called. Then came 7:12 this evening.

I have no idea how many sweatshops are trying to run this scam, but there must be a lot, or they are lousy at keeping track of the unsuccessful numbers they've hit in the past. Yes, I received another call from "Microsoft". The VM wasn't quite set up the way I wanted, but it was close enough. I started playing along with the scam while making a few last tweaks to my VM (changing my default password and uninstalling the VMware tools so that it wouldn't be too obvious that it was a fake computer they were working on).

Here is the basic flow of the scam:

  1. You answer the phone and they identify themselves as being with Microsoft.
  2. They ask if you are the main computer user and for you to go to the computer so they can check some things out, letting you know that if there are only minor problems the service will be free, but if there are major problems there will be a modest one-time charge for the service of fixing your computer.
  3. They walk you through opening the Windows Event Viewer and have you look at different logs. For example, they'll tell you to look at the Application log and ask if you see any warning or error messages (you will; every Windows machine has some, and it is perfectly normal). Your confirmation is usually followed by some exclamation of fear or concern on their part because the "software part" of your computer has a lot of damage (it really doesn't). Then they'll have you look at the System log and react the same way, because that is the (not really) damaged "hardware part" of your computer.
  4. At this point they tell you all those errors and warnings represent files and folders that have been installed by hackers who are taking over your computer and stopping essential Windows services. You're transferred to a higher-level technician who will walk you through viewing the list of services and "prove" it by showing you that over half the Windows services are in a stopped state (which is also perfectly normal: most services are set to start manually, on demand, and sit stopped until something needs them).
  5. At this point they have you open a webpage to a remote computer control service. The exact one doesn't matter, and it's not the service's fault that bad people are using it for bad things. Regardless, they want access to your computer, at which point they can do anything they want. At this point they might transfer you to yet another technician.
  6. Now that they have access to your computer, they covertly upload a script file that pops up windows with various scary-looking faked warnings and error messages, further "proving" that they need to fix your computer.
  7. You might be shown more things that are "wrong" with your computer and are then presented with the various support options. Tonight there was short-term support for $264, mid-term support for $360, long-term support for $415, and lifetime support for $523. Lifetime also included fixing up three different computers in your house, because of course if one is damaged, they all will be.
  8. Next they have you leave your computer for 15 to 20 minutes so they can remotely fix it, cleaning up the bad stuff and installing software that will ensure you never have these problems ever again! They say they'll call you back after they've finished and hang up while they "work".
  9. Multiple software packages are downloaded and installed on your computer. I couldn't keep track of everything they did, but I didn't notice anything truly harmful being installed. That being said, I might have missed it, and you should assume they have installed something dangerous to your computer's health. The programs I did notice being installed were ATF-Cleaner, CCleaner, WinUtilities, and Firefox.
  10. Additionally, they disable the Windows Event Log service so that it can never log those "evil" (but perfectly legitimate) warning and error messages ever again.
  11. Now that they've installed whatever they want to install, cleaned up their tracks and disabled things that aren't really problems, they call back and show you all their handiwork to prove they deserve payment.
  12. A webpage is opened for payment processing. The two "real" pieces of information I gave it were a relatively little-used email address and my first name. Everything else was faked: middle name (a good friend's middle name), last name (Smith), address (my childhood home in Dallas), phone number (also from my childhood home), Visa card number (acquired from a list of test numbers published by PayPal) and the CVV # (666, which seemed oddly appropriate).
  13. They don't want you to click submit on the form though. They're taking the information from the screen and processing it manually. I don't know if that means the website is another innocent victim (as was the use of the remote control service) or just that they didn't have the skills to put up an actual payment processing web page. They couldn't understand why the credit card wasn't being processed.
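
The three pieces of "evidence" in steps 3, 4 and 10 are easy to put in context with a few lines of Windows PowerShell. The script below is an added example for this page, not something from the original post or from the scammers; it counts the error and warning events they point at, shows why stopped services are expected, and checks whether the Event Log service has been disabled. The event IDs it relies on (7040 for a service start-type change, 6005/6006 for the log service starting and stopping) are standard Windows values; the seven-day window is an arbitrary choice.

```powershell
# Added example (not from the original post). Run in an elevated Windows
# PowerShell prompt on the machine in question. It reproduces the scammer's
# three pieces of "evidence" with the context they leave out, then checks
# whether the Event Log service has been disabled (step 10 above).

$since = (Get-Date).AddDays(-7)   # arbitrary window; any healthy machine has hits

# 1. Error (level 2) and warning (level 3) events in Application and System
#    are routine on a healthy machine; count them instead of scrolling them.
foreach ($log in 'Application', 'System') {
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue)
    '{0}: {1} error/warning events in the last 7 days' -f $log, $events.Count
}

# 2. "Over half the services are stopped" is normal: most are Manual (on demand)
#    or Disabled by design, so they sit stopped until something needs them.
$services = @(Get-CimInstance Win32_Service)
$stopped  = @($services | Where-Object State -eq 'Stopped')
$expected = @($stopped  | Where-Object StartMode -ne 'Auto')
'{0} of {1} services stopped; {2} of those are Manual/Disabled, i.e. expected' -f $stopped.Count, $services.Count, $expected.Count
# Stopped Auto-start services are the only ones worth a second look, and even
# some of those (delayed- or trigger-start services) legitimately stop when idle.
$stopped | Where-Object StartMode -eq 'Auto' | Select-Object Name, DisplayName | Format-Table -AutoSize

# 3. The Event Log service (service name "EventLog") should be Running with StartMode Auto.
$eventLog = Get-CimInstance Win32_Service -Filter "Name='EventLog'"
if ($eventLog.State -ne 'Running' -or $eventLog.StartMode -ne 'Auto') {
    Write-Warning ('EventLog service is {0}/{1}: logging has been turned off' -f $eventLog.State, $eventLog.StartMode)
}

# 4. Tampering leaves its own trail: the Service Control Manager records start-type
#    changes as event 7040, and the log service records its own stop/start as 6006/6005.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7040, 6005, 6006 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne 7040 -or $_.Message -match 'Windows Event Log' } |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-Table -AutoSize -Wrap
```

If step 3 fires, the 7040 record in step 4 is usually still there, because changing a service's start type is logged before the service itself is stopped; the 6006 "stopped" record is the last thing the log writes before going quiet, and a gap after it with no matching 6005 is the tell.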

At this point I'd consumed 97 minutes of their time. I let the technician know what I'd done and that I was smarter than him, at which point he tried to argue with me, then ran a system restore, told me I'd never be able to use my computer ever again and hung up on me. So I stopped the VM and deleted it from my computer, and restored the original pristine VM from cold storage! I'm ready for them to hit me again!

When discussing this yesterday I mentioned people trying to "hack" into my computer. While it is true this is not a typical technology based hack, it is a social engineering hack. It only works because many people are generally kind and trusting.

I thought at one point that the jig was up. Even though I'd uninstalled the VMware tools (programs that allow the real computer and the VM to communicate for a better experience) so that they couldn't be seen from the desktop, I didn't take into account that the event logs would reference them. When they gained access to my VM and pulled up the event viewer again, there were multiple lines showing that VMware tools had been on the computer at some point. Fortunately, they didn't notice it or (more likely in my opinion) even know what it meant. WHEW!
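
Event log entries are only one of the places a VM gives itself away. The script below is an added example for this page, not the author's own tooling; run it inside the bait VM before handing it over. The marker strings and registry paths are the ones VMware Tools and VirtualBox Guest Additions leave behind, and the MAC prefixes are the registered OUIs for VMware (00:0C:29, 00:50:56) and VirtualBox (08:00:27); the 5000-event window is an arbitrary choice.

```powershell
# Added example (not from the original post). Run inside the bait VM before
# handing it over. It looks for the trace the author found by accident
# (uninstalled VMware Tools still referenced in the event logs) and for the
# hypervisor fingerprints a more careful caller could read straight out of
# System Information or ipconfig.

$markers = 'VMware', 'vmtools', 'vmhgfs', 'VirtualBox', 'VBox', 'Hyper-V', 'QEMU', 'Virtual Platform'
$pattern = ($markers | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Event log residue: provider names and message text that mention the hypervisor.
foreach ($log in 'Application', 'System') {
    $hits = @(Get-WinEvent -LogName $log -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match $pattern -or $_.Message -match $pattern })
    '{0}: {1} of the last 5000 events mention a hypervisor' -f $log, $hits.Count
    $hits | Select-Object -First 5 TimeCreated, ProviderName, Id | Format-Table -AutoSize
}

# 2. Hardware identity: the same strings msinfo32 shows as System Manufacturer/Model.
$cs   = Get-CimInstance Win32_ComputerSystem
$bios = Get-CimInstance Win32_BIOS
'Manufacturer: {0}; Model: {1}; BIOS serial: {2}' -f $cs.Manufacturer, $cs.Model, $bios.SerialNumber
if ("$($cs.Manufacturer) $($cs.Model) $($bios.SerialNumber)" -match $pattern) {
    Write-Warning 'Hardware identity gives the VM away'
}

# 3. Network adapters: VMware (00:0C:29, 00:50:56) and VirtualBox (08:00:27) MAC prefixes.
Get-CimInstance Win32_NetworkAdapter -Filter 'PhysicalAdapter=TRUE' |
    Where-Object { $_.MACAddress -match '^(00:0C:29|00:50:56|08:00:27)' } |
    Select-Object Name, MACAddress

# 4. Leftover services, drivers and registry keys from the guest tools.
Get-CimInstance Win32_Service      | Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } | Select-Object Name, State
Get-CimInstance Win32_SystemDriver | Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern }   | Select-Object Name, State
foreach ($key in 'HKLM:\SOFTWARE\VMware, Inc.', 'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions') {
    '{0}: {1}' -f $key, (Test-Path $key)
}
```

Uninstalling the guest tools clears most of section 4 but none of sections 1 to 3, and the hardware and MAC fingerprints cannot be removed from inside the guest; they are part of what makes the VM a VM. The more practical risk with this setup is not a hypervisor escape but the VM's network position: on a bridged adapter it sits on the same LAN as every other machine in the house, so keep the bait VM on NAT or host-only networking and revert to a snapshot afterwards.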

I did take a minor chance with this tactic. If there was a bug in VMware and they realized they were running in a VM, they potentially could have gained access to my real computer and done bad things there too. I felt pretty confident that there was no risk and took the chance. Even if I should discover later that they did get something onto my main computer, I have a backup image from before their access to my system.

As I've written in the past, I can understand why this tactic seems to work well enough that they keep doing it over and over and over again. If a non-technically savvy computer owner received an unsolicited call claiming to be with Microsoft and problems have been detected with their computer, they might be inclined to trust the nice person offering to help them. If they can get that far (and I'll bet that's the hard part) and can convince the victim their computer is damaged via all these errors and warnings and stopped services, I'm sure there are a lot of people that will be willing to part with a couple hundred dollars or more to fix things up.

I do this for two reasons, both related to how much of their time I can waste. One, I think it is hilarious. Two, for however long I can keep them occupied they aren't making a victim out of someone else.

Here is an idea. If you are technically inclined, think about creating a Windows VM and see how long you can keep these guys away from successfully accessing another's computer, much less their credit card information. If you choose to do it (and I won't blame you if you don't want to) act as stupid as you possibly can to drag things out. Type URLs with the word "dot" instead of a period character. Deliberately misunderstand as much as you possibly can. Ask which mouse button to use repeatedly. Continually come up with reasons to put them on hold for a minute or two while you "let the dogs out" or "answer the door bell" or whatever tactics you can. And especially have fun at the end when you let them know they are fools for wasting so much of their time on you.

If you are not technically inclined and an especially trusting soul, realize that NO ONE AT ANY TIME WILL EVER MAKE A LEGITIMATE UNSOLICITED CALL TO YOU FOR COMPUTER SUPPORT PURPOSES. It is even worse if they ask for remote access to your computer (though they probably won't use those exact words). Worse yet when they ask for money. These should all be warnings to you that nothing good will come of the phone call. Unless you're me. Then lots of fun is to be had.

Share this information with as many people as you can. If you are technical, you can help protect the entire internet ecosystem from evil-doers. Regardless, you should let your friends know about this. Note: I don't have any ads or other revenue streams tied to my blog or webpages. I'm not trying to generate hits to make money. I'm doing this because it is hopefully an interesting story and to make people aware so they don't become victims.

Please let me know what you think in the comments, especially if you have ideas on how to improve this tactic or have personal stories of dealing with scam callers.
