A while ago, I responded to a blog comment promising some thoughts on how to recognize a cold-calling PC support scam. Unfortunately, I wasn't able to do that immediately, and then I was on vacation with no Internet connectivity (I should do that more often!). But then, since the problem isn't going to disappear any time soon, I guess advice on how to recognize it before you hand over any cash isn't going to pass its best-by date too soon, either.
- If you have caller-ID enabled on your phone display, you may see International or Number Withheld. That doesn't, of course, guarantee a scam. But if you're not accustomed to receiving international calls and you share my dislike of businesses that call without showing the number they're calling from, it is at least a warning to be on your guard. On the other hand, it's far from unusual for a scammer to use what looks like a local number (which may or may not be spoofed).
- India is a major provider of legitimate call-centre services to many parts of the world, so you can't assume that a caller with an Indian or Asiatic accent is a scammer, just as you can't assume that all Nigerians are 419 scammers (or even that all 419s are Nigerian in origin). Nonetheless, the moment, nearly all the reports of support scams that I'm seeing note that the caller sounds Indian, and almost all of the sites and domains we've been able to trace (and in some cases, block) have had an Indian connection.
- If you're on a national "do-not-call" register, pointing that out early in the conversation is a pretty good way of whether a call is likely to be from the same region. If, as often happens, they take no notice, it's probably a good time to put the phone down.
- The caller is likely to claim to represent or to be affiliated with a well-known name - Microsoft, Cisco and Dell (and, more recently, BT) are frequently mentioned, though the nature of the affiliation is often vague. These are companies that are very unlikely to contact an end-user directly about a virus problem: frankly, it's pretty time-consuming to trace individual users who may have a security issue. The fact that the caller may know your correct name, address and telephone does not mean they have access to any information about your PC. They're guessing, and if you know enough about your own system to ask how they have the information they claim, their answers make no sense at all. And if, as is often the case, they don't have your correct contact details, how can they possibly know anything about the status of your PC?
- Most scam calls are reliant on the scammer "proving" that he or she can identify problems with your system: in a moment, we'll look at the ways in which they misuse and misrepresent standard Windows utilities as some kind of malware diagnostic, but even before that, they may tell you that they already know you have a security problem because:
- Microsoft, or your ISP, or some other "authority" told them so. The circumstances under which this might be true are very limited indeed: if you think it's possible that it might apply to you, check directly with the "authority". It's naive to take the word of someone who just called you out of the blue. If they're evasive about the exact nature of their relationship with Microsoft (or whoever), I’d suggest you save yourself the bother and just put the phone down.
- The details of your system are on some imaginary database.
- There are spam or virus reports associated with your IP address. Or your phone number. Or, more vaguely, "your computer". Take with a very large pinch of salt. If you don't understand the caller's explanation of how they identified your system, assume that you're being misled. If you think you do understand the explanation, that's probably a tribute to the social engineering talents of the scammer, not a reliable indicator of a bona fide support call.
So what about the ways in which they try to prove to you that your machine is infected by walking you through standard Windows utilities? It’s likely that scammers will come up with variations on this approach, but these are the ones that we see most often.
- Event Viewer is a tool that keeps a system log. A scammer is likely to tell you to go to the Run menu and type in eventvwr. That will take you to a screen that shows you various system events, some of which will indeed be problems, though they’re usually transient problems that have already come and gone. When you see the Event Viewer screen, say something rude and put the phone down, if you've let them get that far.
- Microsoft tells us that ASSOC “Displays or modifies file name extension associations.” However, scammers tend to use one of the items near the bottom of the list it outputs that looks like this:
.ZFSendToTarget=CLSID{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
What that ASSOC command actually tells us here is that the .zfsendtotarget extension file is associated with the compressed (zipped) folder form in Microsoft windows. However, the scammer will usually tell you that this is the unique identifier of your PC, as proof that he can see that there is a problem uniquely associated with your PC. Or he may tell you that CLSID stands for Computer License ID, and that you need to renew the license. Either way, he’s lying to you. Tell him where to stick his license and put the phone down.
- INF and PREFETCH are legitimate system utilities: The "Prefetch" command shows the contents of C:WindowsPrefetch, containing files used in loading programs. The "INF" command actually shows the contents of a folder normally named C:WindowsInf: it contains files used in installing the system. So how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then asking them to type in something "prefetch hidden virus" or "inf trojan malware". When a folder listing like those above appears, the victim believes that the system is listing malicious files. In fact, neither of these commands accepts parameters in the Run box. You could type "inf elvish fantasy" or "prefetch me a gin and tonic" and you'd get exactly the same directory listing, showing legitimate files. Time for another rude word.
For the scammer, there are two other critical steps.
- The whole point of the exercise (and they’ll probably want you to do it before they actually “fix” your system) is to get you to give hand over credit card details. Make it clear from the start that you’re not going to give that information to anyone you can’t validate as genuine. In some cases, they may simply give up at this point, or they may try to persuade you that they’re genuine by giving some information about themselves (or, more to the point, their company). Tell them you’ll call them back and get in touch with the authorities, or even us. Unfortunately, there’s a good chance that they’ll call you back eventually if you don’t ring them back: they really do want your money. Tell them you’ve talked to the police, or to a security company, or even to Microsoft, and the chances are they’ll give up sooner or later, though they may bluster for a while.
- The other is to persuade you to download remote control software (most often from logmein.com or ammyy.com) so that he can demonstrate to you that he’s downloading utilities (usually these are free versions of genuine software, but of course they could in principle be anything...) and fixing your imaginary problems. Don’t go there: why would you give someone who just rang you up out of the blue access to your system?
Of course, we can’t guarantee that they’ll use any particular approach, and in fact you may get threatening or abusive behaviour before they give up. Nonetheless, the earlier in the process you disengage and make it clear you’re not interested, the less hassle they’re likely to give you: at least, in terms of that specific phone call. The advantage to that approach, of course is that it tends to work for other scams (some of which may come from the same call centres): mortgage scams, fake surveys (usually a precursor to a sales pitch or even to a follow-up scam call, tailored according to your responses) and so on.
See also ESET's white paper Hanging on the Telephone.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow