I recently responded to a couple of comments on one of my articles for WeLiveSecurity - Support desk scams: CLSID not unique -on the CLSID ploy used by tech support scammers in the hope of persuading victims that the scammer really has some insight into the condition of the victim's PC. This works (sometimes) because the scammer uses the ASSOC command to display the following identifier stored in the Windows Registry at HKEY_CLASSES_ROOTCLSID:
ZFSendToTarget=CLSID{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
CLSID revisited
By claiming that the following entry in the Registry is different on every machine, the scammer 'proves' that he has information on the victim's PC (sometimes he may claim that it represents a Computer Licence ID). But it proves nothing of the sort. To quote that blog:
That’s the CLSID on both the PCs open on my desk at the moment ... And I bet that if you have a recent version of Windows and go through the same steps you’ll find that you have it too. In other words, the scammer can’t see your CLSID or anything else on your PC ... Unless, of course, you fall for the scam and give him remote access with AMMYY or LetMeIn.
And it's also the number used by the scammer quoted in the comment, who claimed:
…that my computer's registration number was individual and he would recite it for me to prove he is legitimate.
[In fact, the .zfsendtotarget entry is associated with the compressed (zipped) folder in Microsoft Windows: it tells the system what to do with that option on the Windows Explorer right-click context menu.]
I just write about this stuff, I didn't invent it
There's nothing particularly novel about all this: after all, I originally wrote that article about the CLSID ploy, which was then new to me, back in 2011. I don't know how many people have read it, but apparently at the time of writing 2.6 thousand people have Liked it on Facebook, and it's attracted 571 comments. So I was slightly surprised to be asked whether the article was part of the scam. :) If it was, you'd think someone would have noticed by now. Still, I'm not one to discourage scepticism: not everyone in the security industry is scrupulously honest. (Oddly enough, we were contacted the same day by someone offering to sell us a domain name that closely resembled the sort of name favoured by tech support scammers. I suppose to be suspected of running fake support scams makes a change from being accused of being responsible for creating malware.)
Old twisters and new twists
Back in the real world, however, there were a couple of things I found quite interesting about this story, demonstrating that even an old scam can produce an interesting variation from time to time.
- The first is that the scammer claimed that if '… if I had any other computer, tablet, phone etc which used the same internet facility they would all be contaminated.' That's not a world first, of course: similar claims have been made by scammers misrepresenting the overstated threat from Tapsnake, actually an Android-specific issue. Still, I don't think it's been made frequently in the context of support scams.
- The second is that the scammer claimed that 'people were using my computer without my permission and that I would be blamed for doing all kinds of things I was unaware I was able to do.'
- The third is that he actually suggested that the commenter google 'CLSID' in order to 'prove his integrity'. Now that is bizarre. When did the same thing, the first page that came up had at the top an article by Microsoft that explains the CLSID, and articles from other sources intended to do the same thing. It also included two of my blog articles on support scams, another blog article that referenced one of mine, and a YouTube movie on 'CLSID support scam call trolling'. A search with Bing came up mostly with pages that explained CLSID, though my article did show up there too. But neither search engine offered any comfort for a support scammer.
Thinking about it, perhaps that overabundance of Harley articles explains why the commenter was worried that ESET might be involved with the scam: certainly when I search for information on a product and find page after page of links telling me how great it is, I tend to assume the sort of 'fake reviews and dodgy search engine manipulation' described here by Brian Krebs, and by Sophos here. (In fact, Virus Bulletin's Martijn Grooten and I first looked at web site and social media manipulation in the context of support scamming back in 2011.) But since that sort of manipulation isn't what I saw on that search page, I have to wonder what the scammer thought would turn up that would 'prove his integrity'. I can only see two likely possibilities.
Scammer Psychology Speculation
One explanation might be that he hoped that she would find some technical articles on .COM and CLSID which she wouldn't understand, or not understand well enough to realize that the CLSID is unique to a class of software object, not the computer on which it happens to be registered. After all, my own experience of support scammers suggests to me that they fall into two main groups:
- People reading from a script who don't really understand the technology very well, and may not even be fully aware that what they do is dishonest: if you deviate from the script they tend to keep repeating the same assertions, give up and go on to the next phone call, or try to refer you to someone better equipped to execute the scam.
- People who may or may not be as clever and knowledgeable as they think they are, but are convinced that their victims are stupid and deserve to be conned. Such individuals might actually assume that a potential victim who can't see through their pitch immediately would be unable to parse a moderately technical article. Another recent commenter, describing how he'd played one of the scammers along, recounted how the scammer directed him to a scam site, the name of which is actually an ugly word used in Bengali to describe someone stupid (actually it has overtones of something even uglier, but that's probably only marginally significant). You could compare it to the use by 419 scammers of the word 'mugu' (big fool) to describe their victims. Is this a sociopathic contempt for people who are regarded purely as scam fodder, or do some scammers need to convince themselves that their victims are unusually stupid and deserving of exploitation, so that they can live with their own dishonesty?
On the other hand, it occurs to me to wonder whether the scammer in this instance was influenced by a more localized search engine that may be more vulnerable to manipulation. But I really don't know how likely that is.
Or there may be another scenario that hasn't occurred to me. What do you think?