Tech Support Scammers Call HTG: What Happened

Tech Support Scammers: A Firsthand Account
The phone call opened with the statement, "I'm contacting you from Windows technical support." These fraudulent tech support operators called us unsolicited today, and we played along to document their methods.
The Pervasive Scam
Tech support scams have been a recurring issue for many years. Scammers impersonate representatives from Microsoft and proactively contact individuals, falsely asserting that their computers are infected with viruses.
Their ultimate goal is to extract payment for unnecessary "repairs." Despite ongoing awareness campaigns, these schemes unfortunately persist.
Related: Inform Your Family: Microsoft Will Not Initiate Contact Regarding Computer Issues
Our Experiment
Driven by curiosity, we deliberately answered the call and allowed the scam to unfold. The following details outline the sequence of events as they transpired.
We previously addressed this topic extensively, detailing how these individuals operate. They initiate cold calls, falsely representing themselves as affiliated with Microsoft.
It's reasonable to expect governmental intervention to curtail such deceptive practices. However, these scams continue to thrive, demonstrating their resilience.
Today’s call provided an opportunity for direct observation. We chose to participate in the interaction solely for investigative purposes.
A Phone Call Claiming to Be From Windows
The telephone rang, displaying an unfamiliar number – (404) 891-5588 – originating from the Atlanta, Georgia area code. The individual who answered sounded as though they were struggling with equipment. A delay preceded their speaking, with background noise resembling a disorganized call center, or even a public house.
"Hello? I am contacting you from Windows technical support," the caller began, speaking with a pronounced accent that was difficult to decipher. "Our systems have identified viral infections on your personal computer. Are you cognizant of this?" This was the second such call within the week; the first attempt had been unintelligible and ended in an immediate hang-up, but I was prepared for this subsequent contact. "No, I wasn't previously informed. What is the nature of this issue?"
The caller explained that my computer was reportedly transmitting virus alerts to their servers. Verification of my consumer license ID was then requested, to confirm the PC in question was indeed mine. "Could you please record this sequence?" he asked, reciting an alphanumeric code: 8, 8, 8, D as in dog, C as in cat, A as in apple, 6, zero. Was I able to repeat it? I did, stating 888DCA60, and received confirmation.
I immediately initiated a freshly installed Windows environment within a virtual machine, fortunately available for this purpose.
The next instruction involved pressing the Windows key and the R key simultaneously, followed by typing C, M, D, and then pressing Enter. He then directed me to type "assoc" and press Enter again. The urge to laugh was strong, yet my curiosity compelled me to continue observing their tactics.

"Would you be able to read the longest line located towards the bottom of the screen?" I complied, recognizing the numbers matched the code I had previously written down, finally understanding the deception.
That lengthy code, {888DCA60-FC0A-11CF-8F0F-00C04FD7D062}, is a CLSID, a universally unique identifier within the Windows registry. It specifies the registry location responsible for handling a particular file extension. The 'assoc' command, which they requested I execute, displays file extension associations and is unrelated to viruses. What makes this convenient for the scammers is that the ZFSendToTarget extension consistently appears near the end of the list, and its long hexadecimal value can look alarming to an inexperienced user.
"It appears that the code is identical to the one we asked you to note. This validates that we are calling from Windows and that your computer is infected." I had anticipated this, and responded, "This is becoming interesting." "Could you type the following into the window now?" he continued.
He then requested that I open Event Viewer by typing eventvwr and pressing Enter. I was becoming impatient with the need to verify each element on the screen. What was visible in the upper left corner? And in the upper right? The precision of the pre-written script was notable, though irritating given my awareness of the unfolding scenario.
Naturally, the next step was to filter the System Event Log to display only critical errors, and then claim my computer was reporting numerous errors. He had me read the total event count before acknowledging he observed the same result on his screen.
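A way to check both pieces of "evidence" used so far on a machine you own. This is an added example, not code from the original article; it assumes a stock Windows layout in which HKCR\.ZFSendToTarget holds the same value that assoc prints, and it needs no elevation:

```powershell
# Added example (not from the article): shows why the two "proofs" used in
# the call prove nothing. Run in a normal PowerShell window, no admin needed.

# The CLSID the scammer reads back. It is a fixed value shipped with Windows
# (the "Compressed (zipped) Folder" SendTo target), identical on every PC.
$KnownZipSendToClsid = '{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}'

function Get-AssocProof {
    # Same lookup 'assoc' performs for the .ZFSendToTarget extension:
    # the default value of HKCR\.ZFSendToTarget (assumption: stock Windows).
    $key = 'Registry::HKEY_CLASSES_ROOT\.ZFSendToTarget'
    $value = (Get-ItemProperty -Path $key -ErrorAction Stop).'(default)'
    [pscustomobject]@{
        AssocLine    = ".ZFSendToTarget=$value"
        MatchesKnown = $value -like "*$KnownZipSendToClsid*"
    }
}

function Get-EventViewerProof {
    # Same filter the caller applies in Event Viewer: System log, Critical (1)
    # and Error (2) only. A healthy machine accumulates these over time, so a
    # non-zero count is normal and says nothing about infection.
    $filter = @{ LogName = 'System'; Level = 1, 2 }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $bySource = $events | Group-Object ProviderName |
                Sort-Object Count -Descending |
                Select-Object -First 5 Count, Name
    [pscustomobject]@{
        TotalCriticalAndError = @($events).Count
        TopSources            = $bySource
    }
}

$assoc = Get-AssocProof
"assoc shows: $($assoc.AssocLine)"
"Matches the 'license ID' the caller recites on every Windows PC: $($assoc.MatchesKnown)"

$ev = Get-EventViewerProof
"System log Critical+Error entries: $($ev.TotalCriticalAndError)"
$ev.TopSources | Format-Table -AutoSize
```

The first line of output matches the caller's "license ID" on any Windows install, and the event counts will be non-zero on almost any machine that has been running for a while.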

At this juncture, he stated he would transfer me to a more experienced technician to investigate the issue further. I later realized this was a tactic to simulate a legitimate call center, and potentially to evade responsibility for the fraudulent activity.
Allowing Remote Access with Suspicious Software: A Deliberate Experiment
The subsequent individual on the call, exhibiting clearer communication, requested that I input a specific web address into my browser of choice. He inquired about my preferred browser first, then meticulously dictated a shortened URL from tinyurl.com, character by character.
I was then asked to verify the URL before pressing enter. Following this, a precise set of instructions was given. “What is displayed on your screen now?” he inquired, prompting me to click the Run button.
The script deviated slightly here: the instruction to acknowledge the User Account Control (UAC) prompt was omitted, and only a vague "Continue" was offered, but anticipating the next step, I proceeded on my own. In effect, I had silently granted the scammer access to my virtual machine.

Surprisingly, unlike many reported scams, they didn't utilize TeamViewer. Instead, they employed a program named Ammyy Admin, originating from a company based in Russia. Prudence dictates caution, and a quick online search confirms that this entity is not a trustworthy source for financial transactions or system access.
I proceeded to share the identification code with the operator and selected "Remember" and "Accept" to authorize remote access to my computer. Interestingly, the associated IP address resolved to a server located within the United States.
Repeating Diagnostic Procedures
The new representative then began reviewing system information, largely duplicating the steps requested by the previous caller. He stated a need to examine the Event Viewer and subsequently expressed concern regarding the findings.
He claimed to have discovered numerous viruses throughout my system, asserting that the errors logged in the Event Viewer indicated a severe problem.
The Escalation to a Specialist
A transfer to another representative was required to attempt a diagnosis of the issue. This individual had a distinct accent, leaning towards an eastern inflection. The first representative had been hard to understand and the second had spoken clearly, but this new accent was immediately noticeable. Could there be more to it than just the accent?
Indeed, the difference extended beyond mere pronunciation; this agent deviated from the established script. He exhibited a greater degree of knowledge, a less rigid delivery, and demonstrated proficiency in navigating the computer system. It became apparent that he functioned as the closer – tasked with finalizing the interaction, convincing the user of a computer infection, and offering a solution for a fee. This realization marked a turning point, transforming the experience into an engaging one.

Initially, he stated the need to perform a system scan to identify the problem. This was accomplished by launching a command prompt and executing the command 'tree /f'. Have you ever run it? It takes a considerable amount of time, as it lists every file and folder on the computer in a hierarchical "tree" structure. Importantly, this command bears no relation to a legitimate virus scan; it is simply a file listing, much like 'dir' or 'ls'.
A deceptive tactic was then employed. While the command was running – a duration of approximately one minute on the virtual machine – the agent simultaneously typed phrases such as "security breach..trojans found..". This input remained unseen by the user, concealed by the rapidly scrolling output of the 'tree' command. Once the message was fully typed, CTRL + C was used to interrupt the 'tree' command. The fabricated error message then appeared. It’s undeniably clever.

“Ohhhh,” he exclaimed, “This is concerning. A security breach and trojans have been detected. Are you familiar with what a trojan is?” He then proceeded to elaborate on the alleged infection of my computer with trojans, stating further investigation was necessary, and emphasizing the severity of the situation. He inquired about the computer’s performance and whether I experienced errors while browsing the internet.
A $175 PC Cleaning Offer?
He apparently believed he had gauged my susceptibility, since I had let his pitch continue this far. He then proceeded with his proposition: "Your PC requires a thorough cleaning to eliminate existing viruses and trojans. This service can be provided by us, or alternatively, you could utilize a local repair facility." I asked about the associated cost.
He began to elaborate, stating the fee would be $175, encompassing not only the cleaning process but also a full year of technical support. The cleaning itself, he explained, would require one to two hours.
During this timeframe, Windows Defender would be installed, and comprehensive scans would be executed across the entire system, ensuring complete removal of threats and up-to-date software. Naturally, a transfer to another representative would be necessary to finalize payment and initiate the repair process.
A degree of skepticism arose within me, which he likely detected. Unbeknownst to him, I was suppressing laughter. He then accessed my System Information, initiating a review of the system's configuration.
This is when it became apparent the deception might be uncovered – after all, I was operating within a virtual machine. The system model was identified as VirtualBox, and the computer's name was WIN81VM10. How could this detail be overlooked?
Surprisingly, it was not immediately noticed. He continued, asserting that my BIOS was significantly outdated, last updated in 2006, despite the fact that my BIOS was clearly identified as belonging to "VirtualBox." Gradually, the inconsistencies began to coalesce.
He began questioning my purchase date and the frequency of system updates, intensifying his sales pitch. However, I was struggling to contain my amusement, attempting to muffle my laughter.

The virtual machine's limited 1.49 GB of RAM was flagged as unusual, an impossibility in a physical computer. He persisted in claiming a problem existed, yet remained fixated on the RAM discrepancy.
He then realized that a recently purchased PC wouldn't logically possess a BIOS from 2006. Unable to contain myself any longer, I directly questioned him: "Do people genuinely pay $175 for this scam?"
Recognizing his scheme had been exposed, he responded with a brief, nervous chuckle, but steadfastly maintained his facade, refusing to provide further details. He challenged my accusation, insisting he was merely attempting to assist in removing viruses and trojans.
Amusingly, he began reciting the dictionary definition of "scam" and then accused me of dishonesty, claiming he had known all along I possessed technical expertise. I inquired about his actual location, to which he replied "Sacramento."
I pointed out the discrepancy between his stated location and his Atlanta area code, prompting him to dismiss the question as irrelevant. When asked about his affiliation with Microsoft, he denied ever making such a claim. He maintained he had not requested my credit card information or attempted to defraud me.
He asserted his actions were legitimate, repeatedly questioning why suggesting a local repair shop would be indicative of a scam – a point he reiterated at least ten times. This became the core of his defense for approximately fifteen minutes, as I attempted to elicit an admission of wrongdoing.
The operation functions through a series of interactions. An initial caller claims to be from "Windows," reporting the presence of viruses. A second representative establishes a connection, followed by a third who quotes a price, and finally, a fourth who presumably collects payment, performs no beneficial work, potentially installs malware, and leaves the victim feeling exploited.
Thus concludes the account of my 41-minute engagement with a scammer, an experience I found thoroughly enjoyable.