A Scambaiting Adventure

Posted by Alastair Bor | 5/15/2011 08:55:00 pm | | 1 comments »

This afternoon the phone rang with one of those phishing scammers (documented here, here, here and here) that tries to install malware on your computer or otherwise scam you. The last time they called, I didn't have time to mess with the guy, but this time I was prepared and had some time to burn. I had created a totally quarantined Virtual Machine sandbox for them (and me) to play with, and I was ready.

I mostly did this to appease my curiosity about how the scam actually works... I took notes and screen shots as it was happening in case you are interested. The story is below.

The scam starts with a cold call from a guy with a heavy accent who introduces himself as a technician from Microsoft who has detected a problem with my machine. He then confirms that I am running Windows XP and then asks me how long it takes for my machine to boot up. I tell him about a minute and he says "Oh no, something must be wrong - it should only take about 5-6 seconds."

He then tells me he can remotely diagnose my problem and that I should go to my machine and follow his instructions. I boot up the VM and we're off.

First he has me click on START and RUN and then load the Event Viewer (eventvwr.exe).

He then asks me to click on a bunch of things (Properties, and un-check Information/Success Audit/Failure Audit) to basically remove anything except the errors and warnings. He then asks me if I see any Warnings or Errors. Of course, at this point I can only see Errors and Warnings. When I tell him that I do he says "Oh my gosh, there is something wrong with your computer, you have a virus!" For those that don't know, this is a perfectly normal screen on a virgin new installation of Windows XP. In fact if you did the same on a system that's a few months old, you'd say many many more of these warnings and errors. Again, this is perfectly normal.

He then says to open up Task Manager to check the performance hit that I have from this virus. I tell him that the CPU usage is 2% (which is normal) and again I get a "Jees, that's bad" it should be 100%, but the virus has taken away 98% of the system capacity. He then asks for the size of my PF (PF Usage) which I tell him is 148MB and he says it should be 3000MB (3GB). He also says that the yellow line in the "Page File Usage History" graph should be blue - the yellow is a sign of a critical warning. Of course, this is all bullshit - in fact the Task Manager Screen is showing a perfectly normal system.

He then tells me that he understands I would be skeptical of his call and that I should go to http://www.desksense.com which is his company and I can see that they are Microsoft Certified. Look, there is a Microsoft logo on top of the screen. It must be true! Incidentally, the guy said that I could verify that it's him by calling him back on the phone number 0280144592. I didn't bother trying, but I would have imagined that such a large company wouldn't just have a VOIP Sydney dial-in number.

He also asks me to go to the Testimonials and Awards section to see how well regarded they are. The Awards are kinda funny, I'm sure you've all heard of these prestigious awards.

Now that I trust that he is from Microsoft, he tells me to go to http://www.teamviewer.com and install their remote administration software. He tells me that TeamViewer normally costs $150 but he is giving it to me for free as part of this service. He then transfers me to his colleague who then takes over the call.

I install TeamViewer and give him my machine ID and password. What bad could come of this? :)

He then uses these details to connect remotely to my computer so that he can control it. You can see he has full control.

Also, he does a bunch of talking during which other people also seem to connect to my machine. About 5 separate people connected to my machine while he was talking. Don't quite know what they were doing - maybe looking for some interesting personal files.

The colleague, who can now remotely control my computer, loads up prefetch (START - RUN prefetch) which will find the viruses... and WOW! I am infected by the Rundll32.exe virus and the Update.exe virus!!!!! OH MY GOD! :) Again, these are all perfectly normal screens. In fact, prefetch isn't even a program, it's just a directory.

He now tells me that he will "upgrade" my CPU to 100% and upgrade my memory to 3GB (which I will see in my page file). To do this, I need to go to http://www.logmein123.com and then punch in the ID 879463 (which is a top secret number that I shouldn't tell anyone... ooops, did I just reveal his secret?) and speak to Mark Brown who is the Senior Microsoft Engineer who will handle my case. At this point it becomes an online chat and I can't hear Mark Brown's voice, we only type to eachother.

Mark now has remote control of my machine and he then installs Mozilla (which he tells me normally costs $100) for absolutely free!

Then we go to http://www.gitsolutions.net

and he takes me to the pricing page where I need to pay $145 to go on... I humour him by going to the shopping basket stage, but stop when I actually have to put my Credit Card number in there.

This is where my "internet connection" suddenly went down and we couldn't continue. We had been online for just over an hour at this point and I think they really smelled the $145 because they went through great lengths to call me back and offered to check with my ISP about what's wrong. Anyway... I then got bored and closed it all down. This didn't stop them from trying to repeatedly call me for the next hour or so.

So... just saved you an hour in case you wanted to know how this scam works :)

I imagine the next steps are left to your imagination, but by now they would have full control and access to my computer and any connected drives as well as my credit card details and address info. All in an hour's work.

Incidentally, if you get a call like this, you can quickly shut the guy down by either saying you don't have an internet connection, you have a Mac or you left your laptop at work and don't have another computer. They will just quickly move onto their next target.

Bookmark and Share


  1. Ooddy // 26 May 2011 at 17:49  

    In my case, he didn't move on to the next target. I told him I got a mac I don't use microsoft, he's still trying to get me in.

Post a Comment