The Support Scam: Needed “A Special Hell”

By now I expect everyone has at one time or another received a call from “technical support” telling them there is something wrong with their computer.

They used to say openly that they were from Microsoft, but that ended when some of them got busted: http://www.bbc.com/news/technology-26818745

Sadly the money to be made is significantly better than the penalties if you get caught. Perhaps they will go to “The Special Hell”.

I have been getting these calls off and on for a long time and have talked to them in the past. I have always been interested in knowing what they are trying to do at a technical level. The first time I tried, the scammer talked to me for about half an hour as if I had never touched a computer. Eventually I ran out of patience and told him that I knew what a Windows key was and could he just tell me what program he wanted me to run (trying to short-cut the 5 minutes of instructions on how to get a Run prompt). He said

“Ok what you need to run is F*@! you – Click”

So there was half an hour wasted; I guess I will have to play dumb longer next time. Mostly I don’t have time, so I just hang up, and my wife just tells them she has a Mac and they leave her alone.

This morning I was between clients and had some time when the call came in, so I decided to give it another go. The call came in from 232-555-6985 (232 is the country code for Sierra Leone), and I have talked to my telephone provider, who says there is nothing that can be done because of the caller ID spoofing they use. Personally I believe that this kind of spoofing needs to be fixed globally as part of the infrastructure, but for now we just have to live with the fact that we can’t block calls based on the caller ID number.

Have you ever called for tech support? Do you recall how hard you had to work to get someone to listen to you and get your issue fixed? The first thing to remember is that Microsoft and/or tech support does not just call home computer users.

Never run commands on your computer that have been provided to you by a stranger who calls you

The first thing they asked me to do was to run

ASSOC – a cmd.exe builtin that has been in Windows for a very long time. It displays or changes which file type, and therefore which program, is associated with a file name extension. Used without parameters, assoc lists every current file name extension association. Near the bottom of the output is the following line:

.zfsendtotarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

You are then told that CLSID stands for “Computer Level Security IDentifier” and that it is unique to your machine; he then reads you the code and you “confirm” it. This way, supposedly, you know the call is legitimate and not one of the scams going on.

In fact a CLSID is a globally unique identifier for a COM class object, that is, for a piece of software, not for a computer. This one belongs to the Windows zip-folder shell extension (the extension name .zfsendtotarget is “zip folder send-to target”), so it is the SAME on every Windows installation that has that component (or at least close enough for the scammers). Reading it back to you proves nothing about who is calling.

Next you are asked to run

eventvwr.exe – This shows you all the logs of what is going on in a Windows system. If you are like me you spend a lot of time here, but most people never look. The only thing you really need to know is that it is completely normal to have yellow (Warning) and red (Error) icons here. I was asked if I knew what the events were and I said I did (I was getting tired of this game); I picked the top event in the list and told him what it was.

Log Name: System
Source: Microsoft-Windows-Kernel-Processor-Power
Event ID: 37
Task Category: (7)
Level: Warning

The speed of processor 3 in group 0 is being limited by system firmware.

I told him that this was just a power-saving feature of my laptop and was immediately corrected. I was told that this error message is proof that hackers are inside my computer trying to do bad things and it needs to be fixed right away.

The next command I was asked to run was

inf hacking files (actually I had to quickly look this up before I ran it; I really enjoyed putting the scammer on hold for 2 minutes to “take another call”)

What this command actually does is open your C:\Windows\inf folder (the words “hacking files” do nothing). This is a normal system folder that holds the setup information (.inf) files Windows uses to install drivers and software (details here if you care).

I was asked to identify all the files there and look for anything that ended in PNF. I know these files are normal and part of the Windows installer, but again I was told this was proof that my computer had been compromised.
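As an added example (not code from the original post), here is how to look at the same three artefacts from PowerShell instead of taking the caller’s word for what they mean. It assumes Windows with PowerShell 5.1 or later and uses the CLSID from the ASSOC output above; the registry, event log and inf folder queries are all read-only.

```powershell
# Added example, not from the original post: examine the three "proofs" the
# caller pointed at the way an administrator would. Assumes Windows with
# PowerShell 5.1 or later. Nothing here changes the system.

$clsid = '{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}'   # the CLSID from ASSOC

# 1. The CLSID. ASSOC just prints registry data from HKEY_CLASSES_ROOT. The
#    CLSID names a COM class, i.e. a piece of software, so every Windows
#    install that ships that component shows exactly the same value.
$key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
if (Test-Path $key) {
    $name = (Get-ItemProperty -Path $key).'(default)'
    $dll  = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    "CLSID $clsid is '$name', implemented by $dll"
    # The extension(s) mapped to it, exactly as ASSOC reports them:
    cmd /c assoc | Select-String -SimpleMatch "CLSID\$clsid"
} else {
    "CLSID $clsid is not registered on this machine"
}

# 2. The "hacker" event. Show the Kernel-Processor-Power ID 37 entries (the
#    firmware throttling a core, logged as a Warning), then how common
#    Warning (level 3) and Error (level 2) entries are in the System log over
#    the last week. Yellow and red icons are routine on a healthy machine.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Processor-Power'; Id = 37
} -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LevelDisplayName, Message

Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Level = 2, 3; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 3. The .pnf files. A .pnf is the precompiled form of a driver's .inf that
#    Windows writes when it first parses that .inf, so each one normally sits
#    next to an .inf of the same name. Report any that do not; that is the
#    only thing in this folder worth a second look, and even then it is not
#    evidence of compromise on its own.
$inf = Join-Path $env:WINDIR 'inf'
$pnf = @(Get-ChildItem -Path $inf -Filter *.pnf -File)
$unpaired = @($pnf | Where-Object { -not (Test-Path (Join-Path $inf ($_.BaseName + '.inf'))) })
"{0} .pnf files in {1}; {2} without a matching .inf" -f $pnf.Count, $inf, $unpaired.Count
$unpaired | Select-Object Name, LastWriteTime
```

Running this next to the caller’s script makes the point of each step plain: the CLSID resolves to a stock Windows DLL, the ID 37 warning is one of many benign warnings in the System log, and the .pnf files pair off with the .inf files Windows compiled them from.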

At this point in the call he was clearly fishing for me to say something specific, because for the next 15 minutes he went over these details again and again until I agreed that he was legitimate and my computer was infected by hackers. Saying things like “If you say so, I believe you” was not good enough. When I finally said I was infected we moved on.

(FINALLY THE GOOD BITS)

Now he asked me to run

iexplore support.me – this will connect you to https://secure.logmeinrescue.com/Customer/Code.asp, the customer entry page for LogMeIn Rescue (please don’t associate this scam with LogMeIn; hold your thoughts about these remote control companies until the end).

This is where the scammer is attempting to gain access to my computer (something I am not about to let happen). I was then asked for the 6 digit computer security code that came with my computer, and then scolded for not keeping such critical system documentation (no Emmy here, but at least he tried to sell it as he read from the page he had). But wait, fortunately I am in luck, as he can generate me a new code as long as I promise not to lose it this time.

If I entered this code on the LogMeIn website it would let them gain access to my computer. Fortunately LogMeIn appears to take this kind of abuse very seriously, and you will notice a link just below where you key in your code: “We take security seriously, Report Abuse”. So while I told him the download was running I was reporting his code in the background. This much of the call took about 40 minutes, and now it was my turn to take up some of their time; they had decided they had a sucker on the line and didn’t want to let me go.

I complained that the LogMeIn application kept saying “connecting” but never finished. I was provided 2 different codes to try and downloaded the application multiple times, and then I was transferred, and I knew they really didn’t want to let me off the phone. For reference, the entire call to this point was very noisy; there were clearly dozens of calls going on in the background and the person I was talking to clearly had a significant challenge with English. All of a sudden things are very different: the call is quiet and I am speaking with (and clearly hearing) someone with a slight Indian-British accent. He is not reading from a script but is here to fix any technical issues to get me connected. I am provided another access code and I tell him I have another call and will be right back. This time I use my cell to call the 1-800 number on the LogMeIn abuse page, and someone answers right away; he explains they are working hard to prevent this abuse of their system and that I can report the access codes I have been given so they can be traced back and the account closed and blocked. He is very polite and thanks me for helping them prevent this abuse of their system.

Quickly I get back on the phone with the scammer and tell him this just is not working. Now he directs me to a new site:

showmypc.com

Now this site works differently, as I have to install the software and give them a code (not the other way around), and there is no clear way to report abuse and nothing I can provide to showmypc.com to trace back (at least without letting the scammer connect to my PC). We are close to an hour now and I have no good answer for the scammer as to why I can’t provide the code, so I hang up. I do manage to find a support chat and contact showmypc.com:

John: Hi
John: How may I help you?
Scott: Just wondering what I can do to report fake support from India trying to use your software to take control of my computer
John: We are already aware of that and we are trying to add features to avoid such issues.
Scott: Is there anything I can get from them for you to catch them?
John: We have a lot of things, but they are using the free version, which can’t be limited; however, we will put a warning on our homepage as well.
Scott: I think that should be a top priority you are assisting in the abuse of a lot of people right now
John: Yes we will do that ASAP.

Shortly after I receive an email from showmypc.com

Hi Scott.

We saw your recent chat, just wanted to let you know we currently have an active warning on our home page.
Any time a user tries to download the software, he sees a big red active warning message, and also after they try to use it they are shown a warning.
http://showmypc.com/faq/warning.html?hmnu=1

And in addition, we have a case filed with the FBI for investigating this.

If you have something concrete to add we will be happy to take information from you to block. We constantly block users who we detect are trying to abuse our system.

Now what they say is true, but you don’t see the warning until after you go to click on showmypc:

[Two screenshots of the showmypc.com download page, taken 8-29-2014 at 12:53 PM and 12:54 PM]

They say they constantly block users, but at the same time they told me in the chat that it couldn’t be limited.

I have been through this with showmypc.com, and although they say they are all over it, it doesn’t feel that way to me. Make your own decision.

I think remote support tools are a good thing, even if I feel that showmypc.com doesn’t take this as seriously as I would like it to.

Bottom line: don’t waste your time; hang up and move on.
