Incoming call “claiming” to fix your computer SCAM

First let me say that I am a very knowledgeable IT consultant, so I knew what I was doing the entire time.  I don’t recommend doing anything an unsolicited caller asks you to do, no matter what.  As you’ll see below, the trick this person used was to try to fool me into believing they knew something about my computer that only they could know.

95% of the calls to my old home phone number are from unsolicited telemarketers even though my number is on the government do not call list.  I think I just keep the number around so I can mess with them when they call.  I feel that if they’re breaking the law and wasting my time, I’ll waste their time.  I usually pretend to be interested to string them along for as long as I can before dropping the do not call list speech on them and letting them know I just wanted to waste their time.  I also let them know the company they’re working for is breaking the law.  They either debate, argue, tell lies, verbally insult me, or hang up.  Hey, whatever happens after they make my phone ring illegally is fair game, right?  My record for keeping them on the line is about 6 minutes and I’m working on ways to keep them on longer if possible.

Today when my home phone rang the caller ID said “Name Unavailable 997-914-9783”.  I was uploading a 4.2GB file (SQL 2008 R2) so I had some time to take the call.  It was from a gentleman who claimed to be Peter Brown even though he had a thick Indian accent.  I could hear other people working around and/or next to him.  He said he was calling me from the “computer maintenance department”.  Of course I knew where this was going, so I put him on speakerphone and decided to go along with his game, or should I say scam.  He said the call was about my Windows computer.  He went on to say that they have been receiving some error message (singular, not plural) from my computer and they were calling to help me.  I asked him how he knew it was my computer and he said my “computer ID number” had been entered into their database.  He said if my computer downloads any virus they receive the error message.  Trying to pull more info from him, I got him to say it was my “computer security ID number”.  Long story short, he wanted me to open a command prompt, type ASSOC and hit Enter.  ASSOC displays and modifies file extension associations, and it exists on every Windows computer; its output is essentially the same on all of them.  To gain my trust he wanted to read the CLSID number to me, and if it didn’t match what I saw in front of me I could hang up.  Sure, I’ll play along, knowing that number is the same on ALL Windows computers.  Of course what he told me matched my computer, and my server, and another server, but I just went along for fun.

After he believed he had gained my trust he directed me to a website (microsoftsupport015.com) where he wanted me to download and run a file.  He said it would connect me to a Microsoft technician who would fix my problems.  That’s where I started challenging him, saying I was unsure about downloading a file and running it.  I explained to him that the .ZFSendToTarget=CLSID number is the same for all computers since I had run it on another computer.  He tried to tell me that both of my machines were infected.  I told him he was part of a scam and debated with him for a while.  He finally hung up on me.  The screenshots of ASSOC and the website are below.
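Added here as an example, not part of the original post: a PowerShell snippet you can run on any Windows box to see for yourself why the CLSID the caller “reads back” proves nothing. It runs the same ASSOC command the scammer asks for, shows where that line actually comes from in the registry, resolves the CLSID to its registered name, and then prints a couple of values that genuinely are unique to the machine for comparison. The MachineGuid lookup and the adapter filter are my additions, not anything the caller referred to.

```powershell
# Added example (not from the original post). Shows that the .ZFSendToTarget
# association the caller quotes is a static shell registration that is identical
# on every Windows install, not something unique to your computer.

$ext = '.ZFSendToTarget'

# 1. What the scammer has you type: cmd's ASSOC, narrowed to the one line they quote.
$assocLine = cmd /c "assoc $ext"
Write-Host "ASSOC says:            $assocLine"

# 2. Where ASSOC gets that line: the (default) value of HKCR\.ZFSendToTarget.
$progId = (Get-Item "Registry::HKEY_CLASSES_ROOT\$ext").GetValue('')
Write-Host "HKCR\$ext = $progId"

# 3. Resolve the CLSID to its registered name under HKCR\CLSID. It names a built-in
#    Explorer component; it carries no information about this particular PC.
if ($progId -match '\{[0-9A-Fa-f-]+\}') {
    $clsid    = $Matches[0]
    $friendly = (Get-Item "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid").GetValue('')
    Write-Host "$clsid is registered as: $friendly"
}

# 4. For contrast, values that really are per-machine. A caller who genuinely
#    "monitors" your PC would have to know something like these; "Peter Brown"
#    never mentioned any of them. (Assumed examples, chosen by me.)
$machineGuid = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid
$macs = (Get-NetAdapter -Physical | Where-Object Status -eq 'Up').MacAddress
Write-Host "MachineGuid:           $machineGuid"
Write-Host "Active MAC address(es): $($macs -join ', ')"
```

Run it on two different Windows machines: step 1 through 3 print the same thing on both, step 4 does not. That is the whole point of the trick; the caller is reading a public constant back to you and calling it your “computer security ID number”.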

After all of this happened I decided to spin up a VM in Azure, install Microsoft Endpoint Protection, update MS EP, go to the website, download the software, and run it to see what happens.  This is in an isolated environment on a machine that I don’t care about, using one-time, unique credentials.  It has internet access but isn’t touching other machines, so it’s pretty safe to blow up.  I can also delete the VM whenever I want, so whatever software gets installed won’t keep running.  The file that downloaded was named aa_v31.exe and MS EP didn’t see it as a threat.  The software appears to be AMMYY remote desktop software.  It appears that if I had kept “Peter Brown” on the phone he would have given me an address to enter so they could remote control my machine to do who knows what.  I think I’ll power down this VM and spin it back up when I get another call like this to see what they do.  I don’t get these calls often, so it might be a while before I find out more.
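Added as an example, not something from the original post: a few lines of PowerShell to run inside the throwaway VM before and while executing the download, so you end up with facts about the file (hash, signature, version resource, live connections) rather than only “the AV didn’t flag it”. The file name aa_v31.exe comes from the post; the Downloads path and the assumption that the process keeps the same name when it runs are mine.

```powershell
# Added example (not from the original post). Basic triage of the downloaded file
# inside the isolated VM. Path is an assumption; the file name is from the post.
$file = "$env:USERPROFILE\Downloads\aa_v31.exe"

$item = Get-Item $file
$hash = Get-FileHash -Path $file -Algorithm SHA256
$sig  = Get-AuthenticodeSignature -FilePath $file
$ver  = $item.VersionInfo

# Record what the binary says about itself. Remote-control tools normally identify
# themselves in the version resource even when the download name is meaningless.
[pscustomobject]@{
    File        = $file
    SizeBytes   = $item.Length
    SHA256      = $hash.Hash
    SigStatus   = $sig.Status                 # Valid / NotSigned / HashMismatch ...
    Signer      = $sig.SignerCertificate.Subject
    Product     = $ver.ProductName
    Company     = $ver.CompanyName
    Description = $ver.FileDescription
} | Format-List

# After launching it (manually, in the VM only): list the TCP sessions the process
# owns. A remote-control client holds a connection to the operator's relay even
# before anyone types an access ID, which tells you who it is phoning home to.
Get-NetTCPConnection -State Established |
    Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like 'aa_v31*' } |
    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
```

The SHA256 is what you hand to a scanner or a colleague later; the signer and product strings tell you whether the tool is the legitimate vendor build (which is why endpoint protection stays quiet) rather than malware in its own right. The danger with these calls is not the file, it is the person you would be handing a session to.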

In the meantime, people, please don’t fall for this scam.  If they can’t tell you some information like your ISP, IP address, MAC address, or something that is really unique to your computer, then just hang up.  If you are a non-technical person, don’t worry.  Just hang up anyway.  People don’t reach out to you and offer to fix your computer via the phone.  If they do, more than likely it’s a scam.  Oh, and by the way, so are the “lower your credit card rates” calls.  I enjoy those the best.  They get so mad when you keep them from “selling” their service to other people, I mean victims.

For more detailed information go here: www.webologist.co.uk/internet-security/pc-support-security-scams-zfsendtotarget-clsid-trick
That person took it farther than I did, so you can see more of what happens.

Software I was directed to run

[image]

ASSOC Results.  He rambled off the CLSID number below.

.ZFSendToTarget=CLSID{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

[image]

Screenshot of the website I was asked to visit and download their “security software”

[image]
