Computer scam described in first person detail

For background on this scam please visit
http://www.consumer.ftc.gov/blog/ftc-combats-tech-support-scams
I believe the people that I spoke with were not from a company but rogue scammers.


Remember, everyone: when someone calls you, be leery. Don’t trust incoming calls no matter how convincing things sound. It’s always best to hang up. If something is legitimate, then that company will contact you another way than by email or phone trying to get you to give financial and/or personal information.


I’m a VERY knowledgeable, seasoned IT consultant specializing in Microsoft products. Every step of the way I knew the risks and had everything set up so that I, my computer (or should I say VM), and my personal information were never in danger. I don’t recommend others do what I did. That being said, I want to apologize for the lack of screenshots. Every time I tried to take a screenshot they would notice keyboard and mouse activity. I wanted things to go smoothly so we could continue to the very end, so I just watched and took notes most of the time. If some of my sentences sound odd that’s because I’m trying to convey the way I was being spoken to. You’ll notice quotes in this blog. That’s exactly what was told to me by these people. I recorded both of these calls so the accuracy of this blog is very high.

I often get unsolicited calls to my cell phone and home phone even though all of my phone numbers have been on the FTC’s do not call list for years. When I get one of these calls I either hang up on them, string them along like I’m interested, or act really stupid. If they stay on the line long enough I eventually let them know I’m on the do not call list and the company they’re working for is breaking the law. They either hang up, tell me that I’m not on the do not call list, or attempt to prove that they have a business relationship with me. Once I was actually told it costs money to be on the do not call list. I don’t know if these people are clueless, desperately need a paycheck, or don’t care. Unsolicited calls are bad but what’s worse is when someone is trying to intentionally scam me out of money without offering a false promise of lowering my credit card interest rates, making me an Amazon affiliate, or giving me a free security system that of course I have to pay to have monitored. If you’re calling me selling a good or a service and I don’t have a valid business relationship with you, then be prepared for me to waste your time. If you’re calling me trying to intentionally scam me, then be prepared for whatever I dish out, including documenting everything that happens so others will know.

A few months ago I received a phone call. I knew from the caller ID that it was going to be an unsolicited call and I was prepared to waste their time. When I answered, a gentleman with a thick Indian accent named “Peter Brown” claimed he was from the “Computer Maintenance Department”. He told me they’d been receiving error messages from my computer. He wanted to guide me through a few things to help me fix my computer. I knew his intentions weren’t to sell me something but to try to con and scam me out of money or obtain my credit card number. Knowing this, I wanted to play along for a while to see how this scam worked. When I asked him how he got my phone number his response was that my Computer ID number had been registered with their database. Say what? He went on to say that when my computer downloads any kind of virus they’ll receive the error message. I asked if it was my IP address and his response was “computer secret ID number”, whatever that means. Remember that quote, “Computer Secret ID number”. He had me open up the Windows run box using keyboard shortcuts. He requested that I type in cmd and click OK. In the command window he had me type assoc and hit enter. This of course brought up a list of file types that are registered and what applications are associated with them. This is how Windows knows what app to use to open different kinds of files. At this point he wanted me to look for a line toward the bottom that has CLSID in it. To try to prove to me that he in fact knew something about my computer, he went on to say the CLSID number is that “computer secret ID number” he was talking about earlier. He wanted to read back the CLSID number that I saw in front of me and mentioned that if he was wrong then I could hang up. Well, of course he was going to know this; quick research while he was on the phone turned up that the number is the same on all of my computers. It’s not unique; it’s the same on pretty much every Windows machine out there. By trying to fool me that this is a secret number and by “verifying” mine, he expected I would believe he was telling the truth. Of course none of this worked, as I’m smarter than him, but it shows how people who are not familiar with Windows could fall for something like this.

[screenshot]

When he read me the number I pretended to act surprised and upped the gullibility factor. He once again went on to say my computer will register with their database using the CLSID number when I download any kind of virus. He then said that was the reason why he was calling me from “Windows”. I said “so you’re calling me from Windows, OK”. He then went on to say that when my computer is online it “download the viruses”. At this point he had me open up the run box using keyboard shortcuts. He asked me to type in www.microsoftsupport015.com and click OK. This took me to a webpage that tried to look like an official support site.

[screenshot]

The graphics said “Windows Security Department”. Of course, being skilled in this area, I knew it wasn’t a valid Microsoft or Windows website, but I’m sure someone whose skills are in different areas would have believed it. At this point he wanted me to click on the link that said “SECURITY SOFTWARE”, which would download a file. He explained this would connect my computer to “Microsoft in Arizona” where they’d help me resolve my problems. When I questioned him about the software he said it is security software and to just ignore the warnings. Of course I wasn’t going to do this and I told him I was concerned about running software from the internet. His response was that it was security software. At this point either we got disconnected or he dropped the call knowing he was just wasting his time.


It was after that call that I wanted to see how this scam worked in great detail. I decided to set up a Windows Azure VM and wait for the next call. In a few weeks, sure enough, my phone rang with a spoofed caller ID number. This gentleman, like the other, had a thick Indian accent. This person told me he was from the “Windows Technical Department” and my computer had some malware on it. He wanted to help me get rid of it. I’d been waiting for this call to find out more about how this scam works. On the last call I strung him along until they wanted me to install some remote access software. This time I was ready. I had a virtual machine isolated in Azure with a unique password and no software or data on it. It was a bare install of Windows. I was ready to see how this scam worked and ready to document it.

What was interesting with this call and the other was that in the background I could hear others talking as if they were in a call center. When I spoke to another scammer they let it slip that the background noise was a CD to make people think they’re actually in a call center when they’re not. I guess scammers shouldn’t tell their secrets, eh? Anyway, this gentleman wanted to know if I was in front of my computer. I said I was but I had to turn it on. Little did he know I was powering up that VM designed specifically for the purpose of documenting our upcoming hour-long phone call. To make him think I was gullible I told him I’d been noticing it takes longer than usual for my machine to boot and that’s why the machine in front of me was taking so long to start up. The truth was I forgot the unique password and had to look it up. What he said sounded like he was reading from a script. He said whenever I’m “going to online to the internet my computer is downloading junk files that is corrupting my computer day by day”. He then said that’s the reason I’m having these kinds of problems. As I was waiting for my VM to start I asked him if Microsoft watches for this stuff. He said he was not calling me from Microsoft. He said he was calling me from the “Windows Technical Department”. I thought that was interesting. Here he is trying to scam me, yet he’s sort of honest enough to say he’s not from Microsoft. I then asked him if Windows looks for this and his response was simply “Windows Technical Department”. I asked him once again if the “Windows Technical Department” looks for this and his response was “yes, I’ll help you out. No need to worry about that”. Once I logged into my VM the very first thing he wanted me to do was the key combination Windows + R to bring up the run window. When the run window came up he wanted me to type in eventvwr and click OK to bring up the Event Viewer.

[screenshot]

At this point he guided me to the Administrative Events filter. He then asked me if I saw any errors. Of course I did. It’s common to have errors, warnings, and informational events in the event viewer. He told me not to click any errors because “these are the online infections that are corrupting your computer day by day without my knowledge”. Once again it sounded like what he said came from a script. He then asked me to close out of the Event Viewer.

[screenshot]

At this point he once again wanted me to do Windows key + R to bring up the run window. This time he directed me to type www.121support.usa in the run box. Then he changed his mind and wanted me to use http://www.121usahelp.com. At that point he directed me to click OK to open up the webpage.

[screenshot]

[screenshot]

This of course brought up a website that appeared to be for starting a remote support connection. He did not want me to type a password in the box. He wanted me to click on the Ammyy link below.

[screenshot]

At this point the call dropped. I was upset as I wanted to know more about how this scam works. Since I seemed gullible he ACTUALLY CALLED ME BACK! Yes, he called me back.

Clicking the Ammyy link of course downloaded ammyy.exe. Ammyy is a remote support software application with which someone can control your keyboard and/or mouse. He directed me to run it, so I did, of course, as this was an isolated VM used only for collecting information on how this scam works.

[screenshot]

At this point the application opened, ready for someone to connect to my computer as soon as I gave them my ID. Of course he asked for my ID as he wanted control of my machine, so of course I gave him my ID.

[screenshot]

Once he connected to my machine he asked me to place a check in “remember my answer for this operator” and to click accept. At this point any keyboard commands I used to try to capture screenshots messed him up, so I took notes from this point on. Any screenshots from this point on are not from the actual session but recreated for this blog.

[screenshot]

At this point he congratulated me and told me I was successfully connected to the “Windows Technical Department”. He told me the movement of the mouse was from his technician. I asked him if he was going to fix my computer and he said he was just seeing how much my computer was corrupted without my “good knowledge”. What’s interesting is that while they had control of my computer, or should I say control of my isolated VM, they went to a website, downloaded TeamViewer, which is another remote control application, installed it, and connected to my machine using that software. I tried to get the website they went to but it was so fast I couldn’t document it. Once they switched to TeamViewer I was told that now I’m fully connected to his technician. At this point they opened up Event Viewer and showed me all the “errors”. I then got “transferred”, or as I like to think, the phone was handed to his partner in crime next to him. I heard them speaking in a language that wasn’t English. This new person introduced himself as a “SENIOR” technical supervisor. He then dove into telling me all those “errors” I’m seeing are inside of my computer and he wanted to tell me that’s why “Windows was giving a call”.

He asked me if I used my computer for business or personal reasons. My response was that it’s for business, knowing it’s just a useless VM. He asked me if I “didn’t want to lose my computer anymore” and of course my response was “no I don’t want to lose it”. He once again said I’d see with my own eyes all the errors and warnings. He said “one warning and one error may crash your computer any part of time”. He then went on to say I have lots of problems on my computer. He said each date and time in the event viewer was when a problem came inside of my computer. Once again, if my sentences sound odd it’s because that’s how it sounded from him. He then asked me if I email, do online banking and shopping, or play online games that made problems come inside of my computer without my “good knowledge”. I said my machine has been running slow and his response was that’s the reason why they’re calling me to show me all of these problems. He said I shouldn’t worry because a Windows Technician was working inside of my computer showing me all of these problems. He then said he will show me all of these problems one by one in my computer.

At this point he made me bring up the run window again using the Windows key + R and had me type in inf online hacker and click OK.
Yes, he had me type in inf online hacker.
This brought up my INF folder.

[screenshot]

He asked me what I saw and I told him I saw a bunch of folders. He mentioned that I had 991 items (screenshot below not from the session but recreated) and then asked me if I recognized these folders. Playing along I said no, knowing it’s my INF folder. He then went on to say this is the hacker folder. He said 991 hackers had hacked my machine. I guess each hacker gets their own folder each time they connect? He then went on to say that the date and time was when they hacked my computer. Of course that wasn’t true but I wasn’t going to argue with him, and he was much smarter than I was 😉 He even went so far as to say that the hacker on that date and time was watching what I was doing on my computer without my “good knowledge”. What is it with the term “good knowledge” they keep using? He then went on to say my machine is hacked and it might have been from email. He wanted to check out my “email position”, whatever that meant. Of course this was an isolated VM. I didn’t have any software installed or any personalized settings.
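Three of the “proofs” in this story can be reproduced on any Windows machine: the CLSID line in assoc output (the “computer secret ID number”), the errors in Event Viewer, and the folder that opens when you type inf online hacker in the Run box. The PowerShell script below is an added example, not part of the original post; it assumes a stock Windows install and only reads assoc output, the HKCR registry hive, the Application and System event logs, and %windir%\inf. It shows why none of the three says anything about a compromise.

```powershell
# Added example (not from the original post): check three "proofs" used in
# tech support scams on the local machine. Read-only; no settings are changed.

# 1. The "computer secret ID number". assoc lists HKCR file-type registrations.
#    A line whose target begins with CLSID\ points at a registered shell
#    component, and that registration is identical on every Windows install.
function Get-AssocClsidLines {
    foreach ($line in (cmd.exe /c assoc 2>$null)) {
        if ($line -match '^(?<ext>[^=]+)=CLSID\\(?<guid>\{[0-9A-Fa-f\-]+\})') {
            $guid = $Matches['guid']
            # Resolve the GUID to the component's friendly name under HKCR\CLSID.
            $name = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$guid" `
                        -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Extension = $Matches['ext']; Clsid = $guid; Component = $name }
        }
    }
}

# 2. Event Viewer "errors". Count Critical (1) and Error (2) level events in the
#    Application and System logs over the last few days. A healthy machine
#    routinely has some; the number alone is not evidence of anything.
function Get-RecentErrorCount {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in 'Application', 'System') {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $since } `
                    -ErrorAction SilentlyContinue
        $top = @($events) | Group-Object ProviderName | Sort-Object Count -Descending | Select-Object -First 3
        [pscustomobject]@{
            Log        = $log
            Errors     = @($events).Count
            TopSources = ($top | ForEach-Object { "$($_.Name) ($($_.Count))" }) -join ', '
        }
    }
}

# 3. The "hacker folder". The Run box resolves the first word, inf, to
#    %windir%\inf, the folder of driver packages, and opens it in Explorer; the
#    remaining words change nothing. The dates are when driver packages were
#    written, which is why they cluster around install and update times.
function Get-InfFolderSummary {
    $inf = Join-Path $env:windir 'inf'
    $items = @(Get-ChildItem -Path $inf -ErrorAction SilentlyContinue)
    $sorted = $items | Sort-Object LastWriteTime
    [pscustomobject]@{
        Path   = $inf
        Items  = $items.Count
        Oldest = ($sorted | Select-Object -First 1).LastWriteTime
        Newest = ($sorted | Select-Object -Last 1).LastWriteTime
    }
}

Get-AssocClsidLines | Format-Table -AutoSize
Get-RecentErrorCount | Format-Table -AutoSize
Get-InfFolderSummary | Format-List
```

Run it on two different machines and compare: the CLSID line resolves to the same built-in shell component on both, the error counts differ from day to day even on machines nobody has touched, and the INF folder’s item count tracks how many drivers and updates have been installed. That is the whole point to make to someone who has been shown these screens by a caller: each one is a normal, documented part of Windows.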

With everything they’ve been doing so far it was all very convincing for the average user but they still kept going wanting to prove to me that my machine was infected and hackers hacked it. I don’t even think they used the term malware but they kept going trying to scare me. At this point he brought up Internet Explorer and went to a page that validates W3C code.

[screenshot]

He directed me to enter my email address in the field and click Check. I entered some fake email address and clicked Check. Of course the page validates a website, but since I was directed to enter an email address it obviously returned errors.

[screenshot]

This is where he said 282 hackers had hacked my email. He also said there were 8 warnings that I have inside of my computer. Of course this is all BS. He then wanted to show me the errors and warnings of my hacked email. Once again he used the term “good knowledge”, talking about email being secure but my email having been hacked. He then went on to say my computer may crash at any corrupt time. He asked me if I wanted to crash my computer and of course I said no, smiling.

He then started asking me if I had a 6 digit code. Frankly I had no clue what the heck he was talking about so I said no. He said I should have been given a 6 digit code when I bought the computer. At this point I was like what. I thought he didn’t know what the heck he was talking about but he kept going on about this 6 digit code. He brought up a website used for people to connect to a LogMeIn technician and wanted me to put in my 6 digit code that I had no clue what he was talking about.

At this time we got disconnected again. Since they had control of my VM they opened up Notepad and were typing to me while I was typing back. I told them I really wanted my computer fixed so please call me back. It seems like they were having technical difficulties but after a few minutes they called me back. Yup, they called me back a second time.

At this point he kept asking me about this 6 digit code that he said I should have gotten when I bought my computer. I really had no clue what he was talking about. Since they had control of my computer they opened the window below (example) and tried to explain that when I bought my computer I should have been given the 6 digit code, which is the last 6 digits of the Product ID.

[screenshot]

Of course I knew this wasn’t true, but since I was trying to expose how this scam worked I just went along with it. He wanted me to type the last 6 digits of my product ID in the LogMeIn webpage that was up on my screen. This LogMeIn webpage was for people to enter a 6 digit code to connect to a LogMeIn user so they can remote control a machine. Of course, following his directions, I entered those 6 digits and clicked “start download” knowing it wasn’t going to connect me to anyone. At this point I received a warning message saying the code “does not exist and please contact my support providers”. He made a big deal about this. I don’t know why, but he asked me to enter it again so I did and the same thing happened. He said “oh my goodness”. He then went on to say my support provider is expired, whatever that means. At this point he claimed he wanted to see if it was expired, hinting that I might have to renew my software certificate license. Now I was starting to put everything together. From here he opened my Cert Store / certmgr.msc and found a certificate that was expired or not yet valid. He showed me the properties saying it’s expired and that I need to renew my “software certificate license”. It’s normal for some certificates to be expired or not yet valid. I knew nothing was wrong but to the average or below average user this could scare them.

[screenshot]
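The expired certificate and the “6 digit code” are worth separating from what they were dressed up as. The PowerShell script below is an added example, not part of the original post; it assumes a stock Windows install and reads only the certificate stores certmgr.msc displays, the Windows licensing CIM class, and the Product ID value in the registry. It shows that expired or not-yet-valid certificates are routine store contents, and that activation, the thing the scammer seemed to be hinting at, is a separate question with its own answer that has nothing to do with certmgr or a web form.

```powershell
# Added example (not from the original post). Read-only checks for the
# "software certificate license" story. Run in PowerShell on Windows.

# Count expired and not-yet-valid certificates in the stores a user sees in
# certmgr.msc. Trust stores ship with roots that have already expired or are
# dated in the future; none of that needs "renewing" by the user.
function Get-CertValidityReport {
    param([string[]]$Stores = @('Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA',
                                'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'))
    $now = Get-Date
    foreach ($store in $Stores) {
        $certs = @(Get-ChildItem -Path $store -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Store       = $store
            Total       = $certs.Count
            Expired     = @($certs | Where-Object { $_.NotAfter  -lt $now }).Count
            NotYetValid = @($certs | Where-Object { $_.NotBefore -gt $now }).Count
        }
    }
}

# Windows activation is recorded by the Software Licensing service, not in any
# certificate store. LicenseStatus 1 means licensed; other values are the
# unlicensed, grace and notification states.
function Get-WindowsActivationStatus {
    $product = Get-CimInstance -ClassName SoftwareLicensingProduct `
                 -Filter "Name LIKE 'Windows%' AND PartialProductKey IS NOT NULL" |
               Select-Object -First 1
    # The Product ID is a plain registry string that identifies the install
    # type; its "last 6 digits" are not a support code for anything.
    $productId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductId
    [pscustomobject]@{
        Product   = $product.Name
        Licensed  = ($product.LicenseStatus -eq 1)
        ProductId = $productId
    }
}

Get-CertValidityReport | Format-Table -AutoSize
Get-WindowsActivationStatus | Format-List
```

On a fresh install the report typically shows a handful of expired entries in the Root and CA stores and a Licensed value of True. If Licensed is False, the fix is the Windows activation settings page or the vendor the machine came from, never a payment form opened by a caller who is controlling the mouse.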

He then went on to say that was the reason why “the code is not accepting”. I guess he was trying to say in a very vague way that Windows is not activated, but I knew he was lying. So far, to the average or below average computer user, it’s all very convincing, but of course I wasn’t buying it. Now here is where he doubled down since I was intentionally sounding stupid and gullible. He said I needed to renew my software certificate license first before they could connect to my machine to clean out all the hackers. I saw where this was going. He was going to try to double scam me. Once to “activate” and once to “clean”.

This “gentleman” informed me that it would be $179 for a 5 year software certificate license, $279 for a 7 year software certificate license, and $349 for a lifetime software certificate license. Well of course the lifetime software certificate license is the best deal, and most money scammed from me, so I said I wanted that one.

At this point he actually went to support.me, typed in a valid 6 digit support code too fast for me to document, and installed LogMeIn. He was doing stuff in the background with LogMeIn that I couldn’t see. I’m not sure what he did but eventually he brought up a webpage where he wanted me to enter my credit card information to renew my software certificate license. This webpage appeared to be through a 3rd party payment service and it appeared the name of the business he wanted me to pay was “Southend Enterprises”. Of course I wasn’t going to enter real financial information so I just made stuff up, put it in the form, and submitted it. I even mocked them, saying the mouse was jumping around, it must be that hacker software, knowing darn well that both they and I were fighting for control of the mouse. At this point I was sure they were already celebrating as they thought they’d just scammed someone out of another $349. Of course it was declined because I didn’t enter real numbers. He then asked me what bank my card was through so I picked one off the top of my head and told him. I guess this support technician didn’t understand me so he passed the phone back to the first person. At this point he actually wanted me to call the bank and tell them…………………….DARN, WE GOT DISCONNECTED AGAIN.
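By this point in the call three remote-control products had been put on the machine: Ammyy, then TeamViewer, then LogMeIn. The PowerShell script below is an added post-incident triage check, not part of the original post; it looks for those products by name in running processes, services, Add/Remove Programs entries, and a list of folders where installers and downloads commonly land. The name patterns and folder list are my assumptions about where such tools leave traces, not anything the post documents.

```powershell
# Added example (not from the original post): look for traces of the remote
# support tools named in the call. Read-only; reports findings, removes nothing.

function Find-RemoteSupportTools {
    param([string[]]$Patterns = @('*ammyy*', '*teamviewer*', '*logmein*'))  # assumed name patterns
    $hits = [System.Collections.Generic.List[object]]::new()

    # Running processes: the tool is still live if the session was not closed.
    foreach ($p in Get-Process) {
        foreach ($pat in $Patterns) {
            if ($p.ProcessName -like $pat -or $p.Path -like $pat) {
                $hits.Add([pscustomobject]@{ Kind = 'Process'; Name = $p.ProcessName; Detail = $p.Path }); break
            }
        }
    }

    # Services: "remember my answer for this operator" style options and full
    # installs typically register a service so the tool survives a reboot.
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        foreach ($pat in $Patterns) {
            if ($s.Name -like $pat -or $s.DisplayName -like $pat -or $s.PathName -like $pat) {
                $hits.Add([pscustomobject]@{ Kind = 'Service'; Name = $s.Name; Detail = $s.PathName }); break
            }
        }
    }

    # Add/Remove Programs entries for per-machine and per-user installs.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    foreach ($e in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
        foreach ($pat in $Patterns) {
            if ($e.DisplayName -like $pat) {
                $hits.Add([pscustomobject]@{ Kind = 'Installed'; Name = $e.DisplayName; Detail = $e.InstallLocation }); break
            }
        }
    }

    # Loose downloads and leftover folders (assumed locations; portable tools such
    # as a bare ammyy.exe never appear in the lists above).
    $roots = $env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)},
             $env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'Downloads'), $env:TEMP
    foreach ($root in $roots) {
        if (-not $root -or -not (Test-Path -Path $root)) { continue }
        foreach ($item in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            foreach ($pat in $Patterns) {
                if ($item.Name -like $pat) {
                    $hits.Add([pscustomobject]@{ Kind = 'File'; Name = $item.Name; Detail = $item.FullName }); break
                }
            }
        }
    }

    return $hits
}

Find-RemoteSupportTools | Sort-Object Kind, Name | Format-Table -AutoSize
```

A hit is a lead, not a verdict: a TeamViewer install the owner set up themselves matches just as well as one a caller installed. For a real machine that was driven this way the list mainly helps the conversation with the owner; the safe recovery is to rebuild the machine rather than uninstall what was found, and to treat any account or card details typed in during the session as exposed.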

Since they still had control of my VM they used notepad to chat with me. They wanted me to call my bank and tell them to authorize the payment that was declined for $349 for Southend Enterprises. I kept telling them to call me back. For some reason they couldn’t call me so they actually GAVE ME A PHONE NUMBER TO CALL THEM. Yes, they said to call them at (786) 220-3237. I looked up the area code and it was Miami. I’m sure the number rolled to something else and/or it was a prepaid cell phone.

After making sure I wouldn’t be hit with long distance fees I called the number they gave me. Once again this “gentleman” wanted me to call my bank to authorize the declined charge. When I asked him why it didn’t go through he went on to say something but I couldn’t understand him. This is where I dropped on them that I had wasted an hour of their time, I’m an IT consultant, and I know they’re trying to pull a scam. I then mentioned I have their merchant name, I recorded the entire call, and I’m even going to blog about it. Even at this point he asked me how this could be a scam. He said they went through all the things wrong with my computer and asked me why I’m thinking they are fooling me to give them money. I went on to say that my computer was really a VM that was set up specifically to document this scam and to blog about it. There was silence, then he asked me how I liked it. I told him it was a pretty good scam but that I strung them along as far as I could to document all of this to warn others. At this point I must have gotten under his skin as the vulgarities started, only for him to eventually hang up.

The next time someone like that calls I’m all set up to not only record audio but video of my screen so that I can slow down and stop the video to document everything.
