How to recognize a PC support scam
A while ago, I responded to a blog comment requesting some thoughts on how to recognize a cold-calling PC support scam. Unfortunately, I wasn't able to do that immediately, and then I was on vacation with no Internet connectivity (I should do that more often!). But then, since the problem isn't going to disappear any time soon, I guess advice on how to recognize it before you hand over any cash isn't going to pass its best-by date too soon, either.
- If you have caller-ID enabled on your phone display, you might see International or Number Withheld. That doesn't, of course, guarantee a scam. But if you're not accustomed to receiving international calls and you share my dislike of businesses that call without displaying the number they're calling from, it is at least a warning to be on your guard. On the other hand, it's far from unusual for a scammer to use what looks like a local number (which may or may not be spoofed).
- India is a major provider of legitimate call-centre services to many parts of the world, so you can't assume that a caller with an Indian or Asian accent is a scammer, just as you can't assume that all Nigerians are 419 scammers (or even that all 419s are Nigerian in origin). Nonetheless, at the moment, nearly all the reports of support scams that I'm seeing note that the caller sounds Indian, and almost all of the sites and domains we've been able to trace (and in some cases, block) have had an Indian connection.
- If you're on a national "do-not-call" register, pointing that out early in the conversation is a pretty good way of gauging whether the call is likely to be from the same region. If, as often happens, they take no notice, it's probably a good time to put the phone down.
- The caller is likely to claim to represent or to be affiliated with a well-known name – Microsoft, Cisco and Dell (and, more recently, BT) are frequently mentioned, though the nature of the connection is often vague. These are companies that are very unlikely to contact an end-user directly about a virus problem: frankly, it's pretty time-consuming to trace individual users who might have a security issue. The fact that the caller might know your correct name, address and telephone number does not mean they have access to any information about your PC. They're guessing, and if you know enough about your own system to ask how they have the information they claim, their answers make no sense at all. And if, as is often the case, they don't have your correct contact details, how can they possibly know anything about the status of your PC?
- Most scam calls rely on the scammer "proving" that he or she can identify problems with your system: in a moment, we'll look at the ways in which they misuse and misrepresent standard Windows utilities as some kind of malware diagnostic, but even before that, they might tell you that they already know you have a security problem because:
- Microsoft, or your ISP, or some other "authority" told them so. The circumstances under which this might be true are very limited indeed: if you think it's possible that it might apply to you, check directly with the "authority". It's unwise to take the word of someone who just called you out of the blue. If they're shy about the exact nature of their relationship with Microsoft (or whoever), I'd suggest you save yourself the trouble and just put the phone down.
- The details of your system are on some hypothetical database.
- There are spam or virus reports associated with your IP address. Or your phone number. Or, more vaguely, "your computer". Take this with a very large pinch of salt. If you don't understand the caller's explanation of how they identified your system, assume that you're being misled. If you think you do understand the explanation, that's probably a tribute to the social engineering talents of the scammer, not a reliable indicator of a bona fide support call.
So what about the ways in which they try to prove to you that your machine is infected by walking you through standard Windows utilities? It's likely that scammers will come up with variations on this approach, but these are the ones that we see most often.
- Event Viewer is a utility that keeps a system log. A scammer is likely to tell you to go to the Run menu and type in eventvwr. That will take you to a screen that shows you various system events, some of which will indeed be problems, but they're usually transient problems that have already come and gone. When you see the Event Viewer screen, say something rude and put the phone down, if you've let them get that far.
- Microsoft tells us that ASSOC "Displays or modifies file name extension associations." However, scammers tend to use one of the items near the bottom of the list it outputs, which looks like this:
.ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
What that ASSOC command actually tells us here is that the .zfsendtotarget extension is associated with the compressed (zipped) folder type in Microsoft Windows. However, the scammer will usually tell you that this is a unique identifier of your PC, as proof that he can see that there is a problem uniquely associated with your PC. Or he might tell you that CLSID stands for Computer License ID, and that you need to renew the license. Either way, he's lying to you. Tell him where to stick his licence and put the phone down.
- INF and PREFETCH are legitimate system utilities: the "Prefetch" command shows the contents of C:\Windows\Prefetch, containing files used in loading programs. The "INF" command actually shows the contents of a folder normally named C:\Windows\Inf: it contains files used in installing the system. So how are they misused by scammers? By asking the victim to press Windows-R to get the Run dialog box, then asking them to type in something like "prefetch hidden virus" or "inf trojan malware". When a folder listing like those above appears, the victim believes that the system is listing malicious files. In fact, neither of these commands accepts parameters in the Run box. You could type "inf elvish fantasy" or "prefetch me a solitaire and tonic" and you'd get exactly the same directory listing, showing legitimate files. Time for another rude word.
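As an added illustration (not part of the original article), this PowerShell snippet takes the ASSOC output for an extension and resolves any CLSID in it to the class name Windows has registered under HKEY_CLASSES_ROOT\CLSID, so a user can see for themselves that the value is a shell class identifier and not a "Computer License ID". The exact friendly name returned depends on the Windows install; the function name and the comparison with .txt are my own additions.

```powershell
# Added example, not from the original article. Resolves the CLSID in an
# ASSOC line to the name Windows has registered for it, so you can check
# what the association really means.
function Resolve-AssocClsid {
    param([Parameter(Mandatory)][string]$Extension)

    # ASSOC is a cmd.exe built-in, so run it through cmd; output looks like
    # ".ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"
    $line = cmd.exe /c "assoc $Extension" 2>$null
    if (-not $line -or $line -notmatch '=(?<progid>.+)$') {
        return "No association registered for $Extension"
    }
    $progId = $Matches['progid']

    # Most extensions map to a plain ProgID (e.g. ".txt=txtfile"); only a few
    # map straight to a CLSID, which is what the scammer latches on to.
    if ($progId -notmatch '\{[0-9A-Fa-f-]{36}\}') {
        return "$Extension maps to ProgID '$progId' (no CLSID involved)"
    }
    $clsid = $Matches[0]

    # Every CLSID has a key under HKEY_CLASSES_ROOT\CLSID whose default value
    # is the human-readable class name. Nothing here is a licence or machine ID.
    $key  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $name) { $name = '<class name not registered on this machine>' }
    return "$Extension -> CLSID $clsid = '$name'"
}

# The extension scammers point at, plus an ordinary one for comparison.
Resolve-AssocClsid '.zfsendtotarget'
Resolve-AssocClsid '.txt'
```

Run it in any PowerShell window on the machine in question; the first call shows the compressed-folder class behind the CLSID, the second shows that an everyday extension has no CLSID at all.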
For the scammer, there are two other critical steps.
- The whole point of the exercise (and they'll probably want you to do it before they actually "fix" your system) is to get you to hand over credit card details. Make it clear from the start that you're not going to give that information to anyone you can't validate as genuine. In some cases, they might simply give up at this point, or they might try to convince you that they're genuine by giving some information about themselves (or, more to the point, their company). Tell them you'll call them back and get in touch with the authorities, or even us. Unfortunately, there's a good chance that they'll call you back eventually if you don't ring them back: they really do want your money. Tell them you've talked to the police, or to a security company, or even to Microsoft, and the chances are they'll give up sooner or later, though they might bluster for a while.
- The other is to convince you to download remote control software (most often from logmein.com or ammyy.com) so that he can demonstrate to you that he's downloading utilities (usually these are free versions of genuine software, though of course they could in principle be anything…) and fixing your hypothetical problems. Don't go there: why would you give someone who just rang you up out of the blue access to your system?
Of course, I can't guarantee that they'll use any particular approach, and in fact you might get threatening or abusive behaviour before they give up. Nonetheless, the earlier in the process you disengage and make it clear you're not interested, the less hassle they're likely to give you: at least, in terms of that specific phone call. The advantage of that approach, of course, is that it tends to work for other scams (some of which might come from the same call centres): debt scams, fake surveys (usually a precursor to a sales pitch or even to a follow-up scam call, tailored according to your responses) and so on.
See also ESET's white paper Hanging on the Telephone.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow