Monday, May 23, 2011

The Case of the Cold Call AV Expert

TL;DR- Indian scammer showed me an error in my event log, tried to get me to give him remote access.


A call out of the blue…

On Saturday, about noon, I got a phone call at home. Unusually, this is actually quite unusual. Only our parent’s ever call us on our home phone, and since signing up to the Do Not Call register, the telemarketers have stopped.

After the familiar delayed “hello”, I was introduced to a polite, if somewhat quick-speaking, Indian named “Roony Takar” from the Windows Support Centre.

Oh boy! My very first live scam attempt! My girlfriend had received a similar call a couple of months back, so I was aware of the general outline of the scam. What intrigued me was the strategy. Also, I figured the longer I took up his time, the less oportunity he had to scam others.

Roony told me that they had detected a virus on my computer, and that my computer was infected. I expressed my horror at this, and agreed to go to my computer and turn it on. Roony asked me if it was a laptop or desktop. I replied laptop. There was no questions about version of Windows (or even if I had Windows) or brand of computer.

I told Roony that I was pleasantly surprised by this amazing level of service from Microsoft. It appeared that he didn’t hear me…

Breaking News: Event Log Has Errors!

I was then laboriously instructed to open the event viewer (“presss window + r, type in e for echo, v for…”). I was then instructed to open the Application log and asked to scroll through and report how many yellow warnings and red errors I saw. For shame, I lied and stated that I had but 7 warnings and no errors out of 2,000 messages. I was intrigued as to their backup plan should my computer have no errors, but I was then instructed to open the System log. It is probably stretching the bounds of credulity to have no errors here, so reported that I had some errors.

I was then instructed to open the error. I chose a benign DHCP error, and reported it’s message[1], type (error) and category (none). I was told that my computer was infected and that software was causing DHCP server to be blocked, and that the category of none meant that my computer was broken. I asked what my DHCP server thing was, I don’t use any programs called that. I was told that it was a program inside my computer.

Gimme Remote Access

Roony then told me that as my computer was infected, I would need to have it reviewed by a Microsoft certified technician[2]. Now I was asked if I had Windows Internet Explorer, and if so, to open it. I was then painstakingly directed to go to the website “”[3]. By coincidence, my internet connection had dropped out at that time, so I was instructed to also try “”[4].

Upon having both these sites unavailable, I was then instructed to restart my modem.

With the internet back up, I went to “”. I noted to Roony the lack of Microsoft logos on the page. “Surely”, I said, “Microsoft would have their logo on this site?”

I was then told the scripted disclaimer “We are PC Solutions, I am calling you from the Windows Support Centre, we are contracted to provide software maintenance”.

“So Microsoft has contracted you?”

A Bridge Too Far

And with that, *click*, Roony had hung up. I was slightly disappointed to not obtain the log-in details that he was using for “” in order to report it to, but pleased to at least take up some of his time.

Speaking with friends later, it appears I’m not the only one to have gotten one of these phone calls. Most people report that their initial thoughts were that the call came from Microsoft. Some told the scammer “I don’t have a computer” (only to be scolded “But everyone has a computer!”) or “I have an Apple”, which resulted in quick hang-up. Maybe we’ll start seeing fake Apple calls soon.

Reap What You Sow

From research, it appears that there 3 general pay-offs for these scammers, in order of increasing illegality-

1) Use the remote admin access to install a useless “anti-virus” program, and charge you either for it or for the heavily promoted upgrade. As a product has been sold, there is little recourse for victims.

2) Install a botnet client onto your machine, and use your computer for spam, DDOS, etc.

3) Install a keylogger and obtain passwords in order to defraud, blackmail or steal identity.

My guess is that the first one is their main M.O. By not directly saying that they are from Microsoft, they merely mislead rather than misrepresent, suggesting a desire to stay within the letter of the law, if not the spirit.

How do we stop this scam?

Looking at the critical points in this attempt-

The phone call – You could ask for their number and insist on calling back. This is good practise, but not foolproof. You should additionally google the phone number and company name, and still be wary. Ask how did you get my number? Don’t give out any additional personal information.

Event log – You could lock down the event log, but there are million ways a scammer could convince you that your computer had an error.

Remote admin tools – Again, there a million different remote access tools, with legitimate purposes. There are even open source options like VNC.

The best means of stopping this is to make people aware of it. This scam has been mentioned a couple of times in the news, but is still not listed on Scam Watch. I recommend letting your friends and family know about this (especially grandparents and those more likely to be scared by  shouts of “VIRUSES!!”).


And leave you with a final question…

Why get remote access, when you could get the user to install a virus-ridden program via the browser?



[1] “The IP address lease for the Network Card with network address XXXXXX has been denied by the DHCP server (The DHCP Server sent a DHCPNACK message).” I took care to spell out DHCPNACK very slowly. 

[2] This was the only time he mentioned “Microsoft”. I was specifically listening to see if he would misrepresent, but his script appeared to be big on implication.

[3] An online remote admin tool, appears legitimate and not directly associated with the scammers.

[4] A remote admin program, again appears legitimate and not directly associated with the scammers.

No comments:

Post a Comment