What I learned playing prey to Windows scammers
- 07 July, 2016 20:00
“I am calling you from Windows.”
So goes the opening line of the well-known phone scam, where a person calls purporting to be a help desk technician reaching out to resolve your computer problems. These Windows scammers feed off people’s concerns about data breaches and identity theft to trick them into installing malware onto their machines. The scam has been netting victims for years, despite the fact that none of what the callers say makes sense.
I recently received such a call and decided to play along, to see how the scam evolves and who the players might be. Over a period of three months, I received calls on average four times a week, from various people, all intent on proving that my computer had been hacked and that they were calling to save the day. I had multiple opportunities to try a variety of conversational gambits and to ask questions of my own. Here is what I found out about the Windows scammer underworld via conversations with “Jake,” “Mary,” “Nancy,” “Greg,” “William,” and others.
The scam’s success hinges on being helpful
The callers are polite, and they sound very earnest, explaining in great detail how hackers can loot your bank accounts, steal your identity, and compromise passwords. They are intent on convincing you the threat is not only real but hackers are already in your system performing all manner of nefarious activities. Your computer has been slow, they say. Or they explain that they have detected suspicious activity emanating from your PC.
“Whenever there is any negative activity going on with your computer, right? We get notified from the license ID of your computer,” said “Nancy.”
The scammers don’t expect you to take their word for it; they are willing to show proof that your computer has been hacked. They instruct you to press the Windows key and R to bring up the Run box on your system, and to enter commands to open Windows Event Viewer. The caller notes how many errors are listed (most of which are harmless) and uses the list as proof the computer is compromised. "Jake" walked me through finding my unique computer ID using the command line.
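The error count a caller points at is the weakest part of the pitch: every Windows machine logs Error and Critical events from drivers, services and updates as a matter of course. As an added illustration that is not part of the article, the PowerShell below summarizes those events from the System and Application logs over the past week, grouped by source, so the "proof" can be seen for the routine noise it is. The seven-day window and the top-15 cutoff are arbitrary choices, not anything the article specifies.

```powershell
# Added example, not from the article: summarize Error (level 2) and Critical
# (level 1) events in the System and Application logs for the last 7 days,
# grouped by the component that wrote them. On a healthy PC this list is
# dominated by driver, service and update chatter, which is why a raw count
# proves nothing about a compromise.
$since  = (Get-Date).AddDays(-7)        # window is an arbitrary assumption
$levels = @(1, 2)                       # 1 = Critical, 2 = Error

$events = foreach ($log in 'System', 'Application') {
    # Get-WinEvent writes a non-terminating error when nothing matches;
    # SilentlyContinue turns that into an empty result for this log.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = $levels; StartTime = $since } `
                 -ErrorAction SilentlyContinue
}

"Error/Critical events since $($since.ToShortDateString()): $($events.Count)"

$events |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, @{ Name = 'Source'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

Run it in a normal PowerShell window; reading these two logs does not need elevation. Seeing the same handful of sources at the top week after week is the point: a caller who claims the number itself is evidence of hackers has nothing to show.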
“Rachel” sounded genuinely horrified when I told her how many errors were in Windows Event Viewer: “This is the worst I’ve ever seen!” I burst out laughing. Needless to say, she hung up immediately.
Once the victim has been convinced there is a problem, the hard part is done. Depending on the scam, the caller tries to talk you into installing remote software, such as TeamViewer or AMMYY, onto your computer, or they direct you to a website to download software that would supposedly fix the problems. The remote control software can be used by the attacker to steal data, download malware, and further compromise the system.
To avail myself of their help, I would have to hand over my credit card number and pay anywhere from $49 to $500. I never got past this step, though.
It doesn’t matter who the victim is
Scammers get phone numbers from myriad places: marketing lists sold between telemarketers, the phone book, personal records from data breaches traded on criminal forums. Some scammers used my married name, which isn’t listed anywhere. Because our phone is listed in my husband’s name, scammers working off public phone records probably switched to Mrs. when I answered the phone instead.
Most of the time, scammers don’t bother with names. They start off with a polite, “Good afternoon, ma’am.” I infuriated “Greg” by claiming he must be talking about someone else’s computer as it couldn’t be my computer that was infected. When “Greg” retorted that he knew everything about me and rattled off my name and the city I lived in, it made me think he was working off a list obtained from a data breach dump. That scared me a bit, knowing that these callers could possibly know where I lived, so I ended that call in a hurry.
It doesn’t matter in the end because the scammers will talk to anyone. My child answered the phone once, and instead of asking to speak with an adult in the house like any proper (and scrupulous) telemarketer would, the caller went through the explanation of how the computer was infected and needed to be dealt with immediately. My child, wanting to be helpful, scrambled to follow the instructions. Luckily, my child stopped to ask me which computer to turn on, at which point I took away the phone.
Considering kids don’t often have a credit card for the final payoff, it’s perplexing what scammers hope to gain by proceeding with calls involving minors. When asked, “Jake” huffed a bit, then ignored the question.
That was an eye-opening moment, and we immediately had a family meeting to explain these calls and emphasize that no one should be calling and asking us to do anything on the computer. We had the same conversation with the grandparents.
On another call, I tried convincing “William” that I didn’t have a credit card, at which point he suggested I borrow a card from someone else. The implication was that if I really wanted to stop the hackers, borrowing a card wasn’t a big deal.
They will stick to the script, no matter what
Callers stick to a script, rarely veering off what they are supposed to say, even to the point of repeating the same keywords over and over. Take the exchange I had with “Nancy.”
“What I am trying to say is when you bought your computer, a technician installed the operating system, you know that? The Windows operating system,” said “Nancy.” I noted there was no such thing as the Windows company because it was an operating system. “That’s what I am saying. I am calling from the Windows Service Center. Windows is the operating system you are using, right? And this is a service center for Windows. There are 700 service centers for Windows, you know that?”
"Nancy" claimed later in the call that my Windows license would be canceled if I didn’t fix the issues on my computer. “You have been provided with the license for the operating system of your computer. Right? If we find that someone is misusing the computer for any reason or there is something going wrong, what we do first is that we cancel the license of the computer, which means that you won’t be able to use this computer, all right?”
I argued back, “Why not?”
“You are using the Windows operating system,” she repeated patiently. I hoped I was annoying her at this point. “If we cancel the license of the Windows operating system from our end, then your operating system gets locked.”
Way to spook victims with the idea of ransomware, “Nancy.”
“Being a Windows user, I believe you know that all Windows computers are connected to the same Windows Global Router in Virginia,” “Nancy” said.
Even conspiracy theorists can’t make up this stuff. All Windows users connecting to a massive network that monitors all their activity? The sad thing is I can see how people wouldn’t know how preposterous the idea sounds.
When “Rachel” told me she was calling because the technician had detected malicious activity from hackers on my computer at 5 a.m., I told her she was mistaken as my computer was always off at night. She ignored me and proceeded to the next part of her spiel where she asked me to open up Windows Event Viewer.
After a while, even the most curious recipient will give up asking questions, since the answers don’t make sense. I told “Nancy” so. “At this point you are saying a lot of things that make no sense, because they are not logical, but OK, go on.”
I was startled that she continued regardless. “If you do not remove the hacking file from this computer, then unfortunately, we will have to cancel the license of your computer so that there is no misuse of your personal information.”
“Nancy” really wanted that payout. Why not? I was making her work for it.
Each team operates differently
The Windows scam doesn’t appear to be the work of a single group. Toward the end of the observation period, callers were exclusively women, some with strong Eastern European accents and others with strong Indian accents. Earlier calls, in contrast, had been exclusively from males with Indian accents, except for “Steve,” who sounded American. Possibly Pennsylvania or Maryland. Not the Northeast, the South, or the Midwest. Definitely not Texas.
I am almost certain that I spoke with “Jake” at least seven times, but he was “Mike” and “William” at least once during those calls. It would have been smart for “Jake” and his team to take notes when victims didn’t pay, so they could spare themselves the effort of repeatedly calling to try to hook me. It’s pretty clear these folks aren’t using CRM software to track interactions with their “customers.” This wasn’t a highly professional criminal organization.
Despite these hints of amateurism, they were still getting the handful of victims necessary each day to make the operation worthwhile.
A few times throughout my experience with my various Windows scammers, the thought crossed my mind that the callers themselves may be unwitting dupes for the actual criminals. Perhaps, like call center workers in the movie "Outsourced," these folks know nothing about the “company” they work for and are simply doing their jobs following the script. Perhaps they themselves are convinced they are actually being helpful.
I told “Frank” I had a really poor connection and I kept hanging up the phone. But he called back each time and remained very polite and eager to help. The dropped calls had to be tremendously annoying for him, but he never broke character. Maybe it wasn’t an act for him, and he genuinely believed in his purpose, unaware that the script was a scam. I finally disconnected the phone for the day to get him to go away.
When I asked “Jake” why he scammed people, he got angry and denied it, but “Mary” tried to convince me I was mistaken. She didn’t break character and assured me she’d helped many people in the time she’d been working there. She made me hesitate, and I am still not sure if she was simply skillful, or if she was the victim in this situation, manipulated by a criminal syndicate.
“Mary” was also the only one who remained polite when I accused her of taking part in the scam. All the others issued threats before hanging up, although “Nancy” did say, “Thank you,” before disconnecting.
Ask a lot of questions
The devil is in the details, and the more you ask questions instead of swallowing whatever the callers say, the more likely you will uncover inconsistencies or problems. The moment you suspect a scam, hang up.
Many of the callers don't take into consideration that you may have multiple computers. When I asked “Mike” which computer he wanted me to turn on, at first he didn’t understand what I was asking. “I am talking about your Windows computer,” he said.
I explained I didn’t know which of my seven computers had problems. I half-expected him to tell me any would do, but he went through the pretense of looking at his logs and telling me to turn on the one that had been on at noon the day before. I wonder if he would have tried again later with my other computers, but I didn't let him stick around long enough to find out.
My questions must have rattled “Nancy” from “Windows Technical Services” a bit, since she switched the company name a few times during the course of the call. From “Windows Technical Services,” she switched to “Windows Security Services,” “the Windows Company,” and “Windows Service Center.”
Later on in that call, “Nancy” made another goof. “All I am trying to say, to do, is to explain that your computer is getting hacked by foreign IP addresses, from Texas and from California.”
Yes, Texas was once an independent republic, but come on, “Nancy.” You can do better.
Do not engage the scammer
Never, ever share any personal information. Don’t provide your name. Don’t talk about anything specific to you -- the caller wants to gain your trust and will engage in small talk while waiting for the computer to execute the commands you typed. Don’t go to any website the scammer tells you to visit, don’t accept emails, and most of all, don’t download any software during the call.
A recent variation of the scam depends on victims making the initial phone call. While browsing online, the victim comes across a browser pop-up stating the computer is infected and to call technical support at the listed number for instructions on how to fix it. The message is frequently served up via a malicious advertisement. Don’t call the number. Instead, close the browser and move on. It’s easier to never, ever engage the scammer.
If there really is a problem, you won’t find out over the phone. Microsoft doesn’t have the phone numbers of every user who owns a Windows computer, and the company definitely doesn’t call individuals if something goes wrong. If a problem exists -- say, the ISP thinks your computer is infected and spreading malware to other computers -- the notification will not come via a phone call. More important, there is no such thing as a Windows Global Router monitoring your computer activity.
If you suspect a problem with your computer, go to Best Buy (for Windows) and Genius Bar (for MacOS), or hire a reputable IT pro to take a look.
As I learned from “Greg,” some of the callers know where you live, which increases the chances of your getting doxxed or targeted in another attack in retaliation. The scammer can set a password on the computer or change the existing password, to lock you out of the computer the next time you start it up. If they know where you live, they can hit you in the real world.
Once you realize it’s a scam, hang up. There is no benefit in stringing them along, and these callers get very angry. I was usually shaking after each of these encounters and frequently had to go outside for a walk to calm down.
One of the many calls from “Jake” ended with him screaming, “You think this is a scam? I will show you! I will show you hackers have control, because I am going to be the one taking over in 48 hours. Watch out!” I was rattled enough to keep all computers (even the Linux and Mac systems) in the house off for three days after, just in case.
“Nancy” threatened legal action. “Listen, I am telling you one last time, whatever information you have in your computer save it, because in the next 24 hours, we are going to cancel the license of your computer. And we will send you a legalized document, all right? At your doorstep. At that time, you can have a talk with the lawyers.”
It’s been a few weeks. No lawyers yet, whew.
What if you fell for the scam?
If you installed software, uninstall it and run a security scan to remove anything it left behind. If you gave remote access, reboot the computer to force-end the session, then uninstall the remote-access software. If the scammer got a chance to look through your files, as part of the remote access session or through the downloaded software, then assume they have copied your files and may have access to your passwords. Change your passwords after running the security scan and verifying no keylogger was left behind.
At this point, it may be better to disconnect your computer from the Internet, back up the specific files you need (if they weren’t already backed up over fears of ransomware), and wipe the machine to start over. There is no point in risking that the malware has enough hooks into the system that the security software is unable to eradicate it completely.
If you paid the scammer, call the credit card company right away to report the incident and cancel the transaction. Cancel the card, too. If the attacker has the information, they can use it again later or sell the number to someone else.
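The cleanup steps above assume you know what the caller had you install and whether a session is still open. As an added example that is not part of the article, the PowerShell below takes that inventory on the affected PC: installed programs, running processes, registered services and live TCP connections that match a list of remote-support tool names. The name list is a placeholder built only from the two tools the article mentions (TeamViewer and AMMYY); the script lists and does not remove anything, so you can decide what to uninstall after the reboot, and it assumes a version of Windows that provides Get-NetTCPConnection (Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the article: inventory remote-access software on a
# Windows PC after a suspicious call, before uninstalling anything.
# The tool names are a placeholder taken from the article; extend the list
# for your environment. Run from an elevated PowerShell prompt so that
# process paths and all connections are visible.
$patterns = 'TeamViewer', 'AMMYY'
$regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Installed programs: 64-bit, 32-bit and per-user uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $regex } |
    Select-Object DisplayName, InstallDate, UninstallString

# 2. Running processes and registered services. A reboot ends a live
#    session, but a service set to start automatically brings it back.
$procs = Get-Process |
    Where-Object { $_.ProcessName -match $regex } |
    Select-Object Id, ProcessName, Path
$svcs = Get-Service |
    Where-Object { "$($_.Name) $($_.DisplayName)" -match $regex } |
    Select-Object Name, DisplayName, Status, StartType

# 3. Established TCP connections owned by those processes: a session that
#    is still open after the call shows up here with its remote address.
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $procs.Id -contains $_.OwningProcess } |
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess

'--- Installed remote-access programs ---'; $installed | Format-Table -AutoSize
'--- Running processes ---';               $procs     | Format-Table -AutoSize
'--- Services ---';                        $svcs      | Format-Table -AutoSize
'--- Live connections ---';                $conns     | Format-Table -AutoSize
```

Save the output before you reboot and wipe: the remote address of a live session and the install date of the program are the details worth keeping for the fraud report mentioned below.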
U.S. victims should report the scam to the Federal Trade Commission and provide the name of the scammer, as well as the originating phone number of the call. I don’t have Caller ID, so I couldn’t track the number, and in several cases, when I tried to dial back to track the last incoming call, I got the message that the number was blocked. The sheer number of calls I fielded made me question the wisdom of maintaining a landline -- at least if the calls had been going to my cellphone, I could potentially block calls. Alternatively, I could whitelist calls I recognized and ignore the rest.
They know which buttons to push
In the past, I’d dismissed these scammers as bumbling criminals preying on clueless and naïve computer users, but after 60 or so conversations, I’ve revised my assessment: They're skillful social engineers. At one point, when I’d managed to irritate “Nancy” enough, she asked, “Do you know who you are talking to? Do you know I have the authorization to cancel the license key for your computer?”
I stopped for a half-second to remind myself that she couldn’t do that. It helped that at the time of the call I was working on a Mac, but I sympathize with the victims who don’t want to take the risk. These scams are effective because they’re utterly convincing to nontechnical users. Even someone who has been reading about the latest news and staying well-informed can be tricked because the callers are good at hinting at all the things that can happen. The people making these calls are polite and charming -- unless, like me, you’ve been annoying them for 15 minutes with questions. They are confident and sound like they know what they are doing, which is why they are successful.
“We are calling you to find out why your computer is downloading all this hacking software and who are the persons who are trying to get into your computer to steal your personal information. That is illegal. That is against [sic] cybercrime.”
That’s the only point I agreed with from those calls. What they are doing is illegal. If you get the call, hang up. Don’t engage, and we will eventually starve the scamming beast into ceasing operations.