Microsoft Technical Support Scam: A victim’s eye view

I’ve been getting these calls for months: the thick Asian or African accent at the other end of the line proclaiming themselves to be Scott, Ben, Mark or Chris from Microsoft Technical Support, BT, or my Internet service provider, all calling about my system being hacked, infected with viruses or compromised in some other way … and of course they are calling me to help.

So it was only a matter of time before I decided to follow in the footsteps of quite a few people before me and actually follow one of the calls through to its conclusion (as opposed to my usual indignant raised voice … and the all too common exchange of insults before I smugly hang up last), to find out what it is that draws people in and makes them fall for the scam. So, armed with a fresh Windows installation on a spare hard drive (I didn’t want any personal information on it, as I was going to be letting them into my computer), I waited for the call to come through.

When the phone finally rang, the heavily Asian-accented ‘Scott’ asked to speak to the owner of the Windows computer, which I confirmed was me (all the while launching into a frenzied shut down – change hard drive – reboot sequence to get the ‘victim’ HDD in place).

Now, just to start off with, as far as the actual scripting of the scam goes, the level of social engineering (on however small a scale) is pretty complex and advanced … playing on fear of the unknown (the faceless hacker and virus writer) and the gaps in knowledge that most people have as far as computers go (almost everyone knows something, but we all have gaps of varying sizes in our depth of knowledge, whether it be hardware or software).

The first task of the scammer during the call is to draw the computer owner into the game while keeping their own agenda hidden … and admittedly the scripting is good at this task, using some quite advanced hooks to keep the victim both engaged and off balance, while building trust through their own ‘knowledge’ of the situation (using keyboard shortcuts, spelling out programs and locations for the victim to look at, and picking out system files that appear to fit in with what they are telling you). In reality, like any con, this is just a version of the old street magic sleight of hand tricks, letting you see what they want you to see.

One of their favourites is to pick out a standard CLSID registry entry (a CLSID is a class identifier, which allows Windows to locate a program component by a unique identifier instead of by name), but what they will tell you it means is Computer Licensing Security Identifier, which plays on the fear factor again. Because the CLSID registry keys for a given program are the same on every Windows installation, they can make it look as if they know exactly what you can see … and in a warped sort of way they can, because they can look up exactly the same industry standard information on their own computer.

This is the point at which they will spin their main scam line, which is also the most dangerous part for the victim … and they will usually do it through the Run box rather than an Internet browser window, spelling the text out phonetically again to hide their agenda to a certain extent. ‘Scott’ sent me in this manner to a website usually used for technical support on a peer to peer basis (it allows one user to take control of another computer through a secure system of client ID/password connections), TeamViewer … which I will state now is a legitimate utility, but it does in this case have the potential (realised potential) for misuse.

I was instructed to download and run the TeamViewer software and given the connection information (again, a trust building exercise, as the appearance of being given control of their computer is insinuated, although if you tried anything you would find the permissions not in place for such an action), and then instructed to flip the connection, which gives them full access to your computer (any unencrypted card and bank information at this point would be visible to them, as well as any usernames and passwords that are not securely stored). But even at this point, they keep the victim engaged and involved.

Now is the point where the ‘technical support’ operator will enter their ‘endgame’. In the case of my call, they offered to give me Windows Security Essentials and Microsoft Internet Security for free, but there is always a catch … a £7 activation fee (not a huge amount of money, which is the hook they need to get bank/card details, at which point they can drain your account at will).

I, of course, had a few reasons as to why I could not give these details out (the best one is denying you have a card or bank account, making payment impossible), at which point the operator asked me what I could see on my screen … and promptly rebooted my computer remotely (after setting a password on Windows, which allegedly made my computer unusable), then told me that I would have to pay if I wanted to get back in … and hung up after a further refusal.

The most important thing to remember at this point is DON’T PANIC. All they have done is put a password on your Windows installation, which can be solved easily (use your Windows disc to restore your computer to a point before the changes were made … or if you don’t have a disc there are other methods available, but I would advise having a professional do those if you are not a fully confident computer user). Using the installation disc and System Restore, it took me about 5 minutes to sort it out.

As I stated earlier, I used a specially cleared hard drive to do this. If it happens on the computer you actually use, it is then a good idea to run virus and malware scans to ensure that no unwanted software has been deposited on your system.

If you are reading this out of interest rather than after the event, then there is no substitute for caution when fielding this sort of phone call, and if it’s your sort of thing, get to know your computer so that the ‘problems’, ‘hacks’ and ‘viruses’ that they will ask you to look at are already familiar to you as normal working parts of your day to day computer operations, not the dangerous and terrifying horrors that they claim.