What happens when a scammer tries to scam a security researcher?
I just got off the phone with a very nice gentleman from the “service center for the Windows operating system computers.” During the call, he informed me that they had received numerous warnings that my computer was infected. He explained that I had something “much worse than viruses,” but in fact had “malwares and spywares.” The ‘malware and spywares’ can actually cause my computer to “crash down.”
As a way to show me that I was indeed infected with these horrible “malwares,” he went through a few steps to ensure that I was in front of my laptop and it was powered on.
Little did he know, I complied by opening my non-Windows laptop and fired up a completely clean virtual image of Windows XP.
The eager savior of my malware woes instructed me to hold down the “full Windows flag” in the lower left hand corner of my keyboard (sorry my keyboard doesn’t have a Windows flag, but whatever) and “press the ‘R’ key.” After explaining what I should see on the screen, he had me type “eventvwr” in the blank white space next to the word open and click ‘OK’. Again, another long explanation that I was looking at ‘Event Viewer’. From there he had me “double left-click” on ‘Application’. (Update needed to the friendly technician’s flip chart: there is no need to double click.)
He next explained the normal ‘blue’ information icons and asked if I saw any ‘red circles’ or ‘yellow triangles’.
Of course, I immediately informed him that I saw both. He said, “Okay, don’t click on any of those. Those are ‘malwares’. They are causing damage to your computer.” I immediately responded with “Oh no! How do I get rid of this?” The nice gentleman calmly assured me that he was here to help and that is exactly why he called. When I told him that I “Facebooked all day long,” he informed me that is probably how I became infected and “not to worry.” He said after he helps that “your computer would run just like it was new and you will never have problems again.”
Well, sign me up!
Eager to get this stuff off my computer, I followed his instructions to go back to the Run dialog box and type in “www.ammyy.com”. Of course, it brought up a browser with the website of AMMYY Remote Desktop Software. He instructed me to click on the “Start working with Ammyy Admin” button in the center of the page. He then kindly asked if I saw anything asking to run the file. I told him that “I had an option to save the file but I don’t see run” so he had me select ‘save’ and then double click the downloaded file.
Once I did that, he asked if I saw my “Client ID.” I quickly questioned why he needed my Client ID and he told me that he needed to provide this to the service engineer so they could fix my computer. At this point, I either had to give him access to my computer or cut the call, and I wasn’t going to give him access to my computer. I decided to end my game and let the scammer know I was on to him and playing him the whole time. I wasn’t rude, but I did make it clear to him that the call was over.
In this case, I wasn’t the one being socially engineered, but was the one doing the social engineering. However, this is a scam that many fall victim to. I mean, the guy just sounded so sincere.
Typically, the next step in this kind of scam would be that the scammer demands payment for the “cleaning” service by conveniently opening a browser to PayPal for you to submit payment. If you refuse? Well, they have a remote session open on your computer so your entire computer, and all of your data, is at their mercy. And, since they have full access to your computer, they often just install their own malware anyway.
How do you avoid this? Well, I could be snarky and ask what the chances are that someone from Microsoft would call you to warn you. But, instead, what are the chances that any software company would call and warn you that they found out you were infected?