Being scammed at home - a cyber professional’s own experience
Adam Burt, Incident Response and Forensics Consultant at Symantec
on 22 Jul, 2014
We'd like to acknowledge and thank Adam for contributing this blog post. It is technically quite in-depth and we have deliberately left it so to demonstrate the lengths that social engineering scammers will go to to persuade you that they are genuine and part with your money. The key tips to prevention are highlighted on this page.
Recently I was called, at home, informing me that my computer was “downloading viruses”. This is the fourth time this has happened and so I decided to take notes, screenshots and follow through with what happens.
Just a quick note about my setup; I pretended that my machine was a Windows XP SP2 box, which is actually virtualised and has many snapshots already taken. This means, if required, I can give control to anyone online of this machine without worry. Consequently, whilst the caller was describing my problems, I had created a backdoor to this system that allowed me to control processes from another computer. This meant, if anything TOO bad was about to happen, I can cut them off. I also had to pretend that I knew next to nothing about my computer and that I just used it for web browsing and e-mail.
If someone is calling to scam you they will generally try to:
Convince you that your PC is not working as it should
Offer a fix.
Make you pay for the fix
Here is a summary of what to remember:
If ANYONE calls you to tell you your computer needs something doing to it, or is displaying bad behaviour, YOU ARE BEING SCAMMED! Either hang-up, or ask for a number to call back and also a web address for their company. If you know someone who is technical, you could always ask them too.
So, here’s what happened: I received a call at home from someone claiming to be from “Microsoft’s technical department”. They explained that they were a “Microsoft Supervisor” and that my machine had been seen downloading viruses. They then asked me to, if not already, turn on my computer and they would show me how this was possible. Once I had logged in they requested that I press the “Windows Key” plus “R” on my keyboard, displaying the “Run” command box. They asked that I type in “eventvwr” and press enter. This would display my event viewer. They asked me to click on the “Application” events on the left (after a few time wasting minutes of deliberating what an application was, I clicked on it). They asked me to scroll down the list and look for “Warnings” or “Errors”. They asked me to count how many I see and if it was more than about 5 or 7, I had a problem. They explained that the errors were created by downloading malicious files from the web and e-mail, but not to worry as it probably happened without my knowledge. They then explained that after time, the “Informational” events would turn to “Warnings” and “Warnings” would turn to “Errors”. Then, when everything was an “Error” the computer drive would crash. Yep, that’s right, the computer drive.
What happened next surprised me slightly. They asked that I hold whilst I am passed to a senior member within the department. Wow! They have a hierarchical structure in these scam places! The next person introduced themselves as “Peter Smith” (ha!) and said that they will continue the operation. They were going to connect me with “Microsoft Headquarters” because “…only Microsoft can fix these problem…”. They also explained that “this is a one-time check-up” and “…all Microsoft users are being called about these problem…”.
They next asked me to perform the same “Windows key plus ‘R’” and type in “www.ammyy.com” and press enter. This opened the relevant website and they asked me to download and install the remote control client on the site. As a point of clarity, this website is not malicious and there is nothing malicious about the operations carried out here, or the software offered. The crime was that they were done under false pretences.
So now they had control of my computer. They could control mouse, keyboard, could see my screen, could use my microphone and webcam and could transfer files in the background. They now said I was connected to a “Microsoft technical expert” in “Microsoft’s Headquarters”. Notepad popped up.
They asked me to type in my name and e-mail address to prove that I was who I said I was. I didn’t at any point say who I was, because they didn’t ask. I also made up a name and fake e-mail address for them to use. The person on the phone then stated “…everything you see now is from Microsoft Headquarters. I will wait until they confirm they have finished..”. I could hear the key strokes and mouse clicks in the background. It’s worth pointing out that, at most times during this call, I had to try hard not to laugh.
They showed me the same screen again (Windows Event Viewer) as before, but they created a filter that ONLY showed “Warnings” and “errors”.
Again, they explained that more than 5 to 7 errors were a result of this problem they were going to fix. What happened next was slightly alarming; They minimised all windows on the desktop and whilst they were frantically typing and clicking the mouse, kept repeating “..please let me know if you see ANYTHING appear on your screen..”. Once they has finished, they asked once again, to which I replied “no… nothing appeared”, they replied “Good, let us look at the events again…”. Now, something happened there, perhaps some file transfer in the background? Not too sure. I have a forensic copy of the hard-drive that I will examine later.
Next they opened another run command line and typed in “inf hacking files find”. Firstly, the “inf” part will open the “inf” folder under Windows’ system path. This is a legitimate folder and should not be tampered with. What follows the “inf” on the run command is irrelevant and ignored. So, the folder opened (with the pretence that they were looking for “hacking” files) and began to open random files that had no file association with them.
Not being able to open files that have no associated program with them is normal. However it was explained that these were hacking files and could not be opened. They explained that they were going to trace where the hacker was and find them.
The command they used allows a user to trace a path, via the network, to an IP address. He used the domain name “hack.info” which resolved to “22.214.171.124”. I cannot comment on the nature of this site or IP address or as to why they used it, probably for effect. They said that they have now found the hacker and that they could resolve my problem.
They opened my computer management console and proceeded to perform a search for “secure sockets layer” in the indexing query window. As a note, indexing allows quicker searches for text with objects within Windows. This query form is a way of testing to see if indexing is bringing back results. The “Indexing Service” is not running on this particular machine, so this query would return with the same result every time: “Service is not running”. However, they informed me that the “secure sockets layer” was not installed on this machine and that they would install it for me. They explained that this would protect the whole computer and any other computer in my house. They informed me that in order for them to install the “secure sockets layer”, I would need to pay a 1 time fee (I was wondering when they would get to the money part!). Now, for clarity (again) the “Secure Sockets Layer” or “SSL” is what allows us to communicate over the internet securely. It can be used and is available on almost ANY electronic device with a browser. This applies to Windows, Apple, Android, Linux, Unix, anything. It is what allows us to use “https://” rather than “http://”. There is no need to pay for it to be “installed”. They ran through the pricing options, which were:
- Enabled for 4 years: £149
- Enabled for 8 years: £349
- Live-time enablement: £500
I chose to go for the 8 years. Didn’t want to get them overly excited at this point, as I was doing so well in fooling them. I queried about future machines that I would own. I was told “…don’t worry, this will install on any machine on your network…”.
I can only presume that because I had agreed to pay them money, they didn’t want to lose my connection. They then browsed to “www.teamviewer.com” which is a legitimate site to allow remote control to a system (much as is ammyy.com). They downloaded the client for me and connected to my machine again. So now they had 2 connections, both controlling my system. They then took me to the next website to pay the money before they could fix my problem.
Now, again, I do not know the legitimacy or whether this website is malicious or not, but it’s where they wanted me to pay money to. There was a “pay now” button at the bottom of the page that did not render correctly. This was probably because the browser I had installed was from the 1800’s (for anyone not technical, I don’t mean that literally, it was just several years old). They then went to another website to download Google Chrome.
More clarity, file hippo shares files and is a legitimate website. I cannot comment on the content of the downloads though. I do not even know if they were downloading a real version of Google Chrome?!
I was now at the end of my tether and they had wasted enough of my time. I started to shut down the internet browser windows via my “remote control” I had established before they took control. They were persistent in opening more browser windows and trying to re-download the file. It got a bit repetitive, so I shut off their remote access and hung up the phone. They promptly called back and apologies for the cut-off. I explained slowly that they should not call this number any more. They haven’t, yet..