Naked Security

Tech support scammer tricked into installing ransomware

Tables were turned on a fake tech support line when a tech-savvy 'victim' played them at their own game.

First things first, we do not recommend that you screw around with crooks.

That includes fake support calls, 419 scammers and fake tech support outfits.

If you’re talking to them on the phone, they know your phone number. If somebody in the scam outfit got your number via a data breach, the caller might even know where you live.

All you really know for sure is that they’re crooks.

Our advice is to just hang up, lest you be on the receiving end of threats to, say, chop you up and feed you to the fishes.

Having said that, there’s a set of people who most certainly don’t hang up.

Damn the potential risk, full speed ahead. They do things like draw out the conversations to waste the crooks’ time. One guy even cooked up an autobot to do the work for him: he’d forward calls to it, thereby automatically (and hilariously) wasting the fraudsters’ time.

There’s a new one to add to that turn-the-tables genre. His name is Ivan Kwiatkowski, and his modus operandi was to infect the caller with Locky ransomware.

As Kwiatkowski tells it, earlier in the month, his parents somehow managed to land on a page (now defunct, but here’s a screenshot) telling them that their brand-new system – it had been in use for only 30 minutes! – had somehow been infected with the notorious Zeus malware.

As tech support scams go, this one was replete, blinking and flashing like the Strip in Las Vegas on a Friday night:

This horrible HTML aggregate had it all: audio message with autoplay, endless JavaScript alerts, a blue background with cryptic file names throwing us back to Windows’ BSoD days, and yet somehow it displayed a random IP address instead of the visitor’s one.
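A small heuristic scanner for the scare-page traits just described (autoplay audio, a never-ending alert loop, a "your IP" that is not actually the visitor's, and a toll-free call-to-action). This is an added example, not code from the original post or from Kwiatkowski; the sample HTML, the indicator names and the three-indicator threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not the real page): a stripped-down mock of the scare page
# described above. The "Your IP" it shows is deliberately NOT the visitor's.
SAMPLE_SCARE_PAGE = """
<html><body style="background:#0000aa;color:white">
<audio autoplay src="alarm.mp3"></audio>
<h1>WARNING: Zeus virus detected on this computer</h1>
<p>Your IP address: 198.51.100.23 has been hacked. Do not close this window.</p>
<p>Call certified support now (toll-free): 1-888-555-0100</p>
<script>
while (true) { alert("Your computer is infected! Call 1-888-555-0100 now."); }
</script>
</body></html>
"""

class _PageParts(HTMLParser):
    """Split a page into an autoplay-media count, script bodies and visible text."""
    def __init__(self):
        super().__init__()
        self.autoplay_media = 0
        self.scripts, self.text = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag in ("audio", "video") and "autoplay" in dict(attrs):
            self.autoplay_media += 1
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text
        (self.scripts if self._in_script else self.text).append(data)

# Heuristics: a loop or timer whose body calls alert(), any IPv4 literal in the
# visible text, and a North American toll-free (8xx) number used as the hook.
# ALERT_LOOP is deliberately loose (non-greedy across the script) for a demo.
ALERT_LOOP = re.compile(r"\b(?:for|while|setInterval|setTimeout)\s*\(.*?\balert\s*\(", re.S)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TOLL_FREE = re.compile(r"\b1?[-. ]?\(?8(?:00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}\b")

def scan_scare_page(html: str, visitor_ip: str) -> dict:
    """Return the scare-page indicators found in `html`, given the visitor's real IP."""
    parts = _PageParts()
    parts.feed(html)
    parts.close()
    scripts = "\n".join(parts.scripts)
    text = " ".join(parts.text)
    indicators = []
    if parts.autoplay_media:
        indicators.append("autoplay_media")
    if ALERT_LOOP.search(scripts):
        indicators.append("alert_loop")
    shown_ips = set(IPV4.findall(text))
    if shown_ips and visitor_ip not in shown_ips:
        indicators.append("displayed_ip_mismatch")  # claims "your IP" but shows another one
    if TOLL_FREE.search(text) and re.search(r"\bcall\b", text, re.I):
        indicators.append("toll_free_call_to_action")
    # Assumed threshold: three or more of the four traits together is a strong signal
    return {"indicators": indicators, "likely_scare_page": len(indicators) >= 3}

if __name__ == "__main__":
    print(scan_scare_page(SAMPLE_SCARE_PAGE, "203.0.113.7"))
```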

Kwiatkowski decided to mess with the crooks. So he fired up an old Windows XP virtual machine (VM), got in touch with “tech support,” got past a prerecorded message, and eventually reached a human who identified herself as “Patricia.”

The typical tech support scam ensued:

She guides me through the steps needed to download some kind of remote-assistance client: Windows+R, type in iexplore remote.join360.net, jump through a few more hoops and run whatever executable is offered to you. From what I gather, this is actually a legitimate tech-support program, it being digitally signed and all.

In these scams, the caller won’t take no for an answer until you give them remote access to your computer and let them “fix” the “threat” – for a fee, of course.

You also need to buy their super duper antivirus software, of course, and open up whatever executable files they want you to click on.

It used to be that these fake tech support callers would call us, but nowadays, as more and more people refuse to take calls from unknown numbers, the crooks have been adapting.

Instead of them calling you, it’s increasingly common that they’ll use a web ad or popup that simply runs the scam in reverse: like what happened to Kwiatkowski’s parents, the crook will display a warning and advise you to call them, typically on a toll-free number.

Toll-free! Hey, they’re paying for the call, so they’ve got skin in the game, right? Well, that’s what they’re hoping you’ll figure, at any rate.

So “Patricia” got access to Kwiatkowski’s VM, typed in commands that returned results that she knew would frighten the naïve and supposedly give her tech cred – “1452 virus found!” or “ip hacked!” – and yet, in spite of her purported tech sophistication, missed the fact that the VM had a few interesting icons kicking around: OllyDbg, a 32-bit assembler level analyzing debugger for Windows, as well as IDA: a hosted multi-processor disassembler and debugger.

Oops! Your 15 minutes of free support are over, Mr. Kwiatkowski. She’ll call back so you don’t have to pay for more of this benevolence.

And that’s just what she did: she called back, berated him for not running antivirus software (which he told her he wasn’t), and encouraged him to buy ANTI SPY or ANTI TROJAN, “for the measly sum of $189.90.”

As a matter of fact, there’s somebody connected to your system right now! she says.

The conversation that ensues:

Isn’t that you? I ask. This says it’s someone from Delhi.
An awkward pause follows. She tells me that she’s actually the “localhost” line, because localhost means secure connexion. I fight back:
— Are you sure? I thought localhost meant the local machine.
She mumbles a little then proceeds to read me that whole section of her script again, asserting once again that this other IP belongs to [someone] who lives in Delhi like her but is a totally different person – a malicious hacker.

Back to the software sale: Patricia bumped her uncooperative “client” up to her boss. Kwiatkowski sent the guy test credit card numbers that were sure to fail payment processing.

Eventually, claiming bad eyesight, Kwiatkowski sent a “photo of his credit card” and told the caller to try inputting the number himself.

That was no photo of a credit card.

He’d gone into his junk email folder and found samples of the latest Locky campaign: .zip files with a script that downloads ransomware.

Kwiatkowski had already noted that the remote-assistance client was a two-way street: he could use it to upload to the scammer’s PC as well as to download.

He grabbed a piece of malware at random and uploaded it, telling the caller that…

Look, Dileep, I’m old and my sight is not so good. It’s starting to hurt, having to squint to read those tiny numbers. Also, we’ve established I’m no good with computers, how about you give me a hand here?

That was followed by silence, after which the caller said that he had tried to open it, but nothing happened.

The scammer was wrong, of course: there was indeed something happening.

In the background, a process was running to encrypt the files on the tech support scammer’s system. The only way to get them back: to buy the decryption key from the crooks via the dark web.

As of February, we were seeing prices to decrypt Locky-ransomed files that varied from 0.5 to 1.00 bitcoin, with one bitcoin being worth about $400/£280.

Kwiatkowski says he’s contacted the scammer’s ISP to report abuse, as well as their webhost and authorities.

He’s considering this a solid win in the war against tech support scammers and is recommending that others do the same, even listing a phone number to call.

But I’m not so sure. It’s a great story, but we don’t tend to give hip-hip-hurrays to people who inflict ransomware.

Do two wrongs make a right?

Let us know your thoughts in the comments section below.

In the meantime, if you’re wondering…

What to do?

  • If you receive a cold call about accepting support – just hang up.
  • If you receive a web popup or ad urging you to call for support – ignore it.
  • If you need help with your computer – ask someone whom you know, and like, and trust.

In this case, when we say “someone you know,” we mean “someone you’ve actually met in person,” as opposed to just online.

You know that old truism that on the internet, nobody can tell you’re a dog? Just take out “dog” and substitute “Donald Trump himself,” “Justin Bieber,” or “legitimate tech support,” and that equation’s still solid.

In the case of PC technical support, especially to do with malware or any sort of cyberattack, don’t look for help online. In fact, if you use Bing, you can’t look online: in May, they threw out the whole lot of tech support offers, instituting a blanket ban on all online tech support ads.

Were there any babies in that bath water? Sure, probably. There might well have been legitimate tech support outfits that got banned from the search engine.

But how can you find them? Scammers have ruined it for everyone, turning that bath water into a toxic swamp.

DEALING WITH FAKE SUPPORT CALLS

Here’s a short podcast you can recommend to friends and family. We make it clear that these guys are scammers (and why), and offer some practical advice on how to deal with them.

(Originally recorded 05 Nov 2010, duration 6’15”, download size 4.5MB)


34 Comments

I just tell “Emily” or whoever that I have been a network admin for 28 years and nothing is wrong with my computer, that’s when Emily hangs up. But the problem seems to be getting worse, last week I got a call from someone who had turned over all his information, card number, social security, benefit card. The pop-up that yells at the user scared a lot of users last winter.

IMHO, most people are clueless about computer security and how the internet works, case in point, how many politicians gladly sent all their secret nefarious information in unencrypted e-mails! I tell the computer security classes I teach, if you wouldn’t paint it on the side of your car and drive around with it, don’t send it in an e-mail!

Haha, that sounds amazing.
Hopefully the ransomware spread out across the entire network essentially shutting down their entire operation (assuming it’s located in one place like a call-center).
I wouldn’t have the guts to do it myself, but props to him for being brave enough to do that.

It’s further than I’d have gone but I think it’s great. Years back I received a similar call and led the guy on a wild goose chase, inserting every annoying complication I’ve gotten from my clients over the years (i.e.: “My mouse is on the left side of my desk, so when you say ‘right click’ do you mean ‘left click’?”, etc.). Finally, after about 40 minutes of this, I finally let the guy know that the “Internet wireless” had been hit by lightning, and asked if he could fix that remotely as well. He said No and hung up.

40 minutes of tech support for free? Not a bad deal :-)

Do two rights make a wrong? HMMM. That’s a good question. -1 plus -1 equals -2, not zero. When the underworld “takes care of a problem” as in the movies, is that the way to settle problems? Maybe, because the first is out of business and won’t cause any more problems. But ethically is it a right? The IT world must struggle with crooks and ethics. What a world we live in. No different than the 13th century!

I do have a frustration with your security recommendations. I was alerted to Ghostery to help keep intruders like Google at bay some years ago in a Sophos article. 6 Ghostery trackers on this Sophos page. Now, in this article there is a video on the SoundCloud video player which is blocked by Ghostery for very valid reasons, telling me:

Detected tracker source URLs:
https://w.soundcloud.com/player/?url=https%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F121351621&visual=true&show_artwork=true&color=1a60b3&auto_play=false&sharing=true&download=false&show_playcount=false

I don’t want to be tracked if I can help it and Ghostery helps. None of my 4 computers have Adobe Flash, so that is out. Too many writers at Sophos fear the Flash consequences and recommend not playing with fire.

Can the powers that be at Sophos set a policy that only non-tracking and safe video players be used in articles?

P.S. All my computers (2 Apple Macs and 2 active Dell laptops) have Sophos anti-virus/malware installed.

What exactly is it about the Soundcloud player that worries you? You can listen to the podcast without logging in, so Soundcloud isn’t getting much from you except setting a cookie (I clear my cookies every browser exit to keep a bit of a cap on what any one service learns in one session) and your IP number (or whatever you present as “your” IP number). As far as I know, we chose Soundcloud to host our podcasts because it works well all around the world, has good uptime and decent streaming speeds, is widely known, doesn’t need Flash, and doesn’t require you to create an account to listen.

I hear you about “not being tracked,” but with judicious cookie deletion I’m not sure that Soundcloud learns much about you from listening to our podcasts, except perhaps that “an unknown person X from town Y in country Z who listens to Chet Chats and Techknows also likes music by artists P, Q and R,” and that only if you listen to lots of different tracks without exiting your browser in between (or using the “zap recent history” button from time to time).

Or do you know something bad about Soundcloud that we should know about, other than that Ghostery has it in one of its lists for some reason?

Worked for me too – I went further: I found their list of people they scam and sent each one the email of where they exist.

Shouldn’t Sophos Web Control be able to block these pop-ups like Kwiatkowski’s parents got?

So far as it can, yes. Ideally, it will block access to the entire bogus domain, not just to individual URLs, which nobbles the lot.

After having dealt with customers hit by ransomware I can understand the temptation. But it is important to stay atop the fray, to have clean hands in all one’s dealings. Much as I’d love to infect the perps with their own medicine, I just couldn’t justify doing so…

But if someone else does it… more power to you! I just hope you don’t get tangled in the same web trying to catch the bad guys, that is the ones with bad intent.

I have never held with scambaiting, and I have always received a warm response at conferences when I have publicly stood against it.

You don’t raise yourself to new heights by lowering yourself to someone else’s depths. You don’t show decency by treating other people with disdain. You don’t tower above the law by breaking it yourself. The only person who’s likely to come out of this badly is the call centre guy who ran the ransomware file. I don’t have a huge amount of sympathy for the call centre workers, to be sure, having heard the way they treat some of their victims (and I don’t much accept the argument I’ve heard that the staff “genuinely think they’ve got a real job and don’t realise it’s a scam”). But you can just imagine some call centre operator clawing back $300 from the hapless caller’s wages – leaving him stuck at the support-scam coalface for months and months to pay it all back – as a “punishment” to make good on the cost of his mistake. In other words, I suspect that this sort of vigilante justice very likely combines illegality with a blow struck against the wrong person.

It’s like those guys who think they’re clever because they trick 419 scammers into demeaning themselves by posting pictures of themselves with a fish stuck down their trousers, or persuade them to carve replica PCs out of wood for some weird power-play purpose. It’s screamingly funny, unless you’re more than 12 years old.

If you lie down with dogs, you get up with fleas.

My 2p.

As a matter of ethics, you pretty well covered all the bases there, Paul. But what about the practical aspects? Unless I’m really missing something, it seems to me that this stunt just put a lot of innocent people in further jeopardy than they might have been otherwise: isn’t that ransomware going to spread to the call center network, and then be further spread to the poor folks that were already being duped into wasting their money on “tech support”? So instead of just being ripped off, they will actually be paying for real damage to their own systems!

I didn’t think of that. But I should have. Most ransomware these days is a sort of one-shot, scramble-your-data deal, but not all malware works that way. Indeed, we’ve written about self-spreading, viral ransomware before:
https://nakedsecurity.sophos.com/2014/12/05/notes-from-sophoslabs-ransomware-with-a-difference-this-one-is-a-true-virus/
https://nakedsecurity.sophos.com/2016/06/01/zcrypt-the-ransomware-thats-also-a-computer-virus/

Another good reason not to muck about with malware :-)

Bit of a necro post but wouldn’t the ransomware also encrypt any evidence of the operation? Any kind of malware that tampers with the computers could make a police investigation much more difficult (assuming there is an investigation). Reporting scammers and wasting their time is a good thing to do, but this action would have caused more harm than it fixed. That is unless the police don’t care, then this would have caused a major set-back to the scammers.

I assume there would be other data left over on the infected computer (and others in the vicinity – probably wasn’t a one-person operation)…

…but vigilantism is not recommended, both for the reason you say (could mess with a later investigation, if ever there were to be one), and because it’s illegal :-)

Who gives a shit! The scammer and anyone associated with it got whatever they deserved. No fleas picked up by the hero here. These types of scams should have serious felony prison time associated with them.

There weren’t two wrongs. There was only one. The Indians believe in karma, and this was karma in action. This was ethical hacking.

Hmmm. You can’t use the sum of everyone else’s beliefs to justify your own actions. “The Chinese are all hackers, so I can hack. The Nigerians are all scammers, so I can scam. Americans are all movie and music pirates, so I can steal what I like. All people of nationality X are Y, so I can make sweeping statements about them, even if the facts suggest otherwise.”

(Not all Indians believe in karma, of course, so your “argument” stops right there. In any case, AFAIK, karma isn’t about me being allowed to do bad thing X to you simply because you did X to someone else. It’s about the spiritual repercussions on you that arise from you doing X. I’m pretty sure it’s not an excuse for ill-directed vigilante revenge, even if both you and your victim believe in it.)

I love it and most certainly think two wrongs don’t make a right, but that this pithy idiom has nothing to do with teaching a scammer a lesson, and a taste of their own medicine. Certainly even if you consider that wrong it is not an arithmetic addition of wrongs and the net result is not in the least clearly two wrongs or more wrong than it was from the outset. It is an escape path from a wrong that hopes as a net outcome to create a net reduction in wrongs (arguing that, the more people do this, the less cost effective the scam becomes and if a quorum is reached it becomes a net loss scenario or at the very least your number or IP is whitelisted (which is being blacklisted by a scam agency … ;-)

When my wife gets these calls, she acts confused and happy that a “computer person” is calling her with an offer for a new computer. “I don’t have one, and always wanted one! When are you sending it to me?” The poor “tech” tries to help her confusion, but my wife just gets more excited about her good fortune, and the “tech” quickly hangs up.
I, however, act all concerned, “Which device is reporting these problems?”
‘Your windows computer.’
“Well, The EULA says that windows telemetry doesn’t include personal information. How did you get my number?”
‘It is coded in the information.’
“So which computer is it? I know that you should have my device ID and which version of windows is running.”
‘It’s the one you use most.’
“Well, that is your third lie. I don’t use windows, ah yes, none of our devices run windows.”
(click)
Some don’t give up that easily, some sound all pompous that they don’t lie, and that I must be lying. Some guess wrong and say, ‘I can help you with the dangerous Mac problems.’
“I thought you were windows support?”
‘We fix windows and mac systems.’
“Well, I don’t run either of those.”
(click)

One variation you can use when they call you: “Sorry, this is my mom’s computer, I’ll get her for you, one moment please”. Immediately put down the phone (keep the connection alive). Sounds pretty innocent, costs them several minutes and you nothing.

I have a chat with them then ask them which computer is the one that’s got the problem. The usual answer is, “The Windows PC”. A few more rounds until I’m bored or have to go then I ask if their mother knows what they do for a living and would she be ashamed of them if she did, scamming money out of naïve victims. They usually hang up at that although I did get one who got abusive. He was actually quite funny. I left him listening to “on hold” music whilst he ranted.

live by the sword….die by the sword….they got exactly what they deserved.

That maxim about “living by the sword and dying by the sword” is one of those weirdly ironic misquotes used to conclude that violence is excellent, given its place…

…even though that seems to me the exact opposite of what was meant when it was most famously said.

I’d be surprised if the ransomware infection at the other end caused any significant disruption or loss of earnings to the person running the call centre, but I wouldn’t be surprised to hear that the boss fella took it out on the junior for making that sort of mistake. In other words, you have no idea what “they” got, and so you have no idea whether it was what “they” deserved or not.

And that’s where mucking about with malware gets you.

Paul,
You seem to have a lot invested in telling everyone else how wrong they are.

Did this Ivan ask for CC info to defraud someone? Did he call them unsolicited?
They punched first. He punched hardest. Nothing amoral about that.

You might want to look up the word “amoral” in a dictionary. It has a rather particular meaning which may not be the one you are after here.

If this was wrong, then so is putting people in prison for crimes. Wearing a badge or black robes doesn’t make your action more or less moral.

According to a 2012 study by FFRC, financial fraud costs the US annually between $40 and $50 billion. To put it plainly, these people/organizations are criminals and they will keep on being criminals until someone stops them. I doubt that those who are the “tech support technicians” do not realize what they’re doing is morally wrong.

That being said, morality is a sadly moving target in today’s world. Some may say that it’s fine to sleep with someone before marriage, others that it’s not. Some would say that it’s OK to murder as long as it’s for your country in War, others that it’s not. Some would say that retaliating (within reason) against a criminal is ok, others that’s it not. Some would say that telling people they have a virus when they don’t and selling them software at an exorbitant cost they don’t need is ok, others that it’s not. See where I’m going?

I think you are about to say that some people think vigilante counter-hacking is OK but others don’t…

…which leaves us on the horns of the same dilemma :-)

The sister and her husband of an old girlfriend of mine used to steal my lawn mower gas all the time until I polluted a can with sugar, diesel fuel and urine. I had confronted them about stealing the gas numerous times so I didn’t feel a damn bit guilty. As a matter of fact I felt elated when I found out they had to have their pickup towed because “something happened to their fuel pump”.

The same thing happened to me. I received a shady message on my screen that had a number to call ([REDACTED]). I called the number and a guy with a hard accent answered the call. I should’ve known it was a SCAM when he said his name was “Jason Townley” (ain’t no way this is his real name). He ended up persuading me to purchase a plan for $365.89 and I fell for it. The number has not been reachable since then. I did some digging and found out that the number belongs to [REDACTED]
This seems like a huge Tech support SCAM setup.
I would like to say that if I would have read this post earlier, I would have followed the things mentioned under What To Do? section and it would have helped me to escape from that situation.

Did you report this to your card provider? Report it as a fraudulent transaction and let them follow it up… they do that for a living.
