'Hello, I'm from Windows and I'm here to help you'

2011-01-01

Craig Johnston

Cybercrime researcher, Australia
Editor: Helen Martin

Abstract

Craig Johnston relates a tale of unsolicited phone calls, interesting conversations and a worrying (anti-)malware-related scam.


A few weeks ago I received a number of queries from friends who had received phone calls from a man telling them that they had viruses on their computers. I told them that this was a scam and advised them not to have anything to do with anyone who calls and makes such claims.

Round one

However, one evening recently I received an unsolicited phone call at home from a man with a heavy Indian accent. He informed me he was 'from Windows in Sydney' (when I questioned him further he said he was from Microsoft and gave me the company's correct Sydney address). He told me that my computer had been flagged as being infected with viruses and that he was calling to help me out.

Of course I realized this was a scam, but I was very interested to learn how the scammers operated, so I played along.

The caller took me step by step through the process of opening up the Event Viewer on my home PC and told me where to look once there. He asked if I could see any error, alert or warning messages displayed - which of course I could. He told me that this confirmed that my computer was infected with viruses and that he would help me fix the problem. When I asked him why he was doing this, he said he was from Microsoft and that its staff had a duty to help people when they could see a computer was infected.

Next, he asked if my computer was running a little slower than it used to, and of course I said it was. He presented this as more evidence of the virus infection on the computer. He then tried to get me to log onto a website that would give him remote access to my computer to enable him to help me.

Of course, I wasn't too keen on giving him control of my system, so I hung up the phone. Two minutes later, he called back and continued to try to persuade me to allow him to take control of my system.

After about five minutes of me trying to get the caller to prove that he was actually in Sydney (by asking what the weather had been like here that morning - it's easy to look up a weather forecast for anywhere in the world, but harder to find very recent weather history) he eventually gave up and said he couldn't help me. The incident was interesting, but somewhat predictable.

Round two

Four days later, I received another call from another man with an Indian accent, who spouted the exact same lines. I strung him along for a few minutes before I got fed up with the whole exercise and told him that it was all a scam and accused him of preying on people's naïvety and abusing their trust. He asked 'So you think this is a scam?', to which I replied 'I know it's a scam!', and he simply admitted, 'Yes, it is a scam'.

For the next 15 minutes we had a very interesting conversation. The caller was more than happy to answer my questions about the group's modus operandi and admitted that his job was to cause confusion and fear in the victim, while posing as a trusted advisor, so that he could sell the victim a product. The product he said the group were selling was Registry Mechanic - which is a Windows registry optimization tool from PC Tools (owned by Symantec). While the caller admitted that the methods used to convince the 'customer' were dodgy, he was keen to assure me that the product being sold was legitimate and that it would benefit the customer.

I think that this man genuinely believed that he and his colleagues were helping people out. When I asked him if Registry Mechanic was an anti-virus product, he replied that it was, and told me that it would protect users from malware.

I found the conversation very interesting. The guy was more than happy to answer my questions, even though at one point I told him that I worked in the field of cybercrime research. He told me that he was based in Calcutta and that he and his colleagues had made a lot of money by targeting people in Australia recently. As we said our goodbyes, he even told me that he'd enjoyed our chat.

Concerns

These two related events raised some concerns in my mind. They are, in no particular order:

  • Given the queries I'd had from friends, and the fact that I received two similar calls in the space of a few days, it seems that these guys were hitting the Sydney area very hard.

  • I'm certain that the bogus callers would be very successful with the method they were using. There are plenty of people who are naïve and/or ignorant when it comes to computers. If a nice gentleman (apparently) from Microsoft calls them to help them find evidence of a virus on their computer, then offers to take over their computer and clean it up, then sell them a product to protect them in the future - and install it on their system for them - many people would be grateful and even happy to pay a small fee for the assistance.

  • The claim that Registry Mechanic is an anti-virus product that will protect users against malware is simply wrong. The product is a legitimate one, and it does its job very well, but it is not designed to provide full protection against malware.

  • How immoral (and illegal) is it to use fear, uncertainty and doubt (FUD) and scammer-type techniques to sell what is essentially a legitimate product (even if it is not a good solution to the supposed threat)?

  • Is there a reseller of Registry Mechanic in India who is doing a lot of business selling to customers in Australia, and if so, should someone be pulling the plug on them and their questionable operations? I understand that Symantec is looking into it. (Having said that, the product that was being sold may well have been a copied, hacked or outdated version of the genuine product, and it is most likely that the callers were not, in fact, genuine resellers of the product.)

Conclusion

It would be relatively easy to tell people simply to ignore any and all unsolicited contact from people informing them that they have spotted a malware infection on their computer. However, on 1 December this year all the big ISPs in Australia signed up to become 'icode compliant'. The icode [1] is a national voluntary code of practice which involves ISPs contacting customers that have been identified as being infected with malware to inform them that they may be quarantined or disconnected from the Internet until they clean their computer up. The ISPs will direct the infected users to a website (http://www.icode.net.au) which tells them how to avoid malware infections, how to detect and remove malware, and how to get professional help in cleaning up their computer.

So the ISPs will soon be contacting people out of the blue and telling them that their computer has been identified as having a malware infection, then offering help to clean up their computer. It goes a little like this: 'Hello, I'm from [Big ISP], and I'm here to help you!'

Hmm, sound familiar...?

(Fortunately, when the ISPs make their calls they will encourage the customer to verify the ISP's identity by calling them back on a previously published and publicly available phone number.)

