“You took so much time to joke me”—two hours trolling a Windows support scammer

"Albert Morris" and team get taken for a ride while we tried to track their tradecraft.

Sean Gallagher

Technical support scams are the bottom of the barrel for cyber-crime. Using well-worn social engineering techniques that generally only work on the least sophisticated computer users, these bootleg call-center operations use a collection of commercially available tools to either convince their victims to pay exorbitant fees for "security software" or extort them to gain control of their computer. And yet, these schemes continue to rake in cash for scammers.

We've dealt with these scammers before at Ars, but this week I got an opportunity to personally engage with a scam operation—so naturally, I attempted to inflict as much damage on it as possible.

On Monday afternoon, I got a phone call that someone now probably wishes they never made. Caller ID said the call was coming from "MDU Resources," but the caller said he was calling from "the technical support center." He informed me there were "junk files" on my computer slowing it down and that he was going to connect me with a technician to help fix the problem.

A compressed edit of my two-hour troll, cut to a mere 27 minutes.

I was thrilled, displaying what my wife Paula felt was an inordinate amount of glee about getting the call. Over the next two hours, I subjected the scammers to such misery that Paula later told me she felt bad for them. "They probably had a quota to meet," she said sarcastically. "You probably kept them from getting four or five other people."

Actually, with any luck, I did more than that—I passed on the data I collected to the operators of the infrastructure used by the scam. That should at least put a speed bump in this particular nefarious operation. But taking down a scam like this is akin to a game of whack-a-mole; the infrastructure they use is too easily replicated. It's simple for support scammers to mount call center campaigns from cheap (or even stolen) VoIP services. Many of the tools they use offer free trials that can be repeatedly abused. And there's so much money in fooling naïve computer users that scammers are motivated to do this again and again. The FBI's Internet Crime Complaint Center (IC3) reported last June that just in the first four months of 2016, the bureau "received 3,668 complaints [of technical support scams] with adjusted losses of $2,268,982."

Law enforcement agencies have worked with the government of India to shut down a number of these tech support scams run out of what had passed for legitimate call centers. But as the crackdown continues, the scammers are going even more black-hat and down-market—abusing free trials of remote support software and exploiting peer-to-peer virtual private networks and Voice over IP phone services to further obscure their location and identity. The scripts for these scams remain the same shopworn material in use for years, preying on less technically aware targets who can be herded toward giving remote control of their computers away to a stranger.

The best weapon against these scams is education. So, as a public service, the following is a condensed version of my nearly two-hour-long recording of a scammer baiting plus a dissection of their tools, techniques, and tactics. Certainly, the technically inclined can feel free to thoroughly enjoy this recounting. But, cautionary tales like this are also good to share with those who may be potential victims of such a scam. You may also want to clue in whoever runs your organization's phone network about how such scammers turn poorly secured phone systems into virtual call centers.

"Windows-R"

The script that my scammers were using was well worn, to say the least. The initial call was simply to identify me as a potential victim; I was told that all the "technicians" were busy with other "customers" and that one would call me back shortly. So, luckily, I had a few minutes to install a Windows XP virtual machine and get a recorder set up before the scam began in earnest.

When the second call came, the "technician" repeated the same pitch as the first. I turned on my recorder.

"As I told you earlier, sir, the last couple of weeks, whenever you browse e-mails, like browse Internet, or do your online stuff like checking e-mails, browsing Internet, online shopping... from that very moment your computer has been automatically generating certain unsecured junk files without your proper knowledge. And as a reason, the functionality of your computer may have been decreasing day by day. I believe you understand me, right?"

"I think I understand what you're saying," I replied.

"Exactly right, sir. And that's why we at the maintenance department have been giving you this call today so you know some steps so that you by yourself can check where those unwanted files are inside your computer, and how you can know how to get rid of those files yourself from your side."

He asked if my computer was on. I told him that after getting the earlier call, I had turned it off. He told me to go ahead and turn it back on. "Take your sweet time," he said. I'm not sure my scammer realized that I absolutely intended to do just that.

What immediately followed was a painfully scripted scheme to convince me of the presence of these "unsecured junk files" and provide evidence that yes, indeed, I had a support license for this maintenance department to provide help hidden within my very own (virtual) Windows XP machine. Some people have called this the "Windows-R" scam, since the whole routine begins with the caller instructing the potential victim to hold down the Windows key while pressing the "R" key—launching Windows' "Run" box. From the Run box, the target is instructed to type in commands that will reveal just how horribly overrun with junk files their computer is.

However, I didn't want to make it too easy.

"You just need to hold the Windows key," he explained. "Hold it down and, with another finger, press the R key, R as in Romeo. Now what do you see on your computer?"

"It just reset," I said.

"Apart from that what else do you see?"

"It's rebooting."

"It's rebooting, OK…"

"It must have been doing an update or something, I don't know."

Finally... I got the Run box up. He told me to make sure the text box was empty, and then told me what to type into it, slowly spelling out EVENTVWR. "Type in there, E as in Echo, V as in Victoria, E as in echo once again... And now hit the enter button from your keyboard."

I complied.

"This is the page we were talking about. It is the Event Viewer page. It is also known as Microsoft Management Console page. All right. It is highly designed by Microsoft to check the computer's exact health state."

I choked back a laugh.

Next, the scammer asked if I had ever seen this page before. I said I hadn't, so he then tried to give me what amounted to a magical-realist interpretation of the contents of Event Viewer—or he would have, if there were any events to view aside from a parallel port warning under system events (since my virtual machine obviously didn't have a printer port). Also, I was not helpful.

"Double click on application and what do you see? What options?"

"Security is under application, and there's nothing there."

"Double click on security then."

"I did, and there's nothing there."

He soon gave up and moved to the next part of his pitch, having me launch the Run box again and phonetically spelling out "INF JUNK FILES." Windows ignores everything after INF, and the OS just opens the File Explorer to \WINDOWS\inf—a directory containing configuration files for drivers.

My technician then told me everything on display qualified as the junk files he was telling me about, the stuff that had been "created without your proper knowledge."

"These will multiply day by day," he continued, "filling your hard drive until it turns your computer off. The hard drive is the brain of your computer, and once it fills up your computer will work no more."

To dispel any suspicions I might have that this mysterious tech support "maintenance department" was not actually legitimate, the scammer technician then read from his script that I should type in something in a Command shell "so you can tell who we are."

"Do you see a cursor blinking? Type in there A as in apple, S as in sugar, S as in sugar—there should be two Ses—then type in O as in Oscar, C as in Charlie. Now hit the enter button from your keyboard, OK?"

This is a classic scammer move—literally. The "assoc" command scam has been around for ages. The command itself lists the file type associated with each file extension, and the one the scammers always focus in on is the association for .ZFS files—a long class identifier (CLSID) string.

But the scammer presented CLSID as standing for Consumer License Support ID, and he read off the string (very, very slowly): 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. You'll be shocked to know that if you have a Windows PC and run this command, you'll find you have the exact same CLSID.

"Junk files." (Not really.)
This is not your Client Support License ID.

After reading off this number, the scammer triumphantly said, "We already have your CLSID, and I believe you now know what we are exactly."

"Uh… excuse me?"

"Like, I'm just asking you if you understand from where is this call coming from, like, who's calling."

"No, I don't understand where this call is coming from. Who is this call coming from?"

"Yeah, as I told you before, this is the tech helpline. We are the one who maintains the software part of the computers based on Microsoft Windows, like XP, Vista, 7, 8, 8.1, and also Windows 10. So, sir, right now what you need to do right now is you need to close those unsecured stuff for yourself."

We were already 30 minutes into this call, and my new friend was clearly eager to push me into the delivery phase of the scam. Unfortunately for him, I was ready for more shenanigans.
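The "Windows-R" routine leaves a forensic trail on the victim's machine, which is useful if you are ever asked to work out after the fact whether someone was walked through this script. Windows keeps Win+R history in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where each entry is stored as "<command>\1" under a single-letter value name and an MRUList string orders those letters most-recent-first. The Python below is an added example (my code, not the article's) that parses a constructed export of that key and flags the script's characteristic sequence (Event Viewer, the INF folder, a command shell, a browser launch of a remote-support site), and also parses a constructed excerpt of `assoc` output to confirm that the .zfs CLSID the scammer reads out is the same fixed value on every Windows install. The step names and regular expressions are my own assumptions, not Windows identifiers.

```python
import re
from typing import Dict, List, Optional

# --- Part 1: Run-box history (RunMRU) ---------------------------------------
# Constructed sample export of HKCU\...\Explorer\RunMRU (not data from the article).
# Each REG_SZ named a, b, c, ... holds "<command>\1"; MRUList lists those
# letters most recent first.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "edcba",
    "a": "notepad\\1",
    "b": "eventvwr\\1",
    "c": "inf junk files\\1",
    "d": "cmd\\1",
    "e": "iexplore fix2x.screenconnect.com\\1",
}

# Steps of the "Windows-R" script in the order the article describes them.
# Labels and patterns are assumptions made for this example.
SCAM_STEPS = [
    ("event_viewer",   re.compile(r"^eventvwr(\.msc)?$", re.I)),
    ("inf_folder",     re.compile(r"^inf(\s|$)", re.I)),
    ("command_shell",  re.compile(r"^cmd(\.exe)?(\s|$)", re.I)),
    ("remote_support", re.compile(r"^iexplore\s+\S*(screenconnect|logmein|teamviewer)", re.I)),
]


def runmru_history(runmru: Dict[str, str]) -> List[str]:
    """Return the Run-box commands oldest-first, ordered by MRUList."""
    history: List[str] = []
    for letter in reversed(runmru.get("MRUList", "")):
        raw = runmru.get(letter)
        if raw is None:
            continue
        # Explorer appends "\1" to every stored entry; strip it.
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def scam_indicators(runmru: Dict[str, str]) -> List[str]:
    """Names of the script steps present in the history, in script order."""
    history = runmru_history(runmru)
    return [label for label, pat in SCAM_STEPS if any(pat.search(c) for c in history)]


def looks_like_support_scam(runmru: Dict[str, str], min_steps: int = 3) -> bool:
    """True when enough of the script's steps appear to warrant a closer look."""
    return len(scam_indicators(runmru)) >= min_steps


# --- Part 2: the "assoc" CLSID trick ----------------------------------------
# The CLSID read to the victim is the fixed .zfs handler ID found on every Windows install
# (value as quoted in the article).
FIXED_ZFS_CLSID = "888DCA60-FC0A-11CF-8F0F-00C04FD7D062"

# Constructed excerpt of `assoc` output (not captured from a real machine).
SAMPLE_ASSOC = """.txt=txtfile
.zfs=CLSID\\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
.zip=CompressedFolder"""


def assoc_zfs_clsid(assoc_output: str) -> Optional[str]:
    """Extract the CLSID from the .zfs line of `assoc` output, if present."""
    m = re.search(r"^\.zfs=CLSID\\\{([0-9A-Fa-f-]{36})\}$", assoc_output, re.M)
    return m.group(1).upper() if m else None


def is_the_universal_clsid(assoc_output: str) -> bool:
    """True when the machine shows the same .zfs CLSID every Windows PC shows."""
    return assoc_zfs_clsid(assoc_output) == FIXED_ZFS_CLSID


if __name__ == "__main__":
    print("Run history:", runmru_history(SAMPLE_RUNMRU))
    print("Script steps seen:", scam_indicators(SAMPLE_RUNMRU))
    print("Support-scam pattern:", looks_like_support_scam(SAMPLE_RUNMRU))
    print("Universal .zfs CLSID present:", is_the_universal_clsid(SAMPLE_ASSOC))
```

On a live system you would feed `runmru_history` a dictionary read with `winreg` (or from a `reg export` of the key) rather than the constructed sample; the point of the threshold in `looks_like_support_scam` is that any one of these commands is innocent on its own, and only the sequence is the tell.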

Not even a remote chance

The scammer quickly asked me to close everything out, hit Windows-R again, and type in "IEXPLORE FIX2X.SCREENCONNECT.COM." This would launch Internet Explorer… and take me to the scammer's custom ScreenConnect "invitation" page.

ScreenConnect is a legitimate, widely used remote support tool based on Java. It also happens to have a 14-day free trial that allows would-be customers to create a custom subdomain. The individual setting up the subdomain then has to generate an invitation code, which is given to the person needing remote support (or the victim in this scheme) to enter on the webpage at that host address. (I alerted ScreenConnect to the abuse of that particular subdomain, but it was still active as of the time this story was filed.)

But I hadn't configured networking for my Windows XP VM. So this was not going anywhere fast.

"What do you see?" he asked.

"Uh…'This page cannot be displayed,'" I answered. "I think there's a problem with my modem."

"When was the last time you were on the Internet?"

"Yesterday," I replied.

Perhaps I was taking this role-playing a little too far.

The ScreenConnect custom landing page—free with a 14-day trial.

At this point, I went into a prolonged network troubleshooting session. As in, I tweeted updates about the scam, checked some e-mail, and restarted the Windows XP VM to provide the proper shut down and startup sound.

I told him it still wasn't working, and he suggested that I check my router. I went downstairs to check in with my wife and to grab my "burner"—a veteran (10-year-old) HP Compaq nx7300 laptop configured with Kali Linux, a penetration-testing-focused distribution of Debian. I figured I'd keep the scammers entertained while I got the XP virtual machine's networking sorted out.

Nearly five minutes of silence passed, and the scammer was starting to get antsy. "Did you restart it?" he asked, his voice echoing in my office on the speakerphone as I came up the stairs.

"Yes, I did," I said, coming back into the room. "The cat must have knocked the plug out."

"Take care of yourself, don't harm yourself," he said, obviously concerned for my health. "I appreciate that you've done a very good job. I call a lot of people, and they don't understand… you are a very good learner, sir."

I thanked him for the compliment, then promptly worked in a few more XP restarts (largely for the sound effects) while I got my Kali laptop's Web browser open. Finally, I went to the ScreenConnect site and entered the code.

As the Java app began to open in IcedTea, I changed its settings to "sandboxed" instead of letting it run rampant and take control of my system. Naturally, the app failed to work. I described what I saw to the scammer as obtusely as possible.

To get around the obvious Java issues, the next tool in the scammer's toolbox was LogMeIn Inc.'s Rescue, a Windows remote access tool. Entering a six-digit code starts a download of a pre-configured executable giving the remote "support" person full control of the computer. Like ScreenConnect, LogMeIn offers a two-week free trial account. In addition to the Windows executable, Rescue supports Mac, Android, and BlackBerry OS.

But the first code the scammer provided was expired, so he had to give me another one. By this time, I had the XP VM's networking configured, but IE 6 was not behaving well. Despite being able to reach Bing and Ars Technica, I could not get LogMeIn's page to load. I switched back to the Kali machine and went through the motions, downloading the .EXE file for later examination (and forwarding everything to LogMeIn's abuse department).

Strike two for the scam. But the final tool in the mix was TeamViewer, a multi-platform remote support tool from the German software company TeamViewer GmbH. TeamViewer does have a Linux version, so I decided to install it and run it from a non-root account on the Kali machine.

TeamViewer encountered some rough seas last year when some of its account holders, who failed to use two-factor authentication, had their accounts hijacked. At the time, TeamViewer told Ars that these breaches were the result of password reuse—the usernames and passwords had been obtained from other breaches. I thought there was the possibility that the scammers were using a hijacked account, but as it would turn out, they were again using a free trial.

We were already an hour and a half into this whole thing as I performed the install, and my scammer was beginning to get suspicious as I told him that TeamViewer was "unpacking."

"Sir, you are not actually doing anything, are you?" the "technician" asked accusingly. "You know the reason why, sir. You are acting like you are doing something. No. I understand, sir, you took so much time to joke with me, you think you are very smart. You have some knowledge of your computer, and you are pretending that you are doing something, but you are not doing anything, yes?"

I acted confused and rewarded him with news that it was asking for a license code. At this point, he brought in another technician, who called himself Albert Morris. Albert claimed that his company was based in Nevada but that his "outsourcing center" was in Southeast Asia. He asked me to read off an ID number and PIN to him to start the remote connection.

I gave him the numbers in the wrong order.

The line got switched back to the original scammer. This time, I gave the real numbers. Albert got back on the line and said the codes were wrong, and I repeated the correct codes back to him—as I started up a packet capture with Wireshark.

Finally, Albert took control of the screen, saying "one of our technicians" was connecting. TeamViewer showed the remote account belonged to "GAIL_CHRISPEN," but it certainly wasn't Gail on the other end of the connection. Either the credentials for the TeamViewer account (which carries licensing fees starting at $849) were stolen, or they were obtained under false pretenses.

Albert moved the mouse tentatively. Wireshark and a number of terminal windows—including the one I had run Debian Package Manager (dpkg) from to install TeamViewer—were up on the screen.

Albert repeated several of the questions I had been asked earlier: "Is this your only computer?"

"Yes," I lied.

"What operating system are you running?"

I finally answered straight. "Debian Linux. The Kali distribution."

"Debian Linux?" I heard him turn away from the phone. "Debian Linux?" he asked aloud to someone else in the background.

Albert typed in the URL for Rescue's download page and pulled down the Windows remote access tool. He tried to start the download by clicking on it from the download list in my browser. It briefly flashed up a console window. He paused.

My cards now all laid out, I told Albert I needed to go. It was dinnertime. I asked him to call back tomorrow.

"Yes, tomorrow," he said. Sadly, he never called back.

Tracing the scammers' path

The packet capture I ran traced the TeamViewer session back to a curious location: a Time-Warner Internet Road Runner residential account. That meant that the scammers weren't using a traditional VPN to take remote control, and the UDP packets used by TeamViewer's streaming protocol were certainly not Tor friendly.
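Tracing a remote-control session back to its source, as described above, comes down to summarising the capture by remote endpoint and picking out the peer on the remote-support tool's port. The Python below is an added example (my code, not the article's and not a TeamViewer tool) that does that over constructed packet-summary lines of the kind Wireshark's conversation view or tshark will export. It assumes TeamViewer's documented port 5938; the addresses are RFC 5737 documentation ranges plus a private LAN host, not real endpoints and not the address from the article.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# TeamViewer's primary port (assumption taken from TeamViewer's documentation, not from the article).
TEAMVIEWER_PORT = 5938

# Constructed packet summaries: "src:sport dst:dport proto bytes".
# 192.168.1.20 is the capturing host; the other addresses are documentation ranges.
SAMPLE_PACKETS = """\
192.168.1.20:50123 203.0.113.45:5938 UDP 1400
203.0.113.45:5938 192.168.1.20:50123 UDP 96
192.168.1.20:50123 203.0.113.45:5938 UDP 1400
192.168.1.20:51000 198.51.100.7:443 TCP 517
198.51.100.7:443 192.168.1.20:51000 TCP 4096
192.168.1.20:50123 203.0.113.45:5938 UDP 1400
"""

Packet = Tuple[str, int, str, int, str, int]   # src_ip, src_port, dst_ip, dst_port, proto, bytes
Peer = Tuple[str, int, str]                    # remote_ip, remote_port, proto


def parse_packets(text: str) -> List[Packet]:
    """Parse one summary line per packet into a tuple; blank lines are skipped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, size = line.split()
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        packets.append((s_ip, int(s_port), d_ip, int(d_port), proto.upper(), int(size)))
    return packets


def remote_peers(packets: List[Packet], local_ip: str) -> Dict[Peer, int]:
    """Total bytes exchanged with each remote endpoint, counting both directions."""
    totals: Dict[Peer, int] = defaultdict(int)
    for s_ip, s_port, d_ip, d_port, proto, size in packets:
        if s_ip == local_ip:
            totals[(d_ip, d_port, proto)] += size
        elif d_ip == local_ip:
            totals[(s_ip, s_port, proto)] += size
    return dict(totals)


def teamviewer_peer(packets: List[Packet], local_ip: str) -> Optional[Tuple[Peer, int]]:
    """The remote endpoint carrying the most UDP traffic on the TeamViewer port, or None."""
    candidates = {
        peer: total for peer, total in remote_peers(packets, local_ip).items()
        if peer[1] == TEAMVIEWER_PORT and peer[2] == "UDP"
    }
    if not candidates:
        return None
    return max(candidates.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_PACKETS)
    for peer, total in sorted(remote_peers(pkts, "192.168.1.20").items(), key=lambda kv: -kv[1]):
        print(f"{peer[0]}:{peer[1]}/{peer[2]} {total} bytes")
    print("Remote-control peer:", teamviewer_peer(pkts, "192.168.1.20"))
```

Note that ranking peers by bytes alone would pick the HTTPS server in the sample; filtering on the tool's port and transport is what isolates the session's other end, and that endpoint (together with timestamps from the capture) is what an ISP abuse desk needs.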

A screen shot of the packet capture from the support scammer's TeamViewer session.

That left two likely options. The first was that they were using a computer they had already gained remote access to with another tool to attempt to take over mine. The second option was a peer-to-peer VPN like the one operated by Hola. Hola turns each of its VPN users into an exit node in exchange for free personal evasion of geo-blocking and privacy services. It also sells a premium service that doesn't require resource sharing and a business service for organizations doing perfectly legitimate things that require residential Internet nodes for egress.

The VPN was the most likely method in use—largely because when I provided TeamViewer a log of the session, they were able to identify it as a free account operating out of India. (They were unable to share further details with me because of European data privacy restrictions.)

I sent information on the address to Time-Warner Internet's abuse e-mail address and tried to contact a media relations person at Charter Communications (which now owns Time-Warner Cable) about what their policy was regarding social engineering scams. At this time, I have not gotten a response.

Next, I turned to the source of the scam call itself. I dialed the number, which was answered by the automated greeting for a Cisco Unity voicemail system. After using the "dial by name" feature of the system, I managed to determine that it really belonged to MDU Resources, an energy and utility conglomerate based in North Dakota. I managed to name-dial myself to a receptionist and asked for the public relations department.

A quick search found that others had received the same call out of the MDU number, occasionally with the identifier "Knife River"—MDU's construction and materials subsidiary. The number itself was in Oregon, where MDU operates Knife River and Cascade Natural Gas. The number allowed dial-by-extension through the VoIP private branch exchange (PBX) to the entire company, including its North Dakota headquarters.

It seemed within the realm of possibility that the scammers were routing their calls through MDU's phone system. PBX "phreaking" has been around for a long time, and phone system hackers all too regularly manage to find a default or weak personal identification number on a corporate voice mail system and turn it into a money spigot. One PBX phreaking ring in the Philippines stole millions by using a hacked PBX to create a calling-card service and then to systematically call "premium rate" phone lines they had set up to tap directly into victims' phone bills.

But up until now, that hasn't been the way support scams have operated—there are far more effective ways of concealing the point of origin of their calls. Windows support scammers have generally used a VoIP switch linked to a phone network gateway in the US, as other borderline-legal telemarketing and "robocall" operations do. Initially, MDU spokesperson Laura Lueder denied that there was any misuse of MDU's phone systems, suggesting I talk to sources I've already spoken with to get a clue:

Third-party and internal investigations indicate our systems have not been compromised. We have mitigations in place to prevent the scenarios you describe. The appropriate authorities are investigating the scam. If you would like additional information on how these types of scams occur, or tips on how people can avoid falling victim to these scams, you may want to contact the FBI or a phone company, such as CenturyLink.

The alternative explanation to PBX hacking is that the scammers somehow cloned the caller ID information from MDU's line, using it to "spoof" the origin of the call. "Call spoofing is an industry-wide issue," said Mark Molzen, a spokesperson for CenturyLink, after I forwarded Lueder's e-mail to him in a followup.

Caller ID spoofing is trivial with VoIP switches: the Caller ID system blindly accepts the source phone number the VoIP server supplies and, if no override name is sent along with it, delivers whatever name the phone network's database has on file for that number. In one case reported in a post by Andrew Johnson of the Federal Trade Commission, "One scammer recently used the phone number of an FTC employee."

There are even commercial services and applications, such as SpoofCard from the New Jersey-based TelTech, that provide caller ID spoofing as a service. (Ironically, TelTech is also the company behind the technology of Team Robokiller, the winner of the FTC's anti-robocall competition.)

Reach out and touch someone

I reached out to TeamViewer, LogMeIn, and ScreenConnect to both provide information on the accounts being abused and to ask about what they were doing to counter abuse of their products—something that they're obviously aware of.

"Yes, we are aware that there's abuse of our software in social engineering scams," said Axel Schmidt, a spokesperson for the Germany-based remote support tool vendor TeamViewer. This was the only vendor to call me back. "Usually it's the less technically savvy people who will fall for those scams. In very general terms, what we do in these cases is we'll look at the log files, and if we find evidence for fraudulent use of our software we'll shut the accounts down. But sometimes [the scammers] are very technically apt people who know how to dodge landmines—and once we block one ID, they buy another one legitimately or seize someone else's account."

After I provided them with the log data, Schmidt said, "We blocked the ID so that it can no longer be used to connect to a device. Several cases like that are reported to us on a daily basis, and we always block the IDs in question to prevent them from doing further damage."

TeamViewer has not been sitting on its hands. In fact, TeamViewer is alone among the remote access tool vendors in taking things further to stop abuse of its tool—the company has worked with Google, Yahoo, Dell, Microsoft, and other companies "to take some more comprehensive steps," Schmidt explained. "One of the results that came of this initiative last month is that we managed to shut down four fraudulent call centers in India (in collaboration with local authorities)."

And while these sorts of fraud setups operate around the globe, India has remained a "hot spot" for them, Schmidt noted. For that reason, TeamViewer limits how customers in India can pay for their accounts, allowing purchases to go through from the country only "if the credit card is based on an Indian bank account," he explained.

Still, dealing with abuse of free accounts "remains a cat-and-mouse game," Schmidt said. "The thing that would help best is to educate computer users to be skeptical."

Sadly, there's a problem with user education, as noted at last week's Shmoocon security conference in Washington, DC, by Shmoo Group founder Bruce Potter. The security community has mostly done a good job of disempowering the general public on computer security, trolling organizations that get breached and spreading what people generally see as such portents of doom that they just give up on it. So if we're really going to ever put a dent in these sorts of scams in a meaningful way, it will instead take actual engagement—both with everyday computer users and with companies that may haplessly provide infrastructure that scammers can leverage to reach potential victims.

Scammers are adapting as well. Over the summer, I helped a retired college administrator deal with a scam that she stumbled into when she forgot her Facebook password over vacation—and Googled "Facebook Technical Support Phone Number" to get help. The scammers behind the website she landed at used similar tools and tactics to sell anti-virus scareware at an exorbitant price, and when she balked they attempted to hold her computer hostage (which failed because of her previously installed antivirus). While Facebook, Google, and others continually work to try to block the search terms used by these scammers to catch victims, it's certain they'll soon find some other avenue to find victims. All the while, they still mine the tried-and-true Windows support scam.

So, today, have a laugh but also do your part. Explain to a friend, relative, or neighbor how tech support really works in a non-judgmental way. That way you can laugh with them, not at them.

Listing image: Aurich Lawson

Sean Gallagher, IT Editor Emeritus
Sean was previously Ars Technica's IT and National Security Editor. After over 20 years in technology journalism, including over 9 at Ars, he pivoted to cybersecurity threat research, first at Sophos and now as a security research engineer at Cisco's Talos Intelligence Group. A former Navy officer, he lives and works in Baltimore, Maryland.