Investigating A Tech Support Scam – Part 1: The Call

Posted in Commentary with tags on July 8, 2017 by itnerd

I got a panic call from a client on Thursday who went over to his parents' house and apparently, his mother had received a call from someone claiming to be from Microsoft and saying that her computer had viruses. She had then initiated a remote access session with this “technician” and he was doing stuff to the computer. I literally dropped what I was doing and raced over there. The reason for my urgency was simple. The scammer will typically attempt to get the victim to allow remote access to their computer. After remote access is gained, the scammer relies on confidence tricks and social engineering, typically involving utilities built into Windows and other software, in order to gain the victim’s trust to pay for the supposed “support” services, when the scammer actually steals the victim’s credit card account information, or to persuade the victim to log in to Internet banking. Sometimes they will even steal files off of the computer. Clearly this sort of scam is very dangerous.

When I got there, I saw someone controlling the computer remotely. I put an end to that by pulling the power plug. I then warned the clients that the scammers would be phoning back and when that happened (which it did about 5 minutes later), the scammer needed to be told that the Internet is out. Meanwhile, I went about seeing what these scumbags had done. There was a remote access program running with the name People Connect Inc. I Googled the name and found that the name and the phone number are associated with this sort of scam. The remote access session showed that they had uploaded a number of files to the computer:

  • A text file that was meant to show that these scammers were legit.
  • CCleaner, which is a utility to clean up a computer.
  • The installer for the Chrome web browser.
  • Several files named unlock.bat, hosts.exe, lock.bat, execunlock.bat, execlock.bat, Nautilus Blue.exe, Nautilus Green.exe, as well as an encrypted ZIP file that had the same files.

I took a copy of the ZIP file and deleted the rest. The reason why I took the ZIP file is that I wanted to see what they were up to using a pristine copy of all of these items. As I type this, I am running a password cracker on it in a Windows 7 virtual machine. Once I crack it, I will test out the utilities to see what these files are and what effect they have on a Windows computer. I will then submit them to various anti-virus makers so that they can add these files to their virus definitions.
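As an added example (my own triage helper, not anything the scammers or the author used): a ZIP's central directory stores each entry's name, size, CRC-32 and encryption flag in the clear under traditional ZipCrypto, so the archive can be inventoried and cross-checked against the loose copies before the password is recovered. The file names and contents below are constructed stand-ins, not the real drop.

```python
import os
import tempfile
import zipfile
import zlib

def inventory_zip(zip_path):
    """List entries without extracting. Name, size, CRC-32 and the encryption
    flag live in the central directory, which ZipCrypto leaves readable.
    Caveat: WinZip AES (AE-2) entries store CRC 0, so skip CRC checks there."""
    with zipfile.ZipFile(zip_path) as zf:
        return [{"name": i.filename, "size": i.file_size, "crc32": i.CRC,
                 "encrypted": bool(i.flag_bits & 0x1)}
                for i in zf.infolist() if not i.is_dir()]

def crc32_of_file(path):
    with open(path, "rb") as fh:
        return zlib.crc32(fh.read()) & 0xFFFFFFFF

def match_loose_files(zip_path, loose_dir):
    """Map each archive entry to whether a same-named loose file in loose_dir
    has identical size and CRC-32, i.e. the ZIP holds the same payload."""
    report = {}
    for e in inventory_zip(zip_path):
        loose = os.path.join(loose_dir, os.path.basename(e["name"]))
        if not os.path.isfile(loose):
            report[e["name"]] = "no loose copy"
        elif os.path.getsize(loose) == e["size"] and crc32_of_file(loose) == e["crc32"]:
            report[e["name"]] = "matches loose copy"
        else:
            report[e["name"]] = "differs from loose copy"
    return report

def build_sample():
    """Constructed stand-in for the drop: three loose files plus a ZIP (left
    unencrypted, as zipfile cannot write ZipCrypto) where one file differs."""
    d = tempfile.mkdtemp()
    loose = {"lock.bat": b"@echo off\r\nrem constructed sample\r\n",
             "unlock.bat": b"@echo off\r\nrem constructed sample 2\r\n",
             "hosts.exe": b"MZ-constructed-bytes"}
    for name, data in loose.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    zip_path = os.path.join(d, "drop.zip")
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lock.bat", loose["lock.bat"])
        zf.writestr("unlock.bat", loose["unlock.bat"])
        zf.writestr("hosts.exe", b"MZ-different-bytes")
    return zip_path, d
```

Run `match_loose_files(*build_sample())` to see which loose files the archive actually duplicates; on a real drop, point it at the copied ZIP and the directory the scammer wrote into.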

I ran a virus scanner that boots the computer from a USB thumb drive. I found nothing. I then went through the system and I ended up not really finding anything. From what I could tell, they were still in the process of setting up shop to carry the scam forward. I then ran several other malware and antivirus scanners and found nothing. I then ensured that the system was properly protected and left.

Now, to protect themselves, the client cancelled the credit card that they used, to stop the scumbags from getting paid. And to ensure that everything is okay, I will be doing a follow-up. Meanwhile I will be looking at the files that these scumbags left behind after I break into the ZIP file. I’ll report on both of those in the coming days. In closing, I will also give you tips on how not to become a victim of a scam like this. Please stay tuned for further developments.