Investigating A Tech Support Scam – Part 1: The Call

I got a panic call from a client on Thursday who went over to his parents house and apparently, his mother had received a call from someone claiming to be from Microsoft and saying that her computer had viruses. She had then initiated a remote access session with this “technician” and he was doing stuff to the computer. I literally dropped what I was doing and raced over there. The reason for my urgency was simple. The scammer will typically attempt to get the victim to allow remote access to their computer. After remote access is gained, the scammer relies on confidence tricks and social engineering.  Typically involving utilities built into Windows and other software in order to gain the victim’s trust to pay for the supposed “support” services, when the scammer actually steals the victim’s credit card account information, or to persuade the victim to login to Internet banking. Sometimes they will even steal files off of the computer. Clearly this sort of scam is very dangerous.

When I got there, I saw someone controlling the computer remotely. I put an end to that by pulling the power plug. I then warned the clients that the scammers would be phoning back and when that happened (which it did about 5 minutes later), the scammer needed to be told that the Internet is out. Meanwhile, I went about seeing what these scumbags had done. There was a remote access program running with the name People Connect Inc. I Googled the name and found that the name and the phone number that they are associated with this sort of scam. The remote access session showed that they had uploaded a number of files to the computers:

  • A text file that was meant to show that these scammers were legit.
  • CCleaner which is a utility to clean up a computer.
  • The installer for the Chrome web browser
  • Several files named unlock.bat, hosts.exe, lock.bat, execunlock.bat, execlock.bat, Nautilus Blue.exe, Nautilus Green.exe as well as a encrypted zip file that had the same files.

I took a copy of the ZIP file and deleted the rest. The reason why I took the ZIP file is I wanted to see what they were up to using a pristine copy of all of these items. As I type this, I am running a password cracker on it in a Windows 7 virtual machine. Once I crack it, I will test out the utilities to see what these files are and what effect they have on a Windows computer. I will then submit them to various anti-virus makers so that they can add these files to their virus definitions.

I ran a virus scanner that boots the computer from a USB thumb drive. I found nothing. I then went through the system and I ended up not really finding anything. From what I could tell, there were still in the process of setting up shop to carry the scam forward. I then ran several other malware and antivirus scanners and found nothing. I then ensured that the system was properly protected and left.

Now to protect themselves, the client cancelled the credit card that they used to stop the scumbags from getting paid. And to ensure that everything is okay, I will be doing a follow up. Meanwhile I will be looking at the files that these scumbags left behind after I break into the ZIP file. I’ll report on both of those in the coming days. In closing, I will also give you tips on how not to become a victim of a scam like this. Please stay tuned for further developments.

3 Responses to “Investigating A Tech Support Scam – Part 1: The Call”

  1. […] dealing with the events of part one of this story, I turned my attention to finding out who People Connect Inc. were. As I mentioned in my previous […]

  2. […] In part one of this investigation I dealt with the initial threat. In part two I looked at who the scammers who do business as People Connect Inc. are and showing that they are scammers. Now I will show you what these scammers were up to. Though, that took some effort. […]

  3. […] In part one of this investigation I dealt with the initial threat. In part two I tracked down the scammers and I unwrapped what these scammers were up to in part three. Now I will tell you how to avoid a scam like this. […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: