The IT Nerd

In part one of this investigation I dealt with the initial threat. In part two I tracked down the scammers and I unwrapped what these scammers were up to in part three. Now I will tell you how to avoid a scam like this.

Here’s the big hint that this is a scam. The scammers will likely be pretending they are calling from Microsoft or from “Windows,” “Windows Tech Support” or “Windows Service Center.” or even your ISP.

Fact: A legitimate company such as Microsoft, Apple, or Google would never call you in this manner. The exception might be your ISP. There’s a minute possibility that your ISP would call you if your computer has been infected with malware that could be sending out something from your computer. If a caller claims to be from your ISP, ask for the caller’s name, where his or her office is located, and for the office telephone number. Ask why you’re being contacted by telephone, what the issue with your computer is and how the ISP could tell it was your PC specifically that had a problem. If a call sounds legit, hang up and call the ISP yourself, then ask for the tech support department or for the person who called you specifically. Use a phone number listed on your ISP’s website or on your bill, not a number that the caller gave you. That way, you could confirm or deny if this is legit.

Now, if you get a call from a scammer. The best way to deal with them is to hang up. But if you want to do the world a favor, do the following….. Though I will not exactly go out of my way to recommend vigilante behavior like this:

1. The name of the company the scammer claims to work for, and the company’s website, phone number or address. Even the smallest pieces of info can lead one down the road of finding out who the scammers are and you’d be surprised how willing they are to give up this information to try and gain your confidence.
2. Hang up.
3. Report it. Microsoft has a Web page dedicated to reporting tech-support scams. The U.S. Federal Trade Commission has a website for fielding complaints, while the Canadian Anti-Fraud Center is the place to go if you’re in Canada.

So, what happens if you get scammed? You need to act fast. First, shut down the computer. Then do this:

1. First download and install legitimate antivirus software. Then, run a scan to see if anything has been left behind. Then change the passwords on the user accounts on your PC. You don’t have passwords on the user accounts? You should precisely for this reason. If you don’t feel comfortable doing any of these items, call an IT expert for help.
2. If you gave the scammer your credit card number, then you really need to act fast. Call your credit card provider and either reverse the charges or cancel the card (my client did the latter).  Then you should also contact one of the three credit-reporting agencies. Namely Equifax, Experian or TransUnion and ask them to place a free 90-day credit alert on your file. For the record, Experian doesn’t operate in Canada but the other two do. The agency you contact will alert the others and you’ll be notified if someone tries to do something in your name.
3. Report it.

As you can see, getting hit by a scammer is not a trivial matter. You need to be on your toes to avoid this sort of thing. If you are, then you should never have to worry about the negative effects of being scammed. I’ve documented what People Connect Inc. were up to in this case, but there are lots of others who are just as evil. I hope this information helps to make sure that you are not a victim of something like this.

In part one of this investigation I dealt with the initial threat. In part two I looked at who the scammers who do business as People Connect Inc. are and showing that they are scammers. Now I will show you what these scammers were up to. Though, that took some effort.

First of all, I grabbed a ZIP file that was encrypted. I needed to break into it. Thus I reached out to a friend of mine who is a white hat hacker (in other words, a hacker that hacks to helps people rather than hurt them) to help with this. We used a program called John The Ripper on a custom computer with a series of Nvidia graphics cards to add computing power to the CPU to help to crack this ZIP file. It took several hours, but I had it cracked. When I got to look at the files, this is what I saw:

Here’s what these files do. First, there were four batch files:

• The first one is called execlock.bat and it takes away Internet access from dozens of websites using a supplied application called hosts.exe which is a Russian designed application that modifies a file on your computer called “hosts” which controls how your computer gets to the Internet. By doing this, it can make you think that you had a serious problem. But not enough to outright kill your Internet access (which would disconnect the scammers of course and keep the scammers from “fixing” things).
• The second one is called execunlock.bat and it restores the Internet access that was removed by the previous batch file.
• The third one is called lock.bat. It runs a file that was in the collection of files called elevate.exe and then runs the execlock.bat batch file that I mentioned earlier. This elevate.exe application allows one to bypass any security that might be present on the PC.
• The fourth one is called unlock.bat. It runs a file that was in the collection of files called elevate.exe and then runs the execunlock.bat batch file that I mentioned earlier. This elevate.exe application again allows one to bypass any security that might be present on the PC.

Now I believe that the purpose of these batch files is to create a “problem” for the scammers to fix so that they can take your money. But they didn’t stop there. The real threat is three other files that were present.

• The first threat is a file that I found called air.exe. It appears to be a remote control application which would allow someone in some other location to control a PC. It appears it is based on this application:

• Next on the list is are two pieces of software called Nautilus Blue.exe and Nautilus Green.exe which appears to be another remote control application called Show My PC which is based on this:

https://showmypc.com

Here’s the catch, these apps run an install that appears to install other software. That of course isn’t good as it implies that it would create a problem that would be persistent.

One note: I figured out how what this stuff was doing using a piece of software called Process Monitor so that I could log everything that these pieces of software do at very low levels. Be it network access, reading or writing to the hard drive, or whatever else these pieces of software decided to do. On top of that, I used a Windows 10 virtual machine via Parallels Desktop to do my testing so that I could take a snapshot of the environment before running this stuff and go back to that snapshot over and over again during my testing. Plus I would not have to risk a a real PC being infected with something at the end of my testing.

I have reason to believe that if they got a chance to run these files (which they didn’t because I pulled the plug on these guys), the scammers could remote control a PC at will. Plus nothing from a malware or antivirus perspective will detect this stuff as it is based on commercially applications which makes this stuff very dangerous. That makes the scammers very dangerous. Thus I will be submitting all of this to antivirus vendors in the hopes that they will come up with countermeasures against this stuff so that these scammers cannot use these tools do do their evil deeds.

In the final part of this investigation, I will give you my tips in terms of avoiding a scam like this.

UPDATE: On top of submitting the files that I found to a variety of antivirus vendors, I have reached out to AeroAdmin and ShowMyPC as well to inform them that their software is being used in this scam and might have been modified. I will update you if I hear from them.

UPDATE #2: ShowMyPC has been very helpful in terms of unwrapping the files named Nautilus Blue.exe and Nautilus Green.exe. Here’s what they said:

Of the 2 files you sent one of them, green one, it seems like a renamed/perhaps re-bundled or modified file of our free version.

Our free version has an interface that has to be launched, explicitly press a button to start, next a warning dialog to accept settings and before a user could use it. It is very restrictive in time and usage and unlike many other programs has no inbuilt functionality to start remotely.

Our exe does not install anything but does extract files while in use.
Just delete the main exe and if any temporary files exist. You can read about uninstalling and any temp files on this link.
http://showmypc.com/faq/uninstall-showmypc.html

Although its hard to say how the program was modified, however if it was used on your customers pc, we maybe able to help you track the remote IP of the users if they made any connection and we can block those users from using this.

Any session using our program can be easily reported here.
https://showmypc.com/faq/warning.html

Thanks for bring this to our notice, and we continue to keep a watch on any abuse report.

I’d like to thank ShowMyPC for their help with this, Now over to Aero Admin. I am working with them as well and I will update you when I have more info.

After dealing with the events of part one of this investigation , I turned my attention to finding out who People Connect Inc. were. As I mentioned in my previous post, I found that the name and the phone number that they are associated with tech support scams in the past. Thus I was really motivated to find out who these people were and expose them for the scammers that they are. Before going further, I want to point out that I have hyperlinked some info that doesn’t go to this group of scammers, and anything that goes directly to the scammers is not hyperlinked. The latter can be easily found via Google or whatever search engine that you prefer if you’re interested.

The first thing that I looked at was the phone number that the scammers were using which is 1-800-690-3683. A Google search indicated that this number has been associated with tech support scams using a variety of company names. That suggests that this scammer has been around for a while and has used or is using a number of business names to scam people and avoid detection. But they don’t seem to change the phone number. The other thing that this Google search did is that it led me to the website of People Connect Inc:

The company claims to offer these services:

Two things got my attention. The first is the fact that they claim to be a Microsoft Partner. I can find no evidence that supports that this is true. The second was the ITES link is the one that got my attention. When I clicked on it, this is what I saw (Click to enlarge):

It says nothing about phoning people up and providing tech support. Real or otherwise. But it does say enough that a person who is not tech savvy may buy into what they are claiming.

But things got really interesting when I did a whois lookup on peopleconnectusa.com and got this result back (Click to enlarge):

The registrant has an address in Plainview New York, and the location turns out to be a house according to Google Street View which is strange seeing as search on Google Maps comes back with a different address in Uniondale NY with a different phone number that is tied to this domain name. The funny thing about this address is that Google Maps lists them as “computer support and services” with a couple of 5 star reviews which I would say are likely fake. On top of that, there is no suite number listed in this Google Maps entry. If you take that and combine it with the fact that there is a company that operate short term office space rentals in the same building, it leads one to suspect that this address is a front for this scam so that people are more likely to hand over credit card info and the like.

On top of that the technical contact is located in Kolkata India which is a known hotbed for tech support scams coming from India. Here’s where things get interesting. If you look at the e-mail addresses you’ll see that the ones for the registrant and admin contact (who are the same person) have the same first name as the technical contact, who strangely uses a Gmail address. That suggests that the person behind this scam might be the tech contact, or he at least is responsible at least in part in terms of setting it up, and the scam is run out of India.

Another couple of things to point out, at the bottom of their website they have links to a Facebook page where they post their own content to so that they can look legitimate. However, they also have a link to what I suspect should be their Twitter feed, but it simply goes to Twitter.com. Clearly attention to detail is not a strong point with these scammers. They also have a LinkedIn page that doesn’t have a whole lot of content on it. Finally, People Connect Inc are using a website called provencredible.com to try to add to the impression that they are legitimate. Ignoring the fact that only a tiny number of companies use this service, when you go there to see what’s listed there for People Connect Inc. you see this (Click to enlarge):

I am going to go out on a limb and suggest that the first testimonial is fake, and the second one is real.

Clearly, there’s enough evidence here to support the fact that these people are scammers, and they’ve been running this scam for a while. Thus if you get a call from People Connect Inc., hang up the phone. Or if you get a call from 1-800-690-3683, don’t even pick up the phone.

In the next part of this investigation, I going to focus on what software that these scammers tried to install on my client’s PC so that you can see what an operation like this does to the unsuspecting. What I will do is install this software on a virtual machine and analyze what it does. As soon as I have completed that, I will post the results here so that you can see how dangerous scammers like these are.

I got a panic call from a client on Thursday who went over to his parents house and apparently, his mother had received a call from someone claiming to be from Microsoft and saying that her computer had viruses. She had then initiated a remote access session with this “technician” and he was doing stuff to the computer. I literally dropped what I was doing and raced over there. The reason for my urgency was simple. The scammer will typically attempt to get the victim to allow remote access to their computer. After remote access is gained, the scammer relies on confidence tricks and social engineering.  Typically involving utilities built into Windows and other software in order to gain the victim’s trust to pay for the supposed “support” services, when the scammer actually steals the victim’s credit card account information, or to persuade the victim to login to Internet banking. Sometimes they will even steal files off of the computer. Clearly this sort of scam is very dangerous.

When I got there, I saw someone controlling the computer remotely. I put an end to that by pulling the power plug. I then warned the clients that the scammers would be phoning back and when that happened (which it did about 5 minutes later), the scammer needed to be told that the Internet is out. Meanwhile, I went about seeing what these scumbags had done. There was a remote access program running with the name People Connect Inc. I Googled the name and found that the name and the phone number that they are associated with this sort of scam. The remote access session showed that they had uploaded a number of files to the computers:

• A text file that was meant to show that these scammers were legit.
• CCleaner which is a utility to clean up a computer.
• The installer for the Chrome web browser
• Several files named unlock.bat, hosts.exe, lock.bat, execunlock.bat, execlock.bat, Nautilus Blue.exe, Nautilus Green.exe as well as a encrypted zip file that had the same files.

I took a copy of the ZIP file and deleted the rest. The reason why I took the ZIP file is I wanted to see what they were up to using a pristine copy of all of these items. As I type this, I am running a password cracker on it in a Windows 7 virtual machine. Once I crack it, I will test out the utilities to see what these files are and what effect they have on a Windows computer. I will then submit them to various anti-virus makers so that they can add these files to their virus definitions.

I ran a virus scanner that boots the computer from a USB thumb drive. I found nothing. I then went through the system and I ended up not really finding anything. From what I could tell, there were still in the process of setting up shop to carry the scam forward. I then ran several other malware and antivirus scanners and found nothing. I then ensured that the system was properly protected and left.

Now to protect themselves, the client cancelled the credit card that they used to stop the scumbags from getting paid. And to ensure that everything is okay, I will be doing a follow up. Meanwhile I will be looking at the files that these scumbags left behind after I break into the ZIP file. I’ll report on both of those in the coming days. In closing, I will also give you tips on how not to become a victim of a scam like this. Please stay tuned for further developments.