We scam the Indian call centre scammers - TechCentral

At TechCentral, we get called on average at least once a week — sometimes far more often — by a friendly-sounding Indian national warning us that our Windows computer is infected with a virus. The call, which originates from a call centre, follows exactly the same script every time. Usually we shrug them off and put the phone down, but this week we thought we’d humour them to find out how they operate.

Do not mistake this for a harmless nuisance: the people behind these calls can cost you money and can destroy the documents on your computer. In short, never, ever let these guys have access to your computer.

As this week’s call came in, the first thing the “operator” at the other end of the line tried to establish was who owned the Windows computer in the household. I’d taken the call. It was time to have some fun. I told the scammer that I was the PC owner. He proceeded to introduce himself as “John Connor”. I laughed quietly as I imagined Arnold Schwarzenegger’s Terminator hunting down this scamster in the streets of Calcutta. Perhaps he should have come up with a more convincing name.

“John” told me that my PC — along with my licence keys and personal information — was registered on their servers as being an infected device that was sending all my personal information out into the world.

He proceeded to tell me there were millions of users with the same problem and wanted me to believe his “company” was calling all of them to help disinfect their computers. He tried to sell his legitimacy by telling me that his company is a Microsoft affiliate called HelpnSecure.com. The website is clearly a front meant to make users feel more at ease.

This is where the scam starts getting clever, trying to fool the unsuspecting user that their computer is, in fact, infected with a virus. After I told “John” that I was sceptical, he proceeded to tell me that he would show me that my computer’s details were being broadcast to the world.

He asked me to jot down a number he said was my computer licence security ID, or CLSID. The number he gave me was 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. (A CLSID is nothing of the sort: it is a Class Identifier, the GUID Windows uses to register a COM component, and it has nothing to do with licences or with any particular PC.) To prove to me that he was telling the truth, “John” asked me to open my PC’s command prompt window. He used layman’s terms and guided me through every step. Little did he know that I know my way around computers.

Once I had opened the command prompt, he told me to enter “assoc”. This command displays or changes the mapping between file extensions and file types; with no arguments it lists every registered extension, alphabetically. At the bottom of the list, on the line for the .ZFSendToTarget extension, the number he had told me to jot down earlier duly appeared, and I gave a fake gasp of surprise when he pointed this out to me.

The average computer user would never know that this CLSID is not unique to their PC. Every Windows installation lists the same value, because it is the registered class for the “Compressed (zipped) folder” entry on the Send To menu (the .ZFSendToTarget association), a standard shell component that ships with Windows. I told the scammer that I was very worried and he proceeded to the next part of his scam — showing me how many dreadful viruses had made their way into my computer.

To do this, “John” asked me to open my PC’s “Event Viewer” window, which is accessible by entering “eventvwr” at the command prompt. Event Viewer is simply a viewer for the Windows event logs, where the operating system and applications record what they have been doing. Every Windows machine accumulates warnings and errors there in normal operation: a USB drive pulled out too soon, a service that was slow to start, an application that failed to launch for whatever reason. An entry marked “Error” is not a verdict about malware, and Event Viewer is not an antivirus scanner, but to a casual computer user — the real target of the Indian scammers — a long list of red and yellow icons can look very worrying.
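To see for yourself why neither “proof” means anything, here is a PowerShell script added as an example (my own, not code from the article or from anyone it describes). It pulls the same CLSID out of the registry and shows what it belongs to, then counts the warnings and errors a perfectly healthy machine has logged in the past week. It assumes a standard Windows installation with PowerShell 3 or later; reading the System and Application logs needs no elevation.

```powershell
# Added example, not from the article: reproduce the caller's two "proofs"
# and show why neither is evidence of infection.

# 1. The "CLSID" trick. `assoc` prints the default value of every extension
#    key under HKEY_CLASSES_ROOT. Its last line, .ZFSendToTarget, points at the
#    COM class behind "Send to > Compressed (zipped) folder". That class ships
#    with Windows, so the same GUID appears on every PC in the world.
$extKey   = 'Registry::HKEY_CLASSES_ROOT\.ZFSendToTarget'
$progId   = (Get-ItemProperty -Path $extKey).'(default)'     # CLSID\{888DCA60-...}
$clsidKey = "Registry::HKEY_CLASSES_ROOT\$progId"
$friendly = (Get-ItemProperty -Path $clsidKey).'(default)'   # the component's own name
"{0} -> {1}" -f $progId, $friendly

# Exactly what the scammer has the victim read out, straight from the OS
# (assoc is a cmd.exe built-in, hence cmd /c):
cmd /c assoc .ZFSendToTarget

# 2. The Event Viewer trick. Count Critical (1), Error (2) and Warning (3)
#    events in the System and Application logs over the last seven days and
#    list the noisiest sources. On a normal machine the number is far from
#    zero and the providers are mundane; none of it is a malware verdict.
$filter = @{
    LogName   = 'System', 'Application'
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddDays(-7)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
"{0} critical/error/warning events in the last 7 days" -f $events.Count

$events |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize
```

Run it on any Windows box and compare the first line with the number the caller reads out; the second part is a useful thing to show a worried relative, because the providers at the top of the list (service control manager, disk, DCOM, application crash reporting) are the same ones the scammer scrolls through.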

Once we had established that my computer was “fraught with infections” and that all my personal information was being broadcast to the world, “John” went in for the kill. He told me that engineers were on standby to assist me. This is where things got a little scary and it’s here where you should probably put the phone down if you’re also going to take these jokers for a ride.

“John” asked me to go to Support.me, the download site for the LogMeIn Rescue remote-support tool (TeamViewer, a similar product, is also used for this scam), which gives the crooks full control of your computer. Because I would be able to see everything they were doing, “John” assured me, I needn’t worry.

We have a spare PC in the TechCentral office that has been newly installed and that contains no personal information. I used this machine for the next part of the ploy. I installed the Support.me application and provided “John” with the access details.

Once his “support engineer” was connected, “John” told me that there would be a service fee that I’d need to pay in order for them to help me. Prices ranged from R1 999/year to R3 500 for three years, he said, using South African currency.

The “engineer”, who now had access to the dummy computer, promptly proceeded to open PayPal in a Web browser. He then asked me to log into my account or pay via the credit card function on the PayPal website. Knowing that things were getting serious, I tried to stall him, but “John” realised I was not playing along.

Windows’ Event Viewer

As they still had access to the computer, the next move proved a little puzzling. But I realised later what “John” and his “engineer” were trying to do.

Because I did not furnish my PayPal or credit card details, the scammers turned nasty and proceeded to my documents folder. I saw the engineer poking around in some folders, but I promptly disconnected the office Wi-Fi connection. After some research, I found out that they’ll delete system files and users’ personal documents.

Fortunately, I disconnected before they managed to delete files on the dummy PC — not that there was anything of value for them to delete. Cutting the connection only ends the session, though; it undoes nothing that was installed or changed while they were connected, so a machine used this way should be wiped afterwards, or be a throwaway virtual machine you can roll back.

If I had entered my credit card details or logged into my PayPal account, the scammers would have had them on the spot: a remote-support session shares the screen, keyboard and mouse, so anything typed into the browser is visible to the other side and a logged-in session is theirs to use as quickly as they like.
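If you did let a caller connect, the question afterwards is what they left behind. The following PowerShell is added here as an example, not taken from the article, and lists installed programs, services, Run keys, scheduled tasks, processes and live connections that match the remote-support tools named on this page (LogMeIn Rescue, reached via Support.me, and TeamViewer). The match pattern is an assumption: extend it with whatever the caller had you install. It assumes Windows 8 or later for Get-ScheduledTask and Get-NetTCPConnection, and should be run elevated so the machine-wide registry hives and every process are visible.

```powershell
# Added example, not from the article: what a remote "engineer" may have left
# behind. $pattern is an assumption built from the tools this page mentions.
$pattern = 'LogMeIn|Rescue|TeamViewer|Support\.me'

# 1. Installed programs: 64-bit and 32-bit views, machine-wide and per-user.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, InstallDate, UninstallString

# 2. Services the tool may have registered to survive a reboot.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName

# 3. Run keys (values whose names start with PS are PowerShell metadata, skip them).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Name -notmatch '^PS' -and $_.Value -match $pattern } |
        Select-Object @{ n = 'Key'; e = { $key } }, Name, Value
}

# 4. Scheduled tasks, matched on name or on the executable each action runs.
Get-ScheduledTask |
    Where-Object {
        $_.TaskName -match $pattern -or
        (($_.Actions | ForEach-Object Execute) -match $pattern)
    } |
    Select-Object TaskName, TaskPath, State

# 5. Anything still running, and where it is talking to.
Get-Process |
    Where-Object { $_.Name -match $pattern -or $_.Path -match $pattern } |
    Select-Object Id, Name, Path
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -match $pattern
    } |
    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
```

An empty result from every section is not proof the machine is clean (the caller could have run anything at all while connected), which is why the safe answer remains a wipe; the script is for deciding how worried to be, and for finding the remote-control client you need to remove first.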

This scam can have serious repercussions, but considering the frequency of calls we get in the office, those behind it must have a reasonably high success rate.

So, if you get a call asking if you are the owner of the PC, just put the phone down. Or, if you’re tech savvy, why not have a little fun with them like I did? These crooks belong in prison, but there’s no harm in stringing them along provided you exercise due caution. In fact, it can prove quite entertaining if you have a bit of time to kill.  — © 2014 NewsCentral Media

73 Comments

  1. Well done. I’m also annoyed with these people. I once warned them, falsely, that I need to inform them that ‘this call is being recorded’. The guy became very nasty after that and all his fake politeness disappeared.

    Am I dreaming or can Zuma use his connections with the Guptas to use their connections in India to get these people in jail?

  2. Nice write-up Regardt. I want somebody technical to go through with the whole thing of having stuff deleted and see what they say when they realise there is no end-game. “Oh well buddy, I just lost a dummy PC, what now?”

    Gather details, report the IP addresses, and get your own back.

    Maybe even set goatse as a wallpaper on the honeypot computer.

  3. Wayne Potgieter

    I often get these calls. I patiently wait until they advise me to click on the “start” icon.

    They always hang up when I tell them I can’t find that icon on my Mac.

  4. Or a picture of a big juicy hamburger and a cow. Just to drive the point home.

    Or goatse and the hamburger if you wanted them to hurl.

  5. I informed one of these fake tech support people that I would be recording the call and supplying information to authorities. It’s amazing how quickly they just hang up.

  6. That’s funny! I once played absolutely stupid and gave them an exercise in painful patience. After 30 minutes on the phone, I finally revealed that I was using Linux.

  7. “I promptly disconnected the office Wi-Fi connection”, you let a known malicious user get control of a system that was actively connected to your corporate network for the sake of a prank? Regardless of your skill level, this was probably not a smart choice.

    What if when hitting the fake Paypal site you loaded an applet/browser vuln that unknown to you compromised the machine, and was used to pivot into your network while you continued to talk to him?

    If that didn’t happen you were lucky. I hope the next thing you did was fully image that dummy machine before connecting it back to the corporate network.

  8. When there is off-the-shelf software that makes this type of attack simple for a script kiddie to pull off (http://beefproject.com/, Social Engineering Toolkit, etc), complete with Metasploit integration, it isn’t a “doomsday” situation, it’s being done in the wild daily. Take a look at what “El Machete” is doing in South America if you don’t believe me. It’s simple malware which has an infection point based on those tools mentioned.

  9. Regardt van der Berg

    You make a valid point and I should have been more cautious. Let my mistake be the lesson for other scam-pranksters out there. The dummy machine is fine and no malicious code was injected onto the PC.

  10. Roberto Davis

    How do you think he would have skimmed your PayPal details on a computer he didn’t have a key logger on? There’s something off about this article

  11. You are assuming no malicious code was injected. Just because you didn’t see it happen doesn’t mean it didn’t. How do you really know what installed for the remote desktop support?

  12. Nice story, but really, why did you use a real machine connected to a corporate network? Using a virtual machine would be much safer, you could let them do whatever they want all the way until the end… and there would be no need for reinstalling the machine. 😉

  13. With such software, the control of the PC is shared. Both people can type and click stuff around.

    Exactly like when they started deleting stuff around in vengeance.

    They are the ones who opened the PayPal log-in page, and once logged in by the victim, they could again take control and quickly type into the form an order to send 10’000$ to their account, before the user has any chance to react.

    (But that would be still useless if the victim’s bank requires out-of-band confirmation)

  14. I was thinking the same: That would also allow monitoring the connection from within the host.

  15. I just had a similar thing happen. They called me from the Windows Department. They said hackers were on my system and sending personal detail out. They had me open certificate manager and pull up an expired Microsoft certificate and said hackers did that. I let them onto my VM that I stood up and took a snapshot prior to letting them on. They used TeamViewer for the initial connection and installed LogMeIn Rescue for the persistent connection. They worked in teams: one guy with fairly decent English skills (still with a heavy Indian accent) spoke to me while another guy did all the work on the computer. They ran CCleaner on it and showed me everything that the hacker had done and what CCleaner was able to clean. They said that the fee was 350 dollars a year and they will protect my machine from them. I said wow that’s such a great deal, at which point the guy said oh it’s 2 payments of 350.00. He tried to pull up a website for payment. I googled for Visa test credit card numbers and used that. When the card was declined he asked who issued the card and when I said Chase he had opened Notepad on my PC with a script to read off and the number for Chase fraud. So I called the Chase fraud number and after I got the “your call time is x minutes” I had my wife pretend to be Chase fraud. That lasted for about 2 hours.
    When they realized the payment wasn’t going to happen they launched syskey and set a boot password on Windows. I called the guy out and he said too bad you can’t use your computer any more. I told him it was a VM and he didn’t do anything; he told me “you Americans are so dumb, we’ve been doing this all day”. I just went back to the prior VM snapshot and when the Windows sound came back up he hung up.

  16. Alex Mackinnon

    Hey, let’s just jump on the corporate share drive and drop little spores all over the file system. This should be a firing offence by the way, play at home with your own stuff dear Author.

  17. Alex Mackinnon

    I agree Kevin, I would put a front up for the PayPal scam, while loading my attack software to zombie the entire network to be my slaves … Double score and the victim even if playing along will be none the wiser.

    Go tell your Boss Regardt

  18. ⌈Phusion⌉

    What a let down, you ended this article with “I disconnected the wifi” — jeez..
    It’s a lot more fun to spin up a Virtual Machine full of infected binaries, images, pdfs and try to get them to download and run as many as possible. Expecting a lot more than you freaking out and dropping their connection 🙁

  19. lord cheeseburger

    You made a lot of assumptions there.

    1) Could have been physically or logically separated (eg: firewall’d)
    2) Was immediately wiped and had the OS reinstalled.

  20. Had a friend tell them “That’s very concerning! I work for Homeland Security, so I’d be very interested in learning how you discovered this.” **click**

  21. If you want to do this, you should use a modern.ie VM from Microsoft. You have 60 days to play along with your scammer. It has all the standard keys. When your scammer is done, you can delete the VM.

  22. Mr. Cheaseburger, I think you’ve made a number of assumptions if you think that simply having a firewall will stop all types of attacks, or if you think that wiping the machine AFTER it was used to infect other systems would somehow remove the problem.

    The only assumption I can see in my post is that at the other end of the “office wireless”, were other office systems. I’ve never seen an office wireless where this was not the case, but I suppose it is possible. The remainder of my comment was either based on things the Author stated, or listed as potential possible outcomes.

    These things may, or may not have happened. But as someone who makes his living as an ethical hacker, I can tell you that the scenarios I outlined are not only possible but relatively likely. If that system was not further infected, the Author was lucky.

  23. I’ve gotten quite a few of these calls myself. They always seem to call at a time when it’s too inconvenient for me to string them along like I would like to. But if I ever do get the chance, I’ve got a bookmark set up that I can make my homepage. I wonder what their reaction would be when they open my browser and see:

    http://cybercellmumbai.gov.in/index.html

  24. The next step when they ask you to sign in to PayPal is to use fake email and password credentials. Then as it fails again and again explain that the viruses must really have done some damage in a very worried tone.

  25. I love those guys they’re fun to play with! Next time use a VPN loaded with malware infected files with attractive names. Most of them use Windows XP so you can drop all sorts of nasty stuff on their asses. Since XP is not updated anymore abuse is becoming far easier than it already is.

  26. What if you let him enter a “Windows equipped PC” that is in fact a Linux one but running Windows on a virtual machine? Can you record or log all the machine input/output generated by the scammer or, even more entertaining perspective, put it on YouTube or in a security blog?

  27. You need to set up a VM with Windows XP on a highly secure *BSD machine or Linux machine with virus infected files in them. Not only would you trash the call centre computers, you would also do the world a favour in the process.

  28. Steve Treloar

    “Two girls, One Cup”? Can a Windows desktop do a continuous slide show with adjustable intervals?

  29. My mom was conned by these guys out of a few grand. It’s fun for us tech savvy people to laugh about this around the table but let’s forward this article to the people who need it!

  30. Why is it that PayPal and the credit card companies generally get a pass — surely they should do a better job of responding to consumer complaints to shut these scams down and generally verify that merchants are legit.

  31. David Hinchliffe

    The trick is not to reveal you use Linux but to instead go ahead and let them log in, then try not to wee yourself a little when they flap around and make every insane excuse under the sun when they can’t find the stuff they’re looking for.

  32. Best way to deal with these, plus all the sales pitches, is to start the discussion, then ask them to hold on while you quickly deal with another matter, and simply leave them hanging.

  33. I scream obscenities at these people; it’s amazing how many Anglo-Saxon words they come away with by the time I finish with them.

    My next ploy will be to use my referee’s whistle as loud as possible; after that it will be a gas-powered horn.

  34. Rayoph Lightman

    Well, murdering cows for the un-health of yourself and your environment could be worse than scamming other humans of a few pieces of green paper.

  35. Ah, but I did. Eventually, I was getting bored so I asked, “Could it be that I am running something funny with a penguin that my friend put on?” Hehe. It was fun.

  36. Ethical Hacking is when you are given permission by the organization that owns the environment to attack it. The goal is to find potential vulnerabilities and holes in the system so that the organization can fix them before a malicious hacker has an opportunity to exploit them.

    There are two common ways to get paid doing this:
    1) The company hires you to perform an assessment and disclose vulnerabilities.
    2) The company grants permission for anyone to look for vulnerabilities in their system, (Often with restrictions on scope, etc), and they pay per vulnerability found. This is referred to as a “Bug Bounty”.

  37. You should also check out Troy Hunt’s blog, he’s been not only talking to these scammers, but recording the whole thing and putting everything online. He just starts up a VM and lets them do whatever they want, and plays dumb to annoy them and keep them on the line as long as possible.

    One of the episodes was particularly hilarious as, once the scammer figured out that he was caught, he actually tried to get Troy to buy him porn! It’s all up on YouTube.

  38. Someone should create a virtual image that we can all run, that contains a nice honey pot setup designed to frustrate and mislead them and waste their time, seeded with all sorts of juicy looking document names, and with a ‘virtual internet’ so it appears they’re on a real machine. In fact, create a virtual server farm of these, create virtualized phone numbers, inject the numbers into their stream, use pre-recorded AI to ‘interact’ with them, and tie up the scammers forever.

  39. The same thing happened to my folks (83 & 84 years old). FORTUNATELY I was visiting them, and I had this guy on the phone for nearly an hour. It was too darn funny. I pretended to do all that he asked, and then I would say hold it, it’s not working. He would then explain again, and then I would say THERE I got it. Then he would say it’s not working. I told him I did what you said. He then would say let’s start back at the beginning. I said ok, and then shut down the computer. He said can you type the code in. I said no, the computer was off. He asked why was the computer off, I said you told me to start at the beginning, that’s where I start.

  40. A recent call:

    Scammer: We have detected a virus on your computer from someone who has been regularly hacking it, and they are stealing your personal information from your disk.
    Me: “Oh dear. A virus? That sounds bad. What can I do?”
    Scammer: “Don’t worry, we can help you. First, turn on your computer.”
    Me: “Ok, it will take a while. It’s a bit slow because it’s quite old” Then after 5 minutes of saying “it’s nearly there”: “Ok, it has booted up now. What next?”
    Scammer: “Can you see the Windows key? Press that.”
    Me: “What is the Windows key?”
    Scammer: “It’s got a picture of windows on it.”
    Me: “What shape windows? Round? Square? Arch shaped?”
    Scammer: “Square.”
    Me: “I don’t have one of those.”
    Scammer: “Ok, just click on the Start button instead.”
    Me: “Where is the Start button?”
    Scammer: “It should be at the bottom of the screen. Do you have windows 8?”
    Me: “Ok, I’m pressing the On-Off button… Now!”
    Scammer: “NO NOT THAT ONE”.
    Me: “Oh! The screen has gone black!”
    Scammer: “Ok, just turn the computer back on.”
    Me: “Alright, it will take a while. It’s a bit slow because it’s quite old” Then after 5 minutes of saying “it’s nearly there”: “Ok, it has booted up now. What next?”
    Scammer: “Press the Windows key?”
    Me: “I still can’t see a Windows key.”
    Scammer: “No, Ok. Can you see the start button now?”
    Me: “I can’t see a start button. What should I see?”
    Scammer: “Unless you have Windows 8 you should see a start button at the bottom of the screen.”
    Me: “No, all I can see is ‘D:>’ at the top of the screen.”
    Scammer: “Have you pressed F8 when you started up?”
    Me: “No, why?”
    Scammer: “It doesn’t matter. You must be already in the Command box. You do have Windows don’t you? Are you connected to the internet?”
    Me: “Windows? No, I can’t be doing with that new fangled nonsense. I’m running DOS 3.2. And what’s ‘the internet’?”
    Scammer: Silence, then “f*** off you white ****!”
    Me: “Goodbye. Thanks for your call.”

  41. My fav reply is to pretend I’m whispering to someone else “Get the other phone and have the cops trace this call. It’s the scammers” then keep them on the phone as long as possible without ever giving them access to anything.

    Another is to do the Cheech and Chong routine “Sorry man, windows isn’t here. I’m totally Mac”.

    Lastly I tell them I work for Microsoft and if they know what is good for them … hello, hello

  42. There is a guy on USENET yesterday who kept them on for a half hour, and he uploaded his record of the conversation to alt.os.linux. The “victim” was on Linux, so, he was able to do everything in VM, so there was no danger (other than to his VM). The Indian support caller turned nasty at the 20 minute mark, and swore like a sailor for more than two full minutes but then turned nice and tried for another 10 minutes. It was hilarious. https://app.box.com/s/0yluyszg1qj2l83ynbm2

  43. I used to play with them and it was fun. Then the last time when I started pretending to be cooperating and it got obvious, he told me he was going to “f@#$ me in the a$$” and got all explicit on me and it wasn’t fun anymore.

  44. Christine Bauman Romahn

    I just got scammed by these people, and now am terrified, and don’t know what to do?

  45. Dustin Horne

    I haven’t gotten a call from these guys yet but I think I’m going to spin up a VM and have it ready when they call. As a developer, I think I’ll also write a nice little app that masquerades as a virus and pretends to be installing itself to the machine of the connected party. 😉

  46. ranger@mybroadband

    You should probably re-install it just to be safe.

    It might be better to use an isolated virtual machine next time (either a snapshot, or a VM you have a copy of).

  47. paulinesheakey

    One call I got, I was told to “F you” … seems they don’t like being ‘found out’ 🙂

  48. The reason I read this post with great interest was to find out how you ‘scammed’ this SOB. Something you did which would force him to rethink doing anything wrong again in his life. But, if using up his few precious minutes was scamming then, I would say your time was more valuable than this asshole’s time.

    I hate such folks, trolls who post stupid comments everywhere, who mess up my NFL mock drafts just for the sake of it (yes, I think I am slightly mentally disturbed). So next time you make me read your article, please make sure you did something.

  49. I recently decided to scam them back and used my Linux desktop. It took them ages but they still cheerfully found a remote access that worked. When it came time to fill in the card details I wrote a rude message and said something about wasting their time for a change.

  50. I get these calls and always tell them my computer uses windows 3.1. They eventually get discouraged and begin swearing.

  51. I decided to have some fun with these guys one day, so I played along, but when we got to the running the Event Viewer nothing showed up, since I have it turned off. That threw him for a loop. When I then informed him that he’d next tell me to give him control of my computer, then try to sell me some expensive software that I didn’t need and that I was well aware that his company wasn’t affiliated with Microsoft, he got quite flustered.

    The killer was that I called him “Apu” after the Simpsons character from India who runs the Quickie Mart during our entire conversation, despite him claiming to have some American sounding name, and he STILL bulled ahead following his script!

    When I told him I’d recorded the entire conversation (which I HAD) he promptly hung up.

    Sadly they called me twice today while I was trying to NAP! Time to ditch the land line!

  52. Wing Wong Wu Leroy Patel Smith

    I screamed at the little shit with every obscenity I know as many of my elderly customers have been duped before. This guy was nearly in tears and hasn’t called me back for any reason since. Be nasty, very nasty they are trying to rob you.

  53. Wing Wong Wu Leroy Patel Smith

    Speak to your card company if you typed your details, change any PC passwords and check for LogMeIn in Add/Remove Programs; if you’re still worried get someone to do a check of your PC health, not any Indians though.

  54. lord cheeseburger

    Now you’re assuming the machine wasn’t wiped effectively. The only persistent locations to store malware are in BIOS or a hard drive. They are the only non-volatile storage locations on a computer. Whether a virtual machine was used is irrelevant either way.

    If you’ve never seen wireless systems logically separated then you really have no business commenting on this article. It’s really simple, WAP is trunked into switch, SSIDs are mapped to multiple VLANs and the only gateway is a firewall.