Tag Archives: CLSID

Tech support scammers impersonating ISPs

 adds to our knowledge of current support scam tricks by describing how Scammers Impersonate ISPs in New Tech Support Campaign. Scammers have, in fact, impersonated ISPs before, though not as often as they’ve pretended to be Microsoft (or working on behalf of Microsoft), and not as often as I expected when I wrote about this possibility back in 2010.

The difference here is that they’re not simply ringing up and saying ‘I’m from your ISP’ or even ‘I’m from Verizon’ (which rings a slight alarm bell if you know your service provider is a completely different company). They’re using a nifty little wrinkle to determine the victim’s ISP from his or her IP address. I remember with some regret the days when a support scammer couldn’t even lie convincingly about knowing your IP address, but the scams have been based on increasingly sophisticated tricks, and on a barrage of pop-ups aimed at getting you to ring them rather than vice versa. Clearly, such a pop-up message is more effective if it’s actually customized to correspond to a potential victim’s real ISP, and may even take the form of a customized audio message.

Once they do get you on the phone, though, it seems they still lean heavily on old favourite ploys, for example the INF ploy noted in the Malwarebytes article. Here’s a description of how it works from another of my articles.

INF and PREFETCH are legitimate system utilities: The “Prefetch” command shows the contents of C:WindowsPrefetch, containing files used in loading programs. The “INF” command actually shows the contents of a folder normally named C:WindowsInf: it contains files used in installing the system. So how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then asking them to type in something “prefetch hidden virus” or “inf trojan malware”. When a folder listing like those above appears, the victim believes that the system is listing malicious files. In fact, neither of these commands accepts parameters in the Run box. You could type “inf elvish fantasy” or “prefetch me a gin and tonic” and you’d get exactly the same directory listing, showing legitimate files.

 And, of course, I still see innumerable reports of scammers using the tired old CLSID  gambit. Evidently these things still work. Perhaps they’re more convincing when they come from a ‘support desk’ that you’ve been misdirected into ringing, rather than from a random cold-caller, but they’re still the same old drivel.

David Harley

Advertisements

Tech Support Scams Latest

I’ve just added a link on the resource page to another article from Malwarebytes on support scams using a fake Blue Screen of Death, this time by Chris Boyd: Avoid this BSoD Tech Support Scam. Also some comment by John Leyden for The Register.

I also noticed today a comment to one of my ESET articles of some possible interest to support scam watchers. Actually, I think I approved the comment some time ago, but never got around to flagging it elsewhere.

I know these are scams, and I work in IT, but I had only heard these stories from my mom about them calling her. I wondered if this was a scam targeting older people, since I had never been called. Now they have started calling. 

While these scammers certainly seem more than happy to defraud older people, probably because they expect them to be less conversant with technology and therefore likelier to fall for the pitch, I doubt if the cold calls are, in general, actually targeting my generation. (I’m happy to note that – in the UK, at any rate – my generation is less gullible than you might think.)

The first time they call, about 3 weeks ago, the guy tells me my computer is infected. When I asked which computer he says my windows computer. I tell him I have, which computer is the problem. He tells my I am lying, that I don’t have 7 windows computers. He them hangs up on me for wasting his time. 

Today they called again. I played along, though I did say I had multiple computers, this guy said they were all likely infected. I asked him to verify the IP of the infected machine and he tells me he can’t but he can verify the CL SID. He rattles of the CLSID listed here and asks me to run the assoc command.

So far, so typical of many of the hundreds of reports I’ve seen.

By this time I already have this site open.

(The comment is one of nearly 500 attached to this article: Support desk scams: CLSID not unique.)

I string him along for a little bit when I finally tell him, politely, that I know this is BS. At first he denies it, then he actually acknowledges it, acknowledges that he is in Calcutta. Tells me a little about his family, and that he is in school. Tells me that work is hard to find, and asks if it’s as hard here as it is there. He tells me that the scam jobs make 14,000 a year, but the legit ones that he can find only make 7,500 a year. At the end of the call, he thanked me for not yelling and screaming profanities at him. Overall I was on the phone for 40 minutes and 20 of that was after I told him I knew.
Weirdest call ever. 

Well, it’s not quite the first time that a conversation somewhat like this has taken place. My friend and former colleague Craig Johnston recounted a similar encounter in Virus Bulletin back in 2011, which he also talked about in our joint presentation at Virus Bulletin with Steve Burn and Martijn Grooten. The guy Craig talked to was a little more self-deluded: as Craig said, ‘While the caller admitted that the methods used to convince the ‘customer’ were dodgy, he was keen to assure me that the product being sold was legitimate and that it would benefit the customer.’

In this case, the scammer didn’t try to offer such self-justification, but may give us some insight into the economics of scam versus legitimate call-centre jobs (though we believe that some call-centres use both scam and legit approaches to support). I’ve talked before about scammer motivation, but it does at least seem that not all support scammers are bullies and worse (like the unspeakable monsters who try to block their victim’s access to their own systems if they allow the scammer access and then decide not to purchase his ‘services’) and may even have the grace to be less than proud of the way they make their living.

David Harley
ESET Senior Research Fellow