Dec 3, 2012

Theory to Action: the Anatomy of a Computer Scam Call

There I was, peacefully enjoying a "Calgon, take me away" bath soak when my father-in-law knocked at the door. He said there was a computer guy on the phone who was saying all sorts of stuff about the computer, servers, etc. Could I talk with him?

He then opened the door, his eyes pressed closed, and handed me the phone, a pad, and a pencil. The next few minutes were spent with me figuring out what in the world was going on. When I finally realized that my father-in-law did not initiate the call, it became clear that it was a scam to get either access to his computer or to have him plant a program in his computer to send vital information to their system.

For my father-in-law, and all the older, less tech-savvy folks these people prey on, I'll give a rundown of how you can know it's a scam... and why the scam is so very clever for those unfamiliar with computers.

Just as with credit card or bank scams, your first red flag is that they call you: "unsolicited" calls, as Microsoft's help page calls them. Microsoft, like your bank, states that it will never initiate a call to you about your computer's security. That means you have to be vigilant about checking for updates on current viruses yourself, or find trusted sources for this information (such as going directly to the McAfee site, or the site of whatever antivirus program you use). Going there yourself, to a URL you already know, is much like calling the bank yourself: you know you are talking to the bank, not to someone who says they are the bank.

With this situation, when I finally asked what company the caller was with, I knew there were problems when he said "Windows." Microsoft is the actual company, and when I asked "Microsoft?" he said, "Yes, Windows." I don't know if this is a loophole that they try to use in case they get caught (lawyer friends out there would need to let me know!), but he was very careful to avoid saying "I am with Microsoft." Although later, after I kept insisting that Windows was not a company and asking whether he was with Microsoft, he said, "Yes, we are Microsoft."

The next red flag is when he started saying a bunch of technical-sounding terms and ended with "in short, you have a virus that is sending things to our server." I have taught about computers and networking, and this sounded very fishy. Let me lay it out: he was trying to convince me that there was a program on the computer (that is all a virus is) that was sending information "out into the internet," and that his supposedly legitimate Microsoft server was receiving messages from my computer. He said that if we checked the license ID on his server against the license ID on my computer and they matched, then there was an error, because he was getting information from me without my knowing.

The whole idea of a license ID, of them receiving things from my computer that indicated a virus, and then the idea that they knew the phone number to call from that information... all smelled very fishy. The last item was the most suspicious. Nothing on a home computer automatically attaches your phone number to the traffic it sends out; what the other end sees is a network address, which is not tied to your phone number. That's like saying that when you call someone, they will know your blood type. These are completely different systems that know nothing about each other.

He tried to tell me that the marketing department got the phone number and asked them (technical support) to call us. This has a whole lot of stink on it, too. First, why would the marketing (sales) department know whether we were sending out messages? And if he actually had it reversed, and they (tech support) were so concerned about our computer that they called marketing for the phone number attached to the license, that wouldn't happen either: 1) there are privacy rules about phone numbers being passed around for other purposes, even within the same company, and 2) technical support and marketing barely work well together on the jobs they are supposed to work on together (really).

He wanted me to go to the computer and do what he instructed in order to check for the license ID. I informed him that wasn't going to happen because I was currently in the bathtub (perhaps you should use this tactic when you get a call like this), but if he gave me the instructions, I would write them down and get to them when I got out. He offered to call me back, but I said no. I wanted to understand the situation before we wasted more time, so giving me the instructions now would help.

First, he said, he wanted me to check to see if this was my license ID: 888DCA60FC0A11CFF0F00C04D7. He even went through the phonetic alphabet to sound really sophisticated: "D as in Delta, C as in Charlie, A as in Alpha." He ended with, "If they match, we definitely have a virus, and we can help you remove them in the registry."

Alarms went off in my head when he talked about going into the registry. The registry is the database of settings that Windows and its programs depend on; among other things, it is where Windows is told which programs to start automatically (a pain in the butt to those of us who grew up with DOS in the '80s). Entering things into the registry, or deleting things from it, at a stranger's direction is like giving someone the key to your house. Never ever do anything with the registry unless you initiated the call and know the company on the other end of the line is legitimate.
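If you want to see for yourself which programs the registry tells Windows to start automatically, the following PowerShell script lists them. It is an added example for this post, not something the caller or Microsoft provided, and it assumes the four standard Run/RunOnce keys of a normal Windows installation (the Startup folder and other autostart locations are not covered).

```powershell
# Added example (not from the original post): list the programs that the
# registry starts automatically for the whole machine (HKLM) and for the
# current user (HKCU). A program planted during a scam call often lands here.
# Assumption: only the four standard Run/RunOnce keys are checked.

function Get-AutorunEntry {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds bookkeeping properties (PSPath, PSDrive, ...); skip them
            if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value   # the program and arguments Windows runs
            }
        }
    }
}

# Print every autorun entry. Anything you do not recognise deserves a closer look,
# especially an entry that points at a file in a Temp or Downloads folder.
Get-AutorunEntry | Format-Table -AutoSize -Wrap
```

Run it before and after any "support" session and compare the two lists; a new line that you did not ask for is the first thing to investigate.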

After this event, I scanned the web and found that some of the scammers go one better: they get you to go to a particular website where they can get control of your computer, under the guise of helping you out. Giving an unknown person control of your computer is like giving them your social security number. They can leave programs of their own (viruses, simply because you don't want them there) that send all your information, or every key you type, to their system all the time. Identity theft is often their goal, as well as access to any other business you may do on the internet, like banking, purchases with a credit card, etc.

Windows can open a DOS-style command window, and since it's a black screen where you type in commands that don't spell English words, most people don't know what's going on. But unfortunately for this scammer, I do know DOS. In fact, I made my students use DOS so they got used to command-line operating systems. It's not that hard, but you do have to know the commands. Here are the ones they have you type and what you are really doing:
  • They have you press the Windows key and R: this is the shortcut key to Run a program (hence the R).
  • They have you type "cmd" (they go through the whole phonetic alphabet again): this is short for "command prompt," which is the DOS-style window. It's what used to come up when you started a computer in the '80s (instead of the Windows waving screen).
  • In the black window, they have you type "assoc" (again, you will be "gently guided" through the phonetic alphabet: alpha-sierra-sierra-oscar-charlie): this command simply lists which file type, and hence which program, each file extension is associated with. For example, you will see ".doc," which will most likely be associated with Microsoft Word; that means every file with the .doc extension opens in Word when you double-click its icon. Other extensions you should see are .xls, associated with MS Excel, and .html, associated with Firefox, Internet Explorer, Safari, or Chrome.
  • They have you scroll past all the other lines (which include the extensions listed above) to look for the one "that starts with .zf and is the longest line there": they want you to find the extension .zfsendtotarget because, instead of a readable name, it is associated with, you guessed it, that string of numbers and letters they called a "license ID." It is no such thing. It is the class identifier (CLSID) of the built-in Windows component behind the "Compressed (zipped) folder" Send To shortcut, and the very same string appears on every Windows computer. A number that is identical on everyone's machine identifies nobody, and certainly does not prove you have a virus.
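To check what that "license ID" really is on your own machine, the PowerShell script below does the same lookup that `assoc` does, then follows the CLSID into the registry to find the component's name and the DLL that implements it. This is an added example for this post, not the caller's instructions or code from Microsoft, and it assumes the stock .zfsendtotarget association that ships with Windows.

```powershell
# Added example (not from the original post): resolve the string the caller
# called a "license ID". Assumption: the stock .zfsendtotarget association.

function Resolve-ExtensionClass {
    param([string]$Extension = '.zfsendtotarget')

    # Exactly what the caller has you read off the screen
    $assocLine = cmd /c "assoc $Extension"

    # 'assoc' reads the default value of HKEY_CLASSES_ROOT\<extension>
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    $progId = (Get-ItemProperty -Path $extKey).'(default)'

    # For this extension the association is a raw CLSID\{GUID} rather than a
    # readable program name such as Word.Document.8
    if ($progId -match '^CLSID\\(\{[0-9A-Fa-f-]{36}\})$') {
        $clsid    = $Matches[1]
        $classKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $friendly = (Get-ItemProperty -Path $classKey).'(default)'
        $dll      = (Get-ItemProperty -Path "$classKey\InProcServer32").'(default)'

        [pscustomobject]@{
            Extension     = $Extension
            AssocOutput   = $assocLine
            FriendlyName  = $friendly      # what the class calls itself
            ImplementedIn = $dll           # the Windows DLL that provides it
            # The GUID the way the caller reads it out: braces and hyphens dropped
            SpokenForm    = ($clsid -replace '[{}-]', '').ToUpper()
        }
    }
    else {
        [pscustomobject]@{ Extension = $Extension; AssocOutput = $assocLine; ProgId = $progId }
    }
}

Resolve-ExtensionClass | Format-List
```

On a standard Windows installation the DLL comes back as zipfldr.dll, the Windows compressed-folder handler, and the friendly name names the compressed-folder Send To target. Run the script on any second Windows machine and you will get the identical GUID, which is the whole point: it is a part number for a piece of Windows, not a serial number for your copy.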

So, after writing this all down, he told me to call back when I was out of the tub at 302-482-8070. Really? I asked. This is not a 1-800 number? No, he replied. I later looked up this number and found it to be the US number for Itchy Global Inc (I didn't want to call it), which was supposedly located in Panama. "Ask for Kevin Miller," he said, "or any of the engineers here." Oh, I was livid... here they go giving engineers a bad name...