Coldcall scams still truckin’

A woman gets a call from a woman with a heavy Indian accent from something called ‘Windows Security’. Apparently something happened and she has errors that will invalidate her license. She can get it fixed of course, but it’s a costly endeavour.

Heard this one before? So have many Calgarians, and people all around the world. These calls have been going out to many of our clients for some time now. And though there’s recently been a lull, they continue to occur consistently and in some cases are even evolving.

The above example is only part of the story. You see, the above-mentioned woman received a different sort of call beforehand. The classic one that many of you have heard before: a representative calls, says there are viruses on your computer, and offers to remove them for a fee.

So not only had they already tried to get her, but when she decided she wanted no part in their activities they called back with a shock tactic. The goal in this case isn’t to make her say yes to the ‘Windows Security’ person. It is to get her to call back the original gentleman (she was given a phone number, which traced back to an anonymous VoIP service) and say yes to the cleaning, instead of having to buy a new license. The second call exists only to make the first offer look like the cheap way out.

Over at the esteemed anti-malware company Malwarebytes, Jerome Segura got one such call and chronicled the whole affair in his blog. You can check out his original article if you want. I would suggest doing so, as he recorded the whole conversation in audio format and chronicles it in detail.

However, they pulled another trick out of their hat on Segura. He explains a trick along the same lines, but a bit different from what we usually hear from our clients, using the system utility MSCONFIG.

You see, the Services tab in MSCONFIG displays a list of Windows components called ‘services’. Each of these has a different task inside Windows, and next to each one is a Status column reading Running or Stopped. Here’s where it gets tricky though. Check out the graphic below from my own personal laptop, the very one I am writing this article on in fact.

[Screenshot: MSCONFIG Services tab from the author’s laptop]

See above there where it says BitLocker Drive Encryption Service? Notice how it is stopped? According to the scammers, this is a symptom of a severe malware infection.

Is it really? Not even remotely. The service in the above example is simply the Windows component that makes BitLocker, Microsoft’s built-in full-disk encryption, work. If you don’t encrypt your hard drive (or, in my case, use an alternative like TrueCrypt), of course the service isn’t going to be running.

Services are only run if the functionality they provide is needed. Many of them are configured to start ‘Manual’, meaning Windows starts them on demand and leaves them stopped the rest of the time, and many of the components of Windows are geared towards supporting businesses, exotic hardware, and communication methods across the board. So for the home user, there’s ALWAYS going to be a bunch of services stopped. A stopped service tells you nothing by itself; what matters is whether it was supposed to be running.
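If you want to check this for yourself rather than take a cold caller’s word for it, here is an added example (my own, not from Segura’s article or from Microsoft) that does the triage the ‘technician’ skipped. It lists every stopped service together with its configured start mode and whether its executable carries a valid Microsoft-style Authenticode signature, then flags only the ones worth a second look. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (Get-CimInstance). The service name BDESVC for BitLocker Drive Encryption Service is not on the page; it is the real name of that service on current Windows versions.

```powershell
# Added example (not from the original post): triage stopped services properly.
# A Manual or Disabled service that is stopped is by design. An Automatic
# service that is stopped, or any service whose binary is unsigned, is a
# configuration question worth asking, but still not proof of malware.
# Assumption: run elevated on Windows 8+/Server 2012+.

$stopped = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -ne 'Running' }

$report = foreach ($svc in $stopped) {
    # PathName looks like  "C:\path\to\file.exe" -args  or  C:\Windows\system32\svchost.exe -k netsvcs
    # Pull out just the executable. Unquoted paths containing spaces will be
    # mis-split here; those are a known weakness in their own right.
    $exe = $svc.PathName
    if     ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($exe -match '^(\S+)')     { $exe = $Matches[1] }

    $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, HashMismatch, ...
    } else {
        'FileMissing'
    }

    # Win32_Service.StartMode is Auto, Manual, Disabled, Boot or System.
    # WMI cannot tell a plain Auto service from a trigger-started one, so
    # 'LookCloser' means "ask why", not "infected".
    $verdict = if ($svc.StartMode -eq 'Auto' -or "$sig" -ne 'Valid') { 'LookCloser' } else { 'ByDesign' }

    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        StartMode   = $svc.StartMode
        State       = $svc.State
        Signature   = $sig
        Verdict     = $verdict
    }
}

# Everything flagged first, then the boring majority.
$report | Sort-Object Verdict, Name | Format-Table -AutoSize

# The service from the screenshot: Manual start, stopped whenever BitLocker is not in use.
$report | Where-Object Name -eq 'BDESVC'
```

On a typical home machine the ‘ByDesign’ list runs to dozens of entries, which is exactly the point: if a stopped service were a malware symptom, every Windows install on the planet would be infected. The handful that land in ‘LookCloser’ are usually Automatic services that exited normally after finishing their job; the ones to actually investigate are those with an unsigned or missing binary.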

However, once this so-called ‘technician’ had been allowed onto Segura’s system using TeamViewer, he seems to have reacted rather rashly when he realized the payment he expected wasn’t coming: he deleted files and removed the Ethernet driver, effectively killing the Internet connection. That is the real risk of these calls. The ‘diagnosis’ is theatre, but the remote access they ask for is genuine, and once granted it can be used for anything.

Of course, in this case, Segura was using a virtual machine so he really didn’t damage anything. Segura noted that he “wasn’t going to play tricks on them or make fun of them. I just wanted to see for myself how the scam was conducted and learn more about it.” But in this case the scammer must have assumed that Segura was deliberately wasting his time (as so many people have taken to doing), and wanted to get some sort of revenge.

Either way, it seems the cold-calling scam rampage continues, albeit a little more cautiously.

The moral of the story: Microsoft doesn’t care about you enough to EVER call you. Neither Microsoft nor ‘Windows Security’ makes unsolicited support calls, and nobody legitimate needs remote access to your machine to read a Services list. So if Windows, Microsoft, Windows Security, or any variation thereof shows up on your phone, do what I do: make fun of them and laugh in their faces until they hang up. Some of the rage fits they have are worth the inconvenience of the call. And if someone you know has already let a caller in, disconnect the machine, uninstall the remote-access tool, change the passwords used on it, and call the bank about any card number that was handed over.
