Tech support scammer tricked into installing ransomware

First things first, we do not recommend that you screw around with crooks.

That includes fake support calls, 419 scammers and fake tech support outfits.

If you’re talking to them on the phone, they know your phone number. If somebody in the scam outfit got your number via a data breach, the caller might even know where you live.

All you really know for sure is that they’re crooks.

Our advice is to just hang up, lest you be on the receiving end of threats to, say, chop you up and feed you to the fishes.

Having said that, there’s a set of people who most certainly don’t hang up.

D*** the potential risk, full speed ahead. They do things like draw out the conversations to waste the crooks’ time. One guy even cooked up an autobot to do the work for him: he’d forward calls to it, thereby automatically (and hilariously) wasting the fraudsters’ time.

There’s a new one to add to that turn-the-tables genre. His name is Ivan Kwiatkowski, and his modus operandi was to infect the caller with Locky ransomware.

As Kwiatkowski tells it, earlier in the month, his parents somehow managed to land on a page (now defunct, but here’s a screenshot) telling them that their brand-new system – it had been in use for only 30 minutes! – had somehow been infected with the notorious Zeus malware.

As tech support scams go, this one was replete, blinking and flashing like the Strip in Las Vegas on a Friday night:

This horrible HTML aggregate had it all: audio message with autoplay, endless JavaScript alerts, a blue background with cryptic file names throwing us back to Windows’ BSoD days, and yet somehow it displayed a random IP address instead of the visitor’s one.

Kwiatkowski decided to mess with the crooks. So he fired up an old Windows XP virtual machine (VM), got in touch with “tech support,” got past a prerecorded message, and eventually reached a human who identified herself as “Patricia.”

The typical tech support scam ensued:

She guides me through the steps needed to download some kind of remote-assistance client: Windows+R, type in iexplore remote.join360.net, jump through a few more hoops and run whatever executable is offered to you. From what I gather, this is actually a legitimate tech-support program, it being digitally signed and all.

In these scams, the caller won’t take no for an answer until you give them remote access to your computer and let them “fix” the “threat” – for a fee, of course.

You also need to buy their super duper antivirus software, of course, and open up whatever executable files they want you to click on.

It used to be that these fake tech support callers would call us, but nowadays, as more and more people refuse to take calls from unknown numbers, the crooks have been adapting.

Instead of them calling you, it’s increasingly common that they’ll use a web ad or popup that simply runs the scam in reverse: like what happened to Kwiatkowski’s parents, the crook will display a warning and advise you to call them, typically on a toll-free number.

Toll-free! Hey, they’re paying for the call, so they’ve got skin in the game, right? Well, that’s what they’re hoping you’ll figure, at any rate.

So “Patricia” got access to Kwiatkowski’s VM, typed in commands that returned results that she knew would frighten the na?ve and supposedly give her tech cred – “1452 virus found!” or “ip hacked!” – and yet, in spite of her purported tech sophistication, missed the fact that the VM had a few interesting icons kicking around: OllyDbg, a 32-bit assembler level analyzing debugger for Windows, as well as IDA: a hosted multi-processor disassembler and debugger.

Oops! Your 15 minutes of free support are over, Mr. Kwiatkowski. She’ll call back so you don’t have to pay for more of this benevolence.

And that’s just what she did: she called back, berated him for not running antivirus software (which he told her he wasn’t), and encouraged him to buy ANTI SPY or ANTI TROJAN, “for the measly sum of $189.90.”

As a matter of fact, there’s somebody connected to your system right now! she says.

The conversation that ensues:

Isn’t that you? I ask. This says it’s someone from Delhi.
An awkward pause follows. She tells me that she’s actually the “localhost” line, because localhost means secure connexion. I fight back:
— Are you sure? I thought localhost meant the local machine.
She mumbles a little then proceeds to read me that whole section of her script again, asserting once again that this other IP belongs to [someone] who lives in Delhi like her but is a totally different person – a malicious hacker.

Back to the software sale, Patricia booted her uncooperative “client” up to her boss. Kwiatkowski sent the guy test credit card numbers that were sure to fail payment processing.

Eventually, claiming bad eyesight, Kwiatkowski sent a “photo of his credit card” and told the caller to try inputting the number himself.

That was no photo of a credit card.

He’d gone into his junk email folder and found samples of the latest Locky campaign: .zip files with a script that downloads ransomware.

Kwiatkowski had already noted that the remote-assistance client was a two-way street: he could use it to upload to the scammer’s PC as well as to download.

He grabbed a piece of malware at random and uploaded it, telling the caller that…

Look, Dileep, I’m old and my sight is not so good. It’s starting to hurt, having to squint to read those tiny numbers. Also, we’ve established I’m no good with computers, how about you give me a hand here?

That was followed by silence, after which the caller said that he had tried to open it, but nothing happened.

The scammer was wrong, of course: there was indeed something happening.

In the background, a process was running to encrypt the files on the tech support scammer’s system. The only way to get them back: to buy the decryption key from the crooks via the dark web.

As of February, we were seeing prices to decrypt Locky-ransomed files that varied from 0.5 to 1.00 bitcoin, with one bitcoin being worth about $400/?280.

Kwiatkowski says he’s contacted the scammer’s ISP to report abuse, as well as their webhost and authorities.

He’s considering this a solid win in the war against tech support scammers and is recommending that others do the same, even listing a phone number to call.

But I’m not so sure. It’s a great story, but we don’t tend to give hip-hip-hurrays to people who inflict ransomware.

Do two wrongs make a right?

Let us know your thoughts in the comments section below.

In the meantime, if you’re wondering…

What to do?

• If you receive a cold call about accepting support – just hang up.
• If you receive a web popup or ad urging you to call for support – ignore it.
• If you need help with your computer – ask someone whom you know, and like, and trust.

In this case, when we say “someone you know,” we mean “someone you’ve actually met in person,” as opposed to just online.

You know that old truism that on the internet, nobody can tell you’re a dog? Just take out “dog” and substitute “Donald Trump himself,” “Justin Bieber,” or “legitimate tech support,” and that equation’s still solid.

In the case of PC technical support, especially to do with malware or any sort of cyberattack, don’t look for help online. In fact, if you use Bing, you can’t look online: in May, they threw out the whole lot of tech support offers, instituting a blanket ban on all online tech support ads.

Were there any babies in that bath water? Sure, probably. There might well have been legitimate tech support outfits that got banned from the search engine.

But how can you find them? Scammers have ruined it for everyone, turning that bath water into a toxic swamp.