I was doing coding on my home machine when the phone rang. The Caller ID said “Out of State”. When Caller ID comes up like that, I know the call will not be to my benefit.
I answered the phone and there was a 30-second delay before someone spoke on the other end. I like to imagine that I was called by an ED-209 and it’s cycling down and that’s why there is a delay.
“Hello this is Andy from Windows, we have reported a security report with your computer. You have a virus and we are calling to fix it.”
Ok, this is the start of a scam. The right thing to do here is to just hang up. Don’t engage these idiots.
So I decided to play along. I was testing some code that I had written with a virtual machine of Windows 7 running. I had a few brain cycles to waste while I was working. This is what I replied back with:
Me: “Oh no, what happened? How do we fix it”
Andy: “We are from Windows, we received reports of malware running and you need to fix it”
Me: “Ok! What do we do?”
Andy: “Can you go to your computer? Take your time, I can wait.”
Me: “I’m sitting right in front of it now”.
Andy: “Please go to the computer”
Me: “I’m already at the computer. Take your time figuring that out, I can wait”
Andy: “Look at your keyboard. On the left side there is a button spelled C-T-R-L. Do you see that key?”
Me: “Yes, I do”
Andy: “What is on the key to the right of the CTRL key?”
Me: “It has a window on it. I love this key. It lets me do things”.
Andy: “Ok, I need you to press that window key and while holding it down, press the R key and then let go.”
Me: “Ok, I did it”
Andy: “What do you see?”
Me: “Solitaire”
Andy: “What did you say?”
Me: “Solitaire just started”
Andy: “That should not happen”
Me: “Oh no, is that the virus?”
Andy: “Yes that is your virus. Please close Solitaire press the window key then the R key”
Me: “Solitaire!”
We repeat the Win-R shenanigans a few more times, then I tell him that the Run dialog came up.
Me: “A window named Run just came up. Is that the virus?”
Andy: “No, that is not the virus. What does this window have on it?”
Me: “The name of the program, folder, document, or Internet weasel, and Windows will open it for you.”
Andy: “Do you see a space panel next to the word open?”
Me: “A SPACE PANEL? Did NASA install a virus on my PC?”
Andy: “No, NASA did not install a virus on your PC. It’s a box that you can type text into”
Me: “Do you mean the drop down combo box?”
Andy: “Yes, please type eventwr into the panel”
Me: “It started solitaire again. Is this the virus?”
Andy: “Let’s try this again...”
Andy walks me through launching the Windows Event Log Viewer. I had an idea of what he was going to do next, so I decided to ramp things up…
Andy: “What do you see now?”
Me: “It says Event Viewer”
Andy: “Great! Now we can show you evidence of the malware on your PC. On the left side of the Event Viewer, you should see Event View Local. Can you read to me what is listed under that?”
Me: “Custom Views, Windows Log, Application and Services Logs, Subscriptions, Pizza”.
That threw Andy and he made me repeat that list twice. But that didn’t stop Andy…
Andy: “I want you to left click Custom Views twice, quickly”
Me: “Ok! Did this fix the virus?”
Andy: “No, this will show you that you have a virus. You should see some text underneath Custom Views. Please read them to me.”
Me: “Cisco, Waffle, Administrative Events”
Andy: “Please click twice on Administrative Events. Now you will see the virus activity. Did you click on it?”
Me: “Yes, I did. No virus here! Yay!”
Andy: “No, do you see the red error messages? That’s from the virus”
Of course you would see error messages with the red icon in the event log. It wouldn’t be Windows if some app or service wasn’t complaining about something. But I was going to make him work a little harder…
Me: “I don’t see any error messages”
Andy: “What? There must be something there”
Me: “Nope”
Andy: “What does it say at the top?”
Me: “Administrative Events and the Number of events is zero”
Andy is a trooper and continues on. He has me click on the Application Log under Windows Logs. There’s always an error or two there. I play dumb and tell him that there are only information messages.
Andy: “Read me what it says for the first one”
Me: “The disk fragmenter successfully completed defragmentation on C:”
Andy: “That is your virus. We can fix you. You need to go to our website and we can fix it from there. Do you know which web browser you have?”
Me: “Yes, I have the Internets. It’s running now”
Andy: “What do you see on your Internet?”
Me: “This page could not be loaded”
Andy: “You have to have Internet or we can’t help”
Me: “I have Internet, I can get to the Bing”
Andy walks me through how to identify the address field and asks me to type in http://www.support.me. That page will redirect to a LogMeIn page. LogMeIn is not part of the scam, but they provide tools so that support people can take remote control of your PC to fix problems. That’s usually a good thing. Just not in this case.
So that tells me that they are going to take over my PC remotely. Even though I’m playing with a virtual machine, I’m still not going to let that happen…
Andy: “Do you see the start download button?”
Me: “No”
Andy: “What do you see?”
Me: “Technology Support for a Connected World”
I was on support.com and we played the random url game for a minute. I then went to www.support.me
Me: “I keep going to www.support.me, but it keeps going to LogMeIn Rescue. Is that the virus?”
Andy: “No, that is the tool we use to fix your PC. You see a place to enter a code? I need you to enter that code” [Andy reads a 6 digit code to me] “and press the download button”
Me: “It doesn’t work”
Andy: “What? Please try it again, you maybe typed it wrong”
Of course I was typing it in wrong. I was following the universal programmer’s rule of typing in all “9”s and hoping that it was an invalid code. It came back as invalid and with an error message.
Me: “It says Code does not exist. Please contact your support provider.”
Andy: “OK, I get you another code”
Andy gets another code and I report back that I get the same message. I can hear some tension in his voice now. He’s so close to taking over my machine. Andy tells me that he is putting his support manager on the line. I go through the same process with both codes with the new guy. He gives up and says that I am being transferred over to his IT guy. This guy does the same bit and coughs up a 3rd code. I drive this guy nuts by repeating the numbers back to him transposed. He gets annoyed and hangs up on me.
So I click the “Report Abuse” button on the LogMeIn page and call the number listed on that page. After a remarkably short time on hold, I get a friendly CSR on the line and I start telling her what happened. She asked if I was given a 6 digit code. I told her that I had three of them. She asked how I got three and when I explained that I kept repeating the error message, she started laughing and said that I had made her day.
The end result was the accounts that these scammers had opened with LogMeIn have been burned and the LogMeIn people are going to look into how they were registered. Did I stop these people? No, they’ll just open some new accounts. But I did waste their time. The time spent trying to get me to play their game meant that one less person was targeted by them today.