We scam the Indian call centre scammers

The Indian call centre scam that warns users that their computers are infected is one of the longest running and most annoying Internet rackets. TechCentral’s Regardt van der Berg took one of the scammers for a ride.

At TechCentral, we get called on average at least once a week — sometimes far more often — by a friendly sounding Indian national warning us that our Windows computer is infected with a virus. The call, which originates from a call centre, follows exactly the same script every time. Usually we shrug them off and put the phone down, but this week we thought we’d humour them to find out how they operate.

It should be noted that the consequences of their actions could lead to financial losses for you and you may even lose important documents on your computer. In short, never, ever, let these guys have access to your computer.

As this week’s call came in, the first thing the “operator” at the other end of the line tried to establish was who was the owner of the Windows computer in the household. I’d taken the call. It was time to have some fun. I told the scammer that I was the PC owner. He proceeded to introduce himself as “John Connor”. I laughed quietly as I imagined Arnold Schwarzenegger’s Terminator hunting down this scamster in the streets of Calcutta. Perhaps he should have come up with a more convincing name.

“John” told me that my PC — along with my licence keys and personal information — was registered on their servers as being an infected device that was sending all my personal information out into the world.

He proceeded to tell me there were millions of users with the same problem and wanted me to believe his “company” was calling all of them to help disinfect their computers. He tried to sell his legitimacy by telling me that his company is a Microsoft affiliate called HelpnSecure.com. The website is clearly a front meant to make users feel more at ease.

This is where the scam starts getting clever, trying to fool unsuspecting users into believing that their computer is, in fact, infected with a virus. After I told “John” that I was sceptical, he proceeded to tell me that he would show me that my computer’s details were being broadcast to the world.

He asked me to jot down a number he said was my computer licence security ID, or CLSID. The number he gave me was 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. To prove to me that he was telling the truth, “John” asked me to open my PC’s command prompt window. He used layman’s terms and guided me through every step. Little did he know that I know my way around computers.

Once I had opened the command prompt, he told me to enter “assoc”. This command is usually used to display or change file extensions and their associations. At the bottom of the list the command generated, the number he told me to jot down earlier magically appeared and I gave a fake gasp of surprise when he pointed this out to me.

The average computer user would never know that the CLSID number is not unique to their PC. In fact, every Windows PC will display this number as it is associated with a Windows function called “Send zipped file to target”. I told the scammer that I was very worried and he proceeded to the next part of his scam — showing me how many dreadful viruses had made their way into my computer.
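As an added illustration (not part of the original article), the sketch below parses `assoc` output from two PCs and shows that the “ID” the caller reads out is a file-type association present on both. The sample output is constructed and abbreviated, and the `.ZFSendToTarget` extension name and helper function names are assumptions not taken from the article.

```python
import re

# Constructed, abbreviated samples of `assoc` output from two different
# Windows PCs; the last line is the one the caller points to.
HOST_A = r"""
.txt=txtfile
.zip=CompressedFolder
.ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
"""
HOST_B = r"""
.docx=Word.Document.12
.txt=txtfile
.ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
"""

GUID = re.compile(r"\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?")

def parse_assoc(output):
    """Return {extension: file type} from `assoc` lines of the form .ext=type."""
    table = {}
    for line in output.splitlines():
        ext, sep, ftype = line.strip().partition("=")
        if sep and ext.startswith("."):
            table[ext] = ftype
    return table

def extensions_for_id(output, claimed_id):
    """Extensions whose association contains the ID the caller read out."""
    wanted = claimed_id.strip("{} ").upper()
    hits = []
    for ext, ftype in parse_assoc(output).items():
        m = GUID.search(ftype)
        if m and m.group(1).upper() == wanted:
            hits.append(ext)
    return hits

def ids_common_to_all(outputs):
    """GUIDs present in every host's output, so not unique to any machine."""
    per_host = [{g.upper() for g in GUID.findall(o)} for o in outputs]
    return set.intersection(*per_host) if per_host else set()

if __name__ == "__main__":
    claimed = "888DCA60-FC0A-11CF-8F0F-00C04FD7D062"
    print("Belongs to file association:", extensions_for_id(HOST_A, claimed))
    print("Identical on both PCs:", ids_common_to_all([HOST_A, HOST_B]))
```
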

To do this, “John” asked me to open my PC’s “Event Viewer” window, which is accessible by entering “eventvwr” at the command prompt. The Event Viewer in Windows displays every event that happens on the computer and the notifications are just that, notifications. Every Windows machine will show numerous warnings and errors in Event Viewer, but these are harmless and log everything from a USB drive that was pulled out too soon to an application that failed to launch for whatever reason. It does not show computer infections, but to a casual computer user — the real target of the Indian scammers — these events could look very worrying.

Once we had established that my computer was “fraught with infections” and that all my personal information was being broadcast to the world, “John” went in for the kill. He told me that engineers were on standby to assist me. This is where things got a little scary and it’s here where you should probably put the phone down if you’re also going to take these jokers for a ride.

“John” asked me to go to Support.me, a remote access service similar to TeamViewer — a service also used for this scam — that gives the crooks the ability to access your computer remotely. As I would be able to see everything that they were doing, “John” tried to reassure me that they would be able to solve the problem and that I shouldn’t worry.

We have a spare PC in the TechCentral office that has been newly installed and that contains no personal information. I used this machine for the next part of the ploy. I installed the Support.me application and provided “John” with the access details.

Once his “support engineer” was connected, “John” told me that there would be a service fee that I’d need to pay in order for them to help me. Prices ranged from R1 999/year to R3 500 for three years, he said, using South African currency.

The “engineer”, who now had access to the dummy computer, promptly proceeded to open PayPal in a Web browser. He then asked me to log into my account or pay via the credit card function on the PayPal website. Knowing that things were getting serious, I tried to stall him, but “John” realised I was not playing along.

Windows' Event Viewer


As they still had access to the computer, the next move proved a little puzzling. But I realised later what “John” and his “engineer” were trying to do.

Because I did not furnish my PayPal or credit card details, the scammers turned nasty and proceeded to my documents folder. I saw the engineer poking around in some folders, but I promptly disconnected the office Wi-Fi connection. After some research, I found out that they’ll delete system files and users’ personal documents.

Fortunately, I disconnected before they managed to delete files on the dummy PC — not that there was anything of value for them to delete.

If I had entered my credit card details or logged into my PayPal account, the scammers would have undoubtedly logged my details and stolen money as quickly as they could.

This scam can have serious repercussions, but considering the frequency of calls we get in the office, those behind it must have a reasonably high success rate.

So, if you get a call asking if you are the owner of the PC, just put the phone down. Or, if you’re tech savvy, why not have a little fun with them like I did? These crooks belong in prison, but there’s no harm in stringing them along provided you exercise due caution. In fact, it can prove quite entertaining if you have a bit of time to kill.  — © 2014 NewsCentral Media


  • KeithJ

    A recent call:

    Scammer: “We have detected a virus on your computer from someone who has been regularly hacking it, and they are stealing your personal information from your disk.”
    Me: “Oh dear. A virus? That sounds bad. What can I do?”
    Scammer: “Don’t worry, we can help you. First, turn on your computer.”
    Me: “Ok, it will take a while. It’s a bit slow because it’s quite old” Then after 5 minutes of saying “it’s nearly there”: “Ok, it has booted up now. What next?”
    Scammer: “Can you see the Windows key? Press that.”
    Me: “What is the Windows key?”
    Scammer: “It’s got a picture of windows on it.”
    Me: “What shape windows? Round? Square? Arch shaped?”
    Scammer: “Square.”
    Me: “I don’t have one of those.”
    Scammer: “Ok, just click on the Start button instead.”
    Me: “Where is the Start button?”
    Scammer: “It should be at the bottom of the screen. Do you have windows 8?”
    Me: “Ok, I’m pressing the On-Off button… Now!”
    Scammer: “NO NOT THAT ONE”.
    Me: “Oh! The screen has gone black!”
    Scammer: “Ok, just turn the computer back on.”
    Me: “Alright, it will take a while. It’s a bit slow because it’s quite old” Then after 5 minutes of saying “it’s nearly there”: “Ok, it has booted up now. What next?”
    Scammer: “Press the Windows key?”
    Me: “I still can’t see a Windows key.”
    Scammer: “No, Ok. Can you see the start button now?”
    Me: “I can’t see a start button. What should I see?”
    Scammer: “Unless you have Windows 8 you should see a start button at the bottom of the screen.”
    Me: “No, all I can see is ‘D:>’ at the top of the screen.”
    Scammer: “Have you pressed F8 when you started up?”
    Me: “No, why?”
    Scammer: “It doesn’t matter. You must be already in the Command box. You do have Windows, don’t you? Are you connected to the internet?”
    Me: “Windows? No, I can’t be doing with that new fangled nonsense. I’m running DOS 3.2. And what’s ‘the internet’?”
    Scammer: Silence, then “f*** off you white ****!”
    Me: “Goodbye. Thanks for your call.”

  • TR M

    My fav reply is to pretend I’m whispering to someone else “Get the other phone and have the cops trace this call. It’s the scammers” then keep them on the phone as long as possible without ever giving them access to anything.

    Another is to do the Cheech and Chong routine “Sorry man, windows isn’t here. I’m totally Mac”.

    Lastly I tell them I work for Microsoft and if they know what is good for them … hello, hello

  • modern.ie
  • MOV AX , 0xffff

    Indians….Lol

  • irkitated

    I feel like you’ll enjoy this website!! They bait scammers and have fun with them, then post the results on their forum. Some of them are truly brilliant!

    http://www.419eater.com/

  • http://www.letsgethighandmarrygaypeople.com/ Gregory S. Balchin

    shut up vegan, the grown ups are talking

  • Ross Banick

    There is a guy on USENET yesterday who kept them on for a half hour, and he uploaded his record of the conversation to alt.os.linux. The “victim” was on Linux, so, he was able to do everything in VM, so there was no danger (other than to his VM). The Indian support caller turned nasty at the 20 minute mark, and swore like a sailor for more than two full minutes but then turned nice and tried for another 10 minutes. It was hilarious. https://app.box.com/s/0yluyszg1qj2l83ynbm2

  • k sterner

    I used to play with them and it was fun. Then the last time when I started pretending to be cooperating and it got obvious, he told me he was going to “f@#$ me in the a$$” and got all explicit on me and it wasn’t fun anymore.

  • Christine Bauman Romahn

    I just got scammed by these people, and now am terrified, and don’t know what to do?

  • Dustin Horne

    Immediately change your account passwords for one.

  • Dustin Horne

    I haven’t gotten a call from these guys yet but I think I’m going to spin up a VM and have it ready when they call. As a developer, I think I’ll also write a nice little app that masquerades as a virus and pretends to be installing itself to the machine of the connected party. ;)

  • ranger@mybroadband

    You should probably re-install it just to be safe.

    It might be better to use an isolated virtual machine next time (either a snapshot, or a VM you have a copy of).

  • paulinesheakey

    One call I got, I was told to “F you” … seems they don’t like being ‘found out’ :)

  • LamiaLove
  • Madan Raja

    The reason I read this post with great interest was to find out how you ‘scammed’ this SOB. Something you did which would force him to rethink doing anything wrong again in his life. But, if using up his few precious minutes was scamming, then I would say your time was more valuable than this asshole’s time.

    I hate such folks, trolls who post stupid comments everywhere, who mess up my NFL mock drafts just for the sake of it (yes, I think I am slightly mentally disturbed). So next time you make me read your article, please make sure you did something.

  • SteveALee

    I recently decided to scam them back and used my Linux desktop. It took them ages but they still cheerfully found a remote access that worked. When it came time to fill in the card details I wrote a rude message and said something about wasting their time for a change.

  • PlayTOE

    I get these calls and always tell them my computer uses windows 3.1. They eventually get discouraged and begin swearing.

  • CD

    Help! I got scammed by this.
    What should I do next?!?

  • CD

    Me too….
    Do I need to have someone look at my PC to remove anything they may have put on it?

  • Mac816

    I decided to have some fun with these guys one day, so I played along, but when we got to running the Event Viewer nothing showed up, since I have it turned off. That threw him for a loop. When I then informed him that he’d next tell me to give him control of my computer, then try to sell me some expensive software that I didn’t need and that I was well aware that his company wasn’t affiliated with Microsoft, he got quite flustered.

    The killer was that I called him “Apu” after the Simpson’s character from India who runs the Quickie Mart during our entire conversation, despite him claiming to have some American sounding name, and he STILL bulled ahead following his script!

    When I told him I’d recorded the entire conversation (which I HAD) he promptly hung up.

    Sadly they called me twice today while I was trying to NAP! Time to ditch the land line!

  • Wing Wong Wu Leroy Patel Smith

    I screamed at the little shit with every obscenity I know as many of my elderly customers have been duped before. This guy was nearly in tears and hasn’t called me back for any reason since. Be nasty, very nasty they are trying to rob you.

  • Wing Wong Wu Leroy Patel Smith

    Speak to card company if you typed your details, change any PC passwords and check for LogMeIn in the add/remove programs. If you’re still worried, get someone to do a check of your PC health, not any Indians though

  • lord cheeseburger

    Now you’re assuming the machine wasn’t wiped effectively. The only persistent locations to store malware are in BIOS or a hard drive. They’re the only non-volatile storage locations on a computer. Whether a virtual machine was used is irrelevant either way.

    If you’ve never seen wireless systems logically separated then you really have no business commenting on this article. It’s really simple, WAP is trunked into switch, SSIDs are mapped to multiple VLANs and the only gateway is a firewall.
