Global IT Support Telephone Scam

Sometimes we get these scam phone calls ourselves, and it gives us a chance to examine their current approach.

Thursday, 9th August 2018, incoming call on my mobile from 02 6734 6767

  • Happy to answer these calls because I can block them if they are nuisance calls
  • In this case, trying to call back gives a "not connected" message
  • Clearly the call is coming from overseas and they have somehow got access to an Australian number to make the call seem legitimate

Hello, I am calling from Global IT Support

  • Yeah, right....

We have identified that your computer has been compromised by hackers and we are calling to assist you

  • Why, thank you, I said with a welcoming smile
  • A kind response does encourage them to jump in with both feet

Please hold down the Windows key and press the letter R

  • This is the known shortcut for the Windows Run command

Please type in the letters CMD and press the Enter key

  • This step opens the Command Prompt window, what we used to know as the DOS prompt
  • This allows system commands to be easily typed and run

What can you see?

  • I can see the Windows version (10) and a prompt containing my username

Please type in the letters ASSOC and press the Enter key

  • This runs the Windows system command assoc which is hardly ever used except by programmers and scammers!

What does the second-last line start with?

  • ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

I will now confirm the product key which you can see on your screen

  • He then reads out the alphanumeric expression within the brackets
  • This step is designed to convince me that they have identified my computer precisely, which is why they have called me
  • In actual fact, they have called me randomly, and the above expression (a CLSID, not a product key) is the same on pretty much all Windows computers
  • So it's a pretty good trick: the average user could not possibly know the expression is found on most computers

Please hold down the Windows key and press the letter R again

Please type in the letters MSCONFIG and press the Enter key

You can now see several tabs, please click on the tab marked "Services"

You will see that some are running and some are stopped

  • This is quite normal

Are there more than 20 which are stopped?

  • The scammer knows this is quite likely
  • I report that there are about 50 services which are stopped
  • The scammer is delighted with this statement

Do you see the "Enable" button?

  • Yes I do

Is the "Enable" button "washed out"? (he means greyed out, but close enough)

  • Yes it is

Oh my golly goodness (OK, I made this bit up but he was Indian!) this is the work of the Cyber Hackers

They have stopped a large number of your services and you cannot re-enable them

We will fix this for you

Please hold down the Windows key and press the letter R again

Please type in the expression "www.gg.gg/technician" and press the Enter key

  • The "gg.gg" part is a bit odd, but www.gg.gg is a legitimate website which shortens URLs (web page addresses)
  • You can safely browse to the web link above and no harm will befall you
  • You will simply be prompted to download and save the TeamViewerQS remote access software
  • Again, this is legitimate remote access software; we use it ourselves to provide technical support to our customers

Please download and run the file

  • I am not sure I should do this, I have heard it is not safe to download and run files from the internet

It is OK sir, there is no problem

  • So I download and run the file which installs TeamViewerQS
  • This is when the fun starts; there is no way I will let them log in to my computer!
  • So up pops the TeamViewerQS Remote Access window
  • The window has two numbers in a large font
    • Your ID: a unique number which identifies your computer to the scammer
    • Password: which they need to gain access to your computer

What is Your ID?

  • 1 235 347 991 I say (it's not true though, the actual number on my screen was 1 235 347 919)

I am sorry sir that is incorrect

  • Well, I am just reading the number off my screen

Please tell us the correct number!

  • He is getting a bit toey now
  • I tell him I am reading the number which is on my screen
  • I know that when they type in the wrong number at their end it gives an error
  • So I tell them perhaps I should take my computer to my local computer repair shop

Oh no sir, we can fix the problem for you

  • Are you sure, it might be just easier to take my computer to them

No sir, they will not be able to fix it

  • I am pretty sure they would; perhaps they can help me fix the problem you have connecting to my computer?

<Click>

That's it, they lost interest

OK, even though I had a bit of fun with them, this is a deadly serious business. Just last week we had a customer scammed out of $38,000 (yes, this is not a typo) because he allowed the scammers (fake Telstra support this time) to log in to his computer. While they were logged in to his computer, he logged in to his bank account and paid $10 for postage for the new modem they were going to send him. That $10 payment was duly authorised with two-step verification, but nek minnit his screen went blank and they proceeded to transfer ever-increasing amounts of money to the same payee until the bank said stop. It happens because once you are convinced it really is Telstra, you are likely to be done like a dinner. Our job is to call out the scams and alert our customers, because the knowledge that this can happen (and is happening locally) is the best defence. Please contact us if you would like additional information.
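
A defender's view of the call described above, as an added example that is not part of the original post: the caller's steps leave a recognisable trail in process-creation logs (Command Prompt and System Configuration opened from the Run dialog, then a quick-start remote access client run from Downloads). The event layout, host names, user names, the 30-minute window and the file-name prefix list are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)            # assumed correlation window
PREP_TOOLS = {"cmd.exe", "msconfig.exe"}  # opened via Win+R, so the parent is explorer.exe
REMOTE_PREFIXES = ("teamviewerqs",)       # assumed file-name prefixes; extend as needed
# Note: assoc is a cmd.exe built-in, so it never appears as its own process.

# Constructed sample events: (time, host, parent image, image). Host names are made up.
EVENTS = [
    ("2018-08-09T10:01:10", "PC-HOME", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ("2018-08-09T10:04:30", "PC-HOME", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msconfig.exe"),
    ("2018-08-09T10:09:05", "PC-HOME", r"C:\Program Files\Browser\browser.exe",
     r"C:\Users\sam\Downloads\TeamViewerQS.exe"),
    # Planned support session: remote tool only, no Run-dialog preparation.
    ("2018-08-09T11:00:00", "PC-OFFICE", r"C:\Windows\explorer.exe",
     r"C:\Users\kim\Downloads\TeamViewerQS.exe"),
    # Same tools, but hours apart: outside the window.
    ("2018-08-09T09:00:00", "PC-LAB", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ("2018-08-09T09:01:00", "PC-LAB", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msconfig.exe"),
    ("2018-08-09T14:00:00", "PC-LAB", r"C:\Windows\explorer.exe",
     r"C:\Users\lee\Downloads\TeamViewerQS.exe"),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_remote_tool_from_downloads(image):
    return "\\downloads\\" in image.lower() and basename(image).startswith(REMOTE_PREFIXES)

def find_scam_sequences(events, window=WINDOW):
    """Return (host, time) for each remote-access launch preceded by both prep tools."""
    seen = {}    # host -> {tool name: time it was last launched from explorer.exe}
    alerts = []
    for ts, host, parent, image in sorted(events):
        when, name = datetime.fromisoformat(ts), basename(image)
        if basename(parent) == "explorer.exe" and name in PREP_TOOLS:
            seen.setdefault(host, {})[name] = when
        elif is_remote_tool_from_downloads(image):
            recent = seen.get(host, {})
            if all(t in recent and when - recent[t] <= window for t in PREP_TOOLS):
                alerts.append((host, ts))
    return alerts

if __name__ == "__main__":
    for host, ts in find_scam_sequences(EVENTS):
        print(f"{ts} {host}: Run-dialog tools followed by remote access client from Downloads")
```

Only the first host is flagged; a remote access client on its own, or the same tools hours apart, does not match.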