This post may take a few days, so keep coming back!
Some background first. I repair computers, and a few customers (3 or 4) have been hit by the “Windows Corporation” scam, where a thief rings up with a very Indian accent but a very English name, claiming to be from the Windows Corporation, or Microsoft, and tells the victim that their PC has been infected with malware, is busy infecting others, and other bad things. Most people are not taken in by this, but some customers get confused: maybe they have just seen an adware or malware message on their PC, or have just changed email addresses, or are not well at the time, and they are taken in to some extent. Most don’t actually pay these thieves any money, claiming not to have a credit card, to be housebound, etc. But by the time they get to this stage, the damage has been done. Next time they log on, the system asks for a Startup Password, which of course they don’t know. Soon after, they get the second call from the thieves telling them what has happened and how much they have to pay. Fortunately for some, they call me rather than pay the thieves. I have a couple of effective solutions for unlocking the ransomed PCs in this case, and it normally takes just 30 minutes to undo the damage.
Strangely, I am also on every single list there is for these people, and I get several phone calls a week from similar callers. Because my home phone is forwarded to my cellphone, I can ignore them most of the time, but occasionally I get to the home phone in time and field the call. At first I called them names, or led them on and then told them they were stupid and hung up, but more recently I have decided to find out more about the scam and have been actively using the calls to get more information. It takes a good 30 minutes of my time, but some days I can spare it! To this end I have a “disposable” PC set up with nothing on it, which has no access to the rest of my network.
So, how do these calls go?
The opening blurb is much the same: the caller introduces themselves with an English name (Jack Dawson was the latest, and the technician was Will Harris or something similar). They tell me that my PC has been monitored, has malware infections, and has been doing all sorts of things, all of which are bad. This is designed to scare and confuse.
I am told to get to a PC and switch it on, and pestered until I say it is on. In the meantime, they are asking questions about who uses the computer, how old it is, and whether I use it for secure applications, such as banking, shopping etc.
When the computer is going, they ask which key is at the bottom left of the keyboard, and then which key is next to it. They are obviously finding out whether the keyboard has a Windows key, but depending on the answers they could also be gauging the level of knowledge of the victim.
When answering these questions I have been a bit silly in the past. If I want to trap these people better, I need to pretend I know nothing about computers, but that I do internet banking with three banks, manage my stock portfolio and keep my bitcoin wallet on there!
Anyway, once they know the keyboard layout, the fear and confusion continues. I am told to press the Windows key and hold it, then press the “r” key, and am asked what I see on the screen now. What you see, of course, is the Run dialog box, and I am then asked whether the box on it is empty.
The thief then asks you to type in, one letter at a time (e for elephant, v for victor, e for elephant again, etc.), the word “eventvwr”, and as with all the steps below, I am asked what I see now.
From here I am told to click on Custom Views in the left pane, then Administrative Events in the middle pane, and am asked what I see, which of course is red exclamation marks and yellow warning triangles with hundreds of errors. When I admit I don’t know what these are, they are described in gory detail as errors caused by all the bad software on my PC, and I am told how only they can fix it. This spiel can take many minutes!
So having agreed that this is very bad and should be fixed, the thief offers to fix them for me. OK says I, let’s do it!
So, Windows+R again, and www.1234computer.com in the white box. I have complained to the powers that be about this website, so it may be something different when you get your call! Of course this starts up a web browser with a quite sophisticated web page on it, very little of which actually works. At the bottom of the page are four flashing buttons labelled Server One, Two, Three and Four. Clicking on Server One starts a download of TeamViewer. All this is accompanied by comforting words about how normal it all is and how it will help get rid of the malware.
TeamViewer is a legitimate application, used to give people you trust access to your computer so that they can fix errors on it, etc. Some computer technicians use it a lot rather than travel to customers’ sites. Personally, I like the personal interaction occasionally. However, when thieves and scoundrels get access through it, they can do so much bad stuff to your PC.
The other three buttons are links to alternatives to TeamViewer, such as Supremo, ShowMyPC and AnyDesk. Other web pages, such as AMMY.COM, carry the same links.
So OK and Download are clicked as requested, and TeamViewer downloads, installs and runs for the first time, all with no further intervention. After I describe what I see, it is explained that I am going to give their technician access to my computer.
This is the clever bit. I thought they would ask for the Partner ID and password shown on the left of the TeamViewer screen, but what they actually do is give the victim the Partner ID and password generated by TeamViewer on their technician’s PC. Now this would normally give me control of their computer, but a menu appears at the top of the screen, and I have to select/click the “Switch sides” button, which then gives them access to my desktop. At this point I am handed over to a technician on the phone.
The technician starts by repeating the eventvwr demonstration, adding technical confusion to what the first guy said. He then uses Windows+R and types in “inf”. This displays the contents of the \windows\system32\inf directory, which I had never seen before. He then asks if I recognize any of these folders and files, to which I answer, honestly for the first time, “No”. Finally, he brings up a list of services, and explains that some of these services are stopped. Yes, I agreed. He then asks me to scroll down and see how many there are. I declined, saying I believed him, but then he came over all “school teacher”-ish, and insisted I scroll down through the list and count them one by one out loud! I gave him a not so small piece of my mind about what I thought he could do with that idea, which he accepted and moved on from.
Now, while he continued to talk about malware, stopped services, etc., once again I saw the Run dialog appear, and the word syskey typed in. Syskey would normally allow him to encrypt a very important part of the file system and add a password to the encryption, so that the computer will not start without the password. Unfortunately for him, I recently upgraded this PC to the very latest version of Windows 10, the Fall Creators Update, aka 1709. 1709 has many improvements, but an interesting one is that SYSKEY no longer works on this version of Windows! I watched him try a few more times in obvious confusion.
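As an added example (not code from the original post), here is a small detector for the sequence described above: a remote-access tool starting on the PC and syskey.exe being launched shortly afterwards by the same user. The log line format and the sample entries are constructed to resemble exported Sysmon process-creation records; the field names and timestamps are assumptions, not from a real capture.

```python
# Added example, not from the original post. Correlates a remote-access tool
# start with a later syskey.exe start in constructed process-creation log lines.
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ProcessCreate "
    r"Image=(?P<image>\S+) User=(?P<user>\S+)$"
)
# Remote-access tools the scam page offers for download, per the post.
REMOTE_TOOLS = {"teamviewer.exe", "supremo.exe", "showmypc.exe", "anydesk.exe"}

# Constructed sample: an admin running syskey legitimately on the 11th, then
# the scam session on the 12th (TeamViewer download, syskey half an hour later).
SAMPLE_LOG = """
2017-11-11 09:12:00 ProcessCreate Image=C:\\Windows\\System32\\syskey.exe User=HOME\\admin
2017-11-12 14:03:22 ProcessCreate Image=C:\\Users\\alice\\Downloads\\TeamViewer.exe User=HOME\\alice
2017-11-12 14:31:10 ProcessCreate Image=C:\\Windows\\System32\\syskey.exe User=HOME\\alice
""".strip().splitlines()

def parse(lines):
    # Lines that are not ProcessCreate records in the assumed format are skipped.
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "exe": m["image"].rsplit("\\", 1)[-1].lower(),  # basename only
            "user": m["user"]})
    return events

def find_ransom_pattern(lines, window_minutes=60):
    """Return (tool, tool_time, syskey_time) for each syskey.exe start that
    follows a remote-access tool start by the same user within the window."""
    window = timedelta(minutes=window_minutes)
    events = sorted(parse(lines), key=lambda e: e["ts"])
    hits, recent_tools = [], []
    for ev in events:
        if ev["exe"] in REMOTE_TOOLS:
            recent_tools.append(ev)
        elif ev["exe"] == "syskey.exe":
            for tool in recent_tools:
                gap = ev["ts"] - tool["ts"]
                if tool["user"] == ev["user"] and timedelta(0) <= gap <= window:
                    hits.append((tool["exe"], tool["ts"], ev["ts"]))
                    break
    return hits
```

The legitimate admin syskey run is not flagged because no remote-access tool preceded it; on 1709 and later the point is moot, but older machines still benefit from the check.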
In the meantime, the voice changed again, and I started to get the hard sell: they would repair and maintain my PC for a payment of just $400-odd, and how would I like to pay? I was going to go through the process and pull out at the last minute, or give false credit card details, when I realised I would be wasting my time: because they had no leverage over me (they could not hold my computer to ransom), they would just give up and not ring back. So I switched off the router and hung up before they got malicious and started deleting files, etc.
So the anatomy of a scam is not complete; I need to take it to the point where they think they can ransom my PC, i.e. where SYSKEY was successful.
I have two options. Firstly, I just finished building up a Windows 7 Pro PC from a cast-off by a local business, and I could sacrifice that, allowing them to really use SYSKEY and lock it up. I would have no problems unlocking it.
Secondly, and much more fun, I have developed a Windows application that exactly mimics the windows and navigation flow of the SYSKEY application. This took a few hours of development; it is just two screens and a couple of message dialogs, with radio buttons and buttons to navigate by. The main difference is that instead of encrypting the SAM hive file and adding a startup password, it just records the password in a text file. There is no real indication that it is not the real thing.
This program has been compiled into an .exe file, and it is just placed into the c:\windows\system32 folder, where it will run just like the real thing. Download a copy of the fake syskey in zip format here. Of course you could use this to replace the real syskey on any computer: just back up the original and replace it with the fake. You will need a folder c:\secret to store the password file in, otherwise the program will fail with a suspicious error message. Test it before you use it for real, to make sure Windows allows it to run, but set the password to spaces before letting a scammer loose on your PC.
This program displays the password if you need to demonstrate it to a scammer, all in the spirit of good fun of course. I leave it on the desktop; if no password exists it doesn’t do much, and if one does exist it shows it.
So now I am just waiting for the next call!
I watched a video recently about scam baiting (one of thousands out there), and I am pretty certain it was the same guy I dealt with: same script delivered in the same way, same web site, and the same method of using TeamViewer. The scambaiter didn’t click on the Switch sides button; instead he clicked on Actions/Disable remote input, then attempted a syskey on the scammer. The scammer was immediately suspicious and disconnected the connection to his computer pretty quickly (I would switch the router off – by far the quickest option). I just tried it on my workshop machines, and if you worked really quickly you might just get away with it; the trick is to say the right things while you are doing it, as the scammer can’t see what you are doing, but neither can he move his mouse or use his keyboard. Maybe something along the lines of “Hey, my TeamViewer has locked up, how about yours?”. Maybe I will try that in subsequent calls, or maybe after they have attempted a syskey on me!