My home phone rang this afternoon just as I had finished watching Sherlock: The Abominable Bride - it was very good. I sighed and got off the couch; it could only be one of two things, my parents or scammers. It was the latter. An Indian accent informed me that they were from Telstra and they needed to fix my machine because it had an issue. I was bored, so I decided to go along with it. I booted a Windows machine at home, while logging into AWS and creating a new Windows instance in case things got interesting. At the very least the time they spent trying to do stuff to me would mean they weren’t scamming real people.
Step 1 - run some commands.
They wanted me to run a few commands on my machine so they could prove that they were Telstra; this was an interesting move. They asked me to start a command prompt (using Win+R then typing cmd) and then type assoc. This lists out a bunch of random looking things on the screen, including a few entries with ‘CLSIDs’ in them - long GUIDs which are well known, and the same on every machine.
That long one, third from the bottom, can you see it?
I had to make up some excuses here, I hadn’t yet gotten into my Windows machine, and the AWS instance wasn’t ready - I was just telling him what he wanted to hear while I waited for things to happen.
Eventually I knew what he was after and let him rattle off a long GUID that ‘proved’ that he was from Telstra, as only they would know what the ‘Client Secure ID’ was on the SendTo entry. This is of course identical on all Windows machines since Windows 7.
Step 2 - you have so many issues.
Now they asked me to type e for everyone, v for something starting with v, e for … seriously, they did that for every letter … when I worked out they wanted the Event Viewer I asked, do you want me to open the Event Viewer?
Had I gone too quick? Did they know I knew what I was doing? Had I ruined it all? I was still on my home machine - there is a 4 minute delay in getting the password for a new AWS instance, and it wasn’t ready yet.
Yes, please going into the event viewer.
I clicked around and they asked me to go into Custom Views -> Administrative Events.
Look at all the red and yellow warning icons, you have very many issues. We need to fix all the corrupted files, this is very bad.
Ok, how do I do this? Can you tell me please how to fix this?
Step 3 - Team Viewer install.
Now that I had them convinced that I was convinced that I had (computer) issues, and that they were going to help me fix them, I asked what I needed to do. They directed me to type in www.teamviewer.com into the command prompt - again w for water, w for water, w for water, dot, t for tree …
I loaded the site on my Mac - still waiting for the password for the new AWS virtual machine - just so I could tell them what was going on, so they thought I was still hooked. I downloaded the client and said it was taking a long time, slow internet. I could hear the caller speaking to someone off in the background, complaining it was taking a while.
Right, now I needed the AWS machine; they were asking for the client ID to connect to and the password, and I had neither.
Ohh dear, it is asking to reboot my machine - it says it installed updates and needs to reboot right away.
A Windows machine installing updates and needing a reboot? The sky is still blue.
OK, ok, please let me know when it is done and ready so I can fix your machine.
*Finding key pair to get AWS password*
*Copying complicated password to Mac RDP client*
It is very slow coming up.
How old is this computer?
It is a few (seconds) years old.
Right, I was good to go: launch IE, go to the Team Viewer website, download the client - add the site as trusted, because of Protected Mode in IE on Windows Server (2012 R2), attempt the download again, add a second content cache mirror because it had refreshed while I was adding the site to the trusted list, download, install.
OK, I have the connection ID and password.
OK, ok, we will connect your machine to the Telstra repair machine to repair your machine, what is the connection ID?
Some numbers
What is the password?
A few numbers
OK, ok, ok, in a moment you will get a box, it is a warning about hackers and people trying to steal your information, you must be very quick and click trustworthy in the bottom right of the box, you have 5 seconds, it is in your hands, you must click trustworthy very quickly, only 5 seconds, it is in your hands.
I don’t see it.
It will be there, trustworthy, otherwise bad things might happen, this is in your hands, you must be very quick, you have 5 seconds.
They didn’t want you to read the warning message the Team Viewer client displays explaining that the incoming connection could be scammers or hackers trying to steal your information and take over your computer.
It is in your hands, you have 5 seconds, you must be quick, click trustworthy, it is in your hands.
I clicked trustworthy.
At this point the caller started complaining that my machine was very slow - yeah well, it was only a micro instance, so it wasn’t going to be very fast, was it.
I had to click trustworthy a few more times, and then the connection was completed, and they had control of my mouse and keyboard.
Step 4 - backup scam.
The first thing they did when they connected was open a run window and type syskey.
They typed in an unknown password - effectively locking my machine out of booting - and clicked OK. If I had more time I would have installed a keylogger to capture everything they did.
I ignored this and let them do their thing. They opened IE and Googled google chrome. Clearly even scammers need a proper browser.
This is when they hung up the phone. They were connected and had control of the machine; they also had the key for booting the machine - a backup should you disconnect them when you realise they are just scammers. They did this VERY quickly. Clearly this is important and they’ve done it all before.
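The syskey step is the part of this call a defender can actually alert on: syskey.exe has almost no legitimate interactive use, and Microsoft removed it from Windows 10 and Windows Server starting with version 1709, so on an older box like the Server 2012 R2 instance above a launch of it is a strong signal on its own. The following Python is an added example, not code from the original post: it runs over constructed, simplified process-creation records in the shape of Windows Security event 4688 (the pipe-delimited format and the REMOTE_TOOLS list are assumptions for the example) and raises the severity when a remote-support tool started shortly before syskey.exe, which is exactly the sequence described in this step.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log in a simplified pipe-delimited rendering of Windows
# Security event 4688 (process creation). Fields: time | event id |
# new process | creator (parent) process | account. These lines are invented
# for this example and are not from the original post.
SAMPLE_LOG = """\
2016-01-03T15:41:02|4688|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\explorer.exe|Administrator
2016-01-03T15:42:10|4688|C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe|C:\\Windows\\explorer.exe|Administrator
2016-01-03T15:43:30|4688|C:\\Windows\\System32\\syskey.exe|C:\\Windows\\explorer.exe|Administrator
2016-01-03T15:44:05|4688|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|Administrator
"""

# Assumed set of remote-support tool image names; extend it for your environment.
REMOTE_TOOLS = {"teamviewer.exe"}


def parse_events(text: str) -> List[Dict]:
    """Turn the pipe-delimited records into dicts, keeping only 4688 events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, new_proc, parent, user = line.split("|")
        if event_id != "4688":
            continue
        events.append({
            "time": datetime.fromisoformat(ts),
            "process": new_proc,
            # image name only, lower-cased, so path and case differences don't matter
            "image": new_proc.rsplit("\\", 1)[-1].lower(),
            "parent": parent,
            "user": user,
        })
    return events


def detect_syskey(events: List[Dict],
                  window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Flag every syskey.exe launch. Severity is 'high' when a remote-support
    tool started within `window` before it (the scammer locking the machine
    as soon as they have control), otherwise 'medium'."""
    findings = []
    for ev in events:
        if ev["image"] != "syskey.exe":
            continue
        # Remote tools that started in the window leading up to this launch.
        recent_tools = [
            t for t in events
            if t["image"] in REMOTE_TOOLS
            and ev["time"] - window <= t["time"] <= ev["time"]
        ]
        reason = "syskey.exe launched"
        if recent_tools:
            last = recent_tools[-1]
            minutes = int((ev["time"] - last["time"]).total_seconds()) // 60
            reason += f" {minutes} min after {last['image']} started"
        findings.append({
            "time": ev["time"].isoformat(),
            "user": ev["user"],
            "severity": "high" if recent_tools else "medium",
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_syskey(parse_events(SAMPLE_LOG)):
        print(finding)
```

On a real host the same rule sits on top of Sysmon event 1 or audited 4688 with command-line logging; the point of the time window is that a lone syskey.exe is worth a look, but syskey.exe a minute after a remote-control tool appeared is the pattern from this call and should page someone.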
I started a screen recording on my Mac - I stopped and restarted it a couple of times, but here it is, sped up - watch the clock in the bottom right hand corner.
Step 5 - install some software.
(0:00 -> 1:20)
This didn’t go well, they couldn’t work out why they couldn’t download or run anything from any of the web pages they went to. Protected Mode in IE was doing their head in. They kept clicking around the screen, ignoring error messages that were coming up, searching for Google Chrome Download instead of Google Chrome.
After a while they gave up on that and tried Mozilla. They navigated to google.com.au then searched for the Mozilla download, and went through the process again of trying to download a file, and not working out they needed to add the site to the trusted site list in IE. They tried a couple of different sites, including filehippo, with the same outcome. At one point they even clicked on the ‘more information’ link on the error message in IE. Trying random file download sites wasn’t working; the download path would change to a new cache server every time they added a path to the trusted sites.
I was getting frustrated, I just wanted to get it installed to see what they would do next. Eventually they worked out they needed to add the site to the trusted site list and they managed to install Firefox.
Now that was done, they searched for Google Chrome to try and install that again. They managed that and then installed uTorrent - I have no idea why.
(1:20 -> 2:20)
Step 6 - get angry.
This whole thing had taken the best part of 45 minutes, and during that time the caller hadn’t realised the computer they were trying to take over was completely blank. There were no documents, no downloads, no bookmarks in any browser, no software at all.
They opened a notepad document and started typing a message.
(2:20 -> 3:23)
you there …. ????????
I had lost control at this point. I think the Team Viewer client didn’t like me connecting through RDP. I managed to send Ctrl Alt Del, and get mouse and keyboard back.
You having fun yet?
I disabled their control in Team Viewer, and started chatting in the client. This took them a long time to understand. They just clicked all around the screen trying to do stuff. A giant blue cursor showed their desperate attempt to get back control.
(3:23 -> 4:33)
They eventually worked out how to chat.
Your computer is locked by a password.
Ahh, but the computer is empty
I showed them explorer with nothing in it. They tried to click around again.
I turned off and destroyed the machine before going back to watching TV.
The second season of Sherlock is very good. The first episode especially. But really, you just watch that to set up the final episode and then the big reveal at the start of season 3.