Cyber Criminals Just Came A Callin’ At My House

Sunday, July 17, 2011

Rebecca Herold


I just got off a 30-minute call that came unsolicited from a young-sounding man with a very thick Indian accent who, when I asked him his name, said it was Jason Anderson (doesn’t sound like an authentic name of someone from India). 

He told me he was calling me because there had been a lot of complaints in my area about malicious code damaging operating system software and he wanted to be sure my operating system was not impacted.

I’m sure I made his call a nightmare with all the questions I had for him. After he insulted my intelligence (Him: “that little blinking thing; that is where your letters show up when you type. Look at that please, ma’am.”), I decided I’d just play dumb and go along with him to see what he would have me do. Oh, and I asked a lot of questions along the way to gather as much information about him and his organization as possible.

Here are some key facts about the call:

  • His phone number is 201-338-6170.  I told him I had to go to a different part of the house to get in front of my computer, which is how I got his phone number from him; it does not show up on caller ID.  When I called this number someone else (it sounded like) with a very thick Indian accent answered, and then transferred me to “Jason.”
  • His company is EProtectionz. NOTE: I advise you not to order anything from this site!
  • When I asked him why he called me in particular, he tried to avoid the question or say he was calling to help me.  I persisted.  Finally I asked him if Microsoft had contracted his company to call me.  He then said, “Yes! My company was subcontracted by Microsoft to call me, and that is how I got your information!”
  • He told me to enter “eventvwr” in the command line. Well, HE didn’t say “command line”…he walked me through how to get there as though I had never touched a computer before. (“eventvwr” opens the Windows Event Viewer, whose Application and System logs carry routine warnings and errors on every healthy PC; the scam script presents those entries as evidence of an infection.)
  • NOTE: Be on the lookout for any unsolicited caller who tells you to open “cmd” and type “assoc”. That command only lists the file-extension associations on your own machine; it is not a diagnostic, and its last line (on a default install) is what the caller uses for the “proof” that follows.
  • After going through a few more steps, he had me check my CLSID and said, “Is your CLSID number 888DCA60-FC0A-11CF-8F0F-00C04FD7D062?” 
  • Of course I said, in amazement, “Why yes?  How did you know that?”
  • He said, “See!?  I know because I’m trying to help you!  I was asked by Microsoft to help you!  I wouldn’t have known that information otherwise, would I!  That is specific to your computer.  I wouldn’t have known it unless I was asked to help you specifically!”
  • NOTE: Techie friends, correct me if I’m wrong, but isn’t the CLSID code on all MS OS’s, at least late model ones, the same? (It is: {888DCA60-FC0A-11CF-8F0F-00C04FD7D062} is the CLSID of the Compressed (zipped) Folder SendTo Target shell object, and “assoc” prints it as .zfsendtotarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} on every Windows installation, so it identifies nothing about a particular computer.)
  • When he told me to go to (NOTE: Don’t go to this site unless you’re an information security expert and know what you’re doing) and said he would be happy to tell me the code so I could log into the site, I asked him why I needed to.  He said so he could download software to my computer to scan and clean my operating system.
  • I then said that I would not download software from a site I knew nothing about.  He then tried for a minute or so to convince me, and then finally said, “Well, then close down that screen.”  Me, “What screen?” Him, “The logmein screen” Me, “No, I think I’ll keep it here for a while,” Him (voice raised), “Close it down now!” Me, “Why are you yelling at me?” Him, “Sorry, I wasn’t yelling, that is just how I talk.” Me, “It sounded like yelling to me.”
  • After a few more minutes of such talk (and yes, he started almost yelling again), I stopped and told him the reasons why I would not do as he asked, and then started explaining cyber scammers and cybercriminals to him.
  • Sadly, dear “Jason” then hung up. 
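The sequence in the list above (Event Viewer, then cmd and assoc, then a remote-access download) is a script, and a script can be matched. The block below is an added example, not code from the original post: it replays constructed, simplified process-creation records (one per line, Sysmon-style) through a small per-user state machine and flags a user who goes through all three stages in order inside a short window. The log lines, the 15-minute window and the remote-tool file names are assumptions for the example, and the result is a triage signal, not proof: an administrator doing real troubleshooting can produce the same three launches.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not real logs). One process-
# creation record per line:  timestamp|user|parent_image|image|command_line
SAMPLE_LOG = r"""
2011-07-17T14:02:11|rebecca|explorer.exe|C:\Windows\System32\eventvwr.exe|"C:\Windows\System32\eventvwr.exe"
2011-07-17T14:05:40|rebecca|explorer.exe|C:\Windows\System32\cmd.exe|cmd /k assoc
2011-07-17T14:11:03|rebecca|iexplore.exe|C:\Users\rebecca\Downloads\LogMeInRescue.exe|"C:\Users\rebecca\Downloads\LogMeInRescue.exe"
2011-07-17T09:10:00|admin|explorer.exe|C:\Windows\System32\eventvwr.exe|"C:\Windows\System32\eventvwr.exe"
2011-07-17T09:12:30|admin|explorer.exe|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe"
2011-07-17T16:40:00|admin|explorer.exe|C:\Program Files\TeamViewer\TeamViewer.exe|"C:\Program Files\TeamViewer\TeamViewer.exe"
"""

# The three stages of the script, in the order the caller walks a victim
# through them. The remote-tool file names are assumptions; extend the last
# pattern to whatever remote-support software you actually see.
STAGES = (
    ("eventvwr",    re.compile(r"\\eventvwr\.exe$", re.I)),
    ("cmd",         re.compile(r"\\cmd\.exe$", re.I)),
    ("remote_tool", re.compile(r"\\[^\\]*(logmein|teamviewer|ammyy|supremo)[^\\]*\.exe$", re.I)),
)


def parse_events(text):
    """Parse the pipe-separated records into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, parent, image, cmdline = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "parent": parent, "image": image, "cmdline": cmdline})
    return sorted(events, key=lambda e: e["time"])


def find_scam_sessions(events, window=timedelta(minutes=15)):
    """Return one alert per user who completes all STAGES in order within
    `window` of the first stage. A partial chain that goes stale is dropped,
    so a morning Event Viewer session plus an afternoon TeamViewer start
    does not count."""
    alerts = []
    progress = {}  # user -> (index of next expected stage, matched events)
    for ev in events:
        idx, chain = progress.get(ev["user"], (0, []))
        if chain and ev["time"] - chain[0]["time"] > window:
            idx, chain = 0, []  # stale partial chain: start over
        if STAGES[idx][1].search(ev["image"]):
            chain = chain + [ev]
            idx += 1
            if idx == len(STAGES):
                alerts.append({
                    "user": ev["user"],
                    "start": chain[0]["time"],
                    "end": ev["time"],
                    "chain": [(name, e["time"]) for (name, _), e in zip(STAGES, chain)],
                    # "assoc" on the cmd.exe command line (Run box, "cmd /k assoc")
                    # is the strongest single tell. Typed inside an already open
                    # prompt it is a cmd builtin and never appears as a process.
                    "assoc_seen": any("assoc" in e["cmdline"].lower() for e in chain),
                })
                idx, chain = 0, []
        progress[ev["user"]] = (idx, chain)
    return alerts


if __name__ == "__main__":
    for hit in find_scam_sessions(parse_events(SAMPLE_LOG)):
        print(f"{hit['user']}: {hit['start']:%H:%M} -> {hit['end']:%H:%M} "
              f"assoc_seen={hit['assoc_seen']} chain={[n for n, _ in hit['chain']]}")
```

Run as-is it reports the "rebecca" session only; "admin" opened Event Viewer and a prompt in the morning and a remote tool hours later, which the window rule discards. In a real deployment the match would run over your endpoint telemetry's process-creation events rather than the embedded sample.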

Yes, I will report this scam to the FTC as a type of phone fraud.

Please be on the lookout for this scam!  I don’t want you to fall for the pretty convincing reasons these crooks give for why you should accept their “help”; this guy was pretty good at social engineering.  

If you DO receive a call, please report it so these crooks can be caught.  The more evidence against them, the better.

Cross-posted from Privacy Professor

Tags: Information Security, Support scams, Social Engineering, Windows, Remote Access, Cyber Crime, EProtectionz
Kevin McAleavey And now for the other side of the scam. That call wasn't a random dial. Folks in the security business are still looking into this but the bottom line is that victims of these calls merrily input their phone number on a site that needed that "for verification" or to "win prizes."

What happened to you is becoming *very* widespread and that's the one thing all victims so far had in common. Of course triangulating _who_ it is that's harvesting and reselling the numbers is the remaining mystery. But so far in interviewing about fifty people who've reported this, ALL of them remember being asked recently for their phone number but no common denominator has been determined so far.

It would be most interesting if they can be (forgive me here) "backtraced."
madeline sawyer really?? I also placed my number on a certain site where I am very eager to win on a promo. Whoa! What can I then do to avoid these cyber criminals?? I hate being bothered by the thought that they might have access to some of my accounts. I guess these problems are also brought on by the recession we are suffering from. Many criminals try hard to look for vulnerable victims and I hope that doesn't include me. Anyway, just wanna share with you that we can still be able to make a living for those who were in the middle of financial crisis; we all know that foreclosure rates continue to be astronomical as several of us scurry like mice before the lending institution's menacing plow. It is also a fantastic option if you are able to purchase in. Read on and learn the way to finance a foreclosure residence. I found this here: How to finance a foreclosure property
Vulcan Mindm3ld @Madeline... are you serious? Are you being facetious or are you simply trying to spam an information security website?
Javvad Malik Great write-up Rebecca thanks, it's always interesting to hear how these scammers operate from first hand experience.

Anup Shetty Creepy old scamming technique on the rise again...
The Guardian reported this a few months back too.

You might wanna log your complaint here too.

Read the FAQs first

About the CLSID..

This should be the same on all XP machines; it might differ on a Vista or a 7 box.

Windows Object CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

File Extension .zfsendtotarget

Description: Compressed (zipped) Folder SendTo Target

The ZFSENDTOTARGET file type is primarily associated with 'Compressed Folder SendTo Target File' by Microsoft Corporation. Under Windows XP normally there will be a Compressed (zipped) Folder option in the SendTo menu when you right click on a file. This option creates a .ZIP file containing the clicked on file in the same folder.
Vulcan Mindm3ld Great article and I've already shared it with several friends. @Anup.. thanks for the additional information.
Rebecca Herold Thanks for the comments, folks!

@Kevin, I anticipate your theory is valid for many situations; however, in this case the land line number used was never used for such purposes (to win "free" stuff). However, it is a number that is listed in the public phone book, so it could simply have been harvested from the online white pages.
Josh Stemp While surfing the interwebs of the security world, I have found several instances where security professionals have gotten called regarding this type of thing (@Kevin, it very well could be a spouse or child who felt they were just claiming the newest gadget for free, and not an infosec pro who would input such info). When the "Microsoft Rep" contacted them, many of them had virtual machines on which they attempted to do the system cleanup and "fix", but the downloaded software doesn't install in the virtual environment, and/or the rep asks to remote into the system to "clean" it but realizes that he remoted into a VM. Even though it's not too hard to identify a typical VM environment, I'll give it to them that some of those criminals are pretty savvy to avoid detection.
Terry Perkins Yes -- thanks Rebecca. It is very interesting to see how this all went down.
Kerry LeBlanc Great article and it sounds like you got to have some great fun, too. I do not like that they do this, but I live for calls like this just to screw with them. It would be fun to go through this, but have them going into the honey-pot instead of a good system. Something running painfully slow.
Great write up, thanks!
Robb Reck Thanks for the info, interesting write-up. I'd also like to have seen what he was actually going to have you do. If you could have had him install on a honeypot system that would have made any case against that company a lot stronger. As is, they can always claim they really were just trying to help you.
Kevin McAleavey @Rebecca

OK ... the reason why this raised my curiosity is that I follow a number of "end user security forums" and have chatted with quite a few who've received these calls and observed interaction by others and that is one of the paths to this happening. That was why I wanted to ask if your situation fit the pattern. Apparently not in your case ...
Kevin McAleavey @Josh

A good amount of malware is designed to detect virtual as well as debug hooks from other security software to prevent it from being installed or fully functional in the presence of "monitoring" of it. Amusingly, most malware analysts test malware on VM's.
Anup Shetty Read something that dates back to March last year... Site hosting company Hostgator shut down one of the longest-running sites used for the alleged scam, after complaints.
After confirming with Microsoft that the site was not acting for it, Hostgator immediately shut it down. Josh Loe, Hostgator's co-founder, said that following the initial complaint, "we asked for more information regarding this to confirm. We received a message from a Microsoft representative via this particular person who contacted us first about this. At that time it was enough evidence to close the site and it was done so the same day."
But one investigator who has been tracking the growth of the scam says the challenge is that new sites offering the same fake "service" keep popping up "like mushrooms".

Not sure what happened after that...

Like any other scam... the brains behind this seldom get caught.

@ Kevin.. I think there was a workaround for this by patching the malware routines that detect VM or modify the VM instance making it tough for the malware to detect it.

Kevin McAleavey It's been a couple of years since I did malware research now, but the methods involved some hardware tests, looking up registry keys for VM's and a couple of CPU checks in the source code I saw then.

VM's *do* have signatures that can be determined, and the folks who write the stuff do have their incentives to find them. I'd be curious to see what they're doing lately.
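As an added illustration of the checks Kevin describes (this is not code from any commenter, and not the malware he analysed), the block below gathers the usual VM tells from the places a guest can read them: the CPUID "hypervisor" flag and the SMBIOS/DMI strings on Linux, the BIOS description values and the guest-tools keys in the registry on Windows. The marker table and registry paths are the commonly documented ones and are assumptions for this example; `classify()` is a pure function so it can be exercised with constructed input on any host, and the collectors return nothing rather than failing where a source is unavailable.

```python
import platform
from pathlib import Path

# Substrings hypervisors leave in CPU flags, firmware tables and the registry,
# mapped to a label. Assumed for this example and not exhaustive. Hyper-V
# reports vendor "Microsoft Corporation" and product "Virtual Machine"; only
# the product string is used, since the vendor alone also appears on some
# physical Microsoft hardware.
VM_MARKERS = (
    ("vmware", "VMware"),
    ("virtualbox", "VirtualBox"),
    ("vbox", "VirtualBox"),
    ("qemu", "QEMU/KVM"),
    ("kvm", "QEMU/KVM"),
    ("xen", "Xen"),
    ("hyper-v", "Hyper-V"),
    ("virtual machine", "Hyper-V"),
    ("parallels", "Parallels"),
)


def classify(strings):
    """Pure function: map raw evidence strings to a sorted list of labels.
    The CPUID hypervisor-present bit (cpuinfo flag 'hypervisor') only says
    that some hypervisor is there without naming it."""
    labels = set()
    for s in strings:
        low = s.lower()
        if "hypervisor" in low.split():
            labels.add("hypervisor flag (CPUID)")
        for marker, label in VM_MARKERS:
            if marker in low:
                labels.add(label)
    return sorted(labels)


def linux_signals():
    """CPU flags from /proc/cpuinfo plus the SMBIOS fields the kernel exposes."""
    out = []
    try:
        for line in Path("/proc/cpuinfo").read_text().splitlines():
            if line.startswith("flags"):
                out.append(line)
                break
    except OSError:
        pass
    for name in ("sys_vendor", "product_name", "board_vendor", "bios_vendor"):
        try:
            out.append(Path("/sys/class/dmi/id", name).read_text().strip())
        except OSError:
            pass
    return out


def windows_signals():
    """BIOS strings plus the keys the two most common guest-tools installers
    create (registry paths as commonly documented; assumed here)."""
    out = []
    try:
        import winreg
    except ImportError:
        return out
    bios = r"HARDWARE\DESCRIPTION\System\BIOS"
    for value in ("SystemManufacturer", "SystemProductName"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, bios) as k:
                out.append(str(winreg.QueryValueEx(k, value)[0]))
        except OSError:
            pass
    for key, label in ((r"SOFTWARE\VMware, Inc.\VMware Tools", "VMware"),
                       (r"SOFTWARE\Oracle\VirtualBox Guest Additions", "VirtualBox")):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key):
                out.append(label)
        except OSError:
            pass
    return out


def detect():
    """Collect whatever this host exposes and classify it."""
    signals = windows_signals() if platform.system() == "Windows" else linux_signals()
    return classify(signals)


if __name__ == "__main__":
    print(detect() or ["no VM markers found"])
```

Each of these is also exactly what a sandbox operator would spoof (the vendor strings are editable in most hypervisors, and the tools keys simply not installed), which is the workaround Anup refers to; the CPUID bit is the hardest to hide because the hypervisor sets it, not the guest.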
Tom Wood I also believe that many of these outfits are getting their contacts from legitimate call centers. In a couple of recent incidents I have investigated, they have quoted private information that would only be available to someone with access to that customer's account details, and have called a customer not long after they have placed an enquiry or support call. It is known that these scams operate with a degree of immunity from Indian call centers. It is not too far a stretch of the imagination to see data being 'shared'.
Rebecca Herold This post has not only created some great comments here in the public forum, but I've been surprised to have over a dozen individuals contact me directly as a result, with not only similar stories, but to describe some situations that have evolved into much more serious situations for them, and spread to other types of serious crimes.

Cybercriminals, and criminals of all kinds, are becoming more bold. More reason to include risk detection and mitigation as the fourth "R" in education curriculum at all levels, starting with the very youngest.
Tony Patton OK, I am such an ass. I got this call last night and they are very smart (or I am very gullible). I fear the latter. I went all the way and made the money transfer. Now what can I do? Is it just a once off money loss or is there likely to be ongoing problems?

Tony - Johannesburg, South Africa.
Robb Reck Tony,

If you gave them your credit card number I recommend contacting your credit card company and asking for your options. You should operate under the assumption that any company that would follow these practices would not hesitate to use your payment details unethically as well.
Stephen Berry Yeah, they called my house again today. So, I played along to see how far they would get. As it turns out my WiFi is down at my house, so I have to go to Starbucks, Kinkos, the Library, etc. to get online. They gave me the website (which actually is a legitimate application). When I told him that I was using my XP laptop at the time, he still gave me instructions as if it was Windows 7. When I told him that I could not connect to the internet at the moment, he said, "that's OK, I can fix that" (really!!! Is he really going to drive out to my house and re-connect my WiFi???). He (and the others I've spoken with briefly) are not very bright. When I explained that I work with computers every day (program them, re-build them, support them, re-load them), he did not even miss a beat and just continued on with the script he was reading from. When, in the past, I called them "Scam Artists" to their ear, they either start swearing, cursing, or simply try to "deny" that another IT guy caught them red-handed.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
