My phone rang: it was my dad. Father/son combinations don’t ring to chat like mother/daughter ones do, and Dad had been having computer problems. Specifically, Excel had been crashing but managing to recover his work. Each time it had offered to send data to Microsoft and each time he had declined. Then his phone had rung and the caller said it was about the problems he was having with his computer.
To me this was immediately suspicious: there is nothing in the Microsoft reporting process which sends personal information like phone numbers. In fact when you register Windows you don’t put a phone number in, and it is not stored anywhere in the configuration of the machine. Dad doesn’t have a support contract with anyone so even if personal information were being sent I wouldn’t expect a phone call. It would need quite some call centre to manage a courtesy call every time an app crashed. The only way the caller could know that there was a problem and have his details was if something malign on the machine was telling them.
Dad assumed the caller was legitimate: he assumed they’d been given his details by Microsoft. We only give your personal information to a 3rd party if you have requested a specific service which needs us to do that, or said you were happy to be called about something specific by a partner (which is opt-in, not opt-out).
They had his confidence and things now went from bad to worse: the caller got Dad to give him remote access to the PC for 50 minutes. There’s no telling what went on in that time, but at this stage I had to assume his machine could be doing anything, and everything on it was potentially compromised. Changing passwords would do no good if a key-logger had been installed.
After 50 minutes they called back and told Dad they’d removed 300 viruses from his machine (A bit of a dent for the Anti-virus software he was using, and almost certainly untrue) and signed him up for a £180 support contract which he paid by credit card. When he went to use the card… as if you couldn’t guess, it bounced.
I told him to turn everything off and quarantine the PC. Having realised he’d been taken in, he took steps to get his credit card re-issued, and he set about changing all the passwords which might have been exposed on this machine, using a different one. He’d heard about someone whose stock portfolio had been compromised: the crook had changed address and bank details and it was only when they tried to sell everything that the broker’s system spotted something might be wrong. I had to visit, and:
- Remove the hard disk and connect it to another machine.
- Copy all the data off, for safety.
- Scan for malware (nothing found).
- Roll Windows back to a checkpoint before all this occurred.
- Re-apply updates from Windows Update since that checkpoint.
- Replace the anti-virus he was using with Microsoft Security Essentials and let it scan the machine (nothing found).
- Re-run the Malicious Software Removal Tool (MRT.EXE) – again nothing was found.
My father was a smart man – smarter than me if I’m honest – and although he has been retired for nearly 20 years I don’t think he has lost his wits. I spent the afternoon of that phone call moving between rage and incomprehension – how could he be so stupid? (Many readers will know the famous “Word Perfect support call” story – put that into Bing or Google if you don’t: it ends with “unplug your system and pack it up just like it was when you got it. Then take it back to the store you bought it from.” “What do I tell them?” “Tell them you’re too stupid to own a computer.”) The problem is – of course – that confidence tricksters are plausible, and anyone can fall for social engineering if it is well enough done.
It turns out that this is a scam being used by a couple of firms in India – they don’t get malware onto the machine and then call to fix it; they randomly call people and tell them they have a problem. It was a company using the name of OnlinePcCare.com who scammed my Dad. One interesting thing was they put the credit card transaction through a third party, G2S.com, and it may be that which triggered a fraud alert; the credit card company wouldn’t say. A search on Bing for “onlinePcCare +scam” finds plenty of other victims or near misses. This one from Ireland was immediately familiar: “can you start event viewer… are there any errors in the application log?”. If the event log is empty, logging itself is broken. Some people recorded the scammers and have posted the call to YouTube – these come near the top in a search and Digital toast has a selection – together with a list of other names used by these people.
Charles Arthur at The Guardian has been covering this story for a little while, see Police crack down on computer support phone scam, and Virus phone scam being run from call centres in India. His blog post Those ‘PC virus’ phone call scams: the unanswered questions is worth reading too; it confirms my finding that no malware seems to get installed, and shares my opinion that this fits the definition of obtaining money by deception. (Dad’s call to the police got a response of “here’s a crime number – we’ve got a big file on this and we’ll add you to it”.)
If you act as family tech support, do yourselves a favour. As well as pointing out that none of those nice men in Nigeria will really have a fortune which they will share, and that it is statistically nearly impossible to have a large lottery win and at the same time be unaware of entering the draw, now you need to add “no one really knows if you have a problem with your computer and calls to fix it” (you may be yelling at the computer but in cyberspace no-one can hear you scream.)
You might add “If you don’t like unsolicited calls register with the telephone preference service, no reputable company will call you once you’ve registered and any company which does call you is, by definition, not reputable”.
Postscript. While I was working on this post I got a call from OnlinePcCare. It may be one of those random things or they may be stepping up their activities.
This post originally appeared on my TechNet blog.