While the big security news was happening in Las Vegas at conferences, security researcher Ivan Kwiatkowski’s story was too funny to pass up—at least if you loathe scareware scams.
After only 30 minutes on a new computer, his parents surfed to an online tech support scam that claimed their PC was infected with Zeus.
Of course, he fixed his parents’ browser, but the truth is that people who are not especially tech-savvy can find trouble online almost immediately. For example, my mom’s very first download on her new computer was a malware-infected version of Chrome; she had clicked on one of the top search results and then freaked out and called me.
At any rate, Kwiatkowski decided to bring on the pain; he fired up a virtual machine running Windows XP and called the fake tech support scammers. He’s French, and the tech support agent was not fluent enough to go off-script. She was, however, able to berate him after he said he used no antivirus, since Google Project Zero security researcher Tavis Ormandy keeps exposing holes in antivirus products; that reference soared over her head.
She attempted to scare him into believing his box was infected with 1,452 viruses and that his IP had been “hacked,” all of which could be remedied by paying $189.90 for exclusive software supposedly offered through Microsoft premium partners and secure channels.
The “free” 15 minutes of tech support was up, so she called him back from a Pennsylvania phone number. Her next trick, at the command prompt, was an attempt to convince him that the connection from Delhi visible on his computer at that moment belonged to someone other than her. He called her on that lie, at which point she claimed to be ‘localhost,’ which she said meant “secure connection.” Remember, this guy is a security researcher. By the time the call ended, she sounded fairly frustrated.
Fast forward a little bit, and Kwiatkowski called the number again. This time he totally trolled the fake tech support scammer, who seemed more experienced and offered to sell an even higher-priced version of the software to fix all of the alleged problems with Kwiatkowski’s PC. This time Kwiatkowski agreed to buy it. He gave the scammer a syntactically valid but fake credit card number. Then, surprise, surprise: the transaction wouldn’t go through no matter how many times the scammer asked for the information.
Then he gave the scammer a second fake credit card number (a testing number). “Hit by a stroke of genius,” Kwiatkowski pulled a sample of Locky ransomware from his junk email folder; it was a .zip archive containing a JavaScript downloader that fetches the ransomware. He renamed it and then uploaded the archive via the remote-assistance client to the fake tech support scammer, saying he had taken a picture of his credit card so the scammer could enter the details.
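The “photo” trick works because the scammer trusted the name the file arrived under rather than what it contained. As an added example (not code from Kwiatkowski’s write-up or from this article), the Python below judges an attachment by its magic bytes and, when it is really a zip, by the extensions of the archive members, so a renamed archive whose only member is a .js file is flagged regardless of what it is called. The function and constant names, the sample archive and its inert JavaScript body are all constructed for this example; nothing here is the real Locky dropper.

```python
import io
import zipfile

# File types Windows hands to a script host or loader when double-clicked.
# A genuine photo archive should carry none of these.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".ps1", ".cmd", ".bat", ".exe", ".scr"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # magic bytes at the start of a zip file


def extension_of(name: str) -> str:
    """Lower-cased final extension of a path inside or outside an archive."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_attachment(claimed_name: str, data: bytes) -> dict:
    """Judge an attachment by its content, not by the name the sender gave it.

    Returns the claimed extension, whether the bytes are really a zip, the
    archive members that would execute as scripts, and a list of reasons
    the file is suspicious (empty when nothing was found).
    """
    claimed = extension_of(claimed_name)
    is_zip = data.startswith(ZIP_LOCAL_HEADER)
    script_members = []
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                # "card.jpg.js" still ends in .js; only the last extension counts.
                if extension_of(member.filename) in SCRIPT_EXTENSIONS:
                    script_members.append(member.filename)
    reasons = []
    if is_zip and claimed in IMAGE_EXTENSIONS:
        reasons.append("archive presented as an image")
    if script_members:
        reasons.append("archive contains executable script(s)")
    return {"claimed_extension": claimed, "is_zip": is_zip,
            "script_members": script_members, "reasons": reasons}


def build_zip(member_name: str, body: bytes) -> bytes:
    """Build a single-member zip in memory (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, body)
    return buf.getvalue()


# Constructed samples, not the real Locky dropper: the "photo" is a zip whose
# only member is a JavaScript file with an inert comment as its body.
FAKE_PHOTO = build_zip("credit_card.jpg.js", b"// inert placeholder, no downloader\n")
REAL_PHOTO = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # JPEG start-of-image marker + padding

if __name__ == "__main__":
    for name, blob in (("credit_card.jpg", FAKE_PHOTO), ("credit_card.jpg", REAL_PHOTO)):
        print(name, inspect_attachment(name, blob))
```

Run as a script, the constructed "photo" is reported as an archive presented as an image that contains an executable script, while the bytes that start with a real JPEG marker produce no reasons. The check deliberately ignores the outer filename when classifying content; the outer name is only compared against the content to spot the mismatch.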
Kwiatkowski said the scammer finally admitted: “I tried opening your photo, nothing happens.”
Kwiatkowski, trying not to laugh, then asked if the scammer was sure.
The tech support scammer claimed, “Your pictures are corrupted because your computer is infected. This is why we need to take care of this.”
Meanwhile, as “a background process quietly encrypts his [scammer’s] files,” they continued to go back and forth with credit card information so the purchase would go through. The frustrated scammer eventually gave up, telling Kwiatkowski to call his bank about the credit card problem. Imagine how frustrated the fake tech support dude was once Locky finished locking down his PC.
Kwiatkowski concluded, “Whenever one stumbles on an obvious scam, the civic thing to do is to act like you buy it. ...Their business model relies on the fact that only gullible people will reply.”
Tying up the scammers’ time is what makes the scam unprofitable. After giving the fake tech support phone number, he encouraged the tech-savvy to take 15 minutes to “try to social engineer them into doing something funny.”
I highly encourage you to read Kwiatkowski’s full account of how he tricked the phony tech support scammer into infecting his own PC with Locky.