Tech Support Scammer Calls Tech Expert, Gets Trolled For Two Hours

Image courtesy of Mr. Seb

Computers are everywhere, and lots of people don’t know very much about their inner workings. That creates an ample playground for scammers who use a combination of social engineering and scary-sounding words in order to bilk people out of money, or even sensitive data. The scammers are legion, and so, unfortunately are targets… but when one scammer recently tried to pull one over on a tech expert with time to kill, the tables were briefly turned.

There are lots of tech support scams out there; some use pop-ups or place false ads to lure victims in. There’s also a kind, though, that relies on good old-fashioned phone calls.

These scams tend to work in a pretty predictable way: you get a call from “tech support,” asking you to take a certain series of actions with your Windows PC, including giving the scammer remote access to the machine, then demanding a large sum of money to “fix” a problem that doesn’t exist.

Folks who don’t know much about the workings of their computers, especially those who are kind of scared of or intimidated by their machines, can be susceptible targets. But this particular scammer, randomly dialing numbers, happened to hit an extremely knowledgable, experienced tech expert: Sean Gallagher, currently an editor for tech site Ars Technica.

Gallagher, both knowing his stuff and also being in a position to write stories about it, decided to have a little fun with the scammer who called him on Monday, and kept him on the line for two hours while pretending to be an easy mark.

“I was thrilled,” Gallagher opens, “displaying what my wife Paula felt was an inordinate amount of glee about getting the call. Over the next two hours, I subjected the scammers to such misery that Paula later told me she felt bad for them.”

The scammers first called merely to identify if the person on the other end of the line could be a potential mark. Gallagher identified himself as one by waiting for a “technician” to call him back when available. While waiting, he set up a recorder and Windows XP virtual machine. (That’s an emulated computer system, running on a different computer system in a contained way.)

The scammers called back and fed Gallagher a half-plausible line about “junk files” accumulating on his system and “decreasing the functionality of [his] computer day by day” while conducting ordinary activities online.

(Using a browser regularly does generate some temporary files on your machine — your computer has a cache, and it can fill up over time — but your entire hard drive is not flooded with them, and the amount of space they can take up is limited.)

That led to an exchange where Gallagher agreed that his “unsecured junk files” needed fixing, and the call took off from there.

First, Gallagher stalled the scammer while rebooting and pretending to reboot his machine a few times. “It must have been doing an update or something, I don’t know,” he told them.

Then they got into it in earnest. The scammer instructed Gallagher on how to execute a few very basic, ordinary Windows commands that make visible some system files and processes that can look complex if you have literally no idea what they are. This took some time; “Also, I was not helpful,” Gallagher gleefully adds.

While going through a lengthy rigamarole with the scammer, Gallagher was having some trouble actually accessing the files and sites the scammer told him to, so he took a moment to go find an old, Linux-running laptop from his basement. Using both, he was eventually to access the remote support tool the scammers wanted him to download.

But while he was installing the tool, he happened to use some of the correct terminology for what his computer was doing, and nearly gave up the game:

“Sir, you are not actually doing anything, are you?” the “technician” asked accusingly. “You know the reason why sir. You are acting like you are doing something. No. I understand sir, you took so much time to joke with me, you think you are very smart. You have some knowledge of your computer, and you are pretending that you are doing something but you are not doing anything, yes?”

Gallagher managed to keep them on the line a while longer, playing stupid.

The scammers managed to get their end of the remote-access tool running, and saw Gallagher’s whole screen. One of the scammers on the line asked him point-blank what operating system he was running, and he answered honestly: “Debian Linux. The Kali distribution.”

That was the beginning of the end, and the call wrapped up a few moments later.

Gallagher, however, wasn’t just having fun with some would-be scammers by keeping them on the line: he was able to use that time to capture information about everything they did.

Using packet tracing and a log of the session, the remote access tool was indeed able to pin the caller as using a free account, operating from India.

Gallagher was able to provide logs to the abuse teams at the remote access tool. He also sent information to Time Warner Cable’s (now Charter) abuse-reporting e-mail address, since the scam fraudulently took advantage of a RoadRunner residential account.

He also traced the phone number backwards, and found the company whose ID came up on the call. It is, indeed, a legitimate company using a VoIP phone system — but the company said that its phone system has not been infiltrated, and so the more likely answer is that the callers were spoofing the number.

Unfortunately, while this particular scammer might get its access to one particular tool taken away for a short while, taking them out is indeed basically a whack-a-mole game.

“If we’re really going to ever put a dent in these sorts of scams in a meaningful way,” Gallagher concludes, “it will instead take actual engagement — both with everyday computer users and with companies that may haplessly provide infrastructure that scammers can leverage to reach potential victims.”

You can read the full saga, with more of the technical details — or just listen to the condensed 27-minute recording of the two-hour call — over at Ars Technica.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.