
“I am calling you from Windows”: A tech support scammer dials Ars Technica

Cold caller from "Windows Technical Support" asks for remote access to my PC.

Aurich Lawson

When the call came yesterday morning, I assumed at first I was being trolled—it was just too perfect to be true. My phone showed only "Private Caller" and, when I answered out of curiosity, I was connected to "John," a young man with a clear Indian accent who said he was calling from "Windows Technical Support." My computer, he told me, had alerted him that it was infested with viruses. He wanted to show me the problem—then charge me to fix it.

This scam itself is a few years old now, but I had not personally received one of the calls until yesterday—the very day that the Federal Trade Commission (FTC) announced a major crackdown on such "boiler room" call center operations. The very day that six civil lawsuits were filed against the top practitioners. The very day on which I had just finished speaking with Ars IT reporter Jon Brodkin, who spent the morning on an FTC conference call about this exact issue. And here were the scammers on the other end of the line, in what could only be a cosmic coincidence.

I walked around my office with the phone against my ear, then settled into my desk chair and put the call on speakerphone. I wanted to know just what it felt like to be on the receiving end of such a call. I wanted to know how a group of scammers half a world away convinced random and often tech-illiterate people to do things like run the built-in Windows Event Viewer, then connect to a website, download software, and install it (together, no easy feat for many mainstream users). I wanted to know just how the scammers eventually convinced their marks to open up remote control of their PCs to strangers who had just called them on the telephone.

So I played along—which was difficult without a Windows PC in my office. To buy time, I told the scammer that I was waiting for my nonexistent computer to "boot up," then sent a furious blast of instant messages to Brodkin, asking him to do whatever the scammer told me to do and report back on the results. Luckily he was at his computer and immediately agreed—and we were off.

Typing, furiously

The scammer got right to it, as though it were a common thing for unknown callers to have me start rooting around inside my computer. I was immediately ordered to go to the Windows Start menu, then to right-click on "Computer."

"Can you tell me what options are you getting?" said the scammer.

"Ummm... just a second."

Furious typing followed, which must have been plainly audible, as I passed the instructions to Brodkin. Who knows what the scammer thought of this. It must have been clear that at the very least I was a serious incompetent who, when ordered to click some simple mouse buttons, instead began typing the Great American Novel. Yet my scammer showed a patience I had not expected.

"Maybe I'm not clicking on the right thing," I said in an effort to buy more time as Brodkin fired up a Windows virtual machine. "Where is it, on the Start menu?"

The scammer explained it all again. I was to right-click on Computer and tell him what I saw. I began to wonder just how long he would stay on the line without me providing a response when Brodkin got the VM running and typed back the correct responses. I passed them along.

"OK, it says Open or Manage," I said.

I was told to double-click Manage, then to select the Event Viewer from the Computer Management window that appeared.

"Below the Event Viewer, what options can you see?" my scammer asked.

(More furious typing.)

I knew already a key part of the scam involved showing people innocent error messages in the Windows Event Viewer, then trying to convince them these were caused by a virus. So I decided to guess what I should be seeing—and I got it wrong.

"I see a list of these different warnings or something. I dunno."

"No, sir, you have to double left click on Event Viewer. Just do it again."

Brodkin came through with the answers. "Okay, it says Custom Views, Windows Logs, Applications, and Settings," I said, reading right out of my instant messaging client.

"Yeah. Yeah. You have to double left click on Windows Logs, all right?"

"Okay, doing it."

"And below the Windows Logs, what options can you see?"

(Even more furious typing. That novel was really coming along now by the sound of things.)

"What options are you getting?" he repeated.

"Applications, Security Setups, Forwarded Events..." I said at last.

"Yeah, that's correct. You have to double left click on Applications, OK? And now what can you see from your computer screen?"

Because my scammer appeared to be a man of infinite patience, I simply waited ten seconds in silence and then repeated stupidly, "What can I see?"

"Yeah. What can you see?"

Scary errors in the Windows Event Viewer.

Brodkin's instant messages arrived, telling me that I was in fact seeing an error message.

"Um, I see some kind of error message."

"Yeah. These are the error messages which we get through your computer by date and time. This is the application part of your computer, OK? Let me check the system part of your computer, OK? Look at the right hand side—there's an option for Filter Current Log. Can you see Filter Current Log? Yeah, you have to double left click on Filter Current Log, OK? And there's a new box that came on your screen, and you have to check mark the options 'critical warning' and 'error.'"

"OK."

(But instead of clicking anything, I am of course typing to Brodkin. Furiously. The clack of the keys seems unbearably loud. Isn't he getting suspicious?)

"OK... Clicking 'critical warning' and 'error'... now it says 'warning and error.'" I had no idea if this even made sense, but it was what Brodkin had typed, and the scammer seemed to accept it.

"Yeah. Sir, these are the [garbled] viruses in your computer. They may harm your computer at any point of time. And these viruses are corrupting your data and using your personal information like that. So do one thing: can you try to delete any error, any warning?"

"Any one of them?"

"Yeah. Is it deleted or not?"

"How do I delete it?" I asked, not having done anything. But my scammer's patience was starting to slip. He simply went on as though I was in fact looking at a scary list of errors that could not be removed.

"It's not deleting," he informed me. "Yeah, sir, these are un-deletable viruses."

"I am calling you from Windows"

The main website.

The scammer then directed me to "open your Internet Explorer" and visit a specific website. It was a basic free-to-create website labelled "Windows PC Tech Support." The company behind it, said the site's front page, had "deep experience in a full balance of practice areas. All working in cycle, at one place." Well—I like working in cycles, at one place, so this all sounded fine.

I told my scammer that the page had loaded. He directed me past the "About Us" tab ("At ALL times we hold the highest ethics and quality is the pre-requisite of everything we do") and past the "Services" tab ("So just come out of a doubtful and unsure situation and call for a support package") and over to "Instant Support."

The instant support page showed four links: Ammyy V3, Ammyy V2, TeamViewer, and ShowMyPC. All four pieces of software allow another machine to access your computer directly, across the Internet, for all sorts of quite legal and useful reasons. But they also make it simple for a cold-caller from India to rule your computer by tricking you into giving him permission to do so.

"You have to click on Ammyy V2," said my scammer. "And there is a new box which says run, save, or cancel. You have to click on run, OK?"

Come on—he was going to have to work a little bit harder than that.

"Well, I don't know much about computers," I said, "but I know that I don't want—I dunno—just software from the Internet running on my computer."

"Sir, it's a connecting software to help you out, OK?" he said.

"Well, but... who are you with, again?"

"Sir, my name is John. I am calling you from Windows, OK?"

"What do you mean you're calling me from Windows?"

"Sir, because we are getting some information and warning like that. So click on 'run.'"

I wanted to see more of this process unfold, so I asked him to "tell me how to do it on my computer and I'll just do it. You can walk me through the steps."

"Sir, you are the Windows customer and you are registered here in Windows Company so that's why we are calling you," he said, one of several incongruous responses that made me feel like I was speaking with a chat bot instead of a human being. We continued:

"I'm sorry, I don't know anything about a 'Windows Company.' Do you mean Microsoft?"
"No, it's not a Microsoft, it's a Windows Technical Department, OK? And I am the Windows technical provider to help you out, OK?"
"OK, but I'm still... I didn't call you, you called me, so it seems kind of strange. I don't know if I want to let some program run on my computer."
"Sir, we are getting some information from your computer, some harmful information because these informations are damaging the [garbled] and some important [garbled] like that."
"You mean, I have viruses in my computer and you know about it somehow?"
"Yeah. Yeah."
"Wow."

Again he asked me to click "run." He was quite insistent on the point, coming back to it immediately every time the conversation veered away. Just. Click. Run.

So here it was—decision time. Was I willing to turn Brodkin's Windows install over to "John" from "Windows Technical Support" in order to clear it of the many viruses the Event Viewer showed? I decided that I was—in the name of journalism, of course.

"The line" is drawn here.

The manager

But Brodkin wasn't. "Not sure I trust this!" he IMed me. "I don't want to let them into my PC. I draw the line there."

VM or no VM, he didn't want strange people controlling his main work computer, which was probably just as well. With the line drawn and little more to gain from the phone encounter, I switched gears. "So you're aware that this is a scam that you're pulling, right?" I said. "And that the US government has announced today a huge crackdown on exactly what you're doing?"

I expected John to hang up; clearly, I knew about his game. But he didn't miss a beat.

"No sir, I assure you, sir, it's not a scam. You can talk to my manager. I'm calling you from Windows."

"Oh, okay," I said; I mean, the guy was calling me from Windows. "Can I talk to your manager just to make sure?"

After a few seconds, another voice came on the line. He was the manager, he told me, and he laid out the whole situation.

"Sir, let me tell you, like when you buy an operating system like Microsoft Windows, we are the one who are able to provide the technical support regarding this operating system, OK? Microsoft never provides support for the Windows operating system and we are having official [garbled] of Microsoft, and that's why you are receiving this call."

"So you're like partners with them, you help them do support?" I asked.

"Right. And that's why my colleague has given you a call, because your computer was full of viruses. Whenever you are going on Internet, you are getting the viruses from the Internet. And you have also noticed that for the past few weeks your computer has been running a bit slow, right?"

"Yeah, it's been really slow," I agreed.

"That is all because of the viruses, sir... We are going to tell you how you can rectify all these problems from the computer."

I knew exactly how the problem would eventually be "rectified"—with my credit card. One Ars reader noted just how bad the situation could get when commenting on the FTC crackdown, writing, "One of my clients fell for this scam. Unfortunately, he paid over $500 to the scammers. When he refused to pay any more, they actually locked the computer, told him he wouldn't be able to use his computer anymore, and hung up on him."

With the call quickly coming to the end of its useful life, I decided to switch gears one last time.

"So are these viruses that I could get on a Mac or this is only on my Windows computers?"
"This is only for the Windows operating system. Viruses are not there in Macs. Mac is a virus-free edition."
"Oh, okay, it's a virus free edition."
"Right. Mac doesn't have viruses. Viruses are only there for Windows PCs."
"I have a question for you, then. I don't actually have any Windows PCs, I only run Macs. So I'm wondering how you found out I had viruses?"
"No, no. I think that you are having a partition of a Windows operating system in a Macintosh."
"No, I don't think so."
(Pause.)
"You are using Mac?"
"Let's be honest here. You guys are scamming me, and the US government just announced a major crackdown today on exactly what you guys are doing and I just wondered if you had any comment about that?... Hello?"

And with that, he was gone, having better sense than to waste any more time on me. No wonder he was the manager.

Calling Do Not Call

Such scams have proliferated around the globe, and their operators aren't very creative; many of them use nearly identical pitches. It can't be a fun job; an entire amateur industry has arisen around trolling the scammers, as did Australian Troy Hunt, who earlier this year set up a Windows virtual machine with the Dutch language selected just to see what would happen when he actually gave control of the machine to the scammers. (Hunt also tracked down and did an interview with the person behind one of the companies alleged to be a leader in this sort of activity; the man denied knowing anything about it.)

The scams have cost people around the world quite a bit of money, with scammers asking anywhere from $49 to $450 to fix the nonexistent problems they discover. The calls appear to be largely about making money, but there's no reason that such powerful remote access could not be used to install malware, build up botnets, participate in denial of service attacks, or steal personal information.

The companies behind such calls generally show a total disregard for local laws against telemarketing, but they aren't the only ones to do so. Just today I received two automated recordings, which also ignored the Do Not Call list here in the US, pitching me on the old "Card Member Services" scam and something separate involving home break-ins and security. While Do Not Call laws have stopped most reputable companies from harassing people over the telephone, they have had only limited effect against those whose reputation can't go any lower.

While the entire call seemed farcical—who would possibly fall for this?—people clearly do, all the time. Sure, it wasn't going to work on me, but I could easily imagine several members of my own extended family who might have had a harder time recognizing the fact that this was not legitimate.

The clear sense of impunity felt by the scammers was enraging. I had wasted a few minutes of his time, but who cared? Even now John was on to his next mark, ready to rope in the "manager" when needed, ready to lie about the Windows Event Log, ready to demand that someone just click "run." He may have assumed that no police officer would come knocking on the boiler room door; hopefully, yesterday's international enforcement efforts will at least sow the seed of doubt.
