For the past few weeks, I have been receiving silent calls every day from the same fake number – 01001246. When I pick up, the other end is either silent, or a dial-tone. I have reported it, but was told nothing could be done because the caller-id was spoofed. Well duh – I wonder if the NSA and GCHQ are equally stumped by fake numbers?
Anyway, today’s call came through during my tea break, and this time there was a person on the other end, telling me that he was calling about the security of my Windows machine. “Oh, that one”, I thought; but didn’t hang up, as I was curious how these guys go about “proving” a machine is infected.
So on being asked to start up my computer, I made my way back to my office, and – just to be safe – fired up a brand new virtual PC. I told the guy my computer was old, and takes some time to boot – this made him very happy. I then sat back and drank my cuppa – as I’d rather he stew than my tea.
Although I have heard of these scams before, I have never had direct experience of one. I’d always assumed they “proved” an infection by taking you to a scaremongering (and possibly virus-infecting) website – hence the virtual PC. But it was simpler than that.
First he directed me – in baby terms – on how to bring up the Run box; and had me type into it “eventvw” – the Event Viewer. He then directed me to scroll through the Application Events – “You will see that the window is full of blue i’s, for information; but if you look through you will see some warnings and errors, which are serious”.
Now most, if not all, Windows systems will generally have some warnings and errors in the events; but he was saying they were a sign of a major infection.
I let him wait, while I sent a customer an email.
“No, I can’t see any errors, only information.”
“Only blue i’s?”
“Yes, only blue i’s”
“Did you scroll down?”
“Yes, all the way to the end. No warnings or errors.”
“Oh I am sorry, I misread the report, it is not an application problem, it is a system problem”, and directed me to the System Events.
“No, only blue i’s there too. Doesn’t this mean my computer is OK?”
“Oh, no – it just means the infection is sophisticated, it has removed the event from your computer.”
He then directed me back to the run box, and got me to bring up the c:\windows\inf folder.
“You see all of those files? They are all infected files.” (inf = infected, get it?)
“Wow,” I said, “there are a lot of files there.”
He started back into his spiel, but I interrupted him.
“You know, there’s something else that I just realised, that might be very relevant to all of this?”
“Really?” he said. He probably expected me to mention something that had happened to my old computer yesterday or the day before, and would spin that into his story.
“Yes,” I said, “I am an IT professional, and I have been wasting your time for the last 15 minutes.”
I expected the line to go dead then, but it didn’t. I could hear breathing down the phone, and then he said “I’m sorry, what?”
“You are a scammer, a con-artist, a flim-flam man, you are a… ”