Common tech support scams: How to identify and avoid them
Published by on May 1, 2017 in Information Security

tech support scam
One of the big scams running the rounds lately doesn’t start with an email. This one usually begins with a phone call. A computer tech claiming to represent a large, reputable firm, like Microsoft, calls their potential victim and tells them that their computer has been identified as having been infected with several viruses.

Alternatively, the user gets a web page that pops up full screen, front-and-center, claiming that a virus or even several viruses have been detected on their computer. Both the webpage and the phone call can contain a threat to disable the user’s computer to prevent further spreading of the infection.

The webpage will not have the option to close it like a normal web browser window, even though it is only a web page. It is possible to close the page, but it takes a bit of tech know-how. This provides a bit of incentive for the unsuspecting victim to call the tech support number on the page.

Common tactics

To legitimize their claim, a phone tech will direct the user to the Windows Event Viewer on their computer and the logs contained therein. These logs always contain at least a few error messages, but to the untrained eye, these errors can be a bit unnerving. The scammer relies on the inexperience of the average user to bait the trap.

These fake techs can also use various other technical tools built into Windows to trick their potential victim into believing that their computer is in need of support. They will even go so far as to threaten to have the user’s computer disabled so as to prevent the spread of infection.

To prove their point, the fake tech will lead the user through the steps to access the Windows Event Viewer logs, the system monitor, the system’s list of available services or any other technical tool that most users have never seen or even heard of:

  • Any errors in the log files will be used to prove that the operating system has been compromised by viruses
  • The peaks and valleys of the system’s performance monitor is compared to an ECG of a human having a heart attack
  • Any services that are not running are described as infected or disabled due to infection
  • Many other technical tools built into the OS can be exploited by a scammer to convince a user that their system is infected
  • Even some of the standard features of the operating system can be used to convince a user that there are problems with their computer

Victim Selection

While most of the scams doing the rounds these days do not discriminate who they scam, there is some evidence that this particular scam impacts the elderly more often than people of other age groups. In a recent prepared statement to the FTC on the subject of fraud, there is evidence showing that the elderly population is more severely impacted by this type of scam.

It’s not that the scammers single out the elderly for their con games. It would seem from the evidence at hand that the elderly are just more likely to be susceptible to the fake tech support scam.

The problem has gotten so bad that Microsoft has begun to take legal action against one of the main companies behind these scams and their affiliates. The civil suit, which has been filed in the federal court of the Central District of California, charges one company with unfair and deceptive business practices and trademark infringement.

In previous types of scams, older consumers were less likely to fall prey to the manipulations of these scammers. Of course, the most successful scams at the time revolved around fraudulent weight-loss products. And those were followed by fraudulent prize claims. Of course, the survey was conducted in 2011, and has not been updated since.

If you are wondering what you can tell someone in your immediate circle who is over the age of 65, it’s simple: Nobody monitors the health of their personal computer other than themselves. Microsoft doesn’t hire companies to call people to fix virus infections. For more details, jump down to the summary of this article.

Remote access

Once baited, the tech gets the user to download and install a remote access program like LogMeIn or TeamViewer. The tech then uses the same program on their computer to gain access to the user’s system, taking control of the computer remotely. The tech then has free reign to do as he wants. Users have reported infection by viruses, detection of keyloggers, trojans, worms, and even ransomware. As soon as the tech finishes, he demands payment for the “service” to the tune of anywhere from $100 to $600. Of course, once they have your credit or debit card information, they can, and often do, charge whatever they feel like charging, possibly multiple times.

The tech can then reconfigure the remote access software to automatically accept an incoming connection, allowing the fraudster to access that computer whenever they want. They can, and usually do, copy and install some files from their own computer to the victim’s computer containing all sorts of malware

  • Keyloggers are programs that record every click of the mouse, what was clicked on and every keystroke on the keyboard. These records are then uploaded to a server of the attacker’s choosing at regular intervals
  • Worms have also been installed by these fraudsters with their own nasty surprises for unsuspecting users. A worm is a type of virus that is self replicating. While it may not do as much harm, it usually eats up all of the available network bandwidth in the process of replicating itself to all of the computers that are connected to the infected machine.
  • They have also been known to install ransomware on their victims’ computers to extend their potential income from each and every tech support session. Ransomware encrypts all of the data on a device and demands ransom from the victim in exchange for a password to unencrypt it

One other side effect is the potential for identity theft. Like so many other types of scams, the attacker is after not just money, but saleable goods as well. The installation of a key logger on a computer allows them to see anything that is typed into the keyboard or anything that the mouse clicks on. If the user then clicks on a bookmark to their bank’s online banking website types in their username and password, that information is transmitted via the keylogger program to the fraudster, without the user ever knowing about it until it’s too late.

Scam signs

The first sign of this being a scam is the fact that they are calling you. Microsoft does contract out a lot of its tech support to third parties. However, none of those contracts include remote monitoring of any past or current version of the Windows operating system. That sort of thing is only viable in the world of corporate servers and is not handled by Microsoft or any of its third party contractors.

If they didn’t call you, then perhaps you got a pop up window or web page notifying you that your computer is infected. No website can detect viruses on computers that access them. A full virus scan can take up to 30 minutes for a home PC. No website has the resources or the permissions on your computer to perform anything resembling a viable malware scan.

Another tactic is the claim that your computer is going to be locked up, denied access to the internet, blocked from accessing any computer network or any other claim that it will become pretty much unusable. There are no internet police. Nobody is charged with the responsibility of making the internet safe.

Summary

Simply put, if you did not initiate the tech support call due to a legitimate problem that you detected, then it’s a scam. If someone contacts you claiming to have detected a problem with your computer, either through a phone call or a webpage, you can safely ignore them and continue with your day.

The only companies that make their living this way are scammers. No legitimate company makes their money by selling tech support services to random people on the internet or over the phone. Legitimate tech support companies sell their support services via contracts, mostly to other companies, on either a monthly allotment of hours or on an on-call basis. Currently, the technology to identify an infected personal computer over the internet does not exist.

What to do when you’ve been scammed

If you have been scammed in this manner, all is not lost. But you do need to begin your damage control right away to minimize the amount of havoc the scammers can wreak in your life and on your system. First and foremost, disconnect your PC from the internet. Shut it down if you want, but make sure that it cannot access the internet when it boots up.

If you gave the scammer your credit card or financial information then you need to call your bank. Let your bank know that you’ve been conned and you would like to go over your recent charges, starting from the day you were scammed, so that the bank can reverse any charges from the scammers. You might need to report the card as stolen depending on how much information you gave them. Talk it over with your banker and heed their advice.

If you have an attorney, let them know what’s going on as well. Cleaning up identity theft can be a struggle without legal counsel. You might end up getting your local law enforcement and maybe the FBI involved in your case. Get as much help as you can with this process. If you don’t yet have an attorney, you would do well to at least consult with one. The amount of legal legwork that goes into resolving a case of identity theft more than justifies the cost of retaining legal counsel.

To get your computer cleaned up, start with it disconnected from the internet. If you have an antivirus program already installed, run a full system scan, removing anything that it flags as a threat. Go into the control panel’s programs utility and remove the remote access software that the scammer had you install. While you’re in there, look for anything that you don’t recognize installing or that looks suspicious. If the date that it was installed or last accessed is the same date as your session with the fake tech, uninstall it. Finally, use another computer and a USB thumb drive to download another antivirus or antimalware program. Use the thumb drive to copy it from the other computer over to your compromised computer. Install and run it just in case your antivirus software might have missed something. Consider running a system restore to a restore point prior to installing the remote access software.

One of the big myths about anti-virus software is that your computer is safe from viruses when you run anti-virus software. The truth is that running antivirus software does make your computer safer, but nothing can make it 100 percent safe from infection. A new virus needs to be identified, analyzed and put into the anti-virus definition files before the anti-virus software can protect against it. The same applies to any other form of malware. The newer the virus, the lower the odds of any one antivirus program recognizing it as harmful to your computer.

Assuming your computer is running fine at this point, it should be safe to reconnect it to the internet, update your antivirus software and finish your damage control. You will want to start changing all of your online passwords for everything from banking to email and social media accounts. Everything. Assume that the fake tech copied your entire list of online accounts with usernames and passwords from your web browser. Once you’ve taken care of all of that, you can sit back and keep a wary eye on your computer and your various online accounts.


As always, you will want to keep backups of all of your important files, run regular antivirus and antimalware scans and keep your operating system updated with all of the latest security updates. Use unique, complex passwords, especially for critical accounts like online banking, PayPal, eBay and any other site that can have a direct affect on your finances. That can get a bit taxing, so you might want to look into a good password manager.


Technical know how


For those of you who are interested in seeing some of the tools these con artists use, here are some of the more common ones, broken down by operating system:


Windows 7


Event Viewer


Possibly the tool most used by IT professionals and scammers is the Windows Event Viewer. Windows is setup to keep track of just about everything that happens by logging different computer events. Below is just one set of instructions for accessing these logs. There are other ways to get to the same place, though.


  1. Click on the Windows Flag button at the bottom left of your screen to get the Start menu
  2. Right click on “Computer” in the column on the right of the menu
  3. Click on “Manage” to open the Computer Management tool
  4. In the column on the left, click on the small arrow next to “Event Viewer” to expand the list of logs
  5. The easiest one of these logs to exploit is the Application log, simply because it will normally have the most errors, so take a look at it first by clicking on “Application” in the left hand column
  6. The right hand side of the window will now populate with the list of event messages in the top and the details of the selected event in the bottom


Most of the events listed herein will be informative little notes that get written to the log all the time. However, there will be some errors recorded as well, and that’s OK. Most of the time, these errors do not affect the operation of your computer at all. The errors are easily identified by the red stop sign shaped icon with an “X” in the middle of it.


Feel free to skim through the other logs as well. There are a few others dealing with the setup and installation of new device drivers, security audits for keeping track of successful and unsuccessful logins as well as logs for recording various system events like the starting and stopping of services.


Running Services


The Windows operating system relies on a bunch of different programs running in the background. Each of these programs provides a different service to the operating system, allowing it to do it’s job, from maintaining the computer’s internet connection to keeping the hard drive spinning.


However, a whole bunch of services may not be needed for your computer to properly work. From remote login capability to database servers, there are a whole bunch of things that most computers simply aren’t being used for. The services are there in case they are needed, just not running.


To see the list of all the services on the computer, simply follow the above steps one through three to access the Computer Management tool. In the column on the left, click on “Services” to populate the right side of the window with the list of services.


The right hand panel will contain the full list, sorted alphabetically by name. There will also be a description, status, startup type and logon for each service.


Task Manager


Your computer does what it does because it has certain resources available to it. They are:


  • CPU – Central Processing Unit – This is what does all of the work of making sense of the operating system, device drivers and programs that are installed on your computer. It has it’s own small chunk of memory to hold things in while it works on them
  • RAM – Random Access Memory – This is where a big chunk of the currently running programs are stored, temporarily, while the CPU does it’s thing
  • Hard drive – This device is where everything lives on the computer. The operating system, all of the programs installed on the computer, your family vacation pictures and everything else


When your computer starts to run slow, it helps to know which of these resources is causing the lag. The task manager gives you a real time view of how these resources are being utilized.


In Windows 7, press three keyboard keys at the same time: CTRL, ALT and Delete. The menu that comes up will have “Start Task Manager” at the bottom of the list. Click on it.


The first tab shows what programs are running and what their current status is. If any of them have the status of “Not Responding” it means that the program is either very busy at the moment or it has crashed. To shut down any of them simply click on the program you wish to shut down and then click the “End Task” button at the bottom of the window.


The Processes tab lists each and every currently running program that allows Windows to function. Again, you have the ability to shut down individual processes, but as these are Windows specific processes, it is inadvisable. This is one area that fake techs like to manipulate because shutting down crucial processes can make the computer behave erratically.


The same applies to the Services tab. This is a list of all of the currently running services and the resources they are using. As was explained earlier, not all of the services built into the Windows operating system are needed, so many won’t be shown as running.


The Performance tab shows some graphs with usage levels of each of your CPU’s cores and the computer’s memory. As many as eight cores can be shown, each with their own graph. These graphs will spike each time that core performs any work. Seeing lots of spikes and valleys is perfectly normal. The only thing that is harmful to the computer is if one or more core’s graph is pegged at 100 percent for several minutes.


The memory graph won’t spike nearly as much as the CPUs, but rather will maintain a steady percentage of usage. The more programs you have running, the more memory is used. The more tabs you have open in your web browser, the more memory is needed to keep those web pages current. Again, the only danger sign is if the memory is pegged at 100 percent usage for any period of time, even if you close actively running programs.


Closing a program with the keyboard


At the beginning of this article there was mention of a web page that doesn’t close easily. Believe it or not, this is a feature of the web browser that makes it full screen and removes the close, minimize and maximize buttons. To get rid of one of these pages, hold down the ALT key on your keyboard (it’s beside the space bar) and hit the F4 key in the top row. An alternative is to use the Task Manager described above to shut down the web browser with the “End Task” button.


Note that some laptop keyboards use the F keys for other purposes, such as volume control and screen brightness. In this case, you might need to press the Function key (“Fn” or something similar) in addition to Alt+F4.


Manipulating the command prompt


The command prompt, or command line, has been around since the first personal computers hit the market back in the 1980s. However, the only people that make use of it these days are IT people, both real and fake. Even the simplest commands in this tool can be used to con people into believing that their system has been heavily infected.


To access it, click the Windows Flag at the lower left of your screen and type three letters into the search box at the bottom of the menu: “cmd”. As you type, the menu will change from your normal selection of programs to the search results. The top of the list will be “Command Prompt”, so click on that.


The command prompt is keyboard-centric so ignore the mouse for the following commands. Type each command as displayed, without the quotes, to get the output that is described next to the command. You will need to press “Enter” after typing each command to activate its functionality:


  • “dir /s” – The command “dir” by itself simply lists the contents of the current directory or folder. Adding the “/s” switch to that command makes it list the contents of the current directory and the contents of all the folders inside that directory. A fake tech will claim that this command lists infected files on the computer’s hard drive
  • “color 4” – This command changes the color of the text in the command prompt window to red. A fake tech will claim that the red text is an indication of the operating system or their software having detected a massive infection
  • “Ping 192.168.253.82” – Ping is quite often used to check a computer’s connection to other computers, whether they be on the internet or a local area network. The numbers that follow the ping command are the digital address, or IP address, of the computer that you are trying to reach. A fake tech will put in an address that is most likely not a valid address in order to get an error from the user’s computer. That error is then used to describe a problem that doesn’t really exist
  • “netstat -an” – This command displays the current network status of the computer. Specifically it lists all of the currently open network ports and their status. The port is just a number, but the status can be set to “listening”, “established” or “closed”. A fake tech will describe the status of “listening” as a hacker listening to everything your computer is doing


There may be other commands that these fake tech support people will use, simply because the command prompt is a powerful tool for running system diagnostics and various cleanup utilities. However, initial detection of viruses and malware is best left in the hands of programs that are running full time in the background, not one-off commands accessed through the command prompt.


Windows 8, 8.1 and 10


Event Viewerwindows event viewer


To get into the Event Viewer in the newer versions of Windows is a bit easier. From the desktop, simply right click on the Windows flag at the bottom left of the screen and select “Event Viewer” from the menu that comes up. Once it opens, you can click the arrow icon next to “Windows Logs” to see the list of log files. Clicking on any one of them shows the list of log messages on the top of the right side of the window. Clicking on any log message in that list displays the details of the event below the list.


Just like in previous versions of Windows, there are a few different logs for the different areas that Windows keeps logs for.


  • Applications, or the programs that are installed on the computer
  • Security log for tracking logins
  • The Setup log is mostly for recording what happened during the initial setup of the operating system and all of the device drivers
  • There is a System log for keeping track of the operating system’s service related events
  • To record forwarded events, the computer has to be receiving event messages from another computer for remote monitoring purposes


Running Serviceswindows services


You may have noticed in the above section that when you right click that Windows flag, the menu has quite a few options. One of the more robust tools is the “Computer Management” option near the middle of the list.


The Computer Management window contains the event viewer, the device manager, the list of services and a few other important tech tools. There are way too many to cover in just this one article, so click on the Services option in the left hand pane.


Just like in past versions of Windows, this list shows all of the available services listed alphabetically by name, a description of what the service does, it’s current running status, it’s startup type and the user logon that it runs under.


Many of these will not be started as they are not needed for every PC. This is perfectly normal and nothing to panic about.


Task Managertask manager windows 10


Accessing the task manager requires a simple right click on the Windows flag at the bottom left of your screen. The menu lists “Task Manager” near the bottom of the list. Clicking on that option gives you a window with up to seven tabs, each relating to the currently running programs and the resources in use by those resources.


  1. Processes – This tab gives you a list of currently running programs and what resources each one is using
  2. Performance – Here you see the graphs of utilization for each of the computer’s resources
  3. App History – The total amount of computer resources used by each program is listed on this tab
  4. Startup – Each program is listed here along with it’s startup settings. Most won’t start when the computer does so will have a startup impact of “None”
  5. Users – Since the introduction of Windows 2000, PCs have had the ability to have more than one user logged in at a time. This tab shows what resources are being used by each of those users
  6. Details – This lists each of the currently running Windows processes, what user account the process is running under, how much attention it’s getting from the CPU, how much memory it’s using and a brief description of what the process is or what it does
  7. Services – Another place to view the currently running services along with what resources are being used by those services


The graphs in the Performance tab are supposed to have peaks and valleys. Those are simply signs of the computer doing it’s job. The only thing here that should be cause for concern is if the CPU or the memory are pegged at 100 percent for more than a couple minutes.


Keyboard command to close a running program


Just like in past versions of Windows, holding down the ALT key and pressing the F4 key in the top row of the keyboard is a keyboard shortcut to close the active program. If you run into one of those annoying web pages that fills the screen and doesn’t have a close button, use this shortcut to get it out of your face. Alternatively, you could shut down the web browser using the Task Manager described above.


Using the Command Prompt


When Microsoft introduced the Windows 8 metro style, a lot of the old ways of doing things became a little difficult to find. Then again, some became really easy. If you simply start typing the letters “cmd”, the search tool automatically comes up and you will see “Command Prompt” in the search results.


In Windows 10 you can use the key combination of the Windows flag key on your keyboard along with the letter “x”. The menu that pops up will have “Command Prompt” as one of the options.


The command prompt is a very keyboard-centric tool. Type each of the following commands as displayed, without the quotes, to get the output that is described next to the command. You will need to press “Enter” after each command to activate its functionality:


  • “dir /s” – The command “dir” by itself simply lists the contents of the current directory or folder. Adding the “/s” switch to that command makes it list the contents of the current directory and the contents of all the folders inside that directory. A fake tech will claim that this command lists infected files on the computer’s hard drive
  • “color 4” – This command changes the color of the text in the command prompt window to red. A fake tech will claim that the red text is an indication of the operating system or their software having detected a massive infection
  • “Ping 192.168.253.82” – Ping is quite often used to check a computer’s connection to other computers, whether they be on the internet or a local area network. The numbers that follow the ping command are the digital address, or IP address, of the computer that you are trying t reach. A fake tech will put in an address that is most likely not a valid address in order to get an error from the user’s computer. That error is then used to describe a problem that doesn’t really exist
  • “netstat -an” – This command displays the current network status of the computer. Specifically it lists all of the currently open network ports and their status. The port is just a number, but the status can be set to “listening”, “established” or “closed”. A fake tech will describe the status of “listening” as a hacker listening to everything your computer is doing

Houston, we have a headset…” by Robert Murphy licensed under CC BY-SA 2.0

Leave a Reply

Your email address will not be published. Required fields are marked *