Fighting Back Against a Fake Tech Support Call


’Tis the season for phishing emails, scams, and fake tech support calls. We recently investigated such a call received by one of PhishMe’s employees. After saying that he would call the “technician” back, the employee passed the number over to us and we began to investigate.

The number the technician provided us was “646-568-7609.” A quick Google search of the number shows that other users have received similar calls from the same number. In one example, “Peter from Windows” was the person calling. In our case, it was Alex Jordan from Seattle.

Figure 1 — Google search for the phone number provided

Once connected, I was directed to a website, “www.pcefix.webscom”, where I could download the tools that would supposedly allow the technicians to “fix” my system. These downloads were riddled with viruses.

Figure 2 — Website to download tools

Next, the technician instructed me to download Ammyy, a free remote assistance tool. Running it allowed the attackers to establish a remote connection from their systems to mine.

Figure 3 — Ammyy configuration used by the attackers

For a “more secure system,” they then switched to TeamViewer, which allowed a technician to take a look at the machine. Once connected, they opened Event Viewer in an attempt to show me the number of viruses on the system. The screenshot is rather comical, as it is blatantly obvious this is running in VMware.

Figure 4 — Technician showing me the viruses and errors on my system

“Alex” also told me that hackers were in my system. I asked, “You mean like the ones from North Korea that hacked Sony?” With a chuckle, he confirmed that North Korean hackers were attacking my system. He even pulled up my INF files (Figure 5) to show me all of the files that the hackers had added (Figure 6).

Figure 5 — Search to see which files the hackers added

Figure 6 — Files from hacker

He even went to the extent of opening one of the files and asking if I recognized it. When I said I didn’t know what the file was, he said, “This was added by the hacker.” He then instructed me to run the “scanning” file “Router Tracer.bat”, which would supposedly scan the system. According to his analysis, I had 130 critical system files, expired protection, active hacking from China, and seven different hacking attempts. Not to mention that the file “hax.exe” was executed from startup h4x, and that 100 viruses had been sent by “Hacker” (Figure 7).

Figure 7 — “Infected” system

It turns out this was a simple batch script that did nothing except echo these messages to the terminal; it performed no scan at all.

Figure 8 — Batch script to check if my system was infected

Once Alex had “convinced” me that my computer was infected, he offered me a few different payment options. The basic option was $199 for a 2-year warranty to fix my computer, $299 bought another 2 years, and $399 bought lifetime service covering every system in my house. What a deal! I agreed to the lifetime support, and he quickly presented me with a screen to enter my information, including a government-issued ID number.

Figure 9 — Beginning of payment transaction

He was so kind as to fill in the token key as well.

Figure 10 — Token key for payment

Next, I filled in credit card details so they could take a payment.

Figure 11 — Filling in banking information for payment

It turns out that “Dine-Media Interactive”, the payment center that was taking the payment, has a Facebook page; they are a startup in Bangalore, India, that does Rails development.

Figure 12 — Dine Media, payment center that would receive the payment

It looks like the company is doing pretty well for itself, given that it is taking $399 at a clip.

Figure 13 — Dine Media office photo

All in all, no money was lost, and they lost a $399 sale to fix my computers for life. Despite my many attempts at messing with them, they persisted through many iterations of me loudly playing YouTube clips of “Trololo”, Nyan Cat, and “Gangnam Style”. Alex even said, “Gangnam Style? This is one of my favorite songs!” “You mean the hackers are playing that through my computer?” “Yes, the hackers are playing that through the computer speakers.”
