I guess Matt Weeks is as sick as I am of tech support scammers, because he developed a way to fight back, in the form of a Metasploit module that exploits a software defect in the AMMYY remote access tool that these scammers sometimes use. Metasploit is a tool that penetration testers use to demonstrate–with permission–how hackable a computer network is. In this case, the would-be victim is penetration testing someone without permission. Run the module when the scammer connects to the would-be victim, and he or she gets a command prompt on the criminal’s PC. At that point, the would-be victim can break the scammer’s computer, perhaps by deleting critical files, corrupting the Windows registry, or something else. Anything you can do from a command prompt would be possible at that point.
I’m anything but heartbroken that this threat exists, although I’m not going to do this myself. Let me explain.
First, even though they have every intention of hacking your computer and destroying information if you don’t buy their service, it’s illegal for a would-be victim to act first. It may even be illegal to wait for them to delete files–always use a dummy machine you don’t care about when trolling these crooks–and then to delete their stuff after they delete first. Self-defense laws are very much stuck in the physical domain at this point.
Second, even though they’re obviously working from someplace that won’t cooperate with U.S. authorities, I don’t know that the reverse is true. Even though we can’t prosecute them, they may be able to cause legal trouble for us. And these callers do sometimes know a frightening amount about us–one of these guys once told me my full name, address, and phone number, then told me he would be sending me a bill for $500 if I didn’t cooperate with him. He never sent the bill, and of course I have no intention of paying it, but if I’m going to have legal trouble from these guys, I want to be completely innocent.
Third, for me at least, is that I signed a piece of paper that said I wouldn’t do things like this. As annoying as these scammers are, they aren’t worth losing my CISSP over. But nothing in the (ISC)² code of ethics has any problem with me wasting these guys’ time so they can victimize fewer people.
In a way I feel sorry for these crooks. As a Slashdot commenter said, they’re eking out a living scamming people they see as very rich. Then again, the career path I followed to get a three-bedroom house in working-class suburban St. Louis doesn’t exist in the United States anymore–the middle half of my career has been outsourced to India. The company I work for has offshored a great deal of its sysadmin work and even some of its entry-level security work, not to mention all of its helpdesk work. Some of our offshore workers are very good. Some will get fired just as soon as their supervisor finds a competent replacement. So there is plenty of opportunity in the IT industry in India for someone willing to learn. My States-side colleagues who are still in their 20s had to follow a very different career path than I did.
If you’re reading this from India and aren’t finding that opportunity, leave me a comment on a recent post on this blog. If you include a hyperlink in the comment–it can be a hyperlink to anything–it will go into moderation where only I can see it, so you can provide contact information.
That gives me an idea. The next time one of these scammers calls me, I’ll try recruiting him.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.