Netstat scam and netstat scammers

Last Updated on May 10, 2023 by Dave Farquhar

A longtime friend’s aunt almost got taken by a fake tech support scammer. He told me about it, and in the process, this was also the first I’d heard of the netstat scam, or netstat scammers.

She saved herself by saying she’d have to check things out with her nephew first. That’s a good trick. Fortunately for her, the scammer didn’t try to delete anything, though he did immediately change from being very pleasant to being very rude. That matches my recent experience with these low-life crooks precisely.

She was vulnerable because the flawed MS14-045 gave her trouble and she had a case open with HP. So when this crook called, she thought at first that HP or Microsoft were following up with her about that.

The scammer’s best trick was to get her to open a command prompt and type netstat.

netstat foreign address
My computer talks to itself a lot. It’s normal. There’s nothing scary or inherently nefarious about a netstat foreign address but the netstat scam counts on you not knowing this.

He claimed every foreign IP address was a connection being let in by a virus.

What netstat is

Netstat actually is a legitimate troubleshooting tool. When I was a sysadmin, I used it a lot. But it can look scary when you haven’t seen it before. Here’s what the output looks like:

Active Connections
Proto Local Address Foreign Address State
TCP 10.1.1.72:6272 10.1.1.75:8009 ESTABLISHED
TCP 10.1.1.72:6274 10.1.1.75:8008 ESTABLISHED
TCP 10.1.1.72:10022 74.125.201.188:5228 ESTABLISHED
TCP 10.1.1.72:10801 iad23s23-in-f21:https ESTABLISHED
TCP 10.1.1.72:11496 edge-star-shv-03-ord1:https ESTABLISHED
TCP 10.1.1.72:11510 channel-proxy-shv-06-ash2:https ESTABLISHED
TCP 10.1.1.72:11568 atl14s07-in-f21:https ESTABLISHED
TCP 10.1.1.72:11577 sip:http ESTABLISHED
TCP 10.1.1.72:11578 sip:http ESTABLISHED
TCP 10.1.1.72:11579 sip:http ESTABLISHED
TCP 10.1.1.72:11580 sip:http ESTABLISHED
TCP 10.1.1.72:11581 sip:http ESTABLISHED
TCP 10.1.1.72:11582 sip:http ESTABLISHED
TCP 10.1.1.72:11583 atl14s07-in-f2:https ESTABLISHED
TCP 10.1.1.72:11599 a184-50-238-112:http ESTABLISHED
TCP 10.1.1.72:11601 iad23s06-in-f14:https ESTABLISHED
TCP 10.1.1.72:11618 iad23s06-in-f0:https ESTABLISHED
TCP 10.1.1.72:11619 108-193-150-12:http ESTABLISHED
TCP 10.1.1.72:20241 r-063-044-234-077:http ESTABLISHED

Like my 10-net? This is the output from my machine with way too many browser tabs open. Nothing to worry about here. Lots of web browser traffic and my machine is chatting up my wife’s machine. That’s normal. Windows computers talk to each other a lot.

Making matters worse, when the netstat scammer calls you and has you open a web browser, at least one of the connections you’ll see in the netstat output is your web browser connection. It’s akin to a mechanic planting a loose piece of wire in your car and then telling you that loose wire is a big problem.

Now, speaking as someone who’s used netstat to figure things out before, netstat isn’t the last step in anything. You run netstat when you’re trying to see if two computers are communicating, and then you run other tools to figure out why they are or aren’t. Netstat is very useful, but on its own, it doesn’t tell you much.

Here’s more about netstat and those scary-sounding foreign addresses. I’ll even point you toward a tool that will remove nefarious software, and it’s free.

Dealing with netstat scammers

Don’t let any scammer reading from a script tell you there’s anything wrong with your computer. Even if there is, he couldn’t fix it anyway. I’ve watched them try to fix legitimately broken computers before and fail. If he argues with you, tell him to hang on while you download and install Wireshark so you can investigate. When he asks what Wireshark is, tell him if he wants to ever progress beyond sitting on a helpdesk–which is a very generous assessment of his employment status–that knowing what Wireshark is and does would be a good start. I’ve had that conversation with them before too.

And tell him your buddy Dave, who really is a hacker, told you to tell him that. Oh, and when he talks about those evil hackers, feel free to claim to be a hacker yourself. You can also tell him that you think he must have called me before.

Or, if you’re uncomfortable engaging with a criminal, just hang up the phone and reboot your computer. There’s no harm in that. And while they may make some threats, once you disconnect them from your computer there’s nothing they can do to it.

If you think there really might be something wrong with your computer, here’s the test. Get the person’s name. Then tell him you’ll call Microsoft and ask for him. Their number is 1-800-426-9400. That practice works to eliminate credit card scams and it will stop Microsoft scams too.

If you’d rather they stop calling you entirely, here’s how to make that happen.

If you found this post informative or helpful, please share it!