How I turned a junker PC into a trap for scammers

Note: I wrote this almost a year ago. It wasn’t good enough to publish then, I thought. This week I’m slammed, and it’s better than anything I can write this week, so, it’s time to release it. -Dave

As my regulars will be aware, for the past few weeks I’ve been getting lots of phone calls from “Peggy” from “Computer Maintenance Department.” What I’ve found during these phone calls is that debating with them does no good, and saying that your computer is crazy fast gets them to hang up on you, but they’ll call back again in a few days anyway.

Last week, I had lunch with a group of future coworkers–I’ll be joining them once my background check results come in–and I mentioned these phone calls. The guy sitting across the table from me said he wants their malware, so he can reverse-engineer it. So I said I would cooperate the next time I got a phone call.

I happen to have a junker PC sitting under my desk with Windows XP on it. When I got my next call, it turned out the machine’s network card was disabled so I couldn’t download their malware. That exchange proved beyond a reasonable doubt that these guys are scammers, because the problem was very simple to fix. Any legitimate technician would have located the issue in a matter of minutes, because whoever used this particular machine last had disabled the network card in Windows Control Panel.

Once I fixed that, I decided to clean the machine up a bit. I installed Avast on it, because it can do a boot-time scan and cleanup. That was good, because it found a couple of things. Finding that kind of stuff on a secondhand hard drive I bought at a garage sale or thrift store is no surprise. I also defragmented the machine, so it would run a little bit faster, and ran Malwarebytes on it as well.

Another, much better approach would have been to just reformat the hard drive and install a fresh copy of Windows on it, but I didn’t give myself time for that. Cleanup is time-consuming too, but it’s passive–I can start it up, walk away, and come back in a few hours and it’s done.

Once the machine was clean enough for reinfection, I disabled Avast by right-clicking its toolbar icon and selecting Avast shields control -> Disable permanently. As scary as that sounds, re-enabling it is just a click away. This is important because I didn’t want Avast to detect and block whatever Peggy has me download. It’s possible that what they’ll have you download is legitimate software that they’re misusing, or it could be malware.

That’s a good investigation to conduct after the fact. After downloading the software, don’t run it, but save a copy of it. Hang up the phone, visit VirusTotal, and upload it. If any antivirus vendor already recognizes the file, VirusTotal will show you what they call it. If it’s legitimate, or simply new to VirusTotal, you’ll get a report with zero detections, which isn’t proof that it’s harmless. A new upload gets scanned and shared with the participating antivirus vendors, which at the very least makes the scammers’ lives more difficult. Two things to keep in mind: a lookup by the file’s hash tells you whether anyone has already seen it before you upload anything, and whatever they have you install runs with whatever access that PC has, so keep the machine off any network with anything on it that you care about.
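The hash-first check described above, as an added example that is not code from the original post: it hashes the saved download, looks the hash up against VirusTotal’s v3 file API before deciding whether to upload the file itself, and reduces the report to counts plus the engines that flagged it. The `VT_API_KEY` environment variable and the `SAMPLE_REPORT` document are assumptions of this example; the sample only mirrors the v3 response shape and is constructed, not real scan data.

```python
# Added example (not from the original post): hash a downloaded file and
# check VirusTotal by hash before deciding whether to upload the file itself.
# Assumes a VirusTotal v3 API key in the VT_API_KEY environment variable;
# SAMPLE_REPORT below is constructed to mirror the v3 response shape.
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"
VT_GUI_URL = "https://www.virustotal.com/gui/file/{sha256}"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file so a large installer does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_hash(sha256: str, api_key: str) -> Optional[dict]:
    """GET /files/{hash}; None means VirusTotal has never seen this file."""
    req = urllib.request.Request(
        VT_FILE_URL.format(sha256=sha256), headers={"x-apikey": api_key}
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file report to detection counts plus which engines flagged it."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(
        name for name, r in results.items() if r.get("category") == "malicious"
    )
    return {
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "undetected": stats.get("undetected", 0),
        "engines": flagged,
    }


def verdict(summary: Optional[dict]) -> str:
    if summary is None:
        return "unknown"  # nobody has submitted it; an upload would be new to VT
    if summary["malicious"] or summary["suspicious"]:
        return "flagged"
    return "undetected"  # zero hits is not proof the file is safe


# Constructed sample in the shape of a v3 /files/{hash} response (not real data).
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "0" * 64,
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "suspicious": 0,
                                    "undetected": 3, "harmless": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Generic.Downloader"},
                "EngineB": {"category": "malicious", "result": "Trojan.Agent"},
                "EngineC": {"category": "undetected", "result": None},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "undetected", "result": None},
            },
        },
    }
}


def main(argv: list) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} FILE", file=sys.stderr)
        return 2
    digest = sha256_of_file(argv[1])
    print("sha256:", digest)
    print("report:", VT_GUI_URL.format(sha256=digest))
    api_key = os.environ.get("VT_API_KEY")
    if not api_key:
        print("VT_API_KEY not set; paste the hash into the web UI instead.")
        return 0
    report = lookup_hash(digest, api_key)
    summary = summarize_report(report) if report else None
    print("verdict:", verdict(summary), summary or "")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python vtcheck.py saved-download.exe`. An "unknown" verdict is the one case where uploading the file adds information; a "flagged" verdict already tells you what the vendors call it, and "undetected" only means nobody has caught it yet.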

And that’s what this is all about. These scammers are breaking several local and national laws, but since they disguise their caller ID and they’re calling from overseas, they’ve been operating for years without getting caught.
