“Hello? My name is Max and I’m calling from CSA. We got a report saying that services are stopped on your computer.”
I hung up, for lack of energy to fight with “Max,” or even to try to convince him my name is Suchita. But if that phone call sounds familiar, feel free to hang up on Max, or whatever he says his name is. It’s a scam. If you want to know why, read on.
“Daniel” from “Microsoft” called me the other day. The number looked halfway legit so I picked up. He out and out claimed to be from Microsoft and said he was getting alerts from my computer. His voice sounded familiar–I think I’d talked to him before.
“Which computer?” I asked.
“Your Microsoft computer,” he said.
A longtime friend’s aunt almost got taken by a fake tech support scammer. He told me about it, and in the process, this was also the first I’d heard of the netstat scam.
She saved herself by saying she’d have to check things out with her nephew first. That’s a good trick. Fortunately for her, the scammer didn’t try to delete anything, though he did immediately change from being very pleasant to being very rude. That matches my recent experience with these low-life crooks precisely.
She was vulnerable because the flawed MS14-045 gave her trouble and she had a case open with HP. So when this crook called, she thought at first that HP or Microsoft were folllowing up with her about that.
The scammer’s best trick was to get her to open a command prompt and type netstat. Read more
If you’re curious whether a particular piece of software might be spyware, or you have some other reason to believe your computer might have been compromised and might be talking to something it shouldn’t be, there’s a quick and easy way to find out besides using the standard netstat -an command.
Windows XP and 2003 (and, presumably, Vista) have the netstat -o command, which tells you what IP addresses your computer is talking to and on what ports, plus it adds the process IDs that have those ports open. There’s a hotfix to add that functionality to Windows 2000, but it appears you have to demonstrate a need for it in order for Microsoft to provide it.
Regardless, I like the Sysinternals tool TCPview better. The most important thing it does is give you the names of the application, instead of the process ID, using each port. That saves you from having to run task manager and figure it out yourself. It puts everything in a GUI window, making it a little bit easier to scroll around, and it also tries to resolve the IP addresses, which can be nice. So if all you have open is a web browser pointing at Google and you see processes talking to web addresses you’ve never heard of, you have reason to be suspicious.
The next time someone complains to me that a computer is running slow, once I think I’ve cleaned off the spyware I think I’ll run this utility just to see if there might be anything left.