Last Updated on February 10, 2019 by Dave Farquhar
The Tampa Post’s technology Q&A columnist received a letter this weekend (toward the bottom of the link) about Windows tech support scammers. From the article:
The people performing the hoax sound remarkably professional and officious.
Depending on what you say to them, results vary a lot. When they call me, they’re anything but professional. Especially lately. They seem to be OK when they don’t think they’re talking to a computer professional. Mention that you do this for a living, that you have an advanced certification, or that you wrote a book, and they turn vicious fast.I agree that if the idea of talking at length with criminals makes you uncomfortable, the best thing to do is hang up on them or tell them the only computer you own is a Macintosh or a Chromebook or a Commodore VIC-20 and let them hang up. Or better yet, block scam calls entirely.
Then again, if you’re moderately technical–and I’m pretty sure I lost almost all of my less-than-moderately-technical readership many years ago–you may very well be doing a service to society by messing with these guys. You can easily waste 15 minutes of their time by playing dumb and fumbling around trying to pull up Event Viewer. Then, once they manage to talk you through pulling up Event Viewer, you can turn the tables on them by discussing the difference between an event and an incident.
They would have you believe every event in your logs is an incident–some malicious person actively doing something to your computer that they ought not be doing. That’s not the case at all. Everything in Event Viewer is an event–the computer’s reaction to its environment. It’s data, pure and simple.
Determining whether those events mean there’s an incident going on is an entire field unto itself, and someone reading from a script for $6 an hour can’t do that kind of analysis. I worked in that field for about nine months before moving into threat and vulnerability management. I could be a competent incident responder but I find threat and vulnerability management work a lot more interesting. My brethren in incident response make a lot more than $6 an hour.
Whatever you do, don’t let these people scare you. I had one tell me he’d cancel my Windows license if I didn’t pay him $500. I didn’t pay him, and he didn’t cancel my Windows license–becuase (drum roll) he can’t do that.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
I haven’t been the lucky recipient of one of these calls yet. I would be tempted to tell him to yes, please cancel my Windows license and shut down my computer. My IP address is one ninety two dot one sixty eight dot . . .
I like that idea, but everyone knows your IP address is 127.0.0.1. Well, except those scammers perhaps.
“Oh, hi, thanks for calling! Do you mind just logging right in to my computer and checking it out? My IP address is 127.0.0.1.”
That long silence you hear will be them scanning their script to see what to say to that….
I heard a story – probably apocryphal, but I hope not – about a technical user who had been called by one of these scammers. The tension escalated, and the bad guy threatened to destroy the computer of the techie. “Go ahead and do it!” “What’s your IP address?” The techie told the evil script kiddie that it was 127.0.0.1 . . .