Thursday, March 14, 2013

Scummy Behavior: Preying on Windows Users

I got a call from one of those "There's a problem with your computer" places a few days ago.  Since I had some free time, I decided to talk to them to see what it was all about.  What I found is a group of people who have some of the scummiest behavior that I've seen in a while.  The worst part of it is that it would be very easy to fall for, not just for people who are computer illiterate, but for computer literate people as well.

The Scenario
So, I got a call from someone telling me that my computer was reporting errors.  The first thing I do is ask how they know that the errors are coming from my computer.  This particular person didn't leave the script, so I kept interrupting him.  I asked him what IP address the errors were coming from.  He just went back to the script.  When he saw that I wasn't going to stop asking questions, he decided to transfer me to his supervisor.

The Hook
The next person I talked to actually left the script for a little bit.  When I asked how he knew that the errors were coming from my computer, he said that Windows collects errors and sends them back to Microsoft.  They get these errors and help people fix the problem.

Now, I didn't get into "how did you get my phone number" because I knew that wouldn't get me anywhere.  So, I asked how he knew that these errors were coming from *my* computer.  He said he'd show me.

I won't go through step by step what he asked me to do.  But it is very apparent that their script was designed for people who didn't use the computer much.  Things along the line of "next to the Control key there's a key with the Windows logo on it. Do you see that?"

Ultimately, he had me open a command prompt and asked me to type "assoc".  This primarily displays a list of file associations -- like that .xls is an Excel spreadsheet file.  But these folks take advantage of something else that displays in the list.

The person asked me about the "longest line near the bottom."  Now, the stuff at the bottom of my list were associations that had to do with Visual Studio, so I figured that he wanted me to find something a little further up.  Ultimately, he had me look at this line:


He then proceeded to read off the GUID part to "prove" that the errors were coming from my machine.  That really pissed me off, because I know that this value is not unique to my machine (more on this below), but the average Windows user would not necessarily know that.

A Little Bit of Humor
The next thing I asked him was if he knew that a CLSID was?

For those of you who have done COM programming (twitch, twitch), then you know that class ids for COM objects *must* be the same on every single machine.  That's the whole point.  That's how Windows identifies COM objects.

I told the person on the phone that CLSIDs were not unique to the computer, and that they are the same on every single machine.  I even told him that I was sitting in front of two computers that had the same value (which was a lie -- oops).

Finally, I asked him if he was sitting in front of a computer.  He said yes, so I asked him to look at his ZFSendToTarget value.  There was a slight pause, and then an "Oh, my."  Then he went to get his supervisor.

The only consolation that I get from this exchange is the hope that this person didn't realize that he was involved in a scam -- that he had just taken a job in a call center.  I hope that when he realized that what he was telling to the people he called was a lie, that he left.  That's what I'm really hoping.

The Technical Lead
The last person I talked to described himself as the technical lead for the center.  I was pretty much done with my exploration at this point.  So, I told him that he didn't know what he was talking about.  I asked him to follow the steps on his machine, and he told me that he got a different value (which was obviously a lie).

Eventually he got tired of me and hung up.

The Worst Part of This Scam
The worst part of this scam is that it sounds very reasonable.  I'm worried about people like my mom getting this type of call.  (Note: I'm not actually worried about my mom getting this call because she would call me to ask about it before doing anything.  She also has a tendency to leave dialog boxes on her screen until she has a chance to talk to me.  Better safe than sorry.  She also reads my blog: "Hi, Mom!").

If you don't know what a CLSID is, then it sounds reasonable that this long, scary-looking GUID is unique to your computer.  It certainly looks like a unique value.  And it's not just people like my mom I'm worried about.  Technically literate people like my brother could also be sucked in by this (again, not specifically my brother because he'd analyze this a bit more).  My brother uses Windows computers all the time, rebuilds laptops, and has done some programming in the past.  But I doubt that he's ever done COM programming (twitch, twitch), so he probably doesn't know what the CSLIDs are for.

This scam is nothing new.  Right after the call, I did some quick Bingling and found that there were lots of other people talking about this scam.

BTW, if you're wondering what "ZFSendToTarget" means, it has to do with the right-click option in File Explorer.  If you right-click on a file, select "Send To", then you see an option for "Zipped (compressed) folder".  This CLSID is for that.

Again, what I hate about this is that it targets everyone who's never done COM programming (twitch, twitch), which is a huge number of Windows users and even a large number of Windows developers.  (And you can always recognize someone who's done COM programming by the uncontrolled twitch whenever it's mentioned.)

Happy Coding!

No comments:

Post a Comment