Inside the US government’s war on tech support scammers

PCCare247 allegedly collected millions in ill-gotten fees. But the FTC fought back.

Written by / Courtesy of Arstechnica

Sitting in front of her PC, the phone in her hand connected to a tech support company half a world away, Sheryl Novick was about to get scammed.

The company she had reached, PCCare247, was based in India but had built a lucrative business advertising over the Internet to Americans, encouraging them to call for tech support. After glimpsing something odd on her computer, Novick did so.

“I saw some sort of pop-up and I don’t know if there’s a problem,” she told a PCCare247 tech named Yakeen. He offered to check the “management part” of her computer for possible problems.

“This is very, very important part of the computer and it work like the human brain, all the major decision, all the action, all the result is taken by this management part,” Yakeen said in a strong accent relayed over a poor-quality phone line that sometimes made comprehension difficult. All he needed to run his test was total control of Novick’s Windows computer.

She agreed, downloading and installing a remote access tool. When it was in place, Yakeen reached out through the Internet, took control of Novick’s mouse cursor, and opened a program called Event Viewer. The scam was about to begin.

Event Viewer is a built-in Windows tool designed to make visible the millions of mostly unimportant background activities running beneath the hood of a modern computer. Few mainstream computer users have even heard of it, much less run Event Viewer of their own volition—which explains why few mainstream users would know that, in a system as complex as Windows, Event Viewer will always display errors, most of them trivial. Thus, should someone want to convince mainstream users that their computers are riddled with problems, Event Viewer is a reliable combination of the inscrutable and the terrifying.

Yakeen showed Novick a series of bright red warning messages in her Event Viewer logs.

“It has 30 errors,” he told her, while a separate subsection of Event Viewer showed 43 more. Based on these 73 problems, Yakeen formulated a quick and utterly improbable diagnosis for Novick’s problems.

“Your computer is hacked by someone,” he said. “They are using your name and your ID, your computer to do some cyber fraud and cyber terrorism.”

Leaving no time for Novick to raise questions about how obscure Windows errors might indicate the presence of terrorist hackers, Yakeen opened a command prompt on Novick’s machine and ran a text-based tool called “netstat.” Netstat shows all of a computer’s network connections, both inbound and outbound, and in this case it showed a single established link—one that pointed outside the US.

“I’m 100 percent sure and I strongly believe that you have some hacking issue working in your computer,” Yakeen said as he pointed this out to Novick. “Your computer is being hacked by someone. And they are doing some criminal activity using your name, your computer, your computer address.”

This was a brazen lie; forensic examination would later conclude that the single connection displayed by netstat was in fact the remote access tool that Yakeen was using at that moment to control Novick’s machine.
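The check that exposes this lie is to ask which process owns each established connection, which `netstat -ano` plus `tasklist` answers. The following is an added example, not part of the Ars Technica article: it parses a constructed sample of Windows `netstat -ano` output and a constructed PID-to-image table; the process name "RemoteSupport.exe" is a hypothetical stand-in for whatever remote access tool was installed.

```python
import re

# Constructed sample of `netstat -ano` output in Windows format (not real data).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.20:49731     203.0.113.45:443       ESTABLISHED     4120
  UDP    0.0.0.0:5355           *:*                                    1248
"""

# Constructed PID -> image name table, as `tasklist` would report it.
# "RemoteSupport.exe" is a hypothetical name for the remote access tool.
TASKLIST = {892: "svchost.exe", 4120: "RemoteSupport.exe", 1248: "svchost.exe"}

# One netstat row: proto, local, foreign, optional state (absent for UDP), PID.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Parse `netstat -ano` text into a list of dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def established_with_owner(text, tasklist):
    """Return (foreign address, PID, image name) for every ESTABLISHED connection.

    Joining the PID column against the process list is what shows the 'foreign'
    link to be the support tool itself rather than an intruder.
    """
    return [
        (r["remote"], r["pid"], tasklist.get(r["pid"], "<unknown>"))
        for r in parse_netstat(text)
        if r["state"] == "ESTABLISHED"
    ]


if __name__ == "__main__":
    for remote, pid, image in established_with_owner(NETSTAT_OUTPUT, TASKLIST):
        print(f"{remote} is owned by {image} (PID {pid})")
```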

To complete his examination, Yakeen then told Novick that he would scan her computer for viruses. To do so, he ran a command called “tree.” Filenames immediately filled the screen, scrolling away in a blur as hundreds of new names took their place. When the list stopped moving, the command prompt read:

C:\509 virus found

“Now can you see the number of virus found in your computer?” Yakeen asked.

“509 viruses?” Novick asked.

“Yeah, 509 virus working your computer. And they are—the hacker are directing your information and your—it might be possible your e-mail account and your Facebook account is also hacked by the hacker because hacker are using your name and your password. All the data, photographs, radio, and your e-mail are already hacked by the hackers, so we have tried to recover all the data from the hackers and install an anti-hacking tool in your computer, okay?”

The situation sounded bad—unless you knew that the tree command used by Yakeen has nothing to do with viruses. It merely lists all files within a directory, showing them in a hierarchical “tree” arrangement of folders, subfolders, and files. The scrolling list had been entirely ordinary files on Novick’s machine; it had stopped only because Yakeen had canceled its run. As for the words “509 virus found”—Yakeen had simply typed them out himself at the command prompt, hoping that Novick would believe them to be output from the “virus scanner.”

Continue reading over at Arstechnica.