Hello, we are calling from Windows and your computer looks like it is infected. Our Microsoft Certified Technician can fix it for you. Sound familiar? Whether you have just been scammed or simply want to find out more on the topic, you have come to the right place. Let’s find out more about tech support scam.
Beware Of Tech Support Scam:
Anyone claiming to be from “Windows” could be expected to know if there was a virus on your PC, right? And when they guide you into checking the Windows Event Viewer (where harmless errors are logged) and reading out a string of numbers, they usually manage to snare you into their swindle. After all, you don’t want to lose your hard work, or be without your computer due a virus, right?
The aim of the scammers is to talk you into installing remote software on your computer, so that they might then take control. Once done, this will either allow them to steal data, introduce a Trojan horse or other malware (the remote software itself may be a malicious tool) or just perform a bit of “tech support theater” to make it seem as though they know what they’re doing.
Once the “virus” is discovered, of course, the scammers will demand money for their services of “removing” it. This can go a number of ways, but if you refuse, there is the possibility that the scammers have remotely changed your password or encrypted your files, transforming this into a one-on-one ransomware scam.
The really interesting feature, though, is the way that the scam seems to have moved on from giving you your address (which they get from a telephone directory) and a fake IP number to convince you that they can really see your system. A quick Google search indicates that many people are experiencing much the same thing: the scammer now asks you to check a CLSID.
What is CLSID?
A CLSID is a Class Identifier stored in the Windows Registry (under HKEY_CLASSES_ROOT\CLSID), but we don’t recommend that you go digging into the Registry unless you really know what you’re doing. Fortunately (at least as far as tampering with Registry entries goes), the scammer doesn’t need you to edit the registry to find the CLSID he’s looking for. He simply has to persuade you to run the ASSOC command. It’s easy to do: you click on the Start button, Run, type in CMD to get to the command prompt (DOS prompt) and type ASSOC.
Since the output is long, it scrolls straight to the bottom, but if you’re really interested in seeing exactly what it contains, you can get it to go through page by page by typing in “assoc | more”. However, the scammer wants you to go straight to the bottom so that you’ll see this entry:
That’s the CLSID on both the PCs open on my desk at the moment. Amazingly, it’s also the one that the scammer quotes. And I bet that if you have a recent version of Windows and go through the same steps you’ll find that you have it too. In other words, the scammer can’t see your CLSID or anything else on your PC, including your Event Viewer logs. Unless, of course, you fall for the scam and give him remote access with AMMYY or TeamViewer.
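If you want to see for yourself what that last ASSOC line really is, the PowerShell snippet below (an added example, not part of the original article) reads the final entry that ASSOC prints, pulls out the CLSID, and looks up its registered name under HKEY_CLASSES_ROOT\CLSID. It assumes a Windows machine with cmd.exe and PowerShell 5.1 or later; the function name Resolve-LastAssocClsid is my own.

```powershell
# Added example: show what the CLSID at the bottom of ASSOC output actually refers to.
# It is a registered COM class for a file type, not anything unique to your PC.

function Resolve-LastAssocClsid {
    # ASSOC lists file-extension associations; the scammer reads out the last one.
    $lastLine = (cmd.exe /c assoc) | Where-Object { $_ -ne '' } | Select-Object -Last 1

    # Expected shape: ".ext=CLSID\{GUID}" (an extension handled by a COM class).
    if ($lastLine -notmatch '^(?<ext>\.[^=]+)=CLSID\\(?<guid>\{[0-9A-Fa-f-]+\})') {
        return [pscustomobject]@{ Line = $lastLine; Extension = $null; Guid = $null; Name = $null }
    }

    $guid = $Matches.guid
    # The CLSID lives under HKEY_CLASSES_ROOT\CLSID; its default value is the class's display name.
    $key  = "Registry::HKEY_CLASSES_ROOT\CLSID\$guid"
    $name = $null
    if (Test-Path $key) {
        $name = (Get-ItemProperty -Path $key).'(default)'
    }

    [pscustomobject]@{
        Line      = $lastLine
        Extension = $Matches.ext
        Guid      = $guid
        Name      = $name
    }
}

# Run it on two different Windows PCs: you will get the same extension, GUID and name on both.
Resolve-LastAssocClsid | Format-List
```

The script only reads the registry (Get-ItemProperty); it never writes to it, so it is safe to run on a machine you are checking. Comparing its output across two machines makes the article's point concrete: the entry is a standard file-type association shipped with Windows, which is exactly why the caller can "know" it without seeing your screen.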
Getting help if you have been scammed:
Getting scammed is one of the worst feelings to experience. In many ways you feel like you have been violated and are really angry to have let your guard down. Perhaps you are even shocked and scared and don’t really know what to do now. The following tips will hopefully provide you with some guidance.
If you already let them in
1. Revoke remote access (if unsure, restart your computer). That should cut the remote session and kick them out of your PC.
2. Scan your computer for malware. The miscreants may have installed password stealers or other Trojans to capture your keystrokes. Use a program such as Malwarebytes Anti-Malware to quickly identify and remove threats.
3. Change all your passwords (Windows password, email, banking, etc).
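One way to confirm that step 1 actually worked before moving on to steps 2 and 3 is to check whether any remote-support tool is still running and still connected. The PowerShell snippet below is an added example, not from the original article; the process names it looks for (TeamViewer, TeamViewer_Service, AA_v3 for Ammyy Admin, LogMeIn, LMIGuardianSvc) are my assumptions about how these tools usually appear and may need adjusting for your machine, and Get-RemoteSupportProcess is my own function name. Get-NetTCPConnection needs Windows 8 / Server 2012 or later.

```powershell
# Added example: list running remote-support tools and their live connections,
# so you can verify that a remote session is really gone.
# Process names are assumptions; add any tool the caller had you install.

function Get-RemoteSupportProcess {
    $knownNames = @('TeamViewer', 'TeamViewer_Service', 'AA_v3', 'LogMeIn', 'LMIGuardianSvc')
    $procs = Get-Process | Where-Object { $knownNames -contains $_.ProcessName }

    foreach ($p in $procs) {
        # Established TCP connections owned by this process are the remote session itself.
        $conns = Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
                 Where-Object { $_.State -eq 'Established' }
        [pscustomobject]@{
            Name        = $p.ProcessName
            Pid         = $p.Id
            Path        = $p.Path
            RemoteHosts = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
        }
    }
}

$found = Get-RemoteSupportProcess
if (-not $found) {
    'No known remote-support tool is running.'
}
else {
    $found | Format-Table -AutoSize
    # Stop anything you did not start yourself (a reboot does the same job if unsure):
    # $found | ForEach-Object { Stop-Process -Id $_.Pid -Force }
}
```

Run it from an elevated PowerShell window so that process paths and connection details are visible for services as well as user processes. An empty result after a reboot is what you want to see; anything that reappears on its own is a reason to go straight to the malware scan in step 2 and to uninstall the tool.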
In some cases (you did not pay or called them names), scammers will seek revenge on your machine. Here are some things they might try and what to do to recover from them:
Master password lock out
There are various ‘hacks’ to reset that password. One method is to use a Linux boot CD to mount Windows and then use the chntpw utility. It is described here.
Missing software drivers
First, try to do a System Restore. If it fails, you should be able to reinstall them by going to the manufacturer’s website and downloading the appropriate driver.
Missing files
First, try to do a System Restore. If it is not available, check for backups you may have made and stored somewhere else. As a last resort, there are programs that can scan your hard drive and attempt to recover the missing files.
If you already paid
Contact your financial institution/credit card company to reverse the charges and keep an eye for future unwanted charges.
Reporting the scam
Report the scam
In Canada: Contact Law Enforcement
In Australia: Report a scam | Report telemarketing abuse
In India: Report Fraud
In Norway: Police Economic Crime Unit
In Ireland: Garda Síochána Bureau of Fraud Investigation
In Germany: Daten Schutz
In Netherlands: Spam Vrij
In Belgium: FGov.be
In Denmark: Fs.dk
Report misleading ads
“TrustInAds.org comprises a group of Internet industry leaders that have come together to work toward a common goal: Protect people from malicious online advertisements and deceptive practices.” Report misleading ads here.
Shut down their remote software account
Write down the TeamViewer ID (9-digit code) and send it to TeamViewer’s support (they can later on block people/companies with that information).
LogMeIn: Report abuse
I hope it helps. Cheers.