Playing with scammers

My wife got an unexpected call on her mobile:

“Hello, this is Kevin from BT Openreach. You have a problem with your Internet connection…”

“Kevin”, who has a suspiciously strong Indian accent

I’ve been waiting for one of these “tech support scams” for ages but, needless to say, they never call when you’re ready. This one is particularly amusing because we have Virgin cable, which is completely independent of the BT local loop. Trying to keep a straight face, I strung him along while I fired up a Windows virtual machine and started my recording. This is what happened.

Step 1a. Establish credibility: namedropping

One study suggested that scammers deliberately make their approaches implausible to weed out the savvy. This triage step helps them focus their efforts on the (more lucrative) truly naïve. That’s why the famous Nigerian 419 scams keep coming: most of us laugh at them, but the few who pursue them are rich pickings. The art of marketing has been distilled[citation needed] into satisfying the three primary motivations of humans: namely, that they are lazy, greedy and horny. That certainly covers 419s and dating scams, but it misses the big one that has been used to motivate people for all of human history: fear.

FUD (fear, uncertainty and doubt) arguably helped Microsoft establish its dominant market position in the 1990s. I remember arguing with a computer salesman at the time who genuinely believed I was breaking the law by running Linux unless I’d paid Microsoft for a “Linux licence”. That kind of ignorance is (mostly) historic now, but new fears have arisen in its place.

Teh Cyberz. 1337.

Yup, “teh cyberz”. OK, mea culpa. I’ve spoken at conferences about the threats and risks of information systems and operational technology. I’ve cited case studies of destroyed equipment and billion-dollar losses. It’s certainly helped keep me in business, but now I tone it down. Why? If the threat is presented as being like nuclear annihilation then my customers won’t buy my services. They’ll go to the pub singing “Always look on the bright side of life”. It’s important to offer a path out: a step-by-step roadmap toward a better future. People will gravitate towards someone who promises to lead them to this promised land. “Buy my services and I’ll make your computers safe” or, at macro level, “vote for me and I’ll deal with your perceived threats”.

If I’m not very tech-savvy and someone clever from BT Openreach told me I had a complicated problem that they could fix, I’d likely accept it with gratitude.

Step 1b. Establish credibility: use big words

This is another example of the convergence between marketing and scamming (I leave it as an exercise to the reader to determine the width of that distinction).

My washing powder has Enzymes! That’s awfully clever, it must work very well. I’d be happy to spend a fortune on something containing “Aqua”, but would not be so happy to spend my money on something that’s mostly water. And so on.

A casual user has probably heard words such as “bandwidth” and “latency” thrown around in the context of their Internet connection. In this case, the scammer directed me to visit www.speedtest.net. This is entirely legitimate: it has no connection to the scammers and is indeed a useful way of checking your Internet connection.

The results page contains… many numbers and acronyms! As an average user, I’d be feeling a bit lost. Fortunately, Kevin-who-is-definitely-not-in-Bangalore talks me through it and tells me that my ping time is “very bad sir”. (It’s actually under 20ms, but I told him 100ms to see his reaction).

The script writers of Star Trek: The Next Generation would write “(TECH)” as a filler when a character had to expound on some pseudo-scientific gobbledegook. It became known as “technobabble”, or “Piller-filler” (after the executive producer Michael Piller).

You’ll see something similar in the (original) Doctor Who. The Third Doctor, Jon Pertwee, wasn’t very good at remembering his “techie” lines so he focussed his efforts on perfecting one phrase. That’s why the solution to seemingly all of the Third Doctor’s conundrums was to “reverse the polarity”. You’ll witness the same thing in business these days when a senior executive learns terms like “Agile Development” or “DevOps”. Never let Dr Who touch your UPS.

So the clever man from BT Openreach says my ping time is bad, whatever that means. I guess I need his help then!

Step 2. Establish access

Right, we’re getting into Cyber Kill Chain® stuff now. So far we’ve had a nice chat and I’ve visited an innocuous website. Now he needs to get access to my computer and establish persistence.

Legitimate tech support services can access your computer remotely using a variety of tools. Obviously you have to trust the person at the other end. Kevin seems like a nice chap, so I follow his instructions to install AnyDesk on my virtual machine and to allow him to connect to it.

[Screenshot: AnyDesk “New Session” window showing an incoming session request from “BT OPENREACH SERVER” (934927285), “would like to view your desk”, with Accept and Dismiss buttons, timestamped 13:14.]
Windows 7 VM with the scammer connecting to my AnyDesk session.

Oh look, it even says “BT OPENREACH SERVER”. Must be legit. Better click Accept, then.

[Note: if you work for AnyDesk you may want to have another look at your customer with ID 934927285]

That’s got them access to my computer, which is fine until I close the window. Now any self-respecting black-hat will want to…

Step 3. Establish persistence

Fortunately, AnyDesk makes this easy. Kevin talks me through configuring AnyDesk to allow him to connect to my computer whenever he wants:

[Screenshot: AnyDesk Settings > Security. Under “Interactive Access”: “Always show incoming session requests” (selected), “Only show incoming session requests if AnyDesk window is open”, “Never show incoming session requests”. Under “Unattended Access”: “Enable unattended access”, “Set password for unattended access”, “Allow other devices to save login information for this desk”, “Enable Two-Factor Authentication”. Under “Override standard permissions”, other users are allowed to “Hear my device’s sound output” and “Control my device’s keyboard and mouse”.]

As entertaining as this is, it’s coming to the end of my lunch break and I’ve got work to do. So I type in a different password to the one he tells me to use (specifically, I put a “1” on the end of it – they’ll never guess!).

Kevin takes me back to www.speedtest.net and, whaddya know, my ping time is 20ms! Thanks, Kevin!

Many cyber crime groups now specialise in a particular phase of the operation. Some organisations will gain persistent access to lots of computers and then sell this access to other organisations that want to use those computers for nefarious means.

Kevin has now earnt his sales commission from this mug so he passes me on to the “Senior Department” to do this second-stage mischief.

Step 4. Profit! Oh, wait…

Oh noes! Their password doesn’t work!

Here’s a recording of the last minute. Some vague technobabble about my firewall.

Was it something I said?

You can almost hear the cogs turning: that’s weird… there doesn’t seem to be much installed on this computer and the desktop contains instructions for rearming the VM.

Wait, did he just say “I want you to minimise the payload”? Oops!

So yeah, he hangs up on me. How rude!

It’s possible that they planned to come back later, but I wiped the VM so that won’t be happening. I guess Kevin didn’t get to ring the bell this time.

He’ll be fine. He’s a scammer, and there’s one born every minute.
