Today, someone called me and tried to hack my computer over the phone.
I was hanging out with my kids when the phone rang. I don’t usually answer the house line. It’s almost never for me. This time, however, it was from a 212 area code. New York. And caller ID identified it as what appeared to be a regular person, K. Bernstein, not “Unknown Caller” or “Unavailable”. Those are most definitely someone asking for money or some other person I’m really not interested in talking to, but I thought I’d see what K. Bernstein in New York wanted to discuss.
Enter Matthew. Well, I don’t remember what exact name he used. But it was a common American name, which didn’t necessarily go along with the thick accent I could barely interpret. All I knew was, Matthew was calling me from a very busy call center. The background noise made it even harder to figure out what he was saying. But he made sure to let me know why he was calling right away. He let me know that he was from Microsoft. And he wanted to let me know that my computer let him know that it had viruses all over it.
Microsoft? Calling me? Wow. I’m impressed. Microsoft isn’t quite known for their free customer service. But Matthew wanted me to know that he was calling because he wanted to clean the viruses off of my computer. Matthew doesn’t know me. He doesn’t know that I’ve been working in computer security for a long time. And he doesn’t know that I am well aware that not only does Microsoft NOT call people, but my computer also doesn’t let Microsoft know about its current state of virus infection. But, as one in my profession can often be, I was curious. I wanted to see where he was going with this. So I played along.
I acted surprised, of course. And I acted as if I wasn’t very knowledgeable about computers. So then he said he would get his technical engineer to handle my call. He had me wait, listening to a lot of background noise for a minute, then he came back on and said he was “David”. Same guy, different name. Very covert.
He told me to turn on my computer. He didn’t point out which computer it was, should I happen to have more than one Microsoft computer in my house (which I do), but he was prepped should I mention that, as you’ll see in a moment. He said he wanted to “run some tests”.
He asked me about the keyboard on my computer, fishing for me to acknowledge that I had a “Windows key” (what I described as a key with four squares on it). He then had me hit that key and the letter R at the same time. This brings up a window that allows you to run commands. This is his attempt at being sneaky. He could have had me open up Internet Explorer or Chrome and type in a website. By making me do it this way, it was more “covert” and seemed “more technical”, but it does the same thing.
So, he tells me to type in a URL (a computer geek term for a website name). The website he wanted me to go to was one of the many “remote control” sites out there. If you’ve ever used technical support and allowed someone to take control of your computer, that’s the type of site. It wasn’t GoToMyPC or Join.Me, but it was something like that, called TeamViewer (don’t visit this site right now). Since this was where I knew he was going to “have” me (or, “0wn” me, for you computer geeks out there), I thought it was time to “validate” that he really worked for Microsoft.
It’s a Matter of Trust
When I asked him how I could trust him, he said he understood I was cautious, so he would show me that he was getting information from my computer by validating my CL SID. Do you know what a CL SID is? Um, neither did I, and I work with computers for a living. But that’s cool. I Googled it while on the phone with him.
So, he has me run a command to show “my computer’s CL SID”. Then he reads me the CL SID that he thinks I have, to “confirm” that he’s got the right computer. It’s a long string of letters and numbers, confusing, and really official sounding. And, he had me run a command on my computer, and he knew the output, so the fact that he knew what it said must validate his authority, right?
Google “are clsids unique?” and you’ll see a bunch of articles (965,000+ as of this writing) about how not only is this value shown with this guy’s command the same for every computer, but how people all use this trick as part of the “help desk scam”.
I totally get it. So, to the average person, a string of characters may seem valid, especially by someone who says they know what they are talking about. And, the words “computer virus” scare a lot of people! But do people still fall for this? Well, yep, I guess so. They must fall for it enough that there is a call center in New York filled with loud people trying to get people to visit the TeamViewer website. (Public Service Announcement: Don’t go to it.)
I Finally Call Out The Help Desk Hacker
I think it’s time to call BS on this Matthew David guy, my personal help desk hacker. So the next question he asks me is, “What do you see now?” And I respond with, “I see a bunch of Google links saying that this is a scam.” He immediately responds, very calmly, “You can just close that.” Smoooooth. Well, I do have to say that he gets an A for effort there.
That’s when I decided to tell him that I knew he didn’t work for Microsoft, and there was no way he was going to get me to give him access to my computer. I may have called him an “Internet Troll” as well. I know that’s not the exact usage for the term, but it just came out. Ah, well. He can correct me in his own blog. Instead of saying anything at that time, he just let me listen to the incessant background noise without responding until I hung up.
So, there you have it. I wanted to see what he’d do. He tried a common hacking technique called Social Engineering. It’s basically an official sounding term for conning someone. Trying to get them to give you information or do something for you by making it sound “really official.” Sometimes they try to sound like they are helping you, or like they need help from you (lots of people still like helping their fellow man so they fall for this one). Sometimes they try to sound like a high ranking company official. Or maybe they are just calling to get you to donate money to them, pretending to be from a cause. Either way, it’s all the same con/hacking technique.
What’s the Point?
So why did he want this in the first place? If I had logged into his website, he would have tried to take control of my computer. He could then upload software, download my files, make my computer a SPAM generator, place software (called a bot) on there so he could get to it in the future and use it for hacking other sites, storing illegal stuff, etc. There are so many things that people can do with your computer, you may be very surprised.
Anyway, that’s my tale of the evening. I hope someone read it and learned something. And it does seem like common sense to not fall for this kind of thing, but we all do have our moments, and anyone can be conned under the right circumstances. Yep. Even you. Even me. It just wasn’t my turn.
Thanks for reading. I generally write about islands and Jim Thorpe and business, but if you are interested in more about computer security and defending yourself against hackers, leave me a comment or send me a message. I’d love to hear from you. And before my nephew asks, no, I won’t explain how to hack, just how to protect against it.