HTG (So We Had Fun with Them) - The “Tech Support” Scammers Called HTG (So We Had Fun with Them) - The “Tech Support” Scammers Called HTG (So We Had Fun with Them) - The “Tech Support” Scammers Called It seems like every day there’s a new scam targeting unsuspecting victims. And this time, it was the “tech support” scammers who got our attention. Here’s what you need to know if you’re ever contacted by someone claiming to be from tech support. ..


The caller said “I’m calling you from Windows tech support.” The fake tech support scammers made the mistake of calling us today and we played along to learn their tricks just for fun. Here’s what happened.

RELATED: Tell Your Relatives: No, Microsoft Won’t Call You About Your Computer

For the uninitiated, we’ve already covered this subject before — for years now, these scammers have been cold-calling people, claiming to be from Microsoft, trying to convince them that their computer has viruses, and then asking the “customer” to pay them to fix the problem. You’d think the government would make this type of thing stop… but years later, these scams still exist.

Today, we received one of these calls and decided to play along just for fun. Here’s our story.

“I’m Calling You From Windows”

The phone rang, an unknown caller from (404) 891-5588, an area code that covers Atlanta, Georgia. The person on the other end seemed like they were fumbling around with something, and didn’t say anything right away. In the background, you could hear the busy sounds of a badly organized call center, barely different than somebody calling you from a bar.

“Hello? I’m calling you from Windows tech support“, he started with, in a thick accent that I could barely understand. “Our servers have detected viruses on your PC. Are you aware of this?“. This was the second time in a week that he had called me — the first time I couldn’t understand what he was saying, so he hung up on me, but this time I was prepared. “No, I didn’t know about that. What does that mean?”

He proceeded to tell me that my computer was reporting viruses to their servers, and he needed me to verify my consumer license ID to make sure that it is really my PC with the viruses. “Can you write down this number?” he asked, before rattling off an alpha-numeric code for me to jot down. 8, 8, 8, D as in dog, C as in cat, A as in apple, 6, zero. Can I read that back to him? I did, 888DCA60, and he confirmed it.

At this point I scrambled to boot up a newly installed copy of Windows in a virtual machine that I luckily had ready.

Next he asked me if I was in front of my computer, and once I was, he asked me to press the Windows key and the R key at the same time, and then told me to type C, M, D and press enter. Once I had done so, he asked if I could type “assoc” and press Enter again. The desire to start laughing was almost unbearable, but my curiosity made me hold on to see what nonsense they were about to tell me.

“Can you read the longest line near the end please?” I did so, noting that the numbers were the same ones that they had made me write down earlier, as I finally started to figure out the game.

That long code, {888DCA60-FC0A-11CF-8F0F-00C04FD7D062}, is actually a CLSID, a globally unique identifier found in the Windows registry, and it’s used to tell Windows the place in the registry that handles that file extension. Because assoc.exe, the command they asked me to type, is actually used to display which file extensions are associated with which applications, and has nothing to do with viruses at all. The added benefit to the scam is that the ZFSendToTarget extension is always going to be near the end, and look scary to your grandmother.

“See, that is the same code we asked you to write down. That confirms that we are calling you from Windows and you have a virus on your computer“.  Ahh… this is going to be fun. “Can you type the following into the window now?” 

He proceeded to ask me to open Event Viewer by typing eventvwr and pressing enter, and at this point I was growing tired of verifying every single thing that I was seeing on the screen to him. What do you see in the upper left corner of the screen? What do you see in the upper right corner? The sheer precision of this cold-calling script was impressive, but very irritating when when you know what’s coming next.

Which, of course, was to filter the System Event Log by only critical errors, and then proceed to tell me that my computer is showing a lot of errors. He made me read off the number of total events before knowingly telling me that he was seeing the same thing on his end.

At this point he said that he was going to transfer me to his more advanced tech support guy to look into the problem further. I didn’t realize until later that this was part of their scheme to look like a real call center, but also to theoretically (and wrongly) avoid getting in trouble for scamming you.

You’re Going to Take Control of My PC with Weird Russian Software? Sure!

The next guy on the chain — who was much easier to understand — proceeded to get me to type in a URL into my preferred browser (yes, he asked me which browser I prefer), spelling out a tinyurl.com short URL character by character, and then asked me to read it back to him. Press enter, he said, and then once again with the extremely precise script…  “What do you see on the screen now?” I’m asked to go ahead and click the Run button, and then the script went off target a little, because he forgot to tell me to click Yes on the UAC prompt. I think he said something about Continue, but I was excited to see what was going to happen next and jumped the gun. Yes, connect to my virtual machine, you scammer! (No, I didn’t say that out loud)

I was surprised to see that they weren’t using TeamViewer like most of the scammers I’ve read about; instead, they were using a weird program called Ammyy Admin, which appears to be by some company in Russia. Common sense should tell you everything you need to know, but a little web research shows that it isn’t a company you should trust with your money. Or your computer. Avoid. I didn’t, and told him the ID code, clicked Remember and Accept to let him into my PC. In case you were wondering, the IP address mapped back to a server in the US.

At this point, the guy proceeded to look over a few things, and go through most of the same steps that the last guy just asked me to do. He explains that he needs to check Event Viewer, and then sounds troubled about what he’s finding. There are a lot of viruses all over my computer, he continues to tell me, and all these errors in Event Viewer are very bad.

They Pull in the Closer

He needs to transfer me to somebody else to try and see if they can diagnose the problem. The third guy has a different accent, more eastern. While the first guy was almost unintelligible, and the second guy spoke clearly, this accent was different enough that I immediately noticed the difference. Or was it something else?

Sure enough, it was more than just the accent: this guy wasn’t on the same script. He sounded a bit more knowledgeable, a little less scripted, and didn’t have any issues navigating the computer. That’s when I realized that he was the closer — it is his job to close the deal, convince you that your computer is infected and they can fix it for you. That’s also when it started getting fun.

First, he told me that he needed to run a scan of my computer to find out what is going on. He did so by opening a command prompt and running a tree /f command. Have you ever done this? It takes a fairly long time… because it’s listing out every single folder and file on your computer in a “tree” format, and of course, it has nothing to do with a virus scan. It’s just like typing dir or ls at a command prompt, it just shows you the list of files.

This is where he got really tricky. While the command was running (a good minute or so on my VM), he was typing in “security breach..trojans found..”. Of course, you won’t see what he was typing because everything is scrolling by, and the shell is holding that input until after the output is done. So once he’s done typing the message, he uses CTRL + C to stop the tree command from going forever. And now you see his fake error message. You have to admit, it’s a little awesome.

“Ohhhh“, he says, “That’s not good. Security breach and trojans are found. Do you know what a trojan is?“. He proceeds to tell me all about how trojans have infected my computer, and that he is going to need to look into it further, but it’s definitely not a good thing. Is my computer ever slow? Do I ever get error messages on web sites?

$175 to Clean My PC?

He’s pretty sure that I’m convinced, as I’ve done a pretty good job of leading him on, I hope. He goes in for the kill: “You are going to need somebody to clean your PC of all the viruses and trojans. You can either take it to a local repair shop or we can help clean it for you.” I respond with “OK, but how much is that going to cost me?” He starts rambling about how it will cost $175 but that will not only clean my computer but give me a year of support.

The cleaning process is going to take 1 to two hours, during which time they are going to install Windows Defender and run scans of my whole computer, and make sure everything is cleaned and updated. He’s going to need to transfer me to somebody else to actually collect my money and do the fixing, of course.

I’m a little skeptical. He can tell. What he doesn’t know is that I’m laughing and trying not to let him hear.

He proceeds to open up my System Information and start looking around, which is when I realized that the jig might be up — I mean, it’s a virtual machine. The system model is VirtualBox, and the name of the computer is WIN81VM10… how can he not notice? Somehow he doesn’t, and proceeds to tell me that my BIOS is really out of date, and hasn’t been updated since 2006, completely ignoring that my BIOS is by “VirtualBox”… but slowly the pieces start falling into place. He starts asking me when I got the computer, when the last time I updated it was. He’s doing his best to sell me, but at this point I’m laughing like crazy and trying to cover the phone so he doesn’t notice.

He notices that the virtual machine only has 1.49 GB of RAM, certainly not normal at all, and not exactly possible in a real computer. He’s still trying to tell me that there’s a problem with my computer, but he keeps puzzling over the RAM, and then he realizes that if I “just bought the PC”, it wouldn’t have a BIOS from 2006.

I can’t take it anymore, so I just flat out ask him “Do people really pay you $175 for this scam?”. He knows the jig is up, and starts laughing nervously for a brief moment, but he refuses to break character or give me any more information. He starts asking why on earth I am accusing him of trying to scam anybody. He’s just trying to help me clear off the viruses and trojans on my computer. Hilariously, he starts reading the definition of “scam” from the dictionary, and then tells me that I’m a bad liar. He knew the entire time that I was a computer person.

I start to ask him where he is really located, he says Sacramento. I point out that his area code is from Atlanta, and he says he doesn’t have time to answer silly questions. I ask if he’s really from Microsoft like he claimed he is. That’s when he points out that he never said anything of the sort. He never asked me for my credit card card or tried to screw me out of money. He isn’t doing anything wrong. If it was a scam why would he have suggested that I take it to a repair shop? (He repeats this at least 10 times. This can’t be a coincidence). And that’s the game he sticks to for at least 15 minutes of trying to get him to admit anything about his operation.

You see, the first guy calls and claims he is from “Windows” and you have viruses. Then the second guy gets you to connect, and then the third guy tells you that it’s going to cost you money, and transfers you to the fourth guy who we assume would take your money, do nothing useful with your PC, probably install trojans on it, and then leave you feeling like a sucker.

And that’s the tale of how I wasted 41 minutes having fun with a scammer.