Windows tech support scammers have fleeced an unbelievable number of people out of their hard-earned cash. One geeky vigilante decided to turn the tables.
Now, plenty of tech-savvy folks have had a little fun at the expense of these fraudsters. Generally they play along and waste as much of the caller’s time as possible and watch them harmlessly fiddle with a virtual machine. This guy took things to the next level.
Ivan Kwiatkowski knows plenty about how these shenanigans go down, and unfortunately for the would-be scammer on the other end of the remote connection he also knows a fair bit about social malware. Kwiatkowski played along, allowing a scammer named Dileep to connect to his virtual machine — which he’d intentionally left vulnerable — and played dumb while various DOS commands were run to make him think his machine was riddled with malware.
He was told that everything could be remedied by purchasing a “tech protection package” for the bargain price of €299.99 (about $335 at today’s exchange). That’s pretty steep — more than the ransoms demanded by some malware — but Kwiatkowski played along. He quickly produced some test credit card digits and relayed them to Dileep.
When the charge wouldn’t go through, he pretended to be confused and produced a new set of numbers. Those didn’t work either, so while his “tech support agent” tried to figure out why with his “manager” Kwiatkowski got an idea… an awful idea. He got a wonderful, awful idea.
He’d already noticed that the remote control software the scammer was using allowed him to send and receive files. So he turned to his inbox, where he had several samples of Locky ransomware variants. He grabbed one, renamed it to look like a digital photo, and fired it over.
Kwiatkowski feigned vision trouble and suggested that Dileep just have a look at a picture of the credit card instead. It certainly sounds like he did, though, strangely, the picture must’ve been corrupted… because nothing came up on his screen when he double-clicked it.
That’ll soon change, though. A ransom notice ought to be appearing any time now.
Aug. 14, 2016