Security: Scam Involving the "assoc" Command on Windows
My dad sent me the following:
Today I received a call from a Mark Atkison. He claims to be with Windows Technical Services, located in (or on) Brainbridge Island, Washington. Phone number 206-201-2413
Mark claims for the last two weeks my computer has been downloading online infections, junk files and miscellaneous viruses. I asked him about my “online ID number” Mark said my “customer license Security Identification number is: 888DCA60-FC0A-11CF-8F0F-[deleted]“. Mark said I could verify this by pressing the Windows key and r at the same time.... That would open a “run box” When the run box opens I was to type ASSOC. When I hit the Windows key + r, I saw a box open with “cmd”... which I figured stands for “command”. If I remember correctly, I erased the “cmd”. I was to type ASSOC. When I did, I saw something come up with “exe”. By the way, when I typed in ASSOC, I would not hit enter. I thought this might be some kink of scam or bull shit. I told Mark I was going to contact my son who is a high end programmer. Mark said I could call him back at the number listed above and refer to, “Docket number Yash 120695”. Mark told me they will show me the error and warning reports they have been receiving from my computer or lap top operating system.
This evening, I looked up Brainbridge Island, Washington... I found there was no Braindridge Island, Washington. There was however a Bainbridge Island, Washington (no “r”). Did I make a mistake? I'm not so sure I did. I had him spell out everything. I did a Google search for the phone number he gave me.... I found the following:
Match Found! We found phone number (206)201-2413
See Full Results
Received a call from (206)201-2413? View the comments below or add a comment of your own for 2062012413. Remember to not reveal personal information. Tell us about 206-201-2413. What time did they call and what was the call about?
Anonymous Monday, 19 May, 2014 15:19
Yes this is a scam call, beware do NOT install anything on your computer. They will records all your personal infoAnonymous Monday, 19 May, 2014 15:12
was this a scam call???Anonymous Friday, 16 May, 2014 16:00
They told me windows was receiving a virus report on from my computer.I think my instincts were good and your assessments were right on. Needless to say, I will not be calling Mark.
Best wishes to you and yours,
Dad
Apparently, the assoc command in Windows can be used to change file associations. The attacker could use this to convince you to treat .txt files as .exe files. Then, he could give you an executable that has a .txt extension. You would think it was safe, but when you opened it, it would run the executable, thereby taking over your computer.
At least, that's what I think is going on. I'm not 100% sure. It kind of seems like a like of work for the attacker since it involves him calling people manually.
Comments
http://arstechnica.com/tech-policy/2012/10/i-am-calling-you-from-windows-a-tech-support-scammer-dials-ars-technica/
I had had some fun with a woman with an Indian accent about a year ago, getting her as far as transferring me to a manager because I insisted that THEY tell ME my computer's ID, if they really had been able to see that it had viruses. (I was in a mean mood, a close friend having been scammed that way into giving her credit card number.) The new lady took the bait and gave me an ID for my computer that consisted of around 37 digits and letters (and every time there was an S or F, or a V or D or B, I "confirmed" by asking if it were the other letter. I hung on till the end, writing it all down, and then said I would check the ID myself and if the number they gave me was right, I would trust them if they called again. They didn't! To give them credit, neither lady got ruffled when I kept playing dumb and had to be instructed over and over.
This morning's caller was quite different. From the outset, he was breathing heavily after each sentence as if nervous. As the call progressed, he frequently adopted an angry or bullying tone and avoided giving real answers to questions. He claimed to be with a Windows Tech. support company "certified by Microsoft," and when I said I had heard that 'hackers do things like what he was doing to get access to people's computers,' oh, was he indignant, going on and on about how 'hackers would never call people in order to help them.' It was hard not to laugh.
When I insisted on his giving me my computer's ID number before I would look it up, he hesitated and said he would call me back. I said, "I doubt it, because you're a scammer," but he must not have heard me because he did phone again about 15 minutes later. (When I later checked it, the number he gave me was the one that I guess most--or many Windows PCs have near the bottom of the list in the event viewer, which I had declined to bring up, on the grounds that I was afraid to hit enter after typing "assoc.")
But now, before I agreed to bring up the event viewer, I insisted on one last test: checking his credentials by using his name or the name or number of his company by which Microsoft would recognize them, if they were really certified by MS. Asked for his name or his company's ID, he evaded by saying I could find Microsoft's number and call them, but he wouldn't give me anything on his company. Of course, I knew that he would give up on me if it reached the point where I checked on him with Microsoft.
Hopefully, he was young and not in danger of having a stroke, because during our two conversations, he seemed always teetering on the brink of rage, sometimes already over the edge and unable to hold it down. I was tempted to tell him that a good scammer had to know how to keep his cool, but I didn't. Why help him to develop his skill to scam someone else?
3rd May 2017
They say they're getting all this information about problems with your machine, but they refuse to tell you anything about your machine. No IP address, never telling you anything about which version of Windows you might be using, not even half-way plausible info. And if their instructions don't work, all they can say is do the same thing again.
Odd how I never mentioned that I am running Linux. How careless of me.