Security researcher turns the tables on cyber-scammers

Researcher describes how he toys with tech support scammers before tricking one into installing ransomware.

Steven Musil Night Editor / News

The message Ivan Kwiatkowski's parents received warning them of the (fake) infection. (Image: Ivan Kwiatkowski)

Have you ever gotten a phone call, email or pop-up from someone trying to scam you with an obviously non-existent problem with your computer that will be expensive to solve?

French security researcher Ivan Kwiatkowski knows how you feel, but he wasn't content with hanging up or uttering a few choice words of reprimand. He decided to give them a taste of their own medicine, as he described in a blog post earlier this month.

The tech support scam has been around for the better part of a decade, bilking an estimated 3.3 million people in the US out of more than $1.5 billion in 2015, according to Microsoft. Your typical scam, as described by security software maker Malwarebytes, is pretty simple: Pretend to be from a reputable company such as Microsoft, trick the victim with phony error messages and then collect money with the promise of resolving the issue.

But when his parents received a warning that their computer was infected with the Zeus virus, Kwiatkowski decided to have some fun, booting up a virtual machine and calling the tech support number listed. Following the support rep's instructions, Kwiatkowski downloaded a remote-assistance client that gave Patricia -- his support rep -- access to the files on the virtual machine.

She begins berating him about his poor computer hygiene. Staying in character, he innocently spars with Patricia about an alleged hacker she has identified as attached to his computer, her location, and even basic computer definitions. But he throws her for a loop when he asks where in Paris he can purchase the $190 software necessary to repair his system. She informs him that it's an exclusive program "distributed only through Microsoft's premium partners and Microsoft's secure channels."

"Oh, so I just have to get it from microsoft.com then?" he asks. She pauses but answers "yes," and the call ends soon after when it becomes apparent that she has nothing to sell him.

But Kwiatkowski wasn't quite done toying with his scammers. He called back, getting a different assistant who tried to sell him on the software again. Still in character, Kwiatkowski offered a series of fake credit card numbers that baffled a team of operators he could hear in the background attempting to charge the accounts.

"That's when I'm hit by a stroke of genius," he says in his blog post. He retrieves a sample of the latest Locky ransomware and emails it to his new tech support rep under the guise that it's a picture of his credit card. As the ransomware quietly encrypts the rep's files, Kwiatkowski offers more fake credit card numbers before the rep gives up.

While the ransomware could be considered a nice salvo against scammers, Kwiatkowski says his real goal is to waste their time, making the scamming operation less profitable.

"Scammers don't have the time to separate legitimate [victims] from the ones who just pretend," he says. "Their business model relies on the fact that only gullible people will reply."

Whether he made a dent in their operation is up for debate, but you can follow Kwiatkowski's adventure in crime and punishment on his blog.