WARNING TO ALL MICROSOFT WINDOWS USERS

Issued on the web for the first time on 20 September 2011. Verbal warnings have been issued to people before. New section on crusading against the scammers below.

There is an ongoing outbreak of unsolicited support calls, purporting to be from Microsoft, or some other company on their behalf, offering Windows support. They often claim that your computer has a virus or is running slowly.

These calls are not genuine, even if they are able to identify you by name and location. The whole purpose of these calls is more than likely to infect your system with various kinds of malware.

The most important thing is that you do not carry out any of their instructions on your computer.

How to respond to these calls at home

If you receive one of these calls at home, it is best to ask for details of the problem so that you can ask your engineer to take a look at it. This will normally either totally baffle them or make them very angry. Alternatively, you could simply tell them you are wise to this scam and that they should stop calling.

Of course, if you have a computer running something other than Microsoft Windows, you could always try to waste their time... if you have time to.

How to respond to these calls at work

If you get one of these calls at work, ask for the name of the person calling you. If your employer's IT section uses any kind of ticketing system, also ask for the ticket number. Then tell them that you will call back. Do not use a number they give, or one they try to offer. If the call even gets to this point, I would be surprised, but hang up, and call your local IT section on their usual number. If the call was genuine, they will be able to put you through to the right person. If the call was not genuine (the most likely scenario), your IT section will be pleased that you handled the matter correctly, and may also remind the rest of the staff that this is still ongoing.

Remember, these calls are not normally genuine, and you should never follow any instructions given to you in an unsolicited telephone call or instant message.

PHIL'S CRUSADE AGAINST THE SCAMMERS

I have started my own crusade against the scammers - I will be publishing any calls I receive from them here, together with notes on anything that comes up during the call that I consider merits further explanation. Part of my aim is to occupy their time - while they're talking to me they can't talk to anyone else!

Call 1

You can listen to a recording of the call here.

First, notice the burst of ringing tone at the beginning of the call, after I said hello. This is often a sign that something dodgy is going on. The voice is very clearly south Asian. Her name sounds like "Naj", calling from "Windows Technical Department", no mention of Microsoft. She does state she's calling about my computer, so I can't pull the double glazing joke, giving a "service checkup call". Note that she never mentions anything about errors or downloads. I challenge her, but obviously she does not accept that I believe she is a scammer and says she will prove to me that she is not. I ask her how she is going to prove it... she asks if I am in front of my computer, which I am - though I haven't let on to her at this point that my computer is not running Windows. She treats me like a novice to find the Windows key. I follow her instructions, which on my OS do nothing, so I truthfully tell her so. She transfers me to her senior, "Mike Williams", who sounds remarkably Indian for someone of that name. This time I am asked to switch on my computer. To humour them I begin to start up my Windows VM, while at the same time asking questions about what they are supposedly seeing. In response to my challenge as to how he knows my computer has problems, he says they've had error reports containing my "Computer License Security ID" - and that my computer has been downloading "junk stuff". He says each and every computer "has their own Computer License Security ID", and also calls it the "CLSID". He never quotes it, despite me requesting him to. I tell him I want to be sure we're talking about the right machine, and he just spiels again. Around 4:20 into the call, he implies it will be any one of them... remember he told me each had its own CLSID? Brace yourself, it's about to get hairy! I not surprisingly raise my voice - and he accuses me of being an idiot, which I throw right back at him. Now he does get rude and abusive. 
He used the first obscenity (I have bleeped them out) but then I used a few afterwards too - once they start, fair game! Can't hear me? OK, I'll repeat it more quietly. I even tell him I've been wasting his time to stop him bothering anybody else. It isn't actually clear to me what he says next, but I was prepared to give him one last chance to at least quote the CLSID to me. As call 2 shows, that wouldn't have identified anything. However, he hung up as I asked. I was actually hoping I would annoy him enough to hang up, which is why I didn't.

Caller ID on this call was 006624837993 - possibly meant to be USA, but with the country code (1) missing.

Call 2

You can listen to a recording of the call here.

First of all, there is no such organisation as "World Wide Web" who would be calling. Amazingly, "George" holds the line - I really did have something else to attend to. He refers to my "Computer License Security ID number" - 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. After he explains this, I try to defeat him by telling him I know better - but he carries on. He still goes on as if it is a unique identifier for my machine. Around 4 and a half minutes I start asking how he has traced this to me. I even tried to point out that he cannot tie the CLSID to my phone number. I have bleeped out where he states a plausible representation of my phone number. I explain to him what I know about CLSIDs - Class IDs to expand on the abbreviation. The CLSID in fact identifies the "Send to" menu's "Compressed (zip) folder" function, and all recent versions of Windows have this. I ask him how he has tied a non-unique CLSID to a unique phone number, and he seems to want me to ask again, but then he terminates the call just before 7 and a half minutes.
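
The CLSID point above can be checked on any Windows machine. The PowerShell below is an added example, not part of the original page; the function name Find-RegisteredClsid is made up for illustration. It only reads the registry: given a full CLSID, or a fragment of one as the callers read out, it lists the registered classes under HKEY_CLASSES_ROOT\CLSID that match.

```powershell
# Added example: look up what a quoted "ID" actually is on this machine.
# Function and parameter names are hypothetical; only the registry is read.
function Find-RegisteredClsid {
    [CmdletBinding()]
    param(
        # A full CLSID, or any fragment of one as read out over the phone
        [Parameter(Mandatory)]
        [string]$Fragment
    )

    # Drop optional braces; allow only hex digits and hyphens so the value
    # cannot smuggle wildcard characters into the -like comparison below.
    $needle = ($Fragment.Trim() -replace '[{}]', '').ToUpperInvariant()
    if ($needle -notmatch '^[0-9A-F-]+$') {
        throw "Not a CLSID or CLSID fragment: '$Fragment'"
    }

    # Every COM class registered on the machine has a subkey here.
    $root = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName.ToUpperInvariant() -like "*$needle*" } |
        ForEach-Object {
            # InprocServer32 / LocalServer32 name the file implementing the class
            $server = foreach ($kind in 'InprocServer32', 'LocalServer32') {
                $sub = $_.OpenSubKey($kind)
                if ($sub) { $sub.GetValue(''); $sub.Close() }
            }
            [pscustomobject]@{
                Clsid       = $_.PSChildName
                Description = $_.GetValue('')   # default value: the class's name
                Server      = ($server | Select-Object -First 1)
            }
        }
}

# The value quoted in Call 2, then a fragment taken from the same value
Find-RegisteredClsid '888DCA60-FC0A-11CF-8F0F-00C04FD7D062'
Find-RegisteredClsid 'C04FD7D062'
```

Running the same two lines on a second, unrelated Windows machine and comparing the output shows whether the value distinguishes one computer from another.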

Caller ID presented on this call was 0016466123456 - if a genuine number, possibly a VoIP user somewhere in the world - not necessarily in the USA.

Call 3

The organisation making call 2 must be masochists, as I have received another call from the very same number. You can listen to it here.

The caller this time is called "Dominic" - once again claiming to be from "World Wide Web", which this time I challenge. I also challenge his assertion of this being a "server generated call". This time he states that my "Computer License Security ID has been deactivated by someone else" and that I have "some foreign IP address that has got connected" with mine. He gives me just the first half of the CLSID this time. I challenge the assertion that it identifies my computer. He also makes the claim that each computer has its own CLSID. He still tells me I can check it, and then goes on about the foreign IP again. I start asking him for more information on this. He continues to go on about error reports without telling me anything useful. He can't give me the address - the way he explains it, it's as though they don't have it - of course they don't, they're probably going to pull some stunt involving an address that can be found somewhere on every Windows box, given a chance. He claims he's not going to sell me anything, but I assert otherwise. I ask him to hold on a moment - I was about to start up my sacrificial VM, just for the hell of it, however, at this point the call terminated.

Call 4

You can listen to a recording of the call here.

After months of quiet, this call came in to an old number of my partner's that is diverted to our system. The silence at the beginning is a bit suspicious but once he gets going, he mentions my partner's name (bleeped out at 440Hz, as is all sensitive information on this recording). I challenge him twice, then ask how he proposes to prove he is calling about "my" computer - he quotes part of the same non-unique rubbish again. No, I don't actually write it down - it's on this web page! I challenge this and he says he'll show me - he won't accept that it's not unique. After that he starts swearing - 660Hz tones have been used over that on this call, to distinguish them from sensitive information. He seems to think that someone is laughing behind me - in fact, he asks me that twice. Just before 2:30 he makes a physical threat - well, two can play at that game, and he started it. He gets a significant part of the original address right - now his threats have escalated to using firearms! The second query about someone laughing behind me is answered by me just before 3 minutes - I say there's people behind him laughing. He says I'm acting smart - what a compliment - let's confirm it and throw this one out! Luckily for him I was actually too busy to have him burn himself out this time.

Caller ID on this call was 002645586873 - possibly meant to be Anguilla, but with the "1" missing from the country code. It probably isn't, nor is it Namibia.

Call 5

You can listen to a recording of the call here.

Actually the second call in as many days, but this time we got on far enough to hear how “Michael” believes he has identified my computer. It is, as you will notice, just the last 10 characters of the same old CLSID from above. When asked how this non-unique ID has been tied to my unique phone number, there is no answer and the call terminates.

Caller ID on this call was 02085000111 – purportedly but probably not London.

Note: if any party who can prove they are involved in the calls above would rather they were taken down, you may use my contact form. I cannot promise that we will be able to agree terms, though.