The scammers' modus operandi is practically always the same: they call users by phone, present themselves as employees of the Microsoft support center, and try to trick them into believing that their computer has been infected.
"They will then offer (for free) to verify if this is the case. If the victim agrees on this, they will ask the victim to perform certain actions, and also type certain commands, which will trick a non-experienced user that the output is actually showing that the computer is infected," explains Kaspersky Lab expert David Jacoby, who has recently receiving many of these calls.
According to him, German, Swedish and British users have lately been targeted, and likely others, too.
In order to try and discover who is behind these scams and where they are located, he let one of the scammers walk him through the process of "discovery" of the malware on his virtual machine and through the steps that would lead to him buying antivirus software.
The scammers misuse a number of legitimate tools (Windows Task Manager, Event Manager, etc.) found on every Windows computers in order to create the illusion that the computer is, indeed, infected.
Then, by using a Remote Administration Software called AMMYY, the scammers dig up an old, expired certificate from the Certification Manager and use it to "prove" that the user's computer hasn't been updated for a long time.
Having convinced the user, the scammers urge him to install software that would protect the computer from "viruses, malware, Trojans, hackers and other things," and allow the operator to "fix" his computer - all for $250.
"The operator then installed a program called ‘G2AX_customer_downloader_win32_x86.exe’ from the website www.fastsupport.com," Jacoby narrates his experience. "When this was done a chat popup come up. It was a person with the name 'David Stone' who informed me that my computer was no longer at risk."
Now, the user is asked to pay up. The scammers open up a PayPal form and wait for the user to pay either via his PayPal account or credit card.
Jacoby, of course, used fake VISA and MasterCard information. Then he urged the scammers to visit a website of friend that has supposedly made public his credit card information. But the site - sporting a static text saying “Hi, please connect from a different IP since your behind a proxy” - actually belongs to him, and once the scammers visited them, he was able to see from which IP address they came.
He also managed to get some of their phone numbers, and to write down the different PayPal accounts they used to collect the money - all information he shared with Paypal and law enforcement agencies.
"I know that people have been warned about these scams, but my conclusion is that they are still calling people because they are still making money out of these scams," he says. "This is one of the main reasons for this article and others like it - we need to keep informing people about it until the cybercriminals are forced to stop."