Aurich Lawson / ThinkstockIt’s Memorial Day, all Ars staff is off, and we’re grateful for it (running a site remains tough work). But on a normal Monday, inevitably we’d continue to monitor the security world. Our Jon Brodkin willingly embraced a firsthand experience with low-grade scammers in April 2013, and we’re resurfacing his piece for your holiday reading pleasure.
It all began with an annoying text message sent to an Ars reader. Accompanied by a Microsoft Office logo, the message came from a Yahoo e-mail address and read, “Hi, Do u want Microsoft Office 2010. I Can Remotely Install in a Computer.”
An offer I couldn’t refuse.
The recipient promptly answered “No!” and then got in touch with us. Saying the spam text reminded him of the “‘your computer has a virus’ scam,” the reader noted that “this seems to be something that promises the same capabilities, control of your computer and a request for your credit card info. Has anyone else seen this proposal?”
I hadn’t seen this particular scam, so there was only one thing to do: take the scammer up on his offer and let him go to town on a spare copy of Windows. Ultimately, I did get that copy of Microsoft Office, and there were no viruses sent my way. Even when I failed to pay the $30 fee we had agreed upon, the scammer didn’t bother attacking my computer in any way. He was just a nice guy, basically—making a dishonest living from the comfort of his own home.
An offer from Itman Koool
I e-mailed “Itman Koool” (short for “IT man,” apparently) last week from a spare Gmail account, saying, “i got youre message about a free microsoft office 2010 and was wondering how i get that.” The conversation proceeded like this:
Itman Koool: yes i charge only $30 to install. you can pay me after the installaton
Me: that sounds like a good price for microsoft. what do i do next?
Itman Koool: ok open ur computer go to google.com , search TeamViewer , download
Me: ok, I’ve downloaded teamviewer, what should I do now
Itman Koool: Ok tell me id and pass
TeamViewer is a remote access tool for providing PC support and conducting online meetings. The software’s intended purposes are legitimate, but it can be abused.
Before going through with this experiment, I got some safety tips from security expert Troy Hunt, who is well versed in the art of “scamming the scammers.”
On Hunt’s advice, I set up a fully updated and patched copy of Windows 7 in a virtual machine, with no read/write privileges to the host system, and installed antivirus software with the latest virus definitions. I didn’t think Itman’s intent was to load my system with viruses, but even if he did, the risk to my computer would be small—I could just wipe out the virtual machine and reinstall Windows. Borrowing a tactic from Hunt, I placed a file named “passwords” into my documents folder to see if Itman would access it.
“No, I don’t work for Microsoft”
So this past weekend, after giving my TeamViewer credentials to Mr. Koool, he took control of my Windows 7 virtual machine.
His mouse cursor started moving around—extremely slowly, as if he were distracted or wasn’t quite sure what he was doing—and I started asking questions using the TeamViewer chat window.
Me: so what are you doing now?
Itman Koool: Im going to install microsoft office 2010
Me: do you work for microsoft?
Itman Koool: No i dont i work indivisually
Itman Koool: How much r u gonna pay ?
Me: you said it was 30, right?
Itman Koool: yes
By this point, Itman had opened Chrome and logged into a Yahoo Mail account with a username containing the letters “Coolboyusa” and some numbers. His list of e-mails showed he’d been busy looking for customers and had made at least some money. There was one “Notification of payment received” from PayPal, as well as various annoyed replies to his spam messages. “Hi, how the expletive did you get this number?” went one. Two other replies simply said “Who is this?” and another said “Stop.”
The message Itman was looking for read “[username] has sent you a file.” Opening this e-mail led Itman to a file sharing site called WeTransfer, where he downloaded a 654MB file titled OFFICE2010.zip.
“ok its downloadin.. its gonna take sometime,” Itman told me. I asked Mr. Koool how he finds people to text about the Office offer, to which he answered that he sends the messages to numbers with certain prefixes and generates the last four digits himself. He then asked what number I had received his message on, and I let that question pass by without answering.
The file downloaded in just a few minutes, making me thankful for my 50Mbps home Internet service. How much time had Itman wasted waiting for the download to complete over slower Internet connections?
Itman went into a folder titled “office2010proplusfiles,” which contained two applications—office2010proplussetup and office2010proplusactivate—as well as a text document titled office2010propluskey.
Suddenly, Microsoft Security Essentials, the antivirus program I had installed, noticed something was amiss. “Security Essentials detected a potential threat that might compromise your privacy or damage your computer. Your access to this item might be suspended until you take action,” the antivirus program said. It labeled the flagged program as “HackTool:Win32/Keygen,” referring to a program meant to create a fake license key.
Itman wasn’t worried. “don’t worry, it’s nothing. it just acts like that,” he wrote. “I hate that thing,” I replied.
Very slowly, clicking the wrong links a few times and having to start over, Itman found his way into the Windows firewall settings and allowed his Office installer to proceed. While he looked through a list of installed programs, I wondered if Itman would notice “VMware Tools”—which might tip him off that this was a virtual machine and that perhaps I wasn’t really just looking for a copy of Microsoft Office.
Itman went forth, installing Microsoft Office Professional Plus 2010. He grabbed what I suppose was a temporary license key from the “office2010propluskey” text file in order to complete the installation. After installation, he opened “office2010proplusactivate,” which opened a key generation program to give the program a more permanent activation (or at least one that lasts six months).
Itman opened up Excel to demonstrate that Office had been installed. Now, he wanted money. He went into Chrome and opened a page where he set up a PayPal payment link and entered his e-mail address as the payment recipient and $30 in the amount field. All that was left was for me to pay up.
“What is PayPal? I’ll just mail you a check”
A small part of me felt guilty about not paying Itman for his hard work and generosity, but I didn’t want even a small risk of my financial accounts being compromised. Moreover, I was curious about what someone like Itman does when he doesn’t receive payment. Would he bombard my computer with viruses? Would he at least disable Microsoft Office, promising to re-enable it only after I pay?
Itman Koool: ok u can pay here
Me: what is that website
Itman Koool: this is paypal website.
Me: i don’t have an account
Itman Koool no u don’t have to have account u can pay by credit or debit
Me: i’ll just mail you a check
Itman Koool: just pay here
Me: what is your address?
Itman Koool: i don’t accept checks. u can pay here
It went on like that for a little while, with me offering to send cash to Koool and him turning that down as well. I could buy a prepaid PayPal card from 7-11, he said. “I Need the money right now. i can wait 1hr,” Itman said in the TeamViewer chat window. A few minutes later, I got an e-mail message saying only “u there”.
Enlarge / I never did find out Itman’s address.
I didn’t reply, but I left TeamViewer on for nearly two hours. Nothing else happened. I closed TeamViewer, ran a virus scan, which turned up the same KeyGen file Security Essentials previously detected during the Office installation.
Enlarge / Microsoft’s least favorite type of file.
I let Security Essentials wipe that file off my computer, but the activated version of Microsoft Office was still installed, functioning properly. Itman apparently never touched the “passwords” file I had created to tempt him.
I haven’t heard from Itman again. And in case you were wondering, I uninstalled Microsoft Office.
This entry passed through the Full-Text RSS service – if this is your content and you’re reading it on someone else’s site, please read the FAQ at fivefilters.org/content-only/faq.php#publishers.