There are few things I hate more in life than a scammer, liar, and a cheat.
Long ago, as a very young kid, I remember going to the video arcade at the mall with a $5 bill in hand. As I walked up to the exchange machine to get some tokens, an "old person" (he was probably in his 20s) approached me and said, "I have a whole bunch of tokens I can't use but I need to leave. There's probably close to $20 worth in here," as he shook a small paper bag full of jingling tokens, "and if you want to just give me that $5, we'll call it even. I mean, you're really doing me a favor here."
My eyes must have lit up. I had planned on playing just $5 worth of games, but now I had possibly $20 or more of game play coming my way! And I was doing this guy a favor?!? What a deal! I excitedly answered, "Sure, thanks! Here's my $5!"
I distinctly remember having a fleeting moment of panic that I would hand him my bill before he handed over the tokens, and then run from the arcade. But this fear was waylaid when he unfurled his clenched fist holding the bag and dropped it into my eager hands before I even handed over my precious dough.
He thanked me for the help and headed out the arcade door as I practically skipped to the nearby driving game I'd now be spending four times longer enjoying.
However, my joy turned to dread as I reached into the bag only to realize it was full of pennies and circular metal blanks from the hardware store. To say I was crushed is an understatement. I was broken, completely unaware of how someone could be so cruel. For what? $4 and change?
As I've gotten older my general disdain for people like this has only grown. The Internet age and global means of communication have unfortunately given rise to far more scamming cheats and their access to the unsuspecting population of naive marks.
Recently, I had an opportunity to turn the tables on an anonymous scammer. And I'd like to share that story with you today, even though it has nothing to do with DIY home improvement, our bathroom, or Old Town.
Last week, while home on one of my sacred telework days, my nose was buried in my laptop. I was elbow deep in a programming problem that I had been trying to solve for the better part of the morning when our home phone began to ring.
Since our land line is more of an artifact in our house than a functional element, it quickly broke my train of thought and piqued my curiosity about who might be calling.
The caller ID flashed 1-706-805-2057. Definitely not a number I recognized, and there was no name associated.
My two options quickly raced through my head, which was already busy processing a possible solution to my work problem.
1. I could ignore the call, keep working, and if they really need me, they'll leave a message. If it's a work call they'd be calling my cell, and if it was Wendy or family, I'd know the number. Probably an automated mortgage or interest rate call anyhow, or worse, a political ad. Hrm...
2. I could just answer it. It might give my brain a break long enough to allow me to solve my issue with fresh perspective. Besides, what if it's something that's important? Maybe I've won a cash prize or some major award and I had to answer the phone to redeem? Yes, that sounds very likely.
Yep, you guessed it, I decided to answer.
When I clicked the phone on I answered with a polite but abrupt "Hello?", half expecting the obligatory delay before the telemarketer picks up on the other end, their activation of the call triggered by my curt response.
But unlike the dozens upon dozens of calls we receive there was an actual person ready with a greeting.
A male voice with a thick Indian accent chimed from the other end of the phone line, "Hello, my name is Ryan from Microsoft Windows, and I'm calling today because we have been receiving an alarming number of errors from your Windows computer over the last several hours. We checked the log files and this has actually been going on with the computer associated with your registered Windows Live ID for a few days, but it's gotten much worse lately! It is possible that hackers are trying to access your network right now and we would like to assist you in resolving these issues today, free of charge. It takes only 10 minutes and it is all done using Microsoft certified technology."
My heart leapt and my pulse began to quicken, but not because I had any concern that my data was in any way vulnerable to hackers. Quite the contrary, actually. I was excited because I had been waiting for a call just like this one for some time.
I've heard about these social engineering schemes for some time. The caller typically preys on the vulnerable elderly and/or stereotypically computer illiterate types that are often home in the middle of the day. They expect the person who answers to be dependent on their computer, but unaware of exactly how it does all of the things they so desperately need it to do. Worst of all, they rely on the fact that these people will willingly trust a random caller that sounds official and expresses an interest in helping to head off some very evil people at the pass.
The sad thing is too many people tend to fall for these tricks, resulting in compromised computers, viruses, lost data, stolen identities, stolen money, unbelievable hassle, and a general sense of mistrust.
However, I'm none of these things. I'm a software developer by trade, and an all around nerd by hobby. I've been building computers, writing applications, configuring networks, and practicing IT security related items for over 20 years since I was a pimply faced teenager. I'm this asshat's worst nightmare when it comes to his scheme and his attempts to exploit me, and I wasn't about to just hang up the phone and let him move onto his next call unimpeded.
So I responded as anyone in my situation might and said, "Oh my, are you serious?!? Hackers are on my computer right now? What should I do? Should I turn my computer off? What should I do?"
What, that's not how you expected me to respond? Well, just you wait, this gets good.
Thinking he might have a mark, the scammer started to really set his trap. "No no, do not turn off your computer, that may allow them to take full control of all of your data. But I'm calling from Microsoft, and we have the ability to help walk you through several system diagnostics that will identify your problems and shut them down. Does this sound okay to you?"
Very well played, scammer. You've reeled me in and have me feeling comfortable. You've got my best interests in mind and have already possibly saved me by telling me to keep my computer turned on, lest I lose everything.
I said, "Yes, yes, this is perfectly okay. Just tell me what I need to do to fix this. If my boss finds out my computer has hackers on it and they get access to my company's financial data I'll probably get fired. Thank you so much for calling me about this!"
Two can play at this game! My response was meant to both let the scammer know that he might have access to a treasure trove of possibly valuable data, and also to humanize me to the scammer, giving him a sense that I'm an actual person too, with a job, and one who's not perfect. I was giving him an out in a way, one where he could back out and hang up if he felt at all bad about what he was trying to do. As you can likely guess, he continued with his game.
"Okay, I need you to open up your Internet Explorer web browser," he said.
I responded in a bit of a lost tone, "Is that the big blue 'e' button?"
He quickly responded with, "Yes, the 'e' button, just click twice on the 'e' button."
Wow, did he think he had a moron or what? The big blue 'e'. This guy must hear it all if he is going to remain on the phone with a response like that.
This whole thing is even funnier because I was sitting there working on a MacBook.
He followed up his instruction with, "Now put this in the address bar. Www dot... Remote... 1 2 3...dot... U S. Do you have that?"
"Yes...I think so." I chirped back.
"Okay, now press only the enter key and then wait," the scammer responded.
It was all pretty innocent to this point, but here's where I started to lay it on thick.
"What's the enter?" I said.
"It's the big key on the right of your keyboard." He was annoyed at my seeming stupidity, but still patient enough.
As I feigned searching for the enter key, I could hear the background noise from his location. It sounded like a busy call center, all the more reason someone with less knowledge might believe the ploy. I could picture him at the Microsoft tech support HQ, trying his best to work through all of the millions of Windows users with issues just like mine. Except none of it was true. It's just as likely the location is a one person room with a background soundtrack to make it sound legitimate, or perhaps a sea of scammers all actively calling people at random in the hopes they'd get someone to fall for their tricks.
After a sufficient amount of time had passed I responded, "I don't have the enter button, only shift, return, and delete are on my keyboard. Do any of these work?"
"Yes, yes, the 'return' key, press that key. Then tell me what you see." He was back on track, ready to take control of my system.
"It's loading," I said. While I pretended to let the page load I ran through the scenario in my head. Remote123.us is a web based remote control solution like LogMeIn. It allows someone from somewhere to take control of your computer and operate it remotely. It's wonderful when you need actual remote troubleshooting, but not in this case. In this case a malicious user would take control of your computer and then would have access to everything. They could look at your email, install software, change your passwords, and access all of your personal information. It could be disastrous. It's similar to inviting a robber into your house and letting them walk around and take what they please.
The scammer began to grow more impatient with my moronic action. "Well, what do you see on your screen?"
When I was good and ready to tell the scammer what I "saw" I responded bluntly, "Google.com."
The scammer, obviously annoyed by my ineptitude, but also encouraged by my continued apparent lack of knowledge and awareness, said, "Okay, let's try this again. Can you type remote...123...dot...u...s...into your browser address and tell me what you see?"
My heart continued to pitter patter and I could barely keep a straight face when I said, "Okay, it says 'Google search results for remote123.us. Did you mean: remote123.org?' Then a bunch of searches for the remote123.us. What should I do?"
Our conversation had reached the 10 minute mark, and I was barely starting out with him. My starting and stopping was working wonders to help him believe I was helpless. All the while I was reeling him in.
"No, no, no. You need to put it in the address bar at the top of the screen, where the URL is!" He was beginning to raise his voice, which told me I was beginning to get the advantage that comes with impatience.
Over the next several minutes I managed to start other programs and report back that "Spotify was now running and should I do something there?" And, "Ugh, okay now Microsoft Word is open, should I do something there?" I was really all over the place, I must have sounded like a complete jackass to this guy. He just wanted to steal my stuff. Why was I making it so damn hard for him?
After a few more tries and my continued torturing of the scammer, I could tell he was getting to the end of his rope, so I "finally" got the URL into the address bar of my browser and hypothetically loaded the page. I reported my miraculous breakthrough and he asked one more time, "Okay, tell me what you see?"
I quickly responded back, "Okay, I got something different this time. It's a weird message. I get it sometimes on the computer and when I do I call the IT guy and he fixes it."
"Oh, what is it?" The scammer asked inquisitively.
I reported back, "It says 'Your firewall is restricting access to this resource and you must receive external authorization to proceed. An external source must authorize this request from your MAC address using the following link.' Does that make any sense to you?"
In case you aren't following, nothing on my screen said that at all. I made that up on the spot. It was my goal to ruin this guy's day by taking up a lot of his time and possibly turning the tables on him. To add a little validity to the whole thing I wrote out the little error message above so I could read it back to him the same each time I had to recite it.
Thinking this was just another error the scammer asked me to enter the URL into the browser's address bar one more time, and one more time I recited the error, verbatim.
The scammer said, "I've never heard this before. You say you call the IT person and they fix it?"
I tell him, "Yes, and it only takes them a second. I just call, give them the link, then he tells me I'm good to go and I can get to the web page...Do you want me to call the IT guy and have him do what he does, then I can call you back? I just need your number."
"No no no," said the scammer in a quick and firm voice, "I think we can handle this without bothering him. Let's give it a try."
Boom! He just fell into my trap, hook, line, and sinker. The risk of losing a mark he's been working on for nearly 20 minutes, one with financial data available, and one who can apparently barely tell a computer from his ass was just too big for him to walk away. He had been ignoring the warning signs with his eyes too focused on the prize.
"Okay, what do you want me to do?" I said.
The scammer pondered for a second then responded, "What is the URL it's giving you in the link? Read that back to me."
The key with social engineering is to get your mark to believe they're acting in good conscience. They need to believe what they are doing is what they need to do to accomplish their goal. This is how people willingly hand over their passwords, bank info, social security info, etc. And in this moment I've just fooled the scammer into believing he was so close to a major score that he started to throw his own cautions out the window. I had begun scamming the scammer.
I slowly rattled off the URL in a deliberate manner that made it appear even further that I'm simply not computer literate (as if I hadn't established this already). "H...t...t...p... colon..." I continued. "Do you have that?"
"Yes, yes, what else?"
The link I gave him was a simple bit.ly URL I had just created a few seconds earlier. The fact I was giving him a shortened URL, especially when I'm so apparently computer stunted, made it all the more legitimate.
Among the background noise of his purported Microsoft call center I could hear the scammer typing, hitting enter (he must have had the enter key), then waiting for the screen to load.
During our conversation I had been searching for just the right thing to do to finally show him I had been playing with him the whole time. I wanted to possibly put up a web page somewhere which gave him a message of some sort that I could get him to go to, but I didn't want to put it somewhere that he might be able to identify who I was. So I couldn't put it on our blog or anything like that.
As I thought about it, an idea struck me. I could use "Let Me Google That For You," or LMGTFY.com for short.
If you're not familiar, the whole purpose of the LMGTFY website is to send links to people who ask simple questions but are too lazy to Google it for themselves before asking. When the recipient of the URL clicks on the link the screen walks them through each step of Googling, like the viewer is a child. It simulates entering a search term into the box, then clicking on the search button, and finally asks "Was that so hard?" before sending the user to actual Google search results. It's a condescending yet useful website at its best.
We use it often at work when a co-worker asks a dumb technical question over instant messenger, like "Do you know what Redis is?" Rather than taking the time to respond by Googling and then pasting back the first search results, we just send the link, http://bit.ly/1AUqfdu.
This is equal parts effective in providing a relevant answer, but also in saying "You're lazy, you've wasted my time, and you should have just Googled this yourself to save yourself the wretched embarrassment of this moment."
Remember, nerds are smug jerks who've often been picked on their entire life. A minor victory, such as sending a LMGTFY link to a friend or colleague is a major victory in the existence of a nerd. I know, I speak from much experience.
So back to my story.
I waited for our friendly scammer, "Ryan," and for the link I had just dictated to him to load.
To get the full effect of what was transpiring, you need to follow the link. Don't worry, beyond a little PG-13 language it's totally safe for work.
The scammer paused and began reading what was being typed on his screen. I could barely contain myself. My inner child was bursting with excitement at what was unfolding. I was sticking it to this scammer in the best way I could think of on the spot.
The silence from the other end of the phone was golden. The scammer cleared his throat, and in a somewhat shocked and calm tone he responded by simply saying, "Good one..." before hanging up on his end of the call.
That's it, that's all. I had just won my portion of the Internet that day. I was victorious over the scammer and I both wasted his time and enforced my smug nerd supremacy over his lame attempts at social engineering.
Have any similar stories you'd like to share? I'd love to hear your experiences.