3

An elderly friend received a telephone call similar to this Information Security SE post and this one.

The caller claimed that my friend's computer had a problem that needed to be fixed. My friend was savvy enough to quickly identify this as a scam, and refused to provide any information.

What set the call apart from those other SE posts was that the caller claimed to know my friend's "Windows unique identifier" (or something close to that). Guessing that my friend has a Windows device is not hard: about 90% of computers use some variety of Windows. I'm not sure what the caller meant by "Windows unique identifier", but I'm guessing they were referring to the Windows Product ID.

My friend wasn't interested in spending any time on the call or verifying any information, but it sounded like the caller was prepared to provide a unique ID that my friend could verify on her computer.

There are many pieces of data that can easily be gleaned about a computer just by visiting a website. To my knowledge, the Windows Product ID is not one of those pieces of information.

The insistence by the caller that she could provide my friend's "Windows unique identifier" is concerning.

To keep this question narrow, let's assume that my friend has no malware installed on her system. (I had her perform several thorough scans with different products, and it tested clean on all of them. I also had her use a Linux CD-ROM with several scanners on it, so she could boot from it and perform more scans... everything showed clean. I reviewed her system and firewall logs, and did not find anything abnormal.)

Let's also assume the caller was not bluffing, and really did have a verifiable "Windows unique identifier" or Windows Product ID.

Questions:

  1. Is there some sort of "Windows unique identifier", perhaps the Windows Product ID, that is transmitted by any common browsers or browser addons/extensions?

  2. Is the Windows Product ID relatively unique, or does every computer manufacturer just use a small number of Windows Product IDs when they pre-install Windows on their systems, thus making it fairly easy to guess?

  3. If the answer to #1 is "no", and the answer to #2 is that they are relatively unique, and assuming that she has no malware, how could a scammer get a hold of that information?

Note that, despite my recommendations, she has a subscription to one of Symantec's Norton Antivirus/Security products. Has Symantec had any breaches in which such data could have been stolen? I do insist that she perform frequent scans with other products as well.

  • @Anonymous's answer is absolutely correct. This is a fairly standard tactic and they do not, in fact, know any sort of "unique identifier" but will point the victim to a location with a well-known GUID that will appear to be somewhat random and perhaps unique to an unsophisticated user. It's as simple as that. – Xander Feb 16 '16 at 21:31
  • @Xander So the scam would be quickly "busted" if the receiver of the call simply checks their Windows Product ID and sees that it does not match? – RockPaperLz- Mask it or Casket Feb 16 '16 at 21:35
  • Yes, but your average victim of this scam has no idea what that is or where to check it, or that it might be something other than what the scammer suggests. – Xander Feb 16 '16 at 21:39

1 Answer

5

These scammers often scare people by disguising harmless elements (such as event log entries, firewall rules, etc.) as evidence of compromise and malware. For example, they could tell you to execute some commands or find in advanced system properties what looks like a random number but is actually a reference to some system component common on all systems, like a CLSID. While searching for a Wikipedia page for "clsid" I stumbled upon this blog entry which describes exactly what I just said.

To the average non-tech-savvy user, seeing what looks like a cryptic and random number and having the person on the phone tell you that exact number would be pretty convincing, but really, anyone (even if still a scammer) who could really get ahold of genuine confidential information from a data breach or similar would at the very least be more experienced in social engineering and talk about something that actually exists like a product key, product ID or even MAC address rather than the "Windows UUID" nonsense they put up.

If you have their number I suggest you call them back and let them remote into a virtual machine, you'll be able to see exactly what they would've done to your friend if he believed, but usually their tactics are the same, they claim they're Microsoft or "Windows technical center", that your computer sent them some kind of distress signal and you should let them remote in (via TeamViewer or alternatives), then they scare you by showing you errors in the event viewer or by copy/pasting the tree command followed by a scary message like computer infected (which will display only after the tree command has ended, so they can pretend the tree command was actually an antivirus scan and it detected malware), and finally making you pay (either on a genuine payment provider or just their own scam page which steals your card number) for a rogue (fake) antivirus.

Anonymous
    +1, the fashionable thing to do today is also to encrypt your computer and give you the decryption key (or not) after some payment has been done. This is usually quicker than to talk someone into paying for a "fix" or "antivirus". – WoJ Jul 31 '15 at 09:56
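
The answer's point, that the number a caller reads out may be a CLSID present on any Windows system rather than something tied to one machine, can be checked locally. The PowerShell below is an added example, not part of the original posts; `Test-ClaimedWindowsId` and its verdict labels are hypothetical names, and it assumes the standard `ProductId` and `MachineGuid` registry values are readable by the current user.

```powershell
# Added example: classify an identifier that a caller claims is "unique" to this PC.
# Test-ClaimedWindowsId is a hypothetical helper name, not a built-in cmdlet.
function Test-ClaimedWindowsId {
    param([Parameter(Mandatory)][string]$ClaimedId)

    # Normalise: trim whitespace, drop surrounding braces, upper-case.
    $id = $ClaimedId.Trim().Trim('{', '}').ToUpperInvariant()

    # Values that really are specific to this installation.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cr = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography'
    $perMachine = [ordered]@{
        'Windows Product ID' = [string]$cv.ProductId
        'MachineGuid'        = [string]$cr.MachineGuid
    }
    foreach ($name in $perMachine.Keys) {
        $value = $perMachine[$name]
        if ($value -and $value.ToUpperInvariant() -eq $id) {
            return [pscustomobject]@{
                ClaimedId = $id; Verdict = 'PerMachine'
                Detail    = "Matches this machine's $name"
            }
        }
    }

    # A GUID registered under HKCR\CLSID identifies a COM class. The same
    # CLSID is registered on other installations that ship that component,
    # so a match here says nothing about this particular computer.
    $guid = [guid]::Empty
    if ([guid]::TryParse($id, [ref]$guid)) {
        $key = 'Registry::HKEY_CLASSES_ROOT\CLSID\' + $guid.ToString('B')
        if (Test-Path -LiteralPath $key) {
            $label = (Get-Item -LiteralPath $key).GetValue('')
            return [pscustomobject]@{
                ClaimedId = $id; Verdict = 'SharedClsid'
                Detail    = "Registered COM class: $label"
            }
        }
    }

    [pscustomobject]@{
        ClaimedId = $id; Verdict = 'Unknown'
        Detail    = 'Not the Product ID, MachineGuid or a registered CLSID'
    }
}

# Usage (constructed placeholder value, not a real identifier):
# Test-ClaimedWindowsId -ClaimedId '{00000000-0000-0000-0000-000000000000}'
```

A `SharedClsid` verdict is the case the answer describes: the value looks random but belongs to a system component, so the caller knowing it proves nothing.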