Infosec researcher has fun at a crook's expense

Aug 7, 2016 23:40 GMT  ·  By

Ivan Kwiatkowski, a security researcher living in France, has turned the tables on a tech support scammer and fooled him into installing a copy of the Locky ransomware on his own PC.

Kwiatkowski's encounter with a tech support crew came after his parents had navigated to a dodgy website that tried to trick them into thinking they were infected with the Zeus banking trojan.

"This horrible HTML aggregate had it all: audio message with autoplay, endless JavaScript alerts, a blue background with cryptic file names throwing us back to Windows' BSoD days, and yet somehow it displayed a random IP address instead of the visitor's one," wrote the researcher on his site.

Just give tech support scammers "test" credit card numbers

While it was easy to fix his parents' browser, the researcher went home and decided to have a little fun with the tech support crew. He fired up a virtual machine, accessed the site, and then called the phone number included on the tech support website.

The researcher had two different calls with two operators at a call center in India, which didn't go that well, mainly because the researcher spoke French and the operators barely did.

During his last call, after he agreed to the scammer's request to buy a tech support package, he started giving the crook fake credit card numbers that pass validation but are reserved for testing, just to have fun at his expense.

Or just give them files from your spam folder

While the crook was trying to carry out a banking transaction with credit card details assigned only for testing, Kwiatkowski had quite the bright idea (if we can say so ourselves).

He went to his email account's spam folder, opened one of the spam emails, and downloaded the file attachment. In that case, it was a ZIP file containing a JavaScript file, which when executed would download and install the Locky ransomware.

The researcher renamed this file to Photo(823).png.zip and told the tech support operator that he had problems with his eyes, and he might be reading the wrong numbers from his credit card.
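The attachment in this story is the classic archive-wrapped script lure: a ZIP whose member is a JavaScript downloader, renamed so the outer file looks like a picture. The following is an added defensive example, not code from the article or from Kwiatkowski: it inspects an email attachment (name plus raw bytes), flags a decoy double extension such as Photo(823).png.zip, and lists archive members with extensions Windows would execute on a double-click. The sample attachment it builds is constructed in memory and the script member is an inert placeholder, not a real payload; the function names and the extension lists are assumptions of this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows hands to a script host or loader on double-click (assumed list).
EXECUTABLE_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                         ".exe", ".scr", ".bat", ".cmd", ".ps1"}
# Harmless-looking extensions often stacked in front of the real one (assumed list).
DECOY_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf", ".doc", ".txt"}


def deceptive_name(name):
    """True if a decoy extension sits directly before the real one, e.g. Photo(823).png.zip."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS


def inspect_attachment(filename, data):
    """Return a list of findings for one attachment given its name and raw bytes."""
    findings = []
    if deceptive_name(filename):
        findings.append(f"attachment name uses a decoy extension: {filename}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # not an archive; nothing more to unpack here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"archive member is executable: {info.filename}")
            if deceptive_name(info.filename):
                findings.append(f"archive member uses a decoy extension: {info.filename}")
    return findings


def build_sample_attachment():
    """Construct a sample like the one in the story: a script inside an archive
    named to look like an image. The member body is a placeholder comment only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_scan.js", "// placeholder script body (constructed sample)\n")
    return "Photo(823).png.zip", buf.getvalue()


if __name__ == "__main__":
    name, data = build_sample_attachment()
    for finding in inspect_attachment(name, data):
        print("FLAG:", finding)
```

Run against the constructed sample, the check raises two findings: the decoy ".png" before ".zip" on the outer name, and the ".js" member inside. A mail gateway or user-side triage script would quarantine on either, which is exactly what the scammer's machine lacked.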

He offered to take a picture of the credit card and send it to him via a chat application the tech support operator was using. Kwiatkowski gave the tech support scammer his Locky-infected ZIP file and waited for a reply.

"I tried opening your photo, nothing happens," the tech support operator told the researcher, not knowing that a hidden process was secretly encrypting all his files with the undecryptable Locky ransomware.

  In conclusion, whenever one stumbles on an obvious scam, the civic thing to do is to act like you buy it. [...] So if you're a French speaker, you should definitely take 15 minutes of your time, call them at +339 75 18 77 63 and try to social engineer them into doing something funny.  

The browser scareware from where all of this started
Kwiatkowski giving the scammer the ZIP file containing the Locky ransomware