"I was really tired [of the calls], and I really hate computer scammers," said Seth, whose last name Computerworld withheld for privacy reasons. "I got fed up."
Like millions of others, Seth had been on the receiving end of phone calls from scammers who rang up and told him that they were with "Microsoft support" or "Windows support," then proceeded to claim that they had detected malware on his machine.
"I would get these calls three or four times a year," said Seth in an interview, adding that the calls would continue for a week or more, then end, only to resume months later. He would hang up on the callers or tell them he had no computer or was running a Mac.
But that wasn't enough to stop the pestering; the calls continued.
Those calls have become all too familiar to Americans: In a hearing before Congress last year, David Finn, the executive director of Microsoft's Digital Crime Unit, said that the calls victimize an estimated 3.3 million people and rake in $1.5 billion annually.
The classic tactic involves cold calls -- unsolicited telephone calls -- where callers pose as computer support technicians, frequently from Microsoft itself, and try to convince victims that their computers are infected, often by having them look at Windows' Event Viewer, a log that shows scores of harmless errors. At that point, the hard-sell pitch starts, with the caller urging the consumer to download software or let the "technician" remotely access the PC.
The con artists charge for their bogus "help" and often get people to pay hundreds for worthless support plans or software. Frequently, the scammers use their access to plant malware on the PC, which later surreptitiously harvests online account information and passwords, or they steal files from the system during the call, when they have control of it.
Seth knew that ... he had done research. So he decided to turn the tables.
After a spate of calls late last year, he dusted off an old, unused PC, scrubbed the hard drive and installed a fresh copy of Windows Vista. He installed a handful of programs, like Mozilla's Firefox browser. But the key was Windows' "My Documents" folder.
In that folder he placed several files, folders and compressed archives, with names like "Passwords," "Credit info" and "Bank Info." A "Pictures" folder contained what appeared to be a handful of .jpg-format images. "Everything in this folder was fake," Seth said.
Well, the files' names, anyway.
The files in "My Documents" were actually two dozen pieces of malware of various stripes, collected from several sources, including file-sharing services and those that offer samples for research purposes. "I took a page out of the hacker's book of tricks and simply renamed documents to make them tastier," Seth said in a follow-up email. "Some were cleverly disguised as PDFs so I just renamed them and some were bogus .jpg [images] that I renamed."
With that, Seth set aside the PC and waited for the next round of calls, which came late last month.
"I almost forgot about [the PC], but then I got a call," Seth said. "I told him to call me back, that I was busy but that my computer had been acting weird lately. I dug up the PC and set it up. Three days later they called and said they were following up."
He delayed the caller -- saying it was "an old box, and it takes time to boot up" -- so that he could double-check everything, including his connection through Tor, the network of relays that anonymize traffic to and from a device.
The call went like clockwork, with the usual claims, the usual instructions to do this or look there. Seth was passed from one fake technician to another, a common tactic to make it seem as if the problem is more serious and must be escalated to higher-level support with more expertise. Eventually, the third man asked Seth to let him connect to the PC using Ammyy Admin, a free remote-control program, so he could rid the system of its aggressive infection.
Seth let him in.
"After about 15 minutes of the third 'expert' rooting through my event logs and documents, I decided to spring the trap, so I called bullshit on the guy and immediately the [My Documents] folder was copied, then quick and systematic deletion of various driver and system files began to occur. I could see him zipping around the screen," Seth related.
"When I pissed him off, I had no control [of the PC]," said Seth, "so I disconnected it from the Internet and did a hard shut-down." A reboot restarted the computer, but Seth saw several warnings of missing drivers. (Yesterday, after the interview with Computerworld, Seth again fired up the system, only to find it wouldn't boot and that he could not access its BIOS. He pulled the hard disk drive from the machine and connected it to another computer in order to take a screenshot of the malware-loaded My Documents folder.)
Seth was certain that the files in My Documents had been copied during the final, frantic moments after he'd called out the fake support technician: The folders and files had been highlighted several times, a signal that the scammer had selected them for copying.
There's no way to know, of course, if the support technician actually "opened" the fake documents Seth used as bait, a process that would have launched and installed the malware on the scammer's system.
But Seth hopes so.
"Maybe after he opens the 'My Documents,' one of us could call him and offer to fix his machine!" Seth said.