Phone Scam - Windows Customer Support and CLSID
For many years now, we've been receiving phone calls from a company that calls itself Online Windows For Support. For the past few weeks, we've actually received one phone call a week from them, and today was one of those days. Since I'm at home recovering from surgery, I actually had time to ask them some questions and investigate their claims further.
I talked to Jim and he said he was from California. His accent did not sound like an American, more like an Indian, so this was hard to believe. He said they've been receiving error messages from my computer for a long time now. Since they've been calling many times, I wanted to try something different. Thus I asked Jim to let me speak to his manager, who identified himself as Edward and said he worked for Microsoft. Again, this guy did not sound like an American, more like an Indian (from India). I wanted to know more about the company so I asked for a website address, which he provided. After many spelling issues (me being French and him obviously not being an English speaker) he finally gave me this: http://onlinewindowsforsupport.yolasite.com/ It was really strange that a support company did not have its own domain name, but a subdomain of an internet provider (yolasite.com). But I kept this question to myself. I then asked him for an email address and he provided me with this one: email@example.com. It made me even more suspicious, because this email address doesn't look legitimate to me... Anyway, I did not try it and pushed my investigation further about my specific computer.
I asked Edward when was the last time they received an error message from my computer, and he said yesterday... My Windows computer was turned off that day and has been for many weeks, and was not even connected to the internet anyway (no cable connection), so this was obviously not true. Edward told me that even if my computer was not connected, what mattered was that the hackers were using my IP address to hack and do bad stuff under my name... I actually don't believe this is possible. My IP address is public; any web site that I visit will have my IP address (it's part of the HTTP protocol). A hacker, to do something bad under my name, needs some kind of username/password of mine or access to one of my computers. So again, this was obviously not true (after the call, I ran Microsoft Safety Scanner and it found no trace of viruses or spyware). But Edward kept being insistent and I still complied because I wanted to know more about these guys. So they said he could prove to me that he had information from my computer. I said OK, prove it! So he spelled a CLSID that I should find on my computer, and this was supposedly information that only I had on my computer. This CLSID was
or something close to that... It took a long time to spell it since he did not pronounce the letters easily (English was not his first language, that was for sure). Once my computer was turned on, he told me to open the command window (cmd.exe) and type "assoc", which I did... Then once the app had done its job of listing information, he told me to look for the actual CLSID that he spelled for me. Of course it was there. Look at the picture below (4th before the last):
I then started to be a little worried... How could he possibly know something about my computer like this? But the more he talked, the less convincing he was to me. He kept talking about my IP address being used, and blablabla... So at one point, I said they were full of s???, and then they hung up on me.
After that I did some research about what he told me. First of all, the application "assoc" displays or modifies file name extension associations. So basically, this CLSID is about some kind of file on a Windows computer. Then I searched on Google for Scam and CLSID, and I found this answer:
assoc command lists the file associations. zfsendtotarget happens to be the last one. The Class ID identifies a COM object to run.
zfsendtotarget is a part of the implementation of the 'Send to compressed (zipped) folder' option on the Explorer right-click context menu.
So what this is telling me is that this CLSID is not unique to my computer. It is found on most if not all Windows computers in the world, regardless of the version. So this company is making us believe that they know something from our computer while they actually use information available on all computers...
This is a real scam! Be really careful about these calls! Do not hesitate to follow the links provided above for more information.
I hope this helps someone!
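To check this yourself, here is an added example (not part of the original post or the quoted answer): a PowerShell script that lists every association that `assoc` reports as a CLSID and looks up which COM component is registered for it. The variable names and output columns are my own choices; run it on two different Windows machines and compare the output.

```powershell
# Added example: find the "CLSID\{...}" entries in the output of "assoc"
# and resolve each one to the component registered under HKEY_CLASSES_ROOT.
# Read-only; works from a normal (non-elevated) PowerShell window.

$rows = foreach ($line in (cmd.exe /c assoc)) {
    # assoc prints one ".ext=value" pair per line
    $ext, $value = $line -split '=', 2

    # Keep only values of the form CLSID\{8-4-4-4-12 hex digits}
    if ($value -notmatch '^CLSID\\(\{[0-9A-Fa-f-]{36}\})$') { continue }
    $clsid = $Matches[1]

    $key    = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $name   = $null
    $server = $null

    if (Test-Path -LiteralPath $key) {
        # Default value of the class key is its friendly name
        $name = (Get-ItemProperty -LiteralPath $key).'(default)'

        # Default value of InprocServer32 is the DLL that implements it
        $inproc = "$key\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $server = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        }
    }

    [pscustomobject]@{
        Extension = $ext
        CLSID     = $clsid
        Name      = $name
        Server    = $server
    }
}

# Same rows on every machine means the value identifies Windows, not you
$rows | Format-Table -AutoSize
```

If the rows match across machines, the value the caller read out says nothing about your particular computer.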