'Hello, I'm from Windows and I'm here to help you'


Craig Johnston

Cybercrime researcher, Australia
Editor: Helen Martin


Craig Johnston relates a tale of unsolicited phone calls, interesting conversations and a worrying (anti-)malware-related scam.

A few weeks ago I received a number of queries from friends who had received phone calls from a man telling them that they had viruses on their computers. I told them that this was a scam and advised them not to have anything to do with anyone who calls and makes such claims.

Round one

However, one evening recently I received an unsolicited phone call at home from a man with a heavy Indian accent. He informed me he was 'from Windows in Sydney' (when I questioned him further he said he was from Microsoft and gave me the company's correct Sydney address). He told me that my computer had been flagged as being infected with viruses and that he was calling to help me out.

Of course I realized this was a scam, but I was very interested to learn how the scammers operated, so I played along.

The caller took me step by step through the process of opening up the Event Viewer on my home PC and told me where to look once there. He asked if I could see any error, alert or warning messages displayed - which of course I could. He told me that this confirmed that my computer was infected with viruses and that he would help me fix the problem. When I asked him why he was doing this, he said he was from Microsoft and that its staff had a duty to help people when they could see a computer was infected.

Next, he asked if my computer was running a little slower than it used to, and of course I said it was. He presented this as more evidence of the virus infection on the computer. He then tried to get me to log onto a website that would give him remote access to my computer to enable him to help me.

Of course, I wasn't too keen on giving him control of my system, so I hung up the phone. Two minutes later, he called back and continued to try to persuade me to allow him to take control of my system.

After about five minutes of me trying to get the caller to prove that he was actually in Sydney (by asking what the weather had been like here that morning - it's easy to look up a weather forecast for anywhere in the world, but harder to find very recent weather history) he eventually gave up and said he couldn't help me. The incident was interesting, but somewhat predictable.

Round two

Four days later, I received another call from another man with an Indian accent, who spouted the exact same lines. I strung him along for a few minutes before I got fed up of the whole exercise and told him that it was all a scam and accused him of preying on people's naïvety and abusing their trust. He asked 'So you think this is a scam?', to which I replied 'I know it's a scam!', and he simply admitted, 'Yes, it is a scam'.

For the next 15 minutes we had a very interesting conversation. The caller was more than happy to answer my questions about the group's modus operandi and admitted that his job was to cause confusion and fear in the victim, while posing as a trusted advisor, so that he could sell the victim a product. The product he said the group were selling was Registry Mechanic - which is a Windows registry optimization tool from PC Tools (owned by Symantec). While the caller admitted that the methods used to convince the 'customer' were dodgy, he was keen to assure me that the product being sold was legitimate and that it would benefit the customer.

I think that this man genuinely believed that he and his colleagues were helping people out. When I asked him if Registry Mechanic was an anti-virus product, he replied that it was, and told me that it would protect users from malware.

I found the conversation very interesting. The guy was more than happy to answer my questions, even though at one point I told him that I worked in the field of cybercrime research. He told me that he was based in Calcutta and that he and his colleagues had made a lot of money by targeting people in Australia recently. As we said our goodbyes, he even told me that he'd enjoyed our chat.


These two related events raised some concerns in my mind. They are, in no particular order:

  • Given the queries I'd had from friends, and the fact that I received two similar calls in the space of a few days, it seems that these guys were hitting the Sydney area very hard.

  • I'm certain that the bogus callers would be very successful with the method they were using. There are plenty of people who are naïve and/or ignorant when it comes to computers. If a nice gentleman (apparently) from Microsoft calls them to help them find evidence of a virus on their computer, then offers to take over their computer and clean it up, then sells them a product to protect them in the future - and installs it on their system for them - many people would be grateful and even happy to pay a small fee for the assistance.

  • The claim that Registry Mechanic is an anti-virus product that will protect users against malware is simply wrong. The product is a legitimate one, and it does its job very well, but it is not designed to provide full protection against malware.

  • How immoral (and illegal) is it to use fear, uncertainty and doubt (FUD) and scammer-type techniques to sell what is essentially a legitimate product (even if it is not a good solution to the supposed threat)?

  • Is there a reseller of Registry Mechanic in India who is doing a lot of business selling to customers in Australia, and if so, should someone be pulling the plug on them and their questionable operations? I understand that Symantec is looking into it. (Having said that, the product that was being sold may well have been a copied, hacked or outdated version of the genuine product, and it is most likely that the callers were not, in fact, genuine resellers of the product.)


It would be relatively easy to tell people simply to ignore any and all unsolicited contact from people informing them that they have spotted a malware infection on their computer. However, on 1 December this year all the big ISPs in Australia signed up to become 'icode compliant'. The icode [1] is a national voluntary code of practice which involves ISPs contacting customers that have been identified as being infected with malware to inform them that they may be quarantined or disconnected from the Internet until they clean their computer up. The ISPs will direct the infected users to a website (http://www.icode.net.au) which tells them how to avoid malware infections, how to detect and remove malware, and how to get professional help in cleaning up their computer.

So the ISPs will soon be contacting people out of the blue and telling them that their computer has been identified as having a malware infection, then offering help to clean up their computer. It goes a little like this: 'Hello, I'm from [Big ISP], and I'm here to help you!'

Hmm, sound familiar...?

(Fortunately, when the ISPs make their calls they will encourage the customer to verify the ISP's identity by calling them back on a previously published and publicly available phone number.)


