Binary Blogger and the ZFSendToTarget Scam
It’s been a few months since I have received one of these calls, but I always answer the phone when the crazy caller ID numbers come up, hoping I get another. This morning I saw a call come in from “Name Unavailable 1-123-456-7890”. Looks legit… I knew it was going to be a scam: that credit help call, or a charity asking for a donation. Jackpot, it was my favorite tech support guys. I scrambled to keep him on the line, get batteries into my small HD recorder, and fire up my VirtualBox Windows instance on my Mac.
The recording picks up when I get everything set up.
Here’s how this scam goes. The caller assumes the target has no knowledge of computers and uses FEAR to convince the target there’s a problem, relying on the target not understanding basic, normal Windows functions. I play along with it and proceed to go through the steps. Remember, I have been working with Windows servers for over 20 years and I knew exactly what he was doing. They are looking up completely benign data, but to the uneducated those long strings of numbers are scary, and the caller can say whatever they want about them and you will believe it.
What the caller had me do was open the command prompt by pressing Windows Key+R, which opens the Run window. In the Run window they had me enter cmd, which then opens the command prompt. Basic.
Next they had me run a command called assoc. This command is basic maintenance and lists the associations of file extensions to the programs that open them. Basically it tells Windows that files with the extension .txt are text files, .xls are Excel files, or, if you install software with a custom extension like .dfc, the association list lets Windows know that file belongs to X software.
Now, what the scammer does is focus on the one near the bottom called .zfsendtotarget. There are big scary numbers next to it that they claim are your “license key”, and they proceed to read them back to you. If you have no idea what this is, you assume that since they know that number and are reading it back 100% accurately, the “tech support” must know your computer, which gives credibility to their claims. That builds trust, and the target falls for the scam and shells out money.

A quick explanation of what .zfsendtotarget is: when you right-click on a file in Windows, XP on up, you see an option to Send To Compressed file. That’s what that is, that’s it. It’s the built-in Windows compression option.
Because it is the default Windows compression, the value of .ZFSendToTarget=CLSID{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} IS THE SAME ON EVERY SINGLE WINDOWS COMPUTER!!! THEY KNOW THE NUMBER BECAUSE THAT’S THE VALUE EVERYWHERE!!! The scammers don’t know your computer, they are just reading back the default value. Unless, in the very remote chance, you are uber-techie and removed the default, that value will be there.
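To make the point concrete, here is an added example (mine, not the post author’s) that parses the output of the `assoc` command and checks whether the `.ZFSendToTarget` entry holds the stock Windows CLSID quoted above. The sample `assoc` output embedded below is constructed; on a real machine you would run `assoc` yourself and feed its output to `parse_assoc()`. The only value it compares against is the CLSID from the post.

```python
"""Parse `assoc` output and show that the .ZFSendToTarget value the caller
"reads back" is a fixed default shell-handler CLSID, not a per-machine key.

Added example for this post (not the author's code). SAMPLE_ASSOC_OUTPUT is
a constructed excerpt; real `assoc` output can be pasted in instead.
"""
import re

# The value the post quotes for .ZFSendToTarget: the CLSID of the built-in
# "Send to > Compressed (zipped) folder" handler, identical on every
# Windows installation that still has the default registered.
DEFAULT_ZFSENDTOTARGET_CLSID = "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"

# A brace-delimited GUID: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample of what `assoc` prints: one "extension=filetype" per
# line. Real output writes the CLSID as CLSID\{...}; the post omits the
# backslash, and the parser accepts both spellings.
SAMPLE_ASSOC_OUTPUT = """\
.txt=txtfile
.xls=Excel.Sheet.8
.zip=CompressedFolder
.ZFSendToTarget=CLSID\\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
"""


def parse_assoc(output: str) -> dict:
    """Turn `assoc` output into {extension: filetype}.

    Extensions are lower-cased because Windows treats them case-insensitively;
    blank lines and lines without '=' are skipped.
    """
    assoc = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        ext, _, filetype = line.partition("=")
        assoc[ext.lower()] = filetype.strip()
    return assoc


def extract_clsid(filetype: str):
    """Return the GUID inside a value such as 'CLSID\\{...}' or 'CLSID{...}',
    upper-cased with braces kept, or None if the value holds no GUID."""
    match = GUID_RE.search(filetype)
    return match.group(0).upper() if match else None


def check_scam_claim(assoc: dict) -> dict:
    """Evaluate the caller's claim that .ZFSendToTarget is a machine-specific
    "license key". Returns whether the entry exists, which CLSID it names,
    and whether that CLSID is the stock Windows default."""
    value = assoc.get(".zfsendtotarget")
    clsid = extract_clsid(value) if value else None
    return {
        "present": value is not None,
        "clsid": clsid,
        "is_windows_default": clsid == DEFAULT_ZFSENDTOTARGET_CLSID,
    }


def describe(report: dict) -> str:
    """Plain-language verdict for the person on the phone."""
    if not report["present"]:
        return ".ZFSendToTarget is not registered here; there is nothing to read back."
    if report["is_windows_default"]:
        return ("The number the caller read back is the stock Windows "
                "'Send to > Compressed (zipped) folder' handler ID, "
                "the same on every Windows PC. It is not a license key.")
    return ("The value is not the stock default, but it is still a shell "
            "handler CLSID, not a license key.")


if __name__ == "__main__":
    print(describe(check_scam_claim(parse_assoc(SAMPLE_ASSOC_OUTPUT))))
```

The useful part for a non-technical relative is the verdict: a CLSID is a class identifier that Windows uses to find a shell component, so any two machines with the default handler show the same one.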
Here’s the full recording; I was unable to keep it going longer. I may have piled on the sarcasm too deep and too early, because he hung up on me, probably after the Loser comment. But 10 minutes with me messing around with him is 10 fewer minutes spent on a real victim.
Spread this around to the uneducated, get everyone familiar with these calls, and train people to A) not answer the phone, B) hang up.
Here are the other scam calls I was able to get recorded.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.
contactme@binaryblogger.com