Well, the files' names, anyway.
The files in "My Documents" were actually two dozen pieces of malware of various stripes, collected from several sources, including file-sharing services and those that offer samples for research purposes. "I took a page out of the hacker's book of tricks and simply renamed documents to make them tastier," Seth said in a follow-up email. "Some were cleverly disguised as PDFs so I just renamed them and some were bogus .jpg [images] that I renamed."
With that, Seth set aside the PC and waited for the next round of calls. Which came late last month.
"I almost forgot about [the PC], but then I got a call," Seth said. "I told him to call me back, that I was busy but that my computer had been acting weird lately. I dug up the PC and set it up. Three days later they called and said they were following up."
He delayed the caller -- saying it was "an old box, and it takes time to boot up" -- so that he could double-check everything, including his connection through Tor, the network of relays that anonymize traffic to and from a device.
The call went like clockwork, with the usual claims, the usual instructions to do this or look there. Seth was passed from one fake technician to another, a common tactic to make it seem as if the problem is more serious and must be escalated to higher-level support with more expertise. Eventually, the third man asked Seth to let him connect to the PC using Ammyy Admin, a free remote control program, so he could rid the system of its aggressive infection.
Seth let him in.
"After about 15 minutes of the third 'expert' rooting through my event logs and documents, I decided to spring the trap, so I called bullshit on the guy and immediately the [My Documents] folder was copied, then quick and systematic deletion of various driver and system files began to occur. I could see him zipping around the screen," Seth related.
"When I pissed him off, I had no control [of the PC]," said Seth, "so I disconnected it from the Internet and did a hard shut-down." The machine came back up after a reboot, but Seth saw several warnings about missing drivers. (On Thursday, after the interview with Computerworld, Seth again fired up the system, only to find that it wouldn't boot and that he could not access its BIOS. He pulled the hard disk drive from the machine and connected it to another computer in order to take a screenshot of the malware-loaded My Documents folder.)
Seth was certain that the files in My Documents had been copied during the final, frantic moments after he'd called out the fake support technician: The folders and files had been highlighted several times, a signal that the scammer had selected them for copying.