I see clever trojans and other malware all the time — a considerable part of my work involves removing them from people’s PCs. The “FakeAlert” trojan is especially common: it warns you in various convincing and intrusive ways that “your PC is infected” and offers you a link to download and install a “removal program”. If you install this software it will “find” all sorts of terrifying things which it says are downloading pornography and stealing all your passwords, credit card details, and so on, and offers to remove them … once you have registered the removal program for about 50 dollars via your credit card. And it doesn’t find the malware which actually is there. The PC becomes increasingly unusable until the fake software is removed, which can be quite tricky (which is why people pay me to do it, of course).
Three customers whose PCs I’ve removed this malware from have subsequently had phone calls from someone who says he’s from something like the “Windows Support Group”, telling them their PC is infected and offering to remotely connect to the PC to remove the infection. All these people were called at home, on numbers they don’t reveal to people. They report that they had assumed the call was from Microsoft, but how did Microsoft know their PC was infected, and how did Microsoft get their phone number?
Presumably the trojan searched the PC for phone numbers in documents and reported them back to the bad guys, who are now calling the numbers. Brazen or what? (With permission, I searched one customer’s PC for their secret phone number and found it in an old CV.) One of the customers had the presence of mind to ask for a number so they could call back — and reported the number to me. So I called it …
“Adam” told me they had offices all round the country, were one of the largest PC support organisations and had been going for well over ten years. He gave me a website address which I later checked — it had been set up three weeks previously. I asked him if I could drop my PC off, but he said their insurance didn’t allow it, and it wasn’t necessary because they could connect remotely if I co-operated by downloading a program. I asked him how much this service would cost, and he said he couldn’t say, even roughly, until he’d had a look at the infection. I said someone had told me that he’d called them to offer to do this, but how did he know they had an infection? He said it “was reported to us”, but couldn’t or wouldn’t explain further. I asked him where he was; he said he was in London, so I asked for the address. It took him a long time to find this, and when I asked him for the nearest (or any) tube station, he didn’t know. He didn’t know what the weather was like in London, either.
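The one check in the story that can be automated is the domain-age check (a company claiming ten years of history whose website was registered three weeks ago). Below is an added example, not from the original post, that pulls the creation date out of a WHOIS record and flags domains younger than a threshold. The WHOIS text is a constructed sample with a made-up domain under the reserved `.invalid` TLD; the field names it recognises are the common ones but the list is an assumption, not a complete registry specification, and fetching the real record (for example by running `whois` and feeding its output to the function) is left to the reader.

```python
import re
from datetime import date, datetime

# Constructed sample WHOIS record (not a real lookup; dates and domain are made up).
SAMPLE_WHOIS = """Domain Name: example-support-group.invalid
Creation Date: 2010-03-14T09:12:00Z
Registry Expiry Date: 2011-03-14T09:12:00Z
"""

# Field names seen in common registry/registrar output (assumption: not exhaustive).
CREATION_PATTERNS = (
    r"Creation Date:\s*(\S+)",
    r"Created On:\s*(\S+)",
    r"Registered on:\s*(\S+)",
)

# Date layouts tried in turn; ISO with or without time, and the "14-Mar-2010" style.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")


def parse_creation_date(whois_text):
    """Return the registration date found in a WHOIS record, or None if absent."""
    for pattern in CREATION_PATTERNS:
        match = re.search(pattern, whois_text, re.IGNORECASE)
        if not match:
            continue
        raw = match.group(1).rstrip("Zz")  # drop the UTC suffix before parsing
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(raw, fmt).date()
            except ValueError:
                continue
    return None


def domain_age_days(whois_text, today):
    """Age of the domain in whole days as of `today`, or None if unknown."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (today - created).days


def is_suspiciously_new(whois_text, today, min_age_days=90):
    """True when the domain is younger than the threshold or its age cannot be determined.

    An unparseable or missing creation date is treated as suspicious rather than
    silently passed, so a malformed record never produces a false sense of safety.
    """
    age = domain_age_days(whois_text, today)
    if age is None:
        return True
    return age < min_age_days


if __name__ == "__main__":
    # The caller's date is passed in explicitly so the check is reproducible.
    check_date = date(2010, 4, 4)
    print("age in days:", domain_age_days(SAMPLE_WHOIS, check_date))
    print("suspicious:", is_suspiciously_new(SAMPLE_WHOIS, check_date))
```

The threshold of 90 days is a judgement call: legitimate businesses do register new domains, so a young domain is a reason to ask more questions, not proof of fraud on its own. Combined with the other tells in the story (no walk-in address, no price, no idea where "London" is), it is a cheap first filter.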
The whole thing seemed highly suspicious to me, so if you get a call like this, ask questions!