Scammer Tactics  


Ari Laquidara
Active Member MGG Premium Member
Joined: 2 years ago
Posts: 17
December 8, 2018 11:20 EST AM  

Hi all,

A friend just sent along this story of a fellow tech from his consultant's list who gave a scammer a run for their money. The most devious part of this, and something I hadn't seen before, was that the scammers are now able to spoof the call coming from 800-MY-APPLE.

"I had three calls today from 1-800-MYAPPLE, two hang-ups and one that bore 
(ha ha) fruit.
Tl;dr - it's the same old 
PC/We-Are-The-Microsoft-There-Are-Viruses-On-Your-Computer phone scam with 
some new and exciting wrinkles. I'll do this with bullet points because it 
works well that way and because hey, bullet points are kinda fun.
• The caller - a very concerned-sounding Indian lady - had my name and knew 
that I owned at least one Apple device - which was kind of interesting as 
prior scams are more or less fishing expeditions and actually used to ask 
if you had a device rather than telling you that you had one. More to the 
point, they told me that I had a 2013 MacBook Pro, which was the case a 
couple of years ago until someone poured the better part of a decaf 
Americano into the wretched thing and sent it to the recycler in the sky.
• I hopped on my Mac Pro, killed the WiFi, made a new dummy (non-admin) 
user while filling time and pretending not to remember my password, then 
followed the link that they fed me to LogMeIn fastconnect, installed the 
plugin, and sat back to watch the proceedings with my free hand on the 
ethernet cable so I could yank the thing if something really intelligent or 
egregious occurred. Per her instructions I typed in my name, phone number 
and email address, and she was keen to let me know that I needed to put the 
most up-to-date and accurate information in there so that they could help 
me better. I agreed, and then wrote down a variety of fictions that bore no 
relation to reality whatsoever.
• This seemed to satisfy the nice lady, who immediately took control, fired 
up Safari and navigated to, hit the https green lock icon and 
asked me to observe the resulting pop-down sheet and agree with her that 
yes, the encrypted certificate contained within was ample proof that she 
really was calling from Apple. I agreed. It seemed only polite.
• Next, she fired up spotlight, searched for netstat, got confused, 
muttered something in Gujurati and then found the Terminal and typed in 
netstat and made a series of disapproving clucking noises. "Do you see the 
list called Local Devices on the left?" she asked me. "Yes," I told her. "I 
do. Is that bad?"
• More disapproving noises. "Those are all the IP addresses on your router. 
Those items on there are there because they are already compromised." That 
sounded bad, I fretted, and she agreed. "The list of Foreign Addresses are 
all the people on the internet that are in your router," she continued, 
"and where it says 'Established' that means that they are downloading 
private informations from all your devices right now."
• She scrolled up and down for a few seconds, and did a lot of 
sudden-inhalations-of-breath over everything else that netstat churns out 
before scrolling down to the bottom of the window, which read thus:
-bash: AMAZON: command not found
-bash: PAYPAL: command not found
-bash: APPLE: command not found
....and so on with a few other things that I don't remember. I'm pretty 
sure that Ebay was in there, too. When I asked her what "-bash: AMAZON: 
command not found" meant she got a little flustered, said that it wasn't 
something on the screen, and then that it was, and then that it meant that 
hackers were in my Amazon account RIGHT NOW, which - to be fair - was a 
pretty solid attempt at a recovery on her part.
• At this point I may have become a little hysterical. I mean, hackers were 
in my Amazon account! In my router! Was nothing safe? I babbled for a 
while, having a lot of fun putting together semi-coherent concerns and 
questions while I played a little Sudoku on my phone. It never hurts to 
play up the human angle with these people. They expect it, and they hate it 
so very, very much when you rapid-fire through all the stages of grief a 
couple of times, and when I finally suggested that I just turn the computer 
off she became terribly agitated and passed me to a Senior Technician.
• The senior technician fired up top in the terminal and pointed to all the 
running processes and told me that they were how many attacks were on my 
computer right now. The sleeping processes were attacks that were waiting 
until I wasn't at my computer so they could run without being detected. He 
fired up System Preferences and the Security pane and showed that my 
firewall was on, but that didn't mean anything because hackers can get 
through firewalls without any trouble at all.
• Finally, he jumped back into Safari, navigated to, and asked me 
to log in to my Apple ID. It was at this point that I demurred, pointed out 
that I'd been taking lots of notes, and asked for his name. Oddly, he 
wasn't keen to provide that information, called me an asshole, and hung up 
on me, which was rather rude.
I've had a few of the PC scam calls before, but this was the first one I've 
received that catered specifically toward macOS and had scammers who had a 
Mac-centric script. Hopefully it won't catch on, but I suspect that we'll 
be hearing more about these things going forward...."

Graham McKay
Joined: 3 years ago
Posts: 150
December 8, 2018 7:32 EST PM  

Thanks - it’s useful to know what sort of script the scammers are following so that if I get a client who has been duped I have a “quick start” idea of what things to check first.

Interesting that the scammer had both a name and a computer model in their database. I’m not aware of browsers “leaking” model or device serial number?