“Microsoft Technical Support” Scam

“Microsoft Technical Support” called me yesterday (on Independence Day!). They claimed to be receiving “errors and warnings” from my computer and were calling to “fix” it. Wow – can you imagine? They must have even better access to metadata than the NSA if they were able to somehow correlate my phone number with “my Windows computer,” since I’ve never used this number in relation to any of my Microsoft-related purchases in the past.

Gosh, could it be a scam?

Over the last couple years I’ve had several clients who fell for this scam, resulting in their computers being either inoperable, completely hijacked, or only seriously infected. A couple of them also ended up with a rather large credit-card bill. Hey, I love you guys, but I have to admit that I don’t understand how anyone could fall for this scam when the callers always have such thick accents. Maybe calling Dell & Gateway’s foreign tech support has left people with the impression that if someone has a foreign accent, they really do work in computer technical support? Or maybe it’s just that people expect to not understand their computer guy?

Anyway…they called, and I answered. This is, in fact, the third time within the last couple months that they’ve called my home number. I was really hoping they’d call back again “when I was ready” so I could collect some data about how they operate. The first time I tried trolling them but had actually just gotten home from a client’s house who had been backdoored by them, so I wasn’t exactly in a very good mood. It still took them over ten minutes to finally hang up on me. The second time I trolled them I immediately asked if they would mind if I recorded the conversation so I could share it with the police later. They didn’t even answer – just hang up. Hmm. I wonder why?

It’s a Tough Sell

This time the call came from “Name Not Found” at the number 1-000-000-0000. With a number like that I just knew it had to be a scam! I was just giddy with anticipation. In fact, I was so excited I was afraid that he would hear it in my voice as I tried so hard to sound like a complete computer novice.

Like most marketers, they use your ignorance against you as part of their sales pitch. Their first step is to convince you that you have a problem. They have you run msconfig (a Windows startup configuration tool) so they can tell you that all the “disabled” and “not running” Microsoft processes means that you’re seriously infected with a virus. This isn’t remotely true, but it does make for great theater.

Next they have you open eventvwr (Microsoft Event Viewer) so they can have you tell them the “number of events” under the Administrative Events view. They claim this number is how many “problems” exist on your computer (even though it’s likely only a handful of the same common non-serious errors repeated many times). They claim this number means it’s “seriously infected and broken,” of course.

He explained (did I mention the very thick accent) that all of this was “very bad,” but that since he “works for Microsoft” it’s not that big of a deal to fix it. And as a “free bonus” he would provide a 5 year license for a “real” antivirus program that would completely prevent this in the future. Dear reader, any time someone promises that something will completely prevent your security risks it’s a red flag that they’re lying to you.

Back to the story. So, now that they’ve convinced you that you’ve got a problem, it’s time for a “tune up.”

The Tune-Up

The first step of “fixing” the computer is to provide them with complete and total remote control access, of course. Again they have you open a ‘Run’ dialog and type in one of several websites that provide remote control software. Either ammyy.com, teamviewer.com or logmein123.com. Each of these is a legitimate service that’s being abused by the scammer, so while you shouldn’t hate on TeamViewer or LogMeIn – you should definitely be aware that the ability to login to your computer remotely not only exists, it’s common and only requires sharing a little bit of information with the attacker and can result in a very long-term hijack.

teamviewer-free-trial

In this instance the scammer chose to use TeamViewer, and as you can see in the screenshot above, the software even indicated that he (the  “technician”) was using a “free trial version.” I asked about that and, ready with the answers, the scammer told me that it was my computer that was using a trial version, not his. People fall for this? Sigh.

I’m familiar with TeamViewer so I loaded it up on a spare computer and immediately after the connection was established I toggled the ‘allow remote control’ option for the session. This ensured that he wasn’t actually able to do anything directly to my computer.

At this point, almost the same second as the connection went live, he said that the he was “having problems with the phone connection,” and would call me “right back.” Click. He hung up the phone. I was just positive he thought he already had all the control he needed so he didn’t need me for anything else. Tsk. I waited patiently anyway. A few minutes later he did call back again.

Escalation

This time it was from “Out of area” with no number. After Symond (did I mention his name showed up in the TeamViewer logs?), the original caller, reconnected via the new phone number he passed me off to “a more experienced technician,” who refused to identify himself.

As with most marketers, the first guy was just the “pitch guy” and the second guy is the “closer.” He tried for a few minutes to gain access to the computer through the session-limited account, clicking on window close buttons and the start button – without effect. I figure he would have figured out sooner that he didn’t actually have the ‘remote control’ privilege in TeamViewer. He was even dumber than I had originally thought. I tried to play stupid for a while and asked how long it was going to take to fix it. As a workaround to the rights he didn’t have, he made excuses about the performance of TeamViewer – saying the computer was probably “just too infected” for TeamViewer to work [A clean install of Windows XP MCE? Not likely.], and finally suggested we try another application (Ammyy). Darn.

I hedged a little, suggesting that maybe I could do the keyboarding stuff and he could just tell me what to type. He was pretty frustrated and when I said that I couldn’t figure out how to use Ammyy he finally cracked, screamed vulgarities at me and hung up. Sigh.

End Game

Needless to say, I didn’t get to experience the infection or harvest more than a bit of information from them before they wanted to stop playing. I was able to collect a couple TeamViewer ID codes: 845-085-890 (Symond..00775..) and 859-765-863 (Microsoft TechGroup=ms0125). They connected via 115.119.175.108, which is a broadband connection service provided by TATA in India. The StopForumSpam link identifies the IP address as having been used by “pcwebwork,” which could indeed be a business alias they’re actually operating under.

Even if it’s someone you do have a relationship with already, please consider calling them back at a “known good” number before allowing them access to your computer. After all, would you give someone your banking information just because they called “from Wal-Mart” and said that your recent transaction failed? This is no less severe.

Keep it clean out there,

Shawn

Leave a Reply

Your email address will not be published. Required fields are marked *