Thursday, November 13, 2014

What Happens When a Tech Support Scammer Cold Calls Emsisoft?

It’s called the Microsoft Tech Support scam, and it’s been around for years. Last week, Emsisoft and Bleeping Computer intercepted one of these scammers, and in addition to messing with him for a good three hours, we took detailed notes on how the Microsoft Tech Support scam works.




Someone calls you up, claiming to be from Microsoft, and scares you into thinking that your otherwise normally functioning PC is infected. If they scare you well enough, they’ll then connect you to a remote administration software that lets “their experts take a look at your PC.” From there, a number of bad things can happen, including malware installation, data theft, or simply more scare tactics, all in an attempt to sell you some expensive program that doesn’t work – or doesn’t even exist.


People all across the world get contacted by Microsoft scammers every single day, and all too often they become victims.




The Set Up


Step 1: Cold call victim, then lie, using fancy tech buzzwords


Like many a con job, the Microsoft Tech Support scam starts out with a cold call. In this case, it was to one of our friends over at Bleeping Computer – probably one of the worst people in the world a tech support scammer could connect to.


The scammer, who we’ll call Mr. Z., started his ruse by introducing himself as a Microsoft support tech. Mr. Z told our friend that he was calling about an urgent issue. The issue was that our friend’s computer was sending errors to the Windows server, and that this was a critical problem that needed to be fixed. Being a volunteer support tech himself, our friend immediately knew what he was dealing with. There is no “Windows server” to which all Microsoft computers magically connect, and Microsoft technicians do not cold call their users about critical errors that need to be fixed.


This was a straight up scam.


Step 2: Use the Windows Event Viewer to scare them with things they’ve never seen


Nevertheless, our friend decided to play along. Feigning naivety, he took the bait. He told Mr. Z that his computer had been acting funny, and he asked Mr. Z how he knew there was a problem. All too ready to supply the evidence, Mr. Z began to give instructions.


You will need to open your command prompt. You will then need to type eventvwr and hit Enter.


[Image: command prompt with eventvwr typed in]


In scammer-textbook fashion, Mr. Z was making use of one of the oldest tricks in the book. The Windows Event Viewer is simply an administrative tool that displays information about significant events that occur on your computer. Scammers make use of it because “significant events” are often just little glitches, such as a program failing to launch or update. Over the lifetime of a typical computer, many of these glitches will be logged as an event, and displayed as a warning or an error, even though they are not necessarily critical, or even noticed by the typical user.


[Image: Event Viewer showing warnings and errors]


As someone who works with computers on a daily basis, our friend knew the Event Viewer trick all too well, but, still, he played along. Feigning concern, he asked Mr. Z if all those warnings and errors in his Event Viewer were a problem.


With the utmost seriousness, Mr. Z confirmed that they were.


Step 3: Have them download TeamViewer and Establish Remote Control


It was about at this point that our friend decided to share the fun. Having read about this type of thing before, he knew that the next part of the scam would be to connect to his computer with a remote administration software. This type of connection can be dangerous if given to a stranger because it allows them to control your computer.


Fortunately, malware researchers have useful tools called virtual machines. A virtual machine is essentially an operating system emulator, which allows the researcher to study malware in its natural environment, without having to infect their own computer. Our friend knew that Emsisoft’s researchers used virtual machines on a daily basis, and since he didn’t have one of his own he decided to pass the scammer on to us.


As expected, Mr. Z told our friend that the only way to fix the warnings and errors that appeared on his Event Viewer would be to download TeamViewer and grant Mr. Z remote control. Here, our friend once again complied; however, instead of supplying the access code to connect Mr. Z to his computer, he gave Mr. Z the access code to connect to ours.


The Scare Tactics


Here is where things get really interesting.


Mr. Z is connected to one of our virtual machines in Europe. He’s been told by our friend, who lives in North America, that he’s going to let his daughter take over the computer because this whole TeamViewer thing is way too complicated for him. Mr. Z is no longer on the phone with our friend from Bleeping Computer. He’s in a TeamViewer session. With us.


In a typical Microsoft Tech Support scam, this is usually the point where all hell breaks loose. Malware infection, sensitive file rifling, installation of a covert backdoor for future access – you name it. Mr. Z could do anything, and we were ready for it. To test Mr. Z’s legitimacy, we even infected our virtual machine with malware, to see if he would notice – but notice he did not.


Through it all, Mr. Z had one primary objective: scare us into thinking something was wrong, and then sell us his “support program,” which would magically fix it all.


Step 4: Reiterate the Event Viewer Problem


The first scare tactic Mr. Z employed was a rehash of his Event Viewer shtick. We were, after all, the original contact’s “daughter,” and we needed to know what the problem was.


The Lies:


MRZ-PC (8:04 PM):


i m showng u tis again becoz befor line ws dissconnctd


EMSISOFT-WIN764 (8:05 PM):


ok


MRZ-PC (8:06 PM):


these r the error n warning which z harming ur computer


ok?


EMSISOFT-WIN764 (8:06 PM):


where?


I don’t see errors


can you show it with the mouse pointer?


MRZ-PC (8:06 PM):


u knw wat , ur computr z very slow


these r the errors ok


[Image: Event Viewer warnings and errors, boxed by Mr. Z]


EMSISOFT-WIN764 (8:07 PM):


yes, I see it now


that looks quite bad


can you fix that?



The Truth:


Event Viewer is a normal part of your Windows PC, and logged warnings and errors are just minor glitches. To access Event Viewer on your own, open the Control Panel, then click System and Security > Administrative Tools > Event Viewer.
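To see for yourself that the warnings and errors a scammer points at are routine, the PowerShell snippet below (an added example, not from the Emsisoft post) counts the Application log’s errors and warnings from the last 30 days and lists which programs logged them. It assumes a stock Windows installation with PowerShell; level codes 2 and 3 are the Windows event log values for Error and Warning.

```powershell
# Added example (not code from the Emsisoft post): summarise the Application log
# the way Event Viewer displays it, to show that errors and warnings are routine.
# Windows event log level codes: 2 = Error, 3 = Warning.
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Level     = 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue   # a clean log with no matches is not an error

"Errors and warnings in the Application log since $($since.ToShortDateString()): $(@($events).Count)"

# Which components logged them? On a healthy PC this is a handful of ordinary
# applications and updaters, not malware.
$events |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# Read one entry in full: the message text describes a mundane failure
# (a service timed out, an update retried), which is what the scammer relies
# on you not reading.
$events | Select-Object -First 1 TimeCreated, ProviderName, LevelDisplayName, Message | Format-List
```

Run it in a normal (non-elevated) PowerShell window; the Application log is readable by standard users. Compare the provider names to what is installed on the machine: the sources are programs you already know, which is the whole point.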


Step 5: Tell them about “good files” and “bad files”


Before he would “fix anything,” though, Mr. Z had an educational agenda. Showing us a few little event errors was not enough to achieve his ultimate goal. Like all scammers, Mr. Z needed to misinform us and instill fear. Mr. Z, in a nutshell, needed to show us which computer files were good, and which computer files were bad.


According to Mr. Z, good files could be deleted and bad files could not.


The Lies:


MRZ-PC (8:07 PM):


ok , jst go ahead n try to delet them ok


yes m here to help u , first f ol u hav to try to delet hthem if u nt able to delet them, i will help u ok /


EMSISOFT-WIN764 (8:08 PM):


erm, okay


[Image: Event Viewer context menu with no Delete option]


MRZ-PC (8:09 PM):


do u see ther z no delet option


it means u can not delet them by your own


ok


MRZ-PC (8:10 PM):


yes u can not delet them by your own , becoz some f the errors n warnings truns in to virus tats the reason u can nt able to delet them by your own


EMSISOFT-WIN764 (8:11 PM):


ah, I see


MRZ-PC (8:12 PM):


can u see i click on team veiwer and they giving nme the delet option becoz teamveiwer z a good file and good file always gives u the delet option n bad file never giv u the delet option , remember tat in future like u will know which z th good file n which z bad file


[Image: TeamViewer shortcut context menu showing a Delete option]


EMSISOFT-WIN764 (8:13 PM):


oooh, so for good files you have a delete option and for bad files not gotcha!


MRZ-PC (8:14 PM):


these errors and warnings they harm your computer services , services means which runs your computer , which z very impotant to your computer


now let me go ahead n show u th services



The Truth:


The “files” Mr. Z was trying to have us delete were really just logged events in the Event Viewer. Furthermore, whether or not a file can be deleted has nothing to do with its maliciousness.


Step 6: Tell them about the “dangers” of stopped services


Now that we were good and concerned about our evil files which we could not delete, Mr. Z needed to make it clear why these files were such a problem. According to Mr. Z, the bad, undeletable files were disabling our services – and if it got to the point where all of our services were disabled, our computer would die.


The Lies:


MRZ-PC (8:16 PM):


so these r the services which z very important to your computer , n now u can see ther xz so mny services hav stopped working ?


[Image: services.msc listing stopped services]


EMSISOFT-WIN764 (8:17 PM):


I see


MRZ-PC (8:17 PM):


ok


EMSISOFT-WIN764 (8:17 PM):


I guess in the middle pane it says stopped, not stopp


MRZ-PC (8:18 PM):


its a same thing


ok


EMSISOFT-WIN764 (8:19 PM):


yes


MRZ-PC (8:21 PM):


ok


can u see , 70% services has stopped runing inside your compuyter , n only 30% serivices z running inside your computer , which z not good


EMSISOFT-WIN764 (8:24 PM):


can’t I just start them or so?


MRZ-PC (8:24 PM):


onec these all sevices will stopped running , your computr will completely stopped and u can be able to use your computer any more


yaa u hav to reinstall the services


ok


EMSISOFT-WIN764 (8:25 PM):


omg, would that mean we’d need a new computer?


MRZ-PC (8:25 PM):


no , i mm here to help u out , we will repair the services


ok


now let me go ahead and check youir antivirus


EMSISOFT-WIN764 (8:26 PM):


phew, okay, I was scared there for a sec



The Truth:


Services are simply background processes that perform many tasks on your computer. They do not appear in your point-and-click graphical user interface, and instead operate behind the scenes. To take a look at which services are running on your PC, simply press Ctrl+Alt+Delete, open the Task Manager, and then click on the Services tab. Here you will see that some services are running and some are not. This is not a problem. Services are designed to automatically start and stop when they are needed and when they are not; and, as Elise points out at 8:24, a stopped service can be started manually. Just right click.
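The “70% stopped” figure is easy to reproduce and just as easy to explain. The PowerShell below (an added example, not from the Emsisoft post) tallies services by status, then breaks the stopped ones down by start type, which is what the scammer leaves out: most stopped services are Manual or Disabled and are meant to be stopped. It assumes PowerShell 5.0 or later, where Get-Service exposes the StartType property; the Spooler service name in the final comment is only an illustration.

```powershell
# Added example (not code from the Emsisoft post): the scammer's "70% of your
# services have stopped" claim, and why it is meaningless.
$services = Get-Service
$total    = $services.Count
$stopped  = @($services | Where-Object Status -eq 'Stopped').Count
"{0} of {1} services are stopped ({2:P0})" -f $stopped, $total, ($stopped / $total)

# Break the stopped services down by start type. Manual services start on
# demand and exit when idle; Disabled ones are never meant to run.
$services | Where-Object Status -eq 'Stopped' |
    Group-Object StartType |
    Select-Object Count, Name |
    Format-Table -AutoSize

# The only services worth a second look are Automatic ones that are not
# running. On a healthy PC this list is short and usually explained by
# services that deliberately stop themselves (trigger-started or idle).
$services |
    Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } |
    Select-Object Name, DisplayName, Status |
    Format-Table -AutoSize

# A stopped service can be started manually (the GUI's right-click > Start),
# from an elevated prompt. Example with the print spooler (illustrative name):
# Start-Service -Name 'Spooler'
```

Tallying and listing need no elevation; only Start-Service does. If an Automatic service really is stopped and stays stopped, the Event Viewer’s System log records why, which is a better diagnostic than anything a cold caller will offer.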


Step 7: Tell them about their “useless” antivirus


After showing us what was wrong with our computer, Mr. Z needed a scapegoat. Computers don’t just stop working on their own, mind you. To explain why we had undeletable files that were disabling our services, Mr. Z pointed the blame at our “incompatible” and “useless antivirus”…Emsisoft Anti-Malware!


The Lies:


MRZ-PC (8:29 PM):


ok let me go ahead and sjow u , your antivirus status


ok


ok i click on compatability


MRZ-PC (8:29 PM):


now can u see thr z a written \


MRZ-PC (8:30 PM):


run tis program and compatabilty mode for windows XP service pack 3


[Image: Emsisoft Anti-Malware shortcut properties, Compatibility tab]


EMSISOFT-WIN764 (8:30 PM):


but isn’t that unchecked?


MRZ-PC (8:30 PM):


so it means , your anti virus z nt working ion your computer


ok



The Truth:


Right click on your Emsisoft Anti-Malware shortcut, choose Properties, and then click on the Compatibility tab. You’ll see a drop down Compatibility mode menu which allows you to manually set the operating system for Emsisoft to run on. This menu was Mr. Z’s proof that Emsisoft Anti-Malware was incompatible with our computer!!!


Now, we were willing to play dumb…but not that dumb, so we pressed this whole incompatibility issue by running a scan.


More Lies:


EMSISOFT-WIN764 (8:31 PM):


but it runs, I mean, I can’t trust what it says?


I have another antivirus I think


MRZ-PC (8:31 PM):


if u hav a very good antivirus in your compter , those errors & warnings will never enter in to your computer


EMSISOFT-WIN764 (8:32 PM):


okay, I’m running that too now


look, it found stuff!!!!


MRZ-PC (8:33 PM):


its just showing u yay z running , but actually it z nt running , tats why there r somany error n wrnings in your computer


EMSISOFT-WIN764 (8:33 PM):


damn


MRZ-PC (8:33 PM):


u paid for tis antivirus or its free ?


EMSISOFT-WIN764 (8:33 PM):


okay, I won’t click on that message then


my father did, yes


or he got a free year license or so


MRZ-PC (8:34 PM):


how much un paid ? or u paid yearly or monthly or something like tat ?


EMSISOFT-WIN764 (8:34 PM):


let me ask him


MRZ-PC (8:34 PM):


ok


EMSISOFT-WIN764 (8:34 PM):


he says he paid 30 dollar yearly


but he got a free license from a friend


MRZ-PC (8:35 PM):


ohhhh really , u r payng t30 dollr yearly for tis useless anti virus


omg


EMSISOFT-WIN764 (8:36 PM):


well, idk, but it is detecting stuff right now, although it doesn’t seem to help much


MRZ-PC (8:37 PM):


see , these r use less , if it really works then u will not get these errors in your computer


ok


EMSISOFT-WIN764 (8:37 PM):


thats true


do you know what I could use best?



More Truth:


Emsisoft Anti-Malware was indeed working. It was detecting the malware we had pre-loaded onto the virtual machine before the TeamViewer session even began!


Step 8: Scan the computer’s brain


Now that Mr. Z had shown us the error of our ways, it was time to start problem solving. As he had so clearly shown us, we were running a useless antivirus that was allowing undeletable files to disable our services! To provide a more accurate diagnosis of the situation, Mr. Z began by scanning our computer’s brain.


The Lies:


MRZ-PC (8:38 PM):


now let me go ahead n scan the brain f brain f your computer n let seee wat it says , if u hav any iother any problm tis scan will tell us


ok


i will tell u


EMSISOFT-WIN764 (8:38 PM):


ok


MRZ-PC (8:38 PM):


about th best antivirus fr ypur computer


MRZ-PC (8:45 PM):


jst wait it will tak same time


ok


EMSISOFT-WIN764 (8:45 PM):


yes


MRZ-PC (8:46 PM):


just look at the first window


what z wrtten over there ?


[Image: command prompt after tree c:\ /f, ending with the typed “warning” lines]


EMSISOFT-WIN764 (8:47 PM):


hmm


it says something about a trozen


whats that?


the second says warning


and the other something about the license


MRZ-PC (8:47 PM):


yes, do you knw wat z trojen virus ?


EMSISOFT-WIN764 (8:48 PM):


I know its bad yes



The Truth:


Mr. Z did not scan our computer’s brain. Instead, he just typed tree c:\ /f into the command prompt. This is a harmless command that simply creates a “tree-styled” graphic display of the specified directory in the command prompt. In this case, that display was quite large, and as it was created it simply looked like a scan. To see this in action yourself, open your command line prompt (find it using Windows Search), type tree c:\ /f, hit Enter, and voila – you too have “scanned your computer’s brain.”


If you take a closer look at Mr. Z’s brain scan, you’ll also see 3 messages at the end:


warning!!!


trozen virus found -250


computer liscebse will expire will expire in two week


First of all, these messages have nothing to do with running tree c:\ /f. If you type the command yourself, you can see that none of them appear after the command has run. So how did Mr. Z make it look like his brain scan had produced these results?


He typed them into the command prompt. And by the looks of it he used a broken keyboard.


Just as you can tell your computer’s command prompt to run tree c:\ /f (or any other command for that matter), you can also tell it to run warning!!! This isn’t a command the command prompt recognizes, though. In fact, if you take a closer look you’ll see that this lack of recognition is indeed the prompt’s response.
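The “brain scan” can be reproduced safely on a throwaway folder instead of C:\, and the three “findings” can be typed into cmd.exe to see what it really says about them. The PowerShell below is an added example, not from the Emsisoft post; the sample directory under $env:TEMP is constructed for the demonstration and removed afterwards, and tree.com is the same utility the scammer ran.

```powershell
# Added example (not code from the Emsisoft post): what `tree` really does, and
# what cmd.exe really answers when the "scan results" are typed in as commands.

# Constructed sample directory so the listing stays small (on C:\ it is huge,
# which is the whole trick).
$sandbox = Join-Path $env:TEMP 'brainscan_demo'
New-Item -ItemType Directory -Force -Path (Join-Path $sandbox 'sub') | Out-Null
'a', 'b' | ForEach-Object { Set-Content -Path (Join-Path $sandbox "$_.txt") -Value 'x' }
Set-Content -Path (Join-Path $sandbox 'sub\c.txt') -Value 'y'

# tree.com only draws the directory structure; /f adds file names. Nothing here
# inspects file contents, let alone detects malware.
tree $sandbox /f

# The three lines that appeared at the end of Mr. Z's "scan" are not output of
# tree. Typed into the prompt, each is an unrecognised command: cmd.exe prints
# "... is not recognized as an internal or external command" and exits 9009.
$fakeResults = @(
    'warning!!!',
    'trozen virus found -250',
    'computer liscebse will expire will expire in two week'
)
foreach ($line in $fakeResults) {
    $reply = cmd.exe /c $line 2>&1
    "[$line] -> exit code $LASTEXITCODE; cmd said: $reply"
}

Remove-Item -Path $sandbox -Recurse -Force
```

Exit code 9009 is cmd.exe’s “command not found”; a genuine scanner reports findings through its own window or log, never as stray lines appended to a directory listing. If a remote “technician” types free text into a prompt and calls the error message a result, that alone settles what kind of call it is.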


Step 9: Reference the Almighty Google and Wikipedia


Mr. Z was now moving in for the kill. Having used his extensive technical knowledge and highly effective brain scan, he had shown us that our computer was infected with “trozens.” Mr. Z wanted to be absolutely sure that we were aware of the danger, though. Mr. Z needed us to understand what these “trozens” were… and to Mr. Z, there was no finer way to do so than through Wikipedia and Google.


MRZ-PC (8:48 PM):


ok let me show u wat z exactly trojen


ok


EMSISOFT-WIN764 (8:49 PM):


yes


MRZ-PC (8:51 PM):


yes m showing u , wat trojen vius


ok m gonna type trojen in the google n let see wat it says …..


ok


EMSISOFT-WIN764 (8:53 PM):


yes


MRZ-PC (8:53 PM):


wait


EMSISOFT-WIN764 (8:53 PM):


sorry, some text appeared


MRZ-PC (8:53 PM):


just wait … m doing somthng so do not touch your computer


opk , now go ahead n read the highlightd line


tis z about trojan viruses


[Image: Wikipedia article on Trojan horses with a highlighted line]


EMSISOFT-WIN764 (8:55 PM):


ok


I understand


that sounds quite bad


MRZ-PC (8:55 PM):


hmmmm


below tat u can see ther z a written purpose and uses


EMSISOFT-WIN764 (8:56 PM):


yes


MRZ-PC (8:57 PM):


thr z writtn , TROJAN MAY GIVE HACKER TO GIVE REMOTE ACCESSES


TO TARGET COMPUTER SYSTEM


and below that


EMSISOFT-WIN764 (8:57 PM):


yes


MRZ-PC (8:58 PM):


thr z a written crashing the computer wit blue scree up death


let me show u


the blue screen


[Image: Blue Screen of Death shown from a Google image search]


EMSISOFT-WIN764 (8:58 PM):


oh, I’ve never seen that


but it looks baad really :(


MRZ-PC (8:58 PM):


can u see the blue screen ?


yes


EMSISOFT-WIN764 (8:59 PM):


yes, I see it


MRZ-PC (8:59 PM):


if trojen will crtash your computer then u can see the blue screen


EMSISOFT-WIN764 (8:59 PM):


oh, and I definitely don’t want that


MRZ-PC (8:59 PM):


and when ever u turn on your computer


u can see the same screen


n they will ask u to restart your PC again


and no matter


haow many time u go ansd open your computer , u will get the same screen


EMSISOFT-WIN764 (9:00 PM):


I see


MRZ-PC (9:00 PM):


and just below that can u see ther z written , ELECTRIC MONEY THEFT


it mean they can steal your money from your BANK ACCOUNT


EMSISOFT-WIN764 (9:02 PM):


wow


MRZ-PC (9:02 PM):


jst below tat thr z a writtn , DATA THEFT


EMSISOFT-WIN764 (9:02 PM):


yes, I see


MRZ-PC (9:02 PM):


DATA THEFT means they can steal your personal infirmation from ur computer


like YOUR USER ACCIOUNT , PASSWRD


PHOTOS , YOOUR PERSONAL INFORMATION


EMSISOFT-WIN764 (9:03 PM):


omg


MRZ-PC (9:03 PM):


they can steal YOUR CREDIT CARD DETAILS


EMSISOFT-WIN764 (9:03 PM):


shoot


MRZ-PC (9:03 PM):


can u see , ther z writtn PAYMNT CARD INFORMATION


now i will like to see u


EMSISOFT-WIN764 (9:04 PM):


yes


MRZ-PC (9:04 PM):


do u do INTERNET BANKING ?


ONLINE SHOPPNG


?




PAYNING BILLS?


OR SOMETHING LIKE TAT ?


R U THR ?


??


EMSISOFT-WIN764 (9:05 PM):


sorry


yes


I sometimes shop online


and I think my father does banking


MRZ-PC (9:06 PM):


hav u read tat thing ? m asking u something?


EMSISOFT-WIN764 (9:06 PM):


yes


MRZ-PC (9:06 PM):


i think u hav to stop doing tat things


EMSISOFT-WIN764 (9:06 PM):


yeah, I’ll definitely stop that


MRZ-PC (9:07 PM):


you shuld nt do tat things UNTILL N UNLEWSS u do nt remove th TROJAN VIRUS from your COMPUTER .


ok


EMSISOFT-WIN764 (9:07 PM):


yes


MRZ-PC (9:07 PM):


ok


now do u undrstand , wat z TROJAN ?


EMSISOFT-WIN764 (9:08 PM):


yes



The Truth:


There is a Wikipedia article about Trojans.


The Big Sell


Step 10: Give them a .txt file they can’t refuse


It had now been over an hour on TeamViewer. In all that time, we had learned about warnings and errors, undeletable files, stopped services, ineffective antivirus programs, brain scans, and the dangers of “trozens” by way of Wikipedia and Google. Thanks to Mr. Z, we were now completely misinformed and “desperate” for an answer. Lucky for us, Mr. Z had a solution.


MRZ-PC (9:11 PM):


now let me discuss to MY SENIOR TECHNICIAN about your computer


EMSISOFT-WIN764 (9:16 PM):


ok


MRZ-PC (9:17 PM):


ok


wait


m talking to my senoir superwiser about your computer problem


what should be the best solution


EMSISOFT-WIN764 (9:18 PM):


ok thanks


MRZ-PC (9:18 PM):


pk


now m going to write down on the NOTEPAD SOLUTION FOR YOUR COMPUTER


OK


[Image: Notepad with Mr. Z’s “solution” and price list]

How a Microsoft Tech Support scammer fixes your PC.




A Heartfelt Thank You on Behalf of Bleeping Computer and Emsisoft


Final Step: When they realize it’s a scam, deny everything


By now of course we weren’t even sure if we could still play along. Mr. Z had provided over 2 hours of tech support… and now he was trying to get us to pay for extended service, with poorly written ads pasted into Notepad. In all honesty, this final tactic put us at somewhat of a loss for words, but after some careful consultation with a few of our friends from Bleeping Computer, we eventually developed an adequate response (continuing the conversation in Notepad).


[Image: our thank-you note to Mr. Z, typed into Notepad]


Not to anyone’s surprise, Mr. Z denied all allegations of being a scammer until the very end.


[Image: Mr. Z’s reply in Notepad, denying everything]


Moral of the story? Some people will do anything to scam strangers on the Internet, even if it’s more work and less pay than getting an actual job. Don’t let them scam you.


Have a great (Mr-Z-free) day!


Your Emsisoft Team.




* Note: All of “Mr. Z’s” spelling and grammar has been left in its original form. If you can’t understand about half of what he’s saying, don’t worry – neither could we! In general, grammar like this – regardless of language – is a telltale sign that you’re dealing with a fraud.


