Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Windows "Support" calls InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Windows "Support" calls

Published: 2013-12-06
Last Updated: 2013-12-06 02:09:11 UTC
by Mark Hofman (Version: 1)
16 comment(s)
One of our readers  received a "Microsoft Support" call, finally.  It was to funny not to put up.  Happy Friday
 
"Finally(!), I got one of those unsolicited telephone calls from the "Windows Service Centre".
Caller-ID information showed 'unavailable'.
 
The first caller identified himself as 'Dadge Miller' (or something like that).
He said he was calling from Microsoft headquarters in California.
I said that I thought that their headquarters was in Redmond, Washington.
He said that Microsoft has offices worldwide.
OK, I'll buy that. :-)
 
He said that Microsoft has detected computer-viruses on my computer.
After helping me find the Windows key on my keyboard, he said "press Windows key and R key at the same time".
Then, enter 'eventvwr' and click OK.
When 'Event Viewer' opened, he had me click the 'Application' tab, and said that all the "errors" and "warnings" represented computer-viruses.
OK, I'll buy that. :-)
He had me minimize the window, and back to Windows-R.
Then, enter: www.support.me and click OK.
That launched Internet Explorer, redirecting to: https://secure.logmeinrescue.com/Customer/Code.aspx
He had me enter '702814' and click 'Start Download' and then 'Run'.
Instead, I clicked 'Save' for file: 'Support-LogMeInRescue.exe'.
At this point, I said that my anti-virus software had flagged the download as "unsafe" and that it had deleted the download.
He believed me.  :-)
He passed the telephone call to "Randy Roberts", his supervisor, with an Bangledeshi accent ?!
Then, enter: www.support.me and click OK.
That launched Internet Explorer, redirecting to: https://secure.logmeinrescue.com/Customer/Code.aspx
He had me enter '352632' and click 'Start Download' and then 'Run'.
Again, I said that my anti-virus software had flagged the download.
Then, after a pause, he asked me if there was a Walmart nearby.
 
He offered me two levels of "support" -- one year for 149 dollars (currency not specified) or lifetime for 249 dollars.
I chose the "lifetime" support.   :-)
He told me to go to Walmart, and say that I want to make a Moneygram Money Transfer, citing a "personal" reason.
Recipient name: Tapan Saha (over a dozen people by this name on LINKEDIN ! Lots on Facebook, too!)
Address: Nagaripur
City: Takerhat
Country: Bangladesh.
He said that Microsoft has contracted with this provider in Bangladesh.
He said that the fee will be $299 -- $249 plus $50 for a technician to come to my home to fix my computer, if they cannot fix it over the telephone.
Nice bit of "up-selling".  :-)
 
I said that it would take me some time to get to Walmart, purchase the MoneyGram, and return home.
So, he agreed with my request to call at 1 PM local (70 minutes from the time we talked).
I have an appointment downtown at 1 PM -- guaranteed not to be home at that time!
He said that Walmart will charge me $10 for the MoneyGram.
He confirmed my telephone-number, and gave me his: 727-498-0049,
and told me to ask for "Randy Roberts" if I called him.
 
They told me to turn my computer off before I went to Walmart.
 
While I was out, at my lunch-date, my voice-mail recorded 6 messages -- all "empty" -- two from "unavailable", two from a non-long-distance number, and two from Cincinatti (Ohio).
Obviously, they were spoofing the caller-ID information, repeatedly trying to contact me.
 
M
Keywords:
16 comment(s)
Diary Archives