
SANS ISC: Windows "Support" calls - SANS Internet Storm Center SANS ISC InfoSec Forums


Windows "Support" calls
One of our readers received a "Microsoft Support" call, finally. It was too funny not to put up. Happy Friday.
 
"Finally(!), I got one of those unsolicited telephone calls from the "Windows Service Centre".
Caller-ID information showed 'unavailable'.
 
The first caller identified himself as 'Dadge Miller' (or something like that).
He said he was calling from Microsoft headquarters in California.
I said that I thought that their headquarters was in Redmond, Washington.
He said that Microsoft has offices worldwide.
OK, I'll buy that. :-)
 
He said that Microsoft has detected computer-viruses on my computer.
After helping me find the Windows key on my keyboard, he said "press Windows key and R key at the same time".
Then, enter 'eventvwr' and click OK.
When 'Event Viewer' opened, he had me click the 'Application' tab, and said that all the "errors" and "warnings" represented computer-viruses.
OK, I'll buy that. :-)
He had me minimize the window, and back to Windows-R.
Then, enter: www.support.me and click OK.
That launched Internet Explorer, redirecting to: https://secure.logmeinrescue.com/Customer/Code.aspx
He had me enter '702814' and click 'Start Download' and then 'Run'.
Instead, I clicked 'Save' for file: 'Support-LogMeInRescue.exe'.
At this point, I said that my anti-virus software had flagged the download as "unsafe" and that it had deleted the download.
He believed me.  :-)
He passed the telephone call to "Randy Roberts", his supervisor, with a Bangladeshi accent?!
Then, enter: www.support.me and click OK.
That launched Internet Explorer, redirecting to: https://secure.logmeinrescue.com/Customer/Code.aspx
He had me enter '352632' and click 'Start Download' and then 'Run'.
Again, I said that my anti-virus software had flagged the download.
Then, after a pause, he asked me if there was a Walmart nearby.
 
He offered me two levels of "support" -- one year for 149 dollars (currency not specified) or lifetime for 249 dollars.
I chose the "lifetime" support.   :-)
He told me to go to Walmart, and say that I want to make a Moneygram Money Transfer, citing a "personal" reason.
Recipient name: Tapan Saha (over a dozen people by this name on LINKEDIN ! Lots on Facebook, too!)
Address: Nagaripur
City: Takerhat
Country: Bangladesh.
He said that Microsoft has contracted with this provider in Bangladesh.
He said that the fee will be $299 -- $249 plus $50 for a technician to come to my home to fix my computer, if they cannot fix it over the telephone.
Nice bit of "up-selling".  :-)
 
I said that it would take me some time to get to Walmart, purchase the MoneyGram, and return home.
So, he agreed with my request to call at 1 PM local (70 minutes from the time we talked).
I have an appointment downtown at 1 PM -- guaranteed not to be home at that time!
He said that Walmart will charge me $10 for the MoneyGram.
He confirmed my telephone-number, and gave me his: 727-498-0049,
and told me to ask for "Randy Roberts" if I called him.
 
They told me to turn my computer off before I went to Walmart.
 
While I was out, at my lunch-date, my voice-mail recorded 6 messages -- all "empty" -- two from "unavailable", two from a non-long-distance number, and two from Cincinnati (Ohio).
Obviously, they were spoofing the caller-ID information, repeatedly trying to contact me."
 
Mark

391 Posts
ISC Handler
These folks tried to pull that scam on us recently; after multiple cold calls during the mid-day my wife took down their number (spoofed) and instructed them to call back when I was home.

They eventually did, part of their introduction scheme was to make it sound as if they were calling from my ISP or present security service.

I only went as far as the event viewer stage, then called him on typing a URL in the run command box as potentially risky! Let him know he was not dealing with a novice computer operator and that my wife (who is novice but careful) was instructed to -NEVER- follow anyone's technical service advice unsolicited without me being present.
Taxmanhog

6 Posts
Lucky you! I had two of them in the last week.
Taxmanhog
1 Posts
I've had half a dozen of these. Depending how much time I have at that moment, I play with them for a while, or I tell them "Sorry, I don't have any computers running Windows", and they are aghast... "Well, what do you have?" ... I say "Ubuntu"....
The line usually goes dead right then...... :-)
Steven

2 Posts
If you can spare the time, be a "tarpit". The longer you're stringing them along the less time they have to work their evil ways with anyone more vulnerable. And when you've finished playing dumb and docile with them you might want to let rip with what you really feel about their despicable choice of career.
Anonymous
Is there any legal recourse against this type of activity?
RiverMan

1 Posts
I do exactly that every time!! :0) When I get bored I love telling them that I am happy to have wasted their time and opportunity to scam someone else. ;)
Scott3Boy

3 Posts
I recorded a little audio from my interaction with one of these support calls. Only about 45sec.. but I had fun! http://www.youtube.com/watch?v=7y_CXFUT2cs

I try to always have a VM up and running that I can "allow" them to remote control and watch what they do. :)
Scott3Boy

3 Posts
And since WebSense lists both sites as "web collaboration", they must be safe....
Safe to blacklist anyway.

When I get these calls I usually harass them over the quality of their scam or script. "this windows support. we have detected you virus".

Then again, I hang up on the vendors who cold call too.
CBob

22 Posts
I had 7 of these in 2 days but I only let them get as far as "I'm from Microsoft and there is a problem with your computer". Then I tell them that Microsoft has said this is a scam and I'm from the Texas State Attorney General's office, Fraud Division. The line goes strangely dead at that point!
CBob
1 Posts
Quoting RiverMan:Is there any legal recourse against this type of activity?


Legal recourse.. no, caveat emptor... but there is a logical way to stop this and though I do not typically promote products, this one I will.. called Digitone. It cannot be spoofed via VOIP, Magic Jack, cell phone, POTS, wrong numbers, "Unavailable" on your caller ID etc. Blocks them cold. 3 friends of mine were getting calls from scumbags like this, one even got suckered for 400.00!!! I said, get one of these, oh look... blockie.

I am amazed to see people posting and giving someone on the other side access to their PC... never going to happen on my end. You might be surprised how smart one of these "flunkies" turns out to be, so why give them the chance?
ICI2I

63 Posts
Quoting RiverMan:Is there any legal recourse against this type of activity?

Microsoft might have recourse against them; depending on what jurisdiction the scammers are based in.

If you actually fall for the scam, and suffer damage as a result of their fraud, perhaps there is recourse: if the caller is subject to US law.
You need to be able to identify the scammer to successfully pursue any recourse; their identity may be obscured, and they may be calling from overseas.

Just because possible recourse exists, doesn't necessarily mean the victim has the means to avail themselves of it.
Mysid

146 Posts
I just got called (17:30 PST) by the "Global Computer Maintenance Department of Windows", claiming to be calling from California. His name was "Kevin Watson" (209-730-6463).
The caller-ID showed "unavailable".

This time, the "twist" was that he was offering me a refund, because he said that I had paid money to subscribe to an online technical-support service that now cannot be provided.

Sure, I believe it. Show me the money!

He said that he had to "verify" my computer, before the "Accounting Department" could send a Refund Form to me.

So, after "Windows-Key-and-R-key", I was told to enter: 'www.teamviewer.com' and click OK.
I did, but clicked 'save' instead of clicking 'run'.
Then, I told him that my anti-virus software had deleted the download.

So, I then was told to enter 'www.ShowMyPC.com' and do another download.
Then, I told him that my anti-virus software had deleted the download.

So, I then was told to enter 'www.ammyy.com' and do another download.
This web-site has a clickable red-coloured link to a text-page advising me that AMMYY's software can be exploited by scammers. I read some of that text back to him.
I asked for his name/number (above), and expressed concern about this process and about that warning of misuse of their software.

I said that I would contact him, via the above number.
When I did not call within a few minutes, Kevin called me back, asking me if I had called the number.
I begged-off, saying that I had dinner on the stove, and needed to attend to feeding my family.

Ten minutes later, while typing this, Kevin called me again. I asked for 30 minutes to finish eating my dinner. (I have to be elsewhere within 30 minutes, and won't be able to answer his call. Too bad.)

Persistent fellow, using a few different Remote Administration Tools.

No soup (and no refund) for me, today!
Anonymous
You can report them to LogMeIn and/or TeamViewer (the most common ones they use) and they will disconnect their accounts. Just give them the code that they give you to put in the box, at least with LogMeIn Rescue there is a "report abuse" link at the bottom of the page.
BigBadSubaru

1 Posts
My mother got caught by this. She didn't send the guy any money or anything, but by the time she called me about it while she was on the house phone with the guy, it was too late. He asked for $400 to clean the computer, was denied and at some point had put a syskey on the system. I had no clue, but once I realized she somehow let him into the computer I panicked and shut it down. I should've just unplugged the Ethernet cable. No matter what, I probably wouldn't have found out about the syskey. I had to take out the hard drive and get all the pictures off of it, then reformat it and reinstall Windows. So if this ever happens to anyone else, don't shut it down, and remove that syskey. I think you can disable it without having a password if you're still in Windows; once you shut it down, it's all over.
BigBadSubaru
1 Posts
Quoting Anonymous: My mother got caught by this. She didn't send the guy any money or anything, but by the time she called me about it while she was on the house phone with the guy, it was too late. He asked for $400 to clean the computer, was denied and at some point had put a syskey on the system. I had no clue, but once I realized she somehow let him into the computer I panicked and shut it down. I should've just unplugged the Ethernet cable. No matter what, I probably wouldn't have found out about the syskey. I had to take out the hard drive and get all the pictures off of it, then reformat it and reinstall Windows. So if this ever happens to anyone else, don't shut it down, and remove that syskey. I think you can disable it without having a password if you're still in Windows; once you shut it down, it's all over.


Sorry this happened to your "mom". I refer back to my post above: give them the chance and you might get a person that can do real damage... Though we can have "fun" with these jerks, for every success they get even more bold and hurt innocent people. They are scum, period. I have a licensed version of TV and though you can get their number.. it works nicely with an onion product.. so much for that idea.

It does not take a rocket scientist to see the breaches that have happened even to the most secure accounts or networks... Is it SNOWden where they are? <idunno> What I do know is if you do not have a firewall set up for your phone, you have a couple on the PC: one is the CAT cable and the other is the power plug. Game over, they are going into a sinkhole.
ICI2I

63 Posts
I found a way to take a HUGE chunk of their time. I am retired after 30 years in the computer industry (mainly Oracle Corp) so I knew a bit about this scam, and have all the time in the world.

I am lucky enough to have multiple machines - on one of which I was about to remove RedHat and put on Oracle Unbreakable Linux. This machine has nothing on it apart from the O/S, so I figured - well, if they trash this machine, who cares (I was about to do it anyway). So making sure all other computers were off I "followed" their instructions BUT made sure I didn't tell them it wasn't a Windows machine.

About 10 minutes were wasted as when pressing the "Windows" + "R" key it did nothing (well duh!), and the caller got his "supervisor" involved.

Then they told me to use IE to connect to https://secure.logmeinrescue.com/Customer/Code.aspx. I patiently explained I don't have IE on this machine - but use Firefox instead, and managed to waste a couple of minutes discussing whether it had to be IE and should I install it?

Finally they "persuaded" me to connect to the site via Firefox and asked me to enter the 6 digit code which they said Microsoft would have supplied with the machine. I then said I would find it saying be back in a couple of minutes and before they could tell me not to I walked away from the phone.

I then took up about 10 mins of their time "searching" for the non-existent documentation (which I have never had).

Eventually I came back to the phone (having made a coffee and having managed to get a couple of the clues in today's crossword) and told them I couldn't find it. They then provided the value 585577 to connect.

So I did that. It then provided a pop-up to save an executable (Note: as this is Linux it didn't offer to Run it). At this point I became totally "computer illiterate" and said that my wife was the computer expert and she had always told me never to download unknown files to my system. The "scammer" then said that it wouldn't download any files - but would enable them to investigate the "problem files" on my computer. So I conducted a long "dumbass" discussion as to how it could be offering to save a file if it wasn't downloading one? Just to take a bit more time I went to the login page at https://secure.logmeinrescue.com/Customer/Code.aspx in another browser window - where there is a helpful "how it works" link. This link states that it downloads a file to the computer, and so gave me enough ammunition to drag out the argument as to whether it was downloading a file or not. In all I managed to stretch this argument to nearly 20 minutes.

I then decided I needed to "throw them a bone", as if they felt there was no chance of getting me to do what they wanted they would close the call and move on to some other victim.

So I clicked on the "Save file" option which duly downloaded the file. Then the guy on the other end showed how out of their depth they are when going "off-script". He didn't seem to know what I needed to do next - and said he would consult a fellow member of staff. After about a minute he was back and said I needed to double-click the downloaded file (Support-LogMeInRescue.exe). I ummed and ahhed a bit, feigning ignorance as to how I needed to do this, but eventually capitulated and double clicked it.

He then asked me what I was seeing. I told him I had a pop-up box saying "This link needs to be opened with an application. Choose an application" - which had a "Choose an application" button. I garbled it a bit - and had to repeat it a couple of times - but eventually he decided I needed to click on the "Choose an application" button. I did this.

He then asked what I was seeing. I told him the options were: Desktop, install.log and install.log.syslog, (I didn't mention the "anaconda-ks.cfg" file as this might have given them an inkling it wasn't a Windows box). He suggested choosing the install.log, which I did (it was not going to do ANYTHING with that file). I then told him nothing had happened but it had returned to the "Choose an application" pop-up (which it had).

He got me to try it a couple more times (and I thought I could hear him scratching his head), but of course nothing worked.

Then he had a brainwave - and asked me to connect to www.ammyy.com. I spun this out a bit by prefixing the URL with "https://" rather than "http://" - this cost me (and them) about 5 minutes - but eventually the page came up.

He then asked me to click on the "Start working with Ammyy Admin (it's free)" link. I did this and again it only offered an option to save the file "AA_v3.exe", not run it. He was surprised at that (I wasn't). We then went round the loop of double clicking the saved file and being asked to choose an application for a few more minutes.

Eventually (as I was becoming curious to see what would happen) I suggested that as these executables were for Windows, maybe they were failing because I was running Linux?

Immediately he passed me to another colleague who said that I needed to "reactivate" some virus software which is supplied with the machine and had expired. This would cost £150.00 for one year, £200.00 for two years or £350.00 for lifetime coverage for unlimited machines. I asked what this software was, and he at first said "Windows Defender". A VERY long discussion ensued as to why Windows Defender couldn't possibly work on Linux, at which point it became "Linux Defender" that we were reactivating. I queried how I could be reactivating something which had never been installed on this machine, and he said "it was bundled with the original hardware when Microsoft built the machine". I pointed out Microsoft never built the machine, at which point it was "built into the CPU". A long discussion followed of how that was not actually possible (antivirus firmware built into the CPU - a gap in the market?), at which point it wasn't in the CPU but in the memory chips (interesting concept). Lots more discussion on how that was impossible.

As a Unique Selling Point he also mentioned at one point that activating this software would block-out any other antivirus software I have installed and so would save me money as I wouldn't need to pay for them. I pointed out that my Antivirus software was free anyway.

I then asked him which Linux Kernel this software was compatible with. He said all of them. So I asked if it was EVEN compatible with kernel 6.3.34 (the actual latest is 3.16), and he assured me it was as he has installed it on that version himself!

Finally, needing a toilet break after spinning them along for 2 hours 50 minutes, I explained that one reason I use Linux was because I don't need to pay for software so I would not be interested in their "product" unless I could have a free 6 month trial with full Product Support for which I would need a contact number in case I needed help in installing it.

This ended the "session" - So very nearly 3 hours of their time wasted and multiple people (who were presumably taken from other calls as I appeared "promising").

Sorry this rant was so long - but it was a DAMN sight longer for them (and me).
ICI2I
1 Posts