Keeping the hoax callers busy…

It’s Monday morning, about 10am, and I get a call on my home landline. The lady explains that her name is Shirley and she’s calling from Microsoft about a security issue on my computer.

Well, already I know it’s a hoax and I know what ‘Shirley’ is going to ask me to do. It’s the same old script, but I do notice a few improvements this time that could mislead an unsuspecting user, even if you don’t give over control of your computer.

First up, she’s introduced herself adding a bit of a personal touch, not sure if the criminals have been studying psychology or if by accident, but introducing yourself as a person with a name is known to help foster a sense of trust. Secondly, she said she was from Microsoft. This is the first time I have heard Microsoft used, previously they have said they are from ‘Windows’ which is of course a product line, not a company.

So I’m intrigued by how many other changes they might have made, and I feel it’s my little way of helping the community by keeping their phone operative busy for as long as I can.

Shirley asks me to start up my computer. Well, I’m actually working on my computer at the time but I don’t tell her that; instead I start up VirtualBox and load a virtual computer running Windows 7. I also start up a Linux virtual computer that can act as a gateway, configured so I don’t disclose my real IP details.

Once up and running I tell Shirley that I am logged on and she instantly falls back to the old script: “Click the Windows Key + R” (this opens the RUN dialogue box)
“Type in EVENTVWR and press enter” (Windows Event Viewer; this is where the OS and installed apps log events that help diagnose issues on your computer. NOTE: It’s completely common for there to be tens of thousands of log messages, with lots of red crosses and yellow triangles. If you are worried about anything you see in the Event Viewer, contact us and we can tell you if it’s something that needs urgent attention.)

Windows Event Log, especially when filtered, can look very scary, but don’t let that fool you. While these are errors that probably need attention, they are not an indication of a virus.

I’ve duly opened up the event viewer and Shirley asks me to click on the FILTER CURRENT LOG and to tick the WARNING and ERROR boxes, this is another new part to the script, as previously I’ve just been asked to read out the NUMBER OF EVENTS listed at the top of the screen. With the log filtered, it’s now a sea of scary looking error messages.
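The same Warning and Error filter can be run from PowerShell and grouped by the component that logged each entry, which shows that the entries are diagnostic records written by Windows components and applications, not a list of files. This is an added example, not part of the original post; the 7-day window and the choice of the System and Application logs are assumptions made for the example.

```powershell
# Added example: reproduce the "Warning + Error" filter from the call script
# and summarise what actually wrote those entries.
# Assumptions: 7-day window; System and Application logs only.
$since = (Get-Date).AddDays(-7)

# Level 2 = Error, Level 3 = Warning (the two boxes ticked in "Filter Current Log")
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Level     = 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

"{0} warning/error events since {1:yyyy-MM-dd}" -f @($events).Count, $since

# Nothing matched the filter: nothing to summarise
if (-not $events) { return }

# Count entries per logging component and severity
$events |
    Group-Object ProviderName, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize

# One sample entry from each of the five noisiest sources,
# so the message text can be read rather than just counted
$events |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object -First 5 |
    ForEach-Object {
        $sample = $_.Group[0]
        [pscustomobject]@{
            Source  = $_.Name
            EventId = $sample.Id
            Logged  = $sample.TimeCreated
            Message = ("$($sample.Message)" -split "`r?`n")[0]
        }
    } |
    Format-List
```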

Shirley informs me that those are all infected files, this is a revert to the old script again. She tells me that unless I fix the files in 1 hour, Microsoft will cut off my computer from the internet and I will have viruses that allow people to access my computer.

Well, obviously I don’t want a virus riddled computer that’s been disconnected from the internet, right?

But not to worry, just a few questions and install a file to connect me to the Microsoft central computer and I’ll be fine to go about my business.

Shirley asks me if I use online banking, I say ‘yes’ and she asks me who I bank with. I don’t know why but the first bank I can come up with is Deutsche Bank. I get asked a series of questions that will help ‘them’ find out where the viruses came from. In reality what these questions are doing is helping to build a list of information they need to get from me or my computer, and a list of files they will be looking for when they eventually get onto my PC.

How many people use the computer for online banking, online shopping or online gaming?
Do I use any other computers?
How often do I change my passwords?
Do I use the same password on many sites?
Do I have any antivirus software?
… and so on…

Log Me In & TeamViewer

Once I have given satisfactory answers to the questions, I am directed to the TeamViewer website and asked to download the app so they can connect me to the ‘Microsoft Central Computer’, which sounds very exciting. But I have to be quick as I might get my computer cut off soon.

I have been trying to waste their time without arousing suspicion, so I gave VERY long detailed answers to the questions, including why I bank with a German bank (and my fictitious 2 years in Germany helping the Kremlin to move funds and gold into off-shore banks based in Panama) and asking for everything to be spelled out in the phonetic alphabet, but then mixing up my phonetic names (‘H’ for Hoax, ‘S’ for Scam).

Eventually I start to download TeamView…. and then the internet breaks!! My ISP has an outage and I am left unable to finish the download. I could switch to my 4G account, but I have used TeamViewer lots of times in the past, I can bluff this!

I pretend the download has finished and I have installed the application. Sheila asks me to read out the 9-digit user ID (good job she told me how many digits as I couldn’t remember!) “it’s 456 123 789” I say, and the pass-code “that’s 654321” I tell her…. a pause, then “can you read that out again, it says it’s not recognised”

At this point, Sheila was hoping to log into my computer and take control over it. Probably she would have tried to make copies of the files in the folder I keep on the desktop called “Bank Account Details” (the contents of which are two Word documents, one infected with a macro script that renders the boot disk of the infected computer un-bootable, the other is full of apparently random data that spells out “Who watches the Watchers” in long hex), maybe install a cryptoware or keylogger app and set up a backdoor so others could log on in the future, and download anything else that might be of use to them.

But instead she spends about 20 minutes trying to figure out why the number I have given her is not working, which is not helped by me changing the numbers around each time.

Eventually she gives up and moves onto www.support.me (Log Me In). Again, without any actual internet access I know I can’t start this, but I bluff and ask her for the session code. She gives me a code and I write it down, making a note of the exact time so I can email it to the LogMeIn abuse email account once I have access.

I manage to make this last another 10 minutes before saying that my computer is restarting after doing Microsoft updates. Shirley is getting quite impatient with me now but doesn’t give up. She almost shouts at me that I am going to get my computer cut off and all these viruses are going to infect my other computers.

After nearly 2 hours (I think this must be some record) I am the one who admits defeat, well actually I am getting peckish and feel I have done my bit for the day, so I ask Shirley if she can call me back after I have been to the pub, thinking she will realise I am winding her up, but Shirley is not going to give in so easily. She tells me she will call me back after I have been to the pub!! and she does. But it’s her home time now and she can’t fix my computer today so she is going to call back tomorrow to try again.

Microsoft won’t call you

If you get an unsolicited call from Microsoft, McAfee, Apple or anyone else telling you that you have a virus on your computer, it’s most likely a scam. Take a note of the caller’s name and company name, and ask them for a phone number. Check out the details online to put yourself at ease, or contact us and we will check up on them for you.

#WeCanHelp

tinsleyNET Fraud Prevention

Don’t let the hoaxers catch you out. No matter how convincing or how insistent an unsolicited caller is, never take their word for anything. This applies to banking calls as well as these hoax support calls. If a caller asks you to provide some information to confirm you are who you say you are, don’t until they have proven they are who they say they are.

Never download or go to websites that allow remote access unless you know 100% who it is you’re talking to. Tricksters will always try to sound convincing and will use any means they can to get you to lower your guard.

If you suspect your computer may have been infected or compromised, or you think you may have fallen victim to a scam, you should alert the police cyber crime department, and if you have online banking you might need to alert your bank too.

 

 

tinsleyNET IT Services Consultants | 07825650122 | it@tinsleyNET.co.uk | @tinsleyNET | +tinsleyNETcouk | www.tinsleynet.co.uk | Facebook | #Stuff4Steph
tinsleyNET LTD | IT Services Consultants
Offering IT Services to businesses and home users across the UK