MS Tech Support phone scam victim

  • Thread starter DaveC426913
  • #1
DaveC426913
All my sphincters are in lockdown.

Normally my mother is extremely suspicious of strangers calling, but for some reason, this slipped by her. She apparently spent quite a bit of time the other day on the phone with someone "trying to help her fix technical problems with her Microsoft" system. She obviously gave them access to her system, since she said that they were manipulating her cursor and accessing various places on her computer.

She's away for a few days, so I dropped by to check out the damage. As far as I can tell, there are no obvious lasting effects. No software installed that I can see. I ran a virus check, turned on the Windows Firewall, and searched the drive for what had been installed during the time in question. Still nothing.

I am highly dubious that they would put their grubby paws all over her system, yet not install anything. Maybe there's something on there that's invisible, or simply looks innocuous to my eye.

Does anyone have any suggestions for a deeper search?
 
  • #2
Assuming that she doesn't have a firewall, I would install one. That should let you know pretty quickly if there is something that's communicating with the outside world. There are other things to check but that would be my first.
 
  • #3
Borg said:
Assuming that she doesn't have a firewall, I would install one. That should let you know pretty quickly if there is something that's communicating with the outside world. There are other things to check but that would be my first.
Right. Yes, I turned on the standard Windows firewall.

I didn't stick around very long to see if it was doing anything though. And I shut the system down when I left.
 
  • #4
DaveC426913 said:
Right. Yes, I turned on the standard Windows firewall.

I didn't stick around very long to see if it was doing anything though. And I shut the system down when I left.
Sorry, that didn't register in my brain for some reason. :redface: Glad to see that you shut it down before you left. For now, you have to keep it that way and do not connect it to the internet until you can verify the integrity of the system.

Personally, I don't trust the Windows firewall. I wouldn't be surprised if they installed a rootkit or some back door that the Windows firewall wouldn't see. I like and use the free version of ZoneAlarm. The damn thing installs a toolbar on your browser these days but a quick Google search can show you how to get rid of it. Unlike Windows, ZA is a default-deny firewall where the Microsoft firewall tends to allow Microsoft OS processes access by default.

Coincidentally, I just passed Security+ certification this week. It may take some time to fully inspect the machine but I'll be happy to help as much as I can.
 
  • #5
For the uninitiated - How the Microsoft tech support scam works.
A senior security researcher from Malwarebytes has played along with a Microsoft technical support scammer, documenting the whole episode in a video, to showcase the social engineering that takes place.
 
  • #6
Borg said:
Interesting. I did notice a couple of TeamViewer log files (we use TeamViewer at my work). But as far as I could tell, TeamViewer was not installed on the system. All I saw were two log files, one from TV9 and one from TV10.
 
  • #7
DaveC426913 said:
Interesting. I did notice a couple of TeamViewer log files (we use TeamViewer at my work). But as far as I could tell, TeamViewer was not installed on the system. All I saw were two log files, one from TV9 and one from TV10.
We can look into whether it's still there later. For now, I just consider it a means to their ends.

I haven't dealt with fixing a phone scam like this but I see two main possibilities for the phone scam - install malware that allows them to use the machine as part of a botnet or to install key loggers to obtain financial information.

Some questions:

Did she give them any financial information? You may have to ask this a couple of ways because of the social engineering that occurs in a case like this. They're very skillful in getting people to release information that the person doesn't realize that they've given.

Before you shut it down, had the computer been shut down and restarted after "tech support" had their hands on it? The reason I ask is that there could be a virus that activates when the system is restarted. If it's already been restarted once, then we can eliminate that danger.

How does the system connect to the internet? Wireless or direct cable? At some point, it may be necessary to turn it back on but you don't want it connecting to the internet when you do. Disconnecting the LAN cable is easy but many people have their wireless set up to autoconnect so you have to make sure that it can't by turning it off at the router.

What browser does she mainly use? I'm more knowledgeable in Firefox but many non-technical people just use IE. I ask this because if she lets the browser save passwords, you may have to get them all changed.

What is the OS version?

BTW, if we get too far into the specifics of her system, I'm OK with discussing it through a conversation or personal email.
 
  • #8
Borg said:
I haven't dealt with fixing one of these but I see two main possibilities for the phone scam - install malware that allows them to use the machine as part of a botnet or to install key loggers to obtain financial information.

Some questions:

Did she give them any financial information? You may have to ask this a couple of ways because of the social engineering that occurs in a case like this. They're very skillful in getting people to release information that the person doesn't realize that they've given.

Before you shut it down, had the computer been shut down and restarted after "tech support" had their hands on it? The reason I ask is that there could be a virus that activates when the system is restarted. If it's already been restarted once, then we can eliminate that danger.

How does the system connect to the internet? Wireless or direct cable? At some point, it may be necessary to turn it back on but you don't want it connecting to the internet when you do. Disconnecting the LAN cable is easy but many people have their wireless set up to autoconnect so you have to make sure that it can't by turning it off at the router.

What browser does she mainly use? I'm more knowledgeable in Firefox but many non-technical people just use IE. I ask this because if she lets the browser save passwords, you may have to get them all changed.

What is the OS version?

BTW, if we get too far into the specifics of her system, I'm OK with discussing it through a conversation or personal email.

Before I started it up, I physically disconnected the network cable from the modem.

I do not know what information she gave them. I will ask when she comes back. (I doubt she gave them any financial information. She is normally pretty savvy/suspicious.) I noticed when I started it up the first time, that it went to the restart menu, which indicates that the last time it was shut off, she did a hard power-down. It is conceivable that she simply got frustrated with the caller and powered off her computer. :fingers crossed:

It's Windows 7. It is connected via a modem to Bell. I used Chrome.
I think she is not sophisticated enough to use websites that require passwords, let alone have the browser store them.
 
  • #9
I've received two or three calls from some outfit telling me that they have discovered security errors on my computer. The first couple of times I just hung up. The last time, about a week ago, I said, "No, I don't have any problems with my computer. What makes you think I have problems?" He hung up.
 
  • #10
More information - http://www.pcadvisor.co.uk/how-to/security/3378798/microsoft-phone-scam-dont-be-victim/.
First of all don't beat yourself up. This could happen to anyone (and does). You need to change all the personal data that you can change. As much as you might like to you can't change your date of birth, and changing your name and address seems extreme. But you can change all your passwords and usernames, starting with your main email account and any bank- and credit card logins. Also, contact your bank to ask them to be on the look out for anything dodgy.

Again, use up-to-date security software to scan and cleanse your PC, and if the scammer did get you to do something to your PC using System Restore to roll back the settings is always a good idea. And tell the police. If you have lost money, it's possible your credit card company or contents insurance will cover the loss.
If she uses the computer for any kind of banking or financial stuff, these will have to be done. If so, she should immediately contact her bank(s). I would also place a fraud alert with the three credit bureaus. I assume that it works generally the same in Canada.
 
  • #11
Keeping Remote Assistance unchecked might help some, I'm not sure...

I keep it unchecked on my computer, anyway..
[Screenshot: Remote Assistance settings dialog]
 
  • #12
DaveC426913 said:
I am highly dubious that they would put their grubby paws all over her system, yet not install anything. Maybe there's something on there that's invisible, or simply looks innocuous to my eye.

Does anyone have any suggestions for a deeper search?

You won't like this but if a machine is compromised the only way to be safe is format it and reinstall.

There are things such as rootkits that can render themselves undetectable to the operating system. For example - and this is a gross simplification that will make security engineers cringe - they can add a file to the machine and patch the operating system (Windows itself) to simply never report that file's existence. Unless you scan that drive using a trusted installation of the operating system (i.e. a different computer), you'll never see it.

http://en.wikipedia.org/wiki/Rootkit
 
  • #13
One of the best ways to find out if there's any malicious program sending out data or listening for inbound connections is to use the netstat utility:
https://technet.microsoft.com/en-us/library/ff961504.aspx

From within her account, close all the programs that you recognize (even in the system tray),
open up a command prompt,
then run the netstat command with arguments -n -a.
This will show you all the active connections as well as all the ports that are listening. From another system, run a whois for all the IP addresses you find and see if anything is out of the ordinary.

This will ONLY show stuff that's currently running (open TCP/UDP or listening TCP/UDP). If the malware runs on a schedule, this won't see it.
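To make the netstat triage described above repeatable, here is an added example (not code from the thread or from any poster) that parses the text of a Windows `netstat -n -a` run and flags two things: listening ports that are not in a baseline of expected Windows services, and connections whose remote end lies outside the home network. The netstat output below is constructed for the example, the baseline port set and the "local" address ranges are assumptions to be tuned to the actual machine, and the result is a list of findings plus the set of external IPs to look up with whois from another system, as the post suggests.

```python
"""Triage a saved `netstat -n -a` dump from a Windows host (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of Windows `netstat -n -a` output; not captured from a real machine.
# 203.0.113.7 is a documentation-range address standing in for an unknown remote host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5938           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.7:5938       ESTABLISHED
  TCP    192.168.1.10:49720     192.168.1.10:135       TIME_WAIT
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
  UDP    192.168.1.10:137       *:*
"""

# Assumption: listeners a stock Windows 7 home box is expected to have (RPC, SMB,
# NetBIOS, LLMNR). Adjust after inspecting a known-clean machine of the same build.
BASELINE_LISTENERS: Set[Tuple[str, int]] = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445),
    ("UDP", 137), ("UDP", 138), ("UDP", 5355),
}

# Assumption: address ranges treated as "inside the house"; anything else is external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fe80::/10",
)]


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: Optional[int]
    foreign_host: str
    foreign_port: Optional[int]
    state: str  # e.g. LISTENING / ESTABLISHED; empty for UDP rows


def split_hostport(addr: str) -> Tuple[str, Optional[int]]:
    """Split '192.168.1.10:49712', '[::]:135' or '*:*' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    """Keep only the TCP/UDP rows; headers and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_hostport(parts[1])
        fhost, fport = split_hostport(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        sockets.append(Socket(parts[0], lhost, lport, fhost, fport, state))
    return sockets


def is_local_host(host: str) -> bool:
    """Wildcards and anything inside LOCAL_NETS count as local."""
    if host in ("*", ""):
        return True
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in LOCAL_NETS)


def triage(sockets: List[Socket], baseline=BASELINE_LISTENERS):
    """Return (kind, proto, local_port, remote) tuples worth a second look."""
    findings = []
    for s in sockets:
        listening = s.state == "LISTENING" or (s.proto == "UDP" and s.foreign_host == "*")
        if listening:
            if (s.proto, s.local_port) not in baseline:
                findings.append(("unexpected_listener", s.proto, s.local_port, None))
        elif not is_local_host(s.foreign_host):
            remote = f"{s.foreign_host}:{s.foreign_port}"
            findings.append(("external_connection", s.proto, s.local_port, remote))
    return findings


def whois_candidates(findings) -> Set[str]:
    """Unique remote IPs to look up with whois from a separate, trusted system."""
    return {f[3].rpartition(":")[0] for f in findings if f[0] == "external_connection"}


if __name__ == "__main__":
    results = triage(parse_netstat(SAMPLE_NETSTAT))
    for kind, proto, port, remote in results:
        print(f"{kind:22} {proto} local port {port}" + (f" -> {remote}" if remote else ""))
    print("whois these from another machine:", sorted(whois_candidates(results)))
```

Save the netstat output to a file on the suspect machine, move it across on removable media, and run the triage on a clean system; as the post notes, this only sees sockets that are open at the moment of the snapshot, so repeat it a few times across a reboot.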
 
  • #14
DaveC426913 said:
All my sphincters are in lockdown.

Normally my mother is extremely suspicious of strangers calling, but for some reason, this slipped by her. She apparently spent quite a bit of time the other day on the phone with someone "trying to help her fix technical problems with her Microsoft" system. She obviously gave them access to her system, since she said that they were manipulating her cursor and accessing various places on her computer.

She's away for a few days, so I dropped by to check out the damage. As far as I can tell, there are no obvious lasting effects. No software installed that I can see. I ran a virus check, turned on the Windows Firewall, and searched the drive for what had been installed during the time in question. Still nothing.

I am highly dubious that they would put their grubby paws all over her system, yet not install anything. Maybe there's something on there that's invisible, or simply looks innocuous to my eye.

Does anyone have any suggestions for a deeper search?

I would reformat the computer because there is no telling if some 0day has been used that hasn't been picked up by anti-virus software. Formatting the computer will get rid of it if it exists. It may be annoying to reinstall windows and related software, but it won't be as annoying as someone stealing identity or other information.
 
  • #15
I was over there again the other day and noticed something new to me.

The ability to transfer control to an external user is built right into Windows 7. You can configure it to let a user take control when you're troubleshooting something (for example, I was troubleshooting her printer). This is obviously what OCR was referencing in post 11 - the significance of which went right over my head at the time.

I have always assumed that, in order for someone to take control of your computer, you had to explicitly install and run a program. That's the way it was Back in the Day.

This is why I was so puzzled that someone could have been manipulating her system, yet I could find no trace of an installed program. (The caller must have told her how to go and tick that box.)

Thanks MS, for making it so convenient for someone to destroy my mother's computer.
 
  • #16
DaveC426913 said:
(The caller must have told her how to go and tick that box.)
I think that box is checked by default. You have to actually turn it off if you don't want that 'feature'.
 
  • #17
When that box is checked, the system will respond to remote assistance requests, but it still requires the user at the system to accept the connection. An external user cannot simply connect using the Remote Assistance application unsolicited.
 
  • #18
Routaran said:
When that box is checked, the system will respond to remote assistance requests, but it still requires the user at the system to accept the connection. An external user cannot simply connect using the Remote Assistance application unsolicited.
Yes, but in my day, it didn't come so ... innocently - you had to actually download and install the app, giving a user plenty of signals that this is a MAJOR change to their system.
 
  • #19
DaveC426913 said:
Yes, but in my day, it didn't come so ... innocently - you had to actually download and install the app, giving a user plenty of signals that this is a MAJOR change to their system.

It's surprisingly difficult to talk the user through installing remote access, especially if they don't have the installation media or there's something up with their internet connection, or they aren't an administrator (e.g. office machine, locked down by in-house IT) or there's an issue with the operating system and system library that causes an error on the install, and there's the time added to all your support calls.

Even if installing was a 'red flag' then in this case the user believes the caller is legitimate so no amount of red flag is going to save them.

I have a friend who works for a game studio and he says about 1/3 of their users have outdated drivers, and these are generally computer literate gamers who trend towards the geek side of the spectrum. The answer he gives as to why is simply, the installers just don't always work or they're on the office laptop.
 
  • #20
Carno Raar said:
Even if installing was a 'red flag' then in this case the user believes the caller is legitimate so no amount of red flag is going to save them.
Fortunately, 'Here's what you owe us...' was red flag enough for my mother to hang up on them, bless her heart.
 
  • #21
I have never had a “Microsoft technical support” call, they have always called themselves the “Windows technical department”, an organisation that does not exist.

They are after two things. Firstly a fee for the fake service, then possible access to your financial data. Taking a copy of your cookies may reveal some data and passwords that you also use for financial transfers.
 
  • #22
DaveC426913 said:
Yes, but in my day, it didn't come so ... innocently - you had to actually download and install the app, giving a user plenty of signals that this is a MAJOR change to their system.
Completely agree.
I like to call this the Mac effect, the desire for absolutely everything to "just work." No need to burden the user with explanations and information. Need help, just click yes on the dialogue box.
It goes too far in one direction and ends up offering an easy avenue for malicious users on the internet to exploit the unaware.
 
  • #23
Baluncore said:
I have never had a “Microsoft technical support” call, they have always called themselves the “Windows technical department”, an organisation that does not exist.
I have never had one either but mostly because I immediately disconnect unknown numbers.
DaveC426913 said:
Fortunately, 'Here's what you owe us...' was red flag enough for my mother to hang up on them, bless her heart.
Glad to hear that but some additional user training may still be needed. Even though she probably won't fall for this again, there are some pretty convincing email scams out there. And not just on the internet - thieves love to target the elderly with door-to-door scams. First rule should always be that if you didn't contact them, there is a high probability that they aren't who they say they are.
 
  • #24
I love it when groups like that call me. I'll tell them that I have something cooking on the stove, and I will be right back. I sit the phone down, and I leave them hanging.
 
  • #25
Borg said:
Glad to hear that but some additional user training may still be needed. Even though she probably won't fall for this again, there are some pretty convincing email scams out there. And not just on the internet - thieves love to target the elderly with door-to-door scams. First rule should always be that if you didn't contact them, there is a high probability that they aren't who they say they are.

There was a "great" one the other day where they pretend to be a bank and tell the victim to call them back at the bank's number to prove their authenticity. The victim puts down their phone, picks it up and re-dials - but the scammer didn't put theirs down so they're still connected. They make dialling noises then put on a different voice and impersonate the bank. I tried it on myself but my mobile killed the call. I'm told it needs one of those old PSTN phones that has a wire to a physical network.
 

1. What is the "MS Tech Support phone scam"?

The "MS Tech Support phone scam" is a type of fraud where scammers pretend to be representatives from Microsoft or other tech support companies and contact unsuspecting individuals claiming their computer is infected with a virus or has other security issues. They then convince the victim to give them remote access to their computer and steal personal information or charge for unnecessary services.

2. How do scammers target their victims in this type of scam?

Scammers typically use phone calls, emails, or pop-up ads to target their victims. They may claim to be from a reputable company and use fear tactics to convince the victim to take immediate action.

3. What should I do if I think I have been a victim of this scam?

If you have given remote access to your computer or provided personal information to someone claiming to be from tech support, it is important to take immediate action. Contact your bank or credit card company to report any unauthorized charges, change your passwords, and run a full virus scan on your computer.

4. How can I protect myself from falling for this scam?

The best way to protect yourself from this scam is to be cautious and skeptical of unsolicited communication from tech support companies. Never give remote access to your computer or provide personal information unless you have initiated the contact and verified the legitimacy of the company.

5. Is it possible to recover any money or personal information lost to this scam?

In some cases, it may be possible to recover lost money by contacting your bank or credit card company and reporting the fraudulent charges. However, personal information that has already been taken by the scammers is unlikely to be recoverable.
