So last night “Bob from Microsoft” called me because my computer was infected and “he was there to help me”. Yeah right.
Because the Internet is such a wonderful, sharing place, I’d been alerted to these types of cold-call, social engineering attacks a while ago. One of my neighbors had received one of these calls too. In fact, months ago I received two of these calls in the same week. If you are not lucky enough to be on the “right” phone lists to get them, read on.
The general progression of the call is someone calls you and says that they are calling to help you and that your computer has malware, viruses, trojans and other bad stuff on it. They run you through some “checks” (which are all fake) and then offer to remotely connect into your computer to help you. Troy Hunt, an Aussie infosec researcher, has a wonderful hour-long video of his conversation with these guys here: http://www.troyhunt.com/2014/01/scammer-identifies-viruses-in-brand-new.html.
Once these guys get on your computer via the remote control software, they do all sorts of bad things to it.
But last night, I was feeling puckish and decided to let Bob “help” me to a point.
Scripts and English
The people that have called me in these phone calls all were non-native speakers and sounded like they were from the Middle East part of the world. Previously the caller ID was something odd but this latest “attack” had a caller ID from the Washington DC area code (202). So they may be getting better…or lucky.
These attackers read from a script and usually do not understand responses aside from “yes” and “no”. If you do give them other answers, they transfer you to a supervisor (which means a person that speaks better English). Once that person has dealt with you and answered your questions, you go back to the guy with the script and he/she will start over at the beginning and re-read the script.
Also, if you happened to be unfortunate enough to let them install the remote access software on your computer, you’ll then be transferred to someone else that actually knows what the heck to do with it. So these people have a tiered system. Some people do the initial calling, convincing and installation. Then others do the exploitation.
Educating My Family
I mentioned that they called my house two other times. The first time they did, I let them walk me through what they asked me to do. When they were going to remote into my system, I hung up.
Then, later in that same week, they called me at dinner. I thought that it was a perfect time to show my wife and kids what these guys do. So, I turned the phone on to speaker and set it in the middle of the kitchen table. “Bob” (or whomever it was that night) would be our honored guest for the evening.
In my work past, I’ve done helpdesk for Windows, Macs (old and new), Solaris, Linux and some other systems too. I can mentally “walk through” those systems and menus in my mind. So it was easy to provide the appropriate responses to “Bob” as I sat in my kitchen eating my food (and not in front of my computer).
Sure enough, “Bob” followed the exact same script that the person that called me earlier that week did. My kids and wife heard what he asked me to do and, as I pretended to do what “Bob” was asking, I told my family what would be happening on the computer if I did this and WHY “Bob” was trying to get me to do these things.
After 15-20 minutes, it became tedious and my food was getting colder so I politely told “Bob” to go away because I knew he was a scammer. While my family and I had some chuckles about the responses I gave to the scammer, it helped them see a real-life attack and how to deal with it.
I have to admit I kind of have fun yanking the scammer’s chain and “playing along” with their ploy albeit in a passive-aggressive way. Those of you that know me know that this is right up my alley.
In fact, now that my whole family has heard these guys and what they say, they LOOK FORWARD to their calls and listening to me play with the callers. Love that.
For those of you that have not received these calls yet and don’t want to watch/listen to Troy Hunt’s video above, here is kinda how the call went last night. For readability, I’ll note the caller’s statements with Bob: and mine with Me:.
Bob: Hi this is Bob from Microsoft. Your computer, when it goes on the Internet and contacts our servers has been shown to have a security problem. I am here to help you.
[Now, I’m a geek. Bob doesn’t know this but I have 5+ laptops in my home, servers, NAS devices, Virtual Machines (VMs) and other things that I KNOW go out on the Internet. So when someone assumes I only have 1 computer, I know he really is not for real.]
Me: Thanks for calling Bob. I’ve noticed weird things on my computer and I’m very concerned about these things.
Bob: OK. Are you in front of your computer?
[I was… I just happened to be in front of my Mac and not my Windows system. But Bob didn’t need to know that. And of course, there was no way I was going to let him touch my system anyway.]
Bob: Is your computer on?
[I thought this was a nice touch. Nothing like trying to do tech support on a computer that is off. I used to do help desk work and was really surprised by a user who couldn’t turn their computer on because they had plugged the plug-strip the computer was plugged into, into itself. Where did you think the power would come from??? But I digress. Yes. We need the system to be on.]
Me: Yes it is.
Bob: OK. Go to the Start menu and….
Me: There is no Start menu.
Bob: What? In the lower left there is a Start menu.
Me: No Bob. On my Mac there is no Start menu.
Bob: You have a Windows computer right?
Me: Of course Bob. It is on the Mac. I have Virtual Machines (VMs) of many Windows systems from Windows XP to Vista, 7, 8, 2003/2008 server and more. You are Microsoft. You know all about VMs right? Which VM do you want me to spin up? Heck Bob. I’m really concerned that one of my VMs may have a botnet on it and be participating in a Distributed Denial of Service (DDoS) against the financial sector companies. Can you help me with that?
[There was this long pause. Then he started at the beginning of the script again…]
Bob: Hi this is Bob from Microsoft. Let me transfer you to my supervisor.
[Translation: “You used big words and complex phrases that confused me. I will give you to someone who can make you conform to my script.”]
Supervisor: This is the supervisor can I help you?
Me: I sure hope so. Bob was helping me out and he wanted me to start my Windows computer but I have about 10 different versions of Windows on VMs and I got confused.
Supervisor: Do you have Windows 7?
Me: Of course! [What kind of a tester would I be without at least 1 Windows 7 VM?]
Supervisor: Use that.
[And I was transferred back to Bob.]
Bob: Hi this is Bob from Microsoft.
[Back at the beginning again. I was getting bored and dessert was ready. So I decided to end this.]
Me: Bob. I’m having trouble with my phone. Can you tell me if this sounds like a dial-tone?
[Then….I hung up.]
The moral of this story is:
- No one that is legit is going to call you out of the blue and tell you your computer is doing bad things. We just don’t live in that kinda place yet.
- We should NEVER let anyone into our computers to “help us” without consulting a trusted, computer-savvy person. Get the “helpful” caller’s name and phone number and tell him you’ll call him/her back. Phone a friend, Google the issue…do something to verify that there is an issue. Don’t let some foreign Snake Oil Salesman make you do things to hurt yourself and your computer.
I did learn something else from these calls. When all else fails…when you don’t understand what is happening…start back at the beginning and try again. Thanks for that “Bob from Microsoft”. You did help me after all.
It is May 29, 2014 and I just had Jeffrey from Windows Technical Support in Salt Lake City, Utah call me. Same script. I told him I had only Macs at home. He told me to go ahead and press the Windows key and R to launch a command window on my Windows computer (script).
I told him I had Windows 95 and there was no malware that could run on it. He told me to go ahead and press the Windows key and R to launch a command window on my Windows computer (script).
I told him he was a scammer and not really from Microsoft. He had to prove it. So he told me he could verify my Security ID.
Jeff: “Go into a command window and type assoc then hit return.” [The assoc command shows associations not security IDs.]
I did it. At the bottom was a “ZFSendToTarget” CLSID. He read that to me. MAGICAL! It was the same as on my computer! Wait….a quick Google search and…aw man, it is the same on most ALL Windows computers because it is NOT a security ID. I told this to Jeff and when he asked me to press the Windows key, gave him my best…
Me: “I’m having trouble with my phone. Can you tell me if this sounds like a dial-tone?” and hung up.