Battling fake Microsoft Support scammers

Published November 10, 2014

Fake antivirus support is a problem. We know fake “Microsoft representatives” call targeted Windows users to persuade them that their computers are inundated with warnings and errors as shown in the Windows Event Viewer, a legitimate Microsoft application that lists system information. We even watched Jerome Segura, a senior security researcher at Malwarebytes—catch some of these over-the-phone tactics on video.

Unfortunately it seems scammers still use the telephone to cold call folks pretending to work for Microsoft (or some other reputable software company) in order to convince users that their computer needs “fixing.” But as users get smarter, scammers get bolder. Recently, scammers have begun claiming that they need immediate remote access to computers in order to fix security threats. Once they convince the user to allow them remote access in order to “take care of the problem,” these savvy scammers then suggest installing fake malicious software—in order to “protect” the machine from future infections.

Just a few days ago, this happened to one of our clients. After receiving a phone call from someone claiming to be from “Microsoft Security Services,” Sally, as we’ll call her, was told that her computer had been hacked by someone in Austin, TX, and the “representative” claimed he needed to remote in to fix it right away.

Of course, Sally was panicked—a normal and reasonable reaction. Following the scammer’s instructions, she went to a website, entered a few different numbers, clicked a few “ok” prompts, and then allowed the scammer to take control of her computer. As he worked through these steps with her, he used a few tricks to fool her into thinking that her computer was badly infected when, in fact, it was fine.

In order to trick Sally, the scammer pulled up legitimate, normal IT troubleshooting tools - such as:

Netstat

CPU Monitor

Event viewer

...etc. in order to confuse her. For someone in the IT business, like us, these screens are commonplace and useful for regular computer maintenance; for others, these look like a bunch of numbers and error messages which make no sense and cause serious alarm or fear that the computer is terribly at risk.

After driving this fear home, the scammer told Sally he could fix the problem for a fee. Sally then gave him her credit card number, but after a few minutes, the scammer claimed that the credit card transaction had failed and that he would need to try a different card. At that point, Sally said she wanted to call us, her IT support. Of course, the scammer tried to convince her otherwise, but she knew better.

After she told me what happened, I not only recommended she immediately cancel her credit card, but I immediately inspected her machine.

After a few minutes on her computer, I realized something wasn’t right. While I performed various diagnostics, the mouse cursor moved, windows closed, and different things stopped running. Thinking it was Sally, I asked her to wait until I finished checking things out. But it wasn’t Sally. Instead, it was the scammer still connected to the machine, and he was trying to install malware!

Immediately it was a race to win full control of the computer. The scammer closed programs and tools as fast as I could get them open. He eventually tried to lock the machine by installing a fake AV program with a bogus warning, “FBI Has Locked This Computer Due To Fraudulent Activity.” He also tried to encrypt files in order to hold Sally’s data for ransom. Luckily I was able to run a quick series of commands to end the rogue processes, before blocking the scammer’s network access. He could have won; it was close—too close.

You might be wondering, “Isn’t antivirus software supposed to protect my computer from this kind of stuff?” Good question. Here’s our answer: AV software does not, and more importantly, CANNOT protect a computer from every threat out there. You have to think of antivirus software like suspenders on pants. They can go a long way in preventing your pants from falling down, but if you pull hard enough, they will still fall off. AV software is just the same. It can go a long way to prevent your machine from becoming infected, but if you click “yes” enough times and give scammers access to your machine, even the best antivirus software will be defeated.

The biggest lesson to learn: educate yourself. User education is the most important factor to not getting infected and/or scammed. Be cautious before clicking “yes” and NEVER trust someone that calls out-of-the-blue, claiming he or she is from Microsoft or some other well-known software or security company. Microsoft and other such companies will NEVER call you to let you know that your computer is infected and then ask for money to fix it.

(In addition, there are convincing illegitimate websites and pop-up ads designed to trick users into believing that their computers are infected, that they need immediate assistance, and that salvation requires a phone call to the scammer. It’s usually something like, “WARNING: Your computer is severely infected. Call 1-800…”)