Can’t believe it is Microsoft calling?

Scammer Phone Call

While writing up a report this week for a client for their Cyber Security strategy I took a call from a UK number with a very kind and polite person from Microsoft calling me to assist me with a problem that my computer is suffering from. I knew very quickly that this was a scam but I wanted to see how mature this was so I put some time into this but also playing hard to get by constantly questioning what they were asking me to do and asking if it was a scam to give them a chance to end the call.

The caller had an Asian accent but their English was very clear and understandable. The opening line in the call was that Microsoft central servers had received repeated entries from my computer stating that I had a problem and that they were going to assist me in fixing the problem. The errors that were reported were very serious apparently and as a valued Microsoft customer they wanted to resolve the problem and ensure that my computer was working as efficiently as possible.

Once this person had managed to get me to confirm that I was in front of my computer, I should note that this was done without confirming that I actually had a Windows computer by any other means than I had a keyboard with a Windows key on it. This person was very clear and persistent about being from Microsoft and when I claimed that I had heard about scams like this on the radio he just re-iterated that he had access to a number that only I and Microsoft could possibly know and we started the process to confirm this number as follows:

  • I was asked to use Windows Key+R to bring up the Run dialog box, a very clever step as it gets over all the user problems
  • I was then asked to type cmd and press Enter
  • In the resulting command prompt window, I was asked to type assoc and press Enter
  • I was then asked to find a line towards the bottom of the screen that started with ZFSendToTarget and then they read out 888DCA60-FC0A-11CF-8F0F-00C04FD7D062 that was on that line to confirm this unique number from my computer
  • I confirmed that this was the number that I could see knowing fine well that this is the identifier for the shell extension for the Send to/Compressed (zipped) folder shortcut that pretty much any Windows user will have following a quick Google Search for it which also confirmed the scam.

This person’s job was now finished as they had managed to get my confidence in them up by confirming the unique computer identifier that only Microsoft and I and apparently all of the Internet know. I was then passed straight on to a level 3 advisor due to number and type of the logged errors that were being reported for my computer, this is a good scam technique to show priority on their part and keep me moving in their process.

The third operator that I spoke with had a much harder accent and was much more difficult to understand but their job appeared to be to determine if my computer was a home or business computer, when I said that this should not matter as they were Microsoft and they could advise me of what was wrong and this could be sorted out by them and the operator seemed happy with the response. The next question I was asked is ‘Are you over 18?’ I asked why that was relevant to the problem unless they were looking for payment for something and they said that it was their support policy to confirm the age of the person that they were speaking with before they provided support. Once confirmed I was over 18, the operator asked me to go through the same Windows Key+R routine but type ‘eventvwr.msc’ and press Enter. In an attempt to again get them to realise that I knew something about computers, I said ‘oh bring up event viewer’ but they they just asked ‘What can you see on screen?’ and we went on. It was at this point that the operator’s accent became a problem and I was passed to another operator with a clearer spoken voice. Once they had gone through a basic checks in Event Viewer that are only available as an administrator, I can read the Security log, I was passed to a level 5 tech.

This very polite and well spoken girl asked me to look at the ‘Custom Views’ and then the ‘Administration Events’ in Event Viewer. I was then asked how many events were in this log to highlight the problem as this is what they were getting reported at Microsoft and I said ‘Oh I have too many to count but the number at the top shows over 2000’. At this point the ‘virus’ word was introduced into the conversation and this was how things progressed in their explanation of what the problem was but I did not need to worry as they could fix my computer. I was asked to provide some details of a few entries in there so I provided some information from Cisco VPN client that is logging some debug information in that log and she seemed alarmed by how bad my computer was infected and was passed to another operator who in turned passed me onto someone to ‘fix’ my computer.

I was now at the point that they asked me to access a web page by typing the address www.supremocontrol.com in a Run box after pressing Windows Key+R. I questioned why the address was not a Microsoft address and the advisor said that this was a recent acquisition by Microsoft and the site had not been updated. It was at this point that I stopped them in their tracks and said that I was going to put the phone down as this was a scam and the person continued to proclaim that they were Microsoft, needless to say they did not call me back as they were so worried about my computer that was heavily infected with viruses and reporting countless errors to Microsoft every few hours. The remote control tool that was being used by the scammers is genuine remote control software but they will use it to access your computer to install software onto it like key loggers so they can access your online accounts or encrypt your data files and hold you to ransom.

This is a well published scam and Microsoft will not call you unless you have initiated a support incident with their product support team. Microsoft have a very clear protocol to identify that they are indeed Microsoft and you will trust them when they go through that process. This call lasted 45 minutes and used 6 operators on the scammers part but demonstrates a level of sophistication on their part to resource a scam like this as it must be worth their while on the returns that they get.

The Cyber Security threats do not just come by eMail or the Internet, the phone is still a very profitable way of getting access to our computers. Think about why this company would be calling you at this time if you get a call out of the blue from your bank or HMRC for instance. If you are uncertain, get details of the caller including the phone number and asked them to update their logging system that they have to show that they called and that you will call back in, call a known and trusted number for the company and check the log that you asked to be there is there. If the log is not there, notify them of the scam and provide the details that you obtained when you were called to assist them in their fight against the scammers.