Ironically, I’ve seen warnings from other techs like Dawn, Mickey and more of my IT peers about fake Microsoft calls. Today, I got the pleasure of speaking with one.
When these people call you, they will identify themselves as an employee of Microsoft or of some other prominent company. Microsoft will not call you to tell you that your computer is running slow or that it is infected with malware or a virus.
Within one minute of talking with this individual, he wanted to take control of my computer. Knowing what was taking place, I remembered that we have virtual computers in controlled labs that would be perfect for this caller. With the help of Pat and Nathan, we fired up a virtual computer and kept talking to the individual.
Note: The virtual computer was in a controlled environment. The computer had Windows 10 Technical Preview installed and had no viruses or malware. The virtual machine had 2 gigabytes of RAM, 2 processors and the virtual hard drive was only 30 gigabytes.
After I gave the individual a name (he got it wrong twice) and a 555-5554-555532 phone number, he asked me to go to a website that allowed remote control of my computer. I in turn asked for his name again and he gave me another name that was not the original one from the start of the call. I also asked for his Microsoft badge number and he said bb65tr9 (fake of course).
Prior to going to the website, I started the Problem Steps Recorder (psr.exe) so I could record him navigating through Windows.
Navigating to the website, I downloaded software that allowed remote control. The individual kept insisting that my computer had viruses and that he would have to get an engineer to fix them if he couldn’t.
Once he gave me the whole spiel on how bad my computer was, he opened up the services tab and insisted that ALL of the services should be running. He then showed me CSRSS.exe in the running processes and insisted it was a virus that was stopping the services from running.
Knowing that CSRSS.exe (What is CSRSS?) is a legitimate Windows component (the Client/Server Runtime Subsystem, which runs from System32 as SYSTEM), I asked the students to be at the ready to pull the plug when needed.
After showing me the “virus”, the individual entered a link that led directly to a software setup that would install another program on the computer (above). I asked what it was and he said it would scan my computer for performance. Instantly hundreds of errors appeared along with other visually terrifying effects. The software displayed a Microsoft Gold Partner logo (fake) and the name of another company which I am sure is also fake.
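The scammer’s trick relies on the victim not being able to tell the real csrss.exe from something with the same name. Below is an added example (my own check, not part of the original call or screenshots) of how to verify it from an elevated Windows PowerShell prompt. It assumes Windows 8.1 or later, where csrss.exe is a protected process, so some process details may be hidden even to an administrator.

```powershell
# Added example, not from the original post: confirm that csrss.exe is the genuine
# Windows Client/Server Runtime rather than a lookalike. Run elevated.
# Assumes Windows PowerShell 5.1+ on Windows 8.1/10 or later.

$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

# 1. The on-disk binary must carry a valid Microsoft Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $expected
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-Warning "Signature check FAILED for $expected (status: $($sig.Status))"
} else {
    Write-Output "OK: $expected is signed by '$($sig.SignerCertificate.Subject)'"
}

# 2. Every running process named csrss* should be that exact file.
#    The real csrss.exe is a protected process, so ExecutablePath is often empty
#    even from an elevated shell; a non-empty path that is NOT System32\csrss.exe,
#    or a csrss lookalike in a user-writable directory, is the classic malware trick.
Get-CimInstance Win32_Process -Filter "Name LIKE 'csrss%'" | ForEach-Object {
    $path = $_.ExecutablePath
    if (-not $path) {
        Write-Output ("PID {0} (session {1}): path hidden, expected for the protected csrss.exe" -f $_.ProcessId, $_.SessionId)
    } elseif ($path -ieq $expected) {
        Write-Output ("PID {0} (session {1}): {2} (genuine)" -f $_.ProcessId, $_.SessionId, $path)
    } else {
        Write-Warning ("PID {0} (session {1}): {2} is NOT the Windows csrss.exe" -f $_.ProcessId, $_.SessionId, $path)
    }
}

# 3. Sanity check: there is normally one csrss.exe per session (session 0 plus each
#    interactive session). A csrss.exe whose parent is anything other than the
#    (already exited) smss.exe, or that runs from Temp/AppData, deserves a closer look.
Get-CimInstance Win32_Process -Filter "Name='csrss.exe'" |
    Select-Object ProcessId, ParentProcessId, SessionId, CreationDate |
    Format-Table -AutoSize
```

A scammer pointing at csrss.exe, svchost.exe or any other Windows process in Task Manager and calling it a virus is a tell in itself; the checks above show what a real verification looks like (file location, signer, and which process launched it), which is what an actual support engineer would do instead of reading process names off a list.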
I had one of the students unplug the RJ45 cable and pretended to lose the connection. The individual said that would not be a problem, he could always log into my computer with the remote program I had downloaded at any time. He also stated that they would have to charge me for removal of the virus.
After more than 25 minutes online of listening to this person tell me how bad my computer was, I hung up. I had what I needed: a great lesson for the students, files to analyze and information about the location of this individual.
Because we knew this was a fraudulent call, the students got a first-hand view of what is going on in the world of computers and security.
Never give remote control to anyone you don’t know.
Below is the program that has been somewhat obscured so that people won’t search for it online. Note that he said I had hundreds of registry problems yet the screenshot shows a green check that the registry is ok.
We saved the PSR file and the programs on a secure flash drive and deleted the virtual computer. We will analyze the files later and will be analyzing the firewall logs to see the IP address and location of the individual.
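The caller’s remark that he could log back in at any time is true of most remote-support tools once they are installed with unattended access, which is why a machine that has been through one of these sessions needs more than a reboot. Below is an added example (my own triage script, not something from the call or the post’s analysis) that answers the two questions raised above before the VM is destroyed: what was left behind, and which remote addresses it talks to. It assumes an elevated Windows PowerShell 5.1+ prompt on Windows 10; the two-hour window and the firewall log path are assumptions (Windows Firewall logging is off by default and must have been enabled beforehand for that part to show anything).

```powershell
# Added example, not from the original post: post-"support call" triage on Windows.
# Run elevated. $Since is an assumption; set it to when the call started.
$Since  = (Get-Date).AddHours(-2)
$cutoff = $Since.ToString('yyyyMMdd')   # InstallDate in the registry is 'yyyyMMdd'

# 1. Programs registered in Add/Remove Programs. Many installers omit InstallDate,
#    so keep entries with no date as well as recent ones.
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
Write-Output '== Recently registered programs =='
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and (-not $_.InstallDate -or $_.InstallDate -ge $cutoff) } |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation |
    Sort-Object DisplayName | Format-Table -AutoSize

# 2. Executables dropped anywhere a user-level installer can write, with their signer.
$roots = $env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)},
         $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP | Where-Object { $_ }
Write-Output '== Binaries created since cutoff =='
Get-ChildItem -Path $roots -Recurse -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } |
    Select-Object FullName, CreationTime,
        @{ n = 'Signer'; e = { (Get-AuthenticodeSignature $_.FullName).SignerCertificate.Subject } } |
    Format-Table -AutoSize

# 3. Persistence: auto-start services whose binary lives outside the Windows directory,
#    plus the per-machine and per-user Run keys.
Write-Output '== Auto-start services outside System32/SysWOW64 =='
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and
                   $_.PathName -notmatch 'Windows\\(System32|SysWOW64)\\' } |
    Select-Object Name, State, PathName | Format-Table -AutoSize
Write-Output '== Run keys =='
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                       'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
    Format-List

# 4. Live connections: which process is talking to which remote IP right now.
Write-Output '== Established TCP connections to non-local addresses =='
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            PID           = $_.OwningProcess
            Process       = $p.ProcessName
            Path          = $p.Path
        }
    } | Format-Table -AutoSize

# 5. Windows Firewall log (only present if logging was enabled beforehand). The W3C-style
#    header lists 17 fields; index 5 is dst-ip, index 16 is path (SEND/RECEIVE).
#    Counting outbound destinations shows where the remote-control tool phoned home.
$fwLog = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
if (Test-Path $fwLog) {
    Write-Output '== Top outbound destinations in pfirewall.log =='
    Get-Content $fwLog | Where-Object { $_ -and $_[0] -ne '#' } | ForEach-Object {
        $f = $_ -split ' '
        [pscustomobject]@{ Date = $f[0]; Time = $f[1]; Action = $f[2]; Proto = $f[3]
                           Src = $f[4]; Dst = $f[5]; DstPort = $f[7]; Path = $f[16] }
    } | Where-Object { $_.Action -eq 'ALLOW' -and $_.Path -eq 'SEND' } |
        Group-Object Dst | Sort-Object Count -Descending |
        Select-Object -First 20 Count, Name | Format-Table -AutoSize
} else {
    Write-Output "No firewall log at $fwLog (logging is off by default)"
}
```

Sections 1 to 3 find the remote-control tool and its persistence; sections 4 and 5 give the remote IP address that the post says will be pulled from the firewall. On a real machine, uninstalling the tool is not enough if the caller was given credentials or created an account, so check Local Users and Groups and change passwords as well; in the lab, deleting the VM as described above is the clean ending.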
List of rogue software. (This list is changing often)
PC cleaning apps scams