Thursday, June 23, 2016

My 40-minute conversation with a "Microsoft" scammer

We've all heard about the "Microsoft" scammers for a long time now: they pretend they're calling from Microsoft support in order to scam you and make you pay for support you don't actually need. I've had several relatives and friends who have received calls from these scammers, but I've yet to receive one myself. Until today.

Before I tell you this story, I'd like to point out that you should not try this yourself unless you are absolutely confident that you know what you're doing. If you get this call, hang up. And don't ever run any commands that you do not know the consequences of.

Him: "Hello, I'm calling from the IT services and support department"
Me: "Excuse me, what department?"
Him: "The IT services and support department"

I have an active support ticket with the actual Microsoft support department, so I was a bit confused at this point as to whether this was a scam or the real deal.

Me: "What company are you calling from?"
Him: "I told you, the IT services and support department"
Me: "Yes, but which company is that department in?"
Him: "Microsoft Corporation"

Every time he said Microsoft throughout our conversation, he said it extremely fast and he mumbled the words. My guess is they're aware that the scam has been all over the media and that people know Microsoft is being used.

Me: "Alright. What is this about?"
Him: "We have reports showing that your computer downloads malware whenever you go on the internet."
Me: "Oh, that doesn't sound good. How does that work?"
Him: "Whenever you go on the internet, on a web page, watch a video or pictures, malware is downloaded to your computer."
Me: "I had no idea. How does that happen?"
Him: "Don't worry, I will help you fix it. Are you in front of your computer?"
Me: "Yes"
Him: "What do you see?"
Me: "Uh, what do I see?"
Him: "On your screen"
Me: "I see a webpage"
Him: "Ok, please go to the desktop"
Me: "Alright"

I'm not going to type out all his spelling and my confirmations of doing what he said. Basically he asked me to open Run and type in 'eventvwr'. You guessed it, opening the Event Viewer. Pretty innocent so far.

Him: "What do you see?"
Me: "I see a window called Event Viewer. What is that?"
Him: "What does it say on the left hand side?"
Me: "Uh, it says 'Custom views', 'Windows logs', 'App...."
Him: "Click on 'Custom views' and then on 'Administrative events'"
Me: "Done."
Him: "What do you see?"
Me: "I see lots of things, I have no idea what all of this is."
Him: "But what do you see?"
Me: "I don't know, are you sure about this?"
Him: "Are you below the age of 18, madam?"
Me: "No, why?"
Him: "Are you sure? You don't sound like you're an adult"
Me: "I'm an adult"
Him: "Are you sure? How old are you?"
Me: "I'm 29"
Him: "Are you on your personal computer?"
Me: "No, this is my work computer"
Him: "The problem is with your personal computer, can you get that please?"
Me: "Ok, hold on..."

I act as though I'm starting up my personal laptop, but what I'm actually doing is trying to get the recording on my laptop to work (I just got it, so I haven't set anything up yet). Unfortunately, he keeps asking what I'm doing and why I'm taking so long and I wasn't able to get a recording to work.

Me: "Ok, it's up. Should I open the event viewer again?"
Him: "Yes. Whenever you go on the internet, malware is downloaded and installed on your computer, and we're here to fix it. Now what do you see?"
Me: "Oh, I'm seeing lots and lots of errors and warnings. That can't be good?"
Him: "How many do you see? More than 10?"
Me: "Yes, there are thousands."
Him: "What do they say?"
Me: "I don't know, I don't understand what this is"
Him: "Read them to me"

I was scared of giving myself away at this point, so I tried to find the most meaningless warnings I could. I didn't want him to realize that I was on a computer that was part of a domain or that I was a developer.

Me: "There's something about not being able to connect to a service or something? Is that bad?"
Him: "Yes. Right-click the warning and go to 'Help'"
Me: "Done"
Him: "See the 'Online Help' option that's there?"
Me: "Yes"
Him: "That's what we're going to do. I'm the online help"
Me: "Oh, that's perfect"

Here's a screenshot of what I was seeing at that moment:

Him: "Now, close that window and hit Windows+r again. What do you see?"
Me: "Ok... I see the 'Run' window again"
Him: "Good. This time type in and hit enter"
Me: "Ok"
Him: "What do you see?"

I didn't actually want to go to this website as it might be unsafe, so from here on I was faking the entire conversation.

Me: "It's a website"
Him: "What sort of website? Can you explain what you're seeing?"
Me: "Uh... It's a support website?"

(Wild guess based on the URL he'd asked me to go to)

Him: "Good. Now, Microsoft gave you a six digit code when you bought your computer, do you have that code?"
Me: "A code? No, I don't have any code?"
Him: "Ok, I'll give you the secret code that Microsoft gave you when you bought your computer."
Me: "How do you know my code?"
Him: "You are connected to the Microsoft server, that's how I know your code"
Me: "Oh, ok."
Him: "Enter the code and click on download. Then click open or run."
Me: "Hold on a second"

Here I took some time to tweet a bit and before long he got impatient.

Him: "Can you tell me what's going on?"
Me: "It's downloading. I think there's something wrong with my internet...."
Him: "What do you see?"
Me: "Still downloading..."

Or should I say, tweeting?

Me: "Ah, there. It's done. I pressed run"
Him: "What do you see?"

At this point, I'm pretty screwed as I have no idea what he thinks I just downloaded. Does it open a command window? Is it an application? I had no idea. But I wanted to try to fake it a bit longer.

Me: "It opened a new window"
Him: "What kind of window?"
Me: "What do you mean? I've never seen this before? Are you sure about this?"
Him: "Yes, just click next"
Me: "Ok"
Him: "Now what do you see?"
Me: "It went to the next step"
Him: "And what do you see?"

I simply couldn't fake it anymore. I had no idea what he expected me to say.

Me: "Alright, I think it's time to stop the scam now."
Him: "Yes, you have been scamming me this entire call, wasting my time, only talking bullshit. I knew it all along."
Me: "What? I've been scamming you? No, I've been doing exactly as you said but I don't have a good feeling about this anymore"
Him: "Well, I knew that you were scamming me from the second we started this call, so I entered a secret password into your computer. When you turn off your computer the next time, everything you have, all your pictures and videos and documents will lock down and you will need my secret password to open them up again."
Me: "Right, like I'm going to fall for that."
Him: "Don't you want your computer back? You can either do as I say and have a big smile when this conversation is over, or you can lose everything. You lose your computer."
Me: "Ok, ok. I don't want to lose my computer! Tell me what to do"
Him: "What do you see?"
Me: "I told you, that program you asked me to open"
Him: "Do you see the Microsoft Corporation box"
Me: "Yes"
Him: "Select that"
Me: "Ok"
Him: "Hold on a second"

He disappears, talking to one of his colleagues in the background.

Him: "We can't connect to your computer. Have you selected the Microsoft Corporation box?"
Me: "Yes"
Him: "Are you sure?"

I couldn't keep it up any longer...

Me: "Are you working for Microsoft? You know, I actually work for Microsoft myself"
Him: "That's bullshit"
Me: "No, I'm serious. I work at Microsoft"
Him: "What department?"
Me: "Developer Experience"
Him: "I don't believe you, you are full of shit. What's your employee number?"
Me: "You think I'm handing my employee number over to a scammer?"
Him: "I am going to put my d*** in your a**"
Me: "Hey, that's not very compliant, seeing as we're colleagues and all"

I'm censoring the next two minutes of our conversation as that consisted of him yelling at me like I've never been yelled at before. There's no need to recite that, the initial comment above gives you an idea of the direction he was headed in.

And then he hung up.

My hands were literally shaking after this. I was furious and, to be honest, a bit scared. I spent a minute trying to get a recording going and decided to call him back. Of course, he'd called from a one-way number so there was no answer.

What scared me the most about this experience was how far they're willing to go to get you to do what they want. They begin by being 'helpful', follow up by making threats and finish by scaring the hell out of you. I've never understood how elderly people fall for scams like this, not until now. I always assumed they were technically incompetent and naive, but now I've realized that maybe they were frightened into it.

After writing this blog post, I provisioned a VM in Azure to see what the website they wanted me to go to was. It turns out that it's a legit company called "LogMeIn Rescue" that delivers remote assistance to users. I hope they know their services are being used for scams. If not, I just told them on Twitter...

Lessons learned:
- Being scammed is a lot scarier than I had imagined
- I should always have a recorder installed. Yes, I'm prepared for next time now!
- Learn from Troy Hunt to scam the scammer