You know what? I’m happy and proud to have received my first call from the “Microsoft Support“! When I came back at home, there was already three missed calls on my private line, all of them from a strange number (001453789410). A few minutes later, the phone started Â to ring again… I picked up the phone and, amongst the noise of a call-center, I heard: “Hello Sir, this is the Microsoft Support calling!“. Bingo, I’m targeted! Nothing brand new with this type of social engineering attack, but it was a first live experience for me. It was too tempting to play the game! [Note: I had no recording device so I briefly took notes during the conversation]
All the aspect of a social engineering attacks were covered in the caller’s presentation: First, he tried to get my attention (of course I had all my attention! ;-): “I see that you’re using a Windows computer at the moment. didn’t you detect any suspicious activity for a while?“. Then, he tried to scare me: “Your computer is infected with malwares and viruses!“. The next step was to make me confident: “Let’s see how we can solve this together…“.
Then the funÂ part started! “Are you in front of your computer right now? Oh, I see again some malicious activity!”, then “I’ll ask you to type some commands to solve all your problems“. The guy was very patient and even helped me to find the “Windows” key on my keyboard (“You see, the key with four small squares representing the Windows logo“). Another three minutes to explain me how to press “Windows”-R at the same time. And again a few minutes to spell the URL to type: “W like William, again W like William, etc” (he never mentioned technical terms like URL, browser, etc…). At this point, I expected to collect some interesting URLs with a malicious payload but why do complicated stuff when the Internet is full of remote control services?
He asked me to visit www.support.me which is an alias for secure.logmeinrescue.com/Customer/Code.aspxÂ and gave me the 6-digits code required to download and start the remote support session! During all the conversation, I tried to grab information about him, how did he got my number, how Microsoft detected that my computer was infected. I also asked him to “connect to my computer” to get his own in my firewall logs but no luck… Every time the guy came back to his “script”. After approximatively 15 minutes, I dropped the call (I did not have a computer ready for him).
A few minutes later, I booted a fresh VM and provided the 6-digits code but… it was already expired! Too late… I was so curious of see what operations the guy would have performed on the computer once logged in (anybody has more info?). I’m also wondering why they called me in English. Based on my home phone, they should know that I’m a native French speaker! I’m sure that the same scenario with the victim’s mother tongue could be much more successfull…