Hello Sir, This is the Microsoft Support Calling…

You know what? I’m happy and proud to have received my first call from the “Microsoft Support”! When I came back home, there were already three missed calls on my private line, all of them from a strange number (001453789410). A few minutes later, the phone started to ring again… I picked up the phone and, amongst the noise of a call-center, I heard: “Hello Sir, this is the Microsoft Support calling!”. Bingo, I’m targeted! Nothing brand new with this type of social engineering attack, but it was a first live experience for me. It was too tempting to play the game! [Note: I had no recording device so I briefly took notes during the conversation]

All the aspects of a social engineering attack were covered in the caller’s presentation: First, he tried to get my attention (of course I had all my attention! ;-): “I see that you’re using a Windows computer at the moment. Didn’t you detect any suspicious activity for a while?”. Then, he tried to scare me: “Your computer is infected with malwares and viruses!”. The next step was to make me confident: “Let’s see how we can solve this together…”.

Then the fun part started! “Are you in front of your computer right now? Oh, I see again some malicious activity!”, then “I’ll ask you to type some commands to solve all your problems”. The guy was very patient and even helped me to find the “Windows” key on my keyboard (“You see, the key with four small squares representing the Windows logo”). Another three minutes to explain to me how to press “Windows”-R at the same time. And again a few minutes to spell the URL to type: “W like William, again W like William, etc” (he never mentioned technical terms like URL, browser, etc…). At this point, I expected to collect some interesting URLs with a malicious payload but why do complicated stuff when the Internet is full of remote control services?

He asked me to visit www.support.me which is an alias for secure.logmeinrescue.com/Customer/Code.aspx and gave me the 6-digit code required to download and start the remote support session! Throughout the conversation, I tried to grab information about him, how he got my number, how Microsoft detected that my computer was infected. I also asked him to “connect to my computer” to get his own in my firewall logs but no luck… Every time the guy came back to his “script”. After approximately 15 minutes, I dropped the call (I did not have a computer ready for him).

A few minutes later, I booted a fresh VM and provided the 6-digit code but… it was already expired! Too late… I was so curious to see what operations the guy would have performed on the computer once logged in (does anybody have more info?). I’m also wondering why they called me in English. Based on my home phone, they should know that I’m a native French speaker! I’m sure that the same scenario with the victim’s mother tongue could be much more successful…

17 comments

  1. Apparently in Belgium we’re good targets. I got the same call yesterday and had one already a few weeks ago. As I’m living in Ardenne, getting a phone call in English should really limit the number of potential targets that can answer them in English.
    How they got the phone number remains strange to me.

  2. It was a group presentation. Not all presenters agreed with that back-of-the-envelope calculation. 🙂

    I did once find an ad for phone scammers. They made less than $2,000/year. (Though their bosses might make a lot of money.)

  3. They’ve been calling people in non-English speaking countries for quite some time. (IIRC at least France, Sweden, Netherlands, Switzerland.) I spoke to someone in France who told me that the fact that they spoke English made it sound more serious.

    They also call me, in the UK, quite a lot. Because I have convinced them twice I fell for it – once gave a made-up cc number, the other time I promised I’d get a pre-paid debit card later on. They run a few free tools (disk defragmentation, sometimes they install Security Essentials). Nothing malicious and the sad irony is that for some people, this would make their computer actually run better.

    Few screenshots here (PDF – from page 13)
    http://www.virusbtn.com/pdf/conference_slides/2012/Harley-etal-VB2012.pdf
    The best part was that I had already been confirmed to speak on the issue at an APWG meeting. So I was sitting back, taking screenshots while this guy was basically writing my presentation slides for me…

    Ping me if you want to know more!

  4. My parents have been contacted too. Sometimes multiple times a day, days in a row. At first they tried to get rid of it by stating they don’t understand English. After a few times, they contacted them again in their native language (with a very bad accent).
    All of it stopped after my parents told them they don’t have a computer…
    They are persistent for sure!
