
[Computers & Digital] PC Wizards eventvwr Scam!!!

Posted on 2014-5-14 04:10 PM


A senior security researcher from Malwarebytes has played along with a Microsoft technical support scammer, documenting the whole episode in a video, to showcase the social engineering that takes place.

For the uninitiated, the scam involves people in Indian call centres ringing up and saying that they are representatives from Microsoft technical support. They then tell the victim that their computer is running slowly because of viruses or because they need an additional piece of software -- at a cost, of course. It's been floating around for almost as many years as the Nigerian money transfer scam and is still going strong.

This week, the scammers called the wrong person: Jerome Segura, a senior security researcher at anti-malware company Malwarebytes. Being familiar with the sting, Segura played along with the female caller, recording the entire episode in a handy YouTube video. It's not the first time that scammees have documented scammers -- there are many videos on YouTube such as this one, this one and this one -- but Segura made an effort to remain calm, not try and troll the scammers and genuinely try and understand the sophistication of the scam. He didn't expect it to turn nasty at the end when the scammers became impatient and deleted a load of files from his computer.

Most Wired.co.uk readers will have a highly-tuned Windows scammer filter, but we'll know of less tech-savvy relatives or friends that might be drawn in. Segura told Wired.co.uk: "Many of my family members have received these calls, so I wanted to play the game to see how the scam worked. My aim was to be totally respectful and play the perfect victim."

As soon as Segura received a call, he decided to turn on his virtual machine and start recording the call and his computer screen. The caller -- initially a woman -- directs Segura to look at his Event Viewer, which logs all Microsoft error reports. She asked him to count the number of red cross-marked errors and yellow warnings, before warning him: "These errors and warnings are very much harmful for your computer. These are major problems and it doesn't matter if you have one or two errors or more than that. Each one has already started corrupting your whole computer system."

She then instructed Segura to enter in "Prefetch" into the start>run menu, which opens up the prefetch folder, which actually keeps track of how your computer starts and which programs you commonly open. She said that these were "malicious hacking files that are making the computer infected and the system slow". She warned not to delete any of the files as they could be activated and crash the computer. "You have 100 hacking files on your computer, you are very high risk."

Segura explains: "The woman really wanted me to be involved and count the errors. It's all about social engineering. But part of the plan is on Microsoft for having errors that look like this [quite alarming]."

The caller then went on to say that Segura's software warranty had expired after three years, and she then asked him to have a look at the System Configuration Utility services tab. She explained that the reason that some of the services in that tab were marked with a "stopped" status was because a warranty had expired and only a Microsoft technician could start them again.

At this point a male "technician" takes over to get Segura to register for a warranty renewal that will cost "only" $299 (£195). It's a complete one off payment for the whole lifetime of the computer. An absolute bargain.

Segura is asked to download TeamViewer to allow a third party to control his computer. They then open up a browser and instruct Segura to enter in his personal information, including banking information and make a PayPal payment of $299. Segura purposefully enters in wrong banking details knowing it will be rejected.

At this point the scammer gets spiteful, takes control of Segura's computer and deletes all of the documents from his computer. The scammer then looks for more ways to corrupt the system, heading to device manager to delete the Ethernet adapter driver. Before deleting, he posts "bye asshole" (sic) in the TeamViewer chat log.

Segura asks the operator who was deleting the files on his computer, and why the technician called him an asshole. A male voice replies that the "technician is always correct. If he is saying that you are something then you must be. He cannot be wrong."

Segura is surprised that this scam -- which has been floating around since 2008 -- is still going on. "Many older people may fall for the trick." He hopes to educate more people about the scam and try and track down the people behind them.


Posted on 2014-5-14 09:42 PM