Original Post Author: Don C. Weber [Twitter: @cutaway]
Original Date Published: 25 April 2013
Mike Poor (@Mike_Poor) noticed Stephen Northcutt’s blog post about phone spear-phishing. This reminded him of an email that I sent to the Senior Security Analysts here at InGuardians back in December 2012.
For those of you not familiar with phone spear-phishing, I received a cold call about an infection on my computer. As you can see from the following details, I led them on a little bit. The funniest thing is that I kept them on the phone for about an hour. I kept saying “my computer is slow and not responding” or “oh, dang, it is rebooting, we’ll have to wait.” They were very patient during this whole process and even escalated me to a manager to help me better.
Here is the email. It was internal thus I was sarcastic and succinct, as usual.
Subject: What was the name of that storm?
I just received a call that my Windows system was infected. As you can guess I was very concerned. So I followed their instructions.
First they wanted me to do “Cntl-R” and run “eventvwr”. Then they asked me to take a look at the Custom View -> Administrative Events. Sure enough, there were a ton of “Errors” and “Warnings”. Actually there were 3422, to which he responded with a very concerned “Oh, my golly gosh.” These, he explained, “were malicious programs which were attacking my boot-sector and could cause my computer to stop working and crash.”
Since they were “contracted” by Microsoft to help me, they wanted to access my system. They asked me to use the “Run” command (via the method above) and enter www.showmypc.com. Once IE presented the ShowMyPC website to me I was instructed to click on “Show My PC View Remote PC.” They then asked me for the access code to access my system. I was a bit confused at this point, but they told me it was a 12-digit number so I told them 617 373 686 174. For some reason they couldn’t access my system. I don’t understand why. So I got their contact information.
I was told to ask for John Walter, who was the person helping me. I asked where he was from and he told me Brooklyn, NY. So, I asked him about that storm. You know the one, I forget the name. He couldn’t remember either. I asked him if he had a lot of damage, and he did. But he still couldn’t remember the name.
What was the name of that storm?
For users without log analysis experience: the events recorded by a Windows operating system (such as the “Errors” and “Warnings” within the Windows Event Logs) are normal. They accumulate during ordinary use of a computer as services start and stop, drivers time out, and applications misbehave. These logs give users a view into what is occurring on the system and are used to troubleshoot problems when they happen. However, if a user doesn’t know what they are looking at, the mundane log entries can seem unnecessarily important. Hence directing untrained users to review these entries can be used to scare them into allowing these criminals access.
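To see for yourself how ordinary that “ton of errors and warnings” is, the following PowerShell (an added example, not part of the original post) reproduces the Event Viewer “Administrative Events” filter, Critical/Error/Warning across the Application and System logs, and summarises it by source and level. It assumes a Windows host where the current user can read those two logs; the Security log is left out because it needs an elevated prompt. The `$Days` window and the output layout are my choices.

```powershell
# Added example: summarise the same events the "Administrative Events" custom view
# shows, so the scary total resolves into a few routine providers.
# Assumes Application and System logs are readable by the current user.
$Days = 30

$filter = @{
    LogName   = @('Application', 'System')
    Level     = @(1, 2, 3)               # 1 = Critical, 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddDays(-$Days)
}

# -ErrorAction SilentlyContinue: an empty result is reported as an error, not as zero events
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

"{0} critical/error/warning events in the last {1} days" -f $events.Count, $Days

# Which sources produce the noise? Usually a handful of providers account for most of it.
$events |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# Split the same events by level so "Error" and "Warning" are not lumped together.
$events |
    Group-Object LevelDisplayName |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Read the messages from the noisiest provider before deciding anything is wrong;
# the first line of the message is usually a mundane explanation (a service that
# restarted, a driver that timed out, a time-sync failure while offline).
$top = ($events | Group-Object ProviderName | Sort-Object Count -Descending |
        Select-Object -First 1).Name
$events |
    Where-Object ProviderName -eq $top |
    Select-Object -First 5 TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -Wrap
```

On a healthy workstation that has been up for a few weeks this routinely reports hundreds or thousands of entries, dominated by a few sources such as DistributedCOM, Service Control Manager or Time-Service. A count is not an infection indicator; the provider, event ID and message text are what to look at, and anyone who tells you otherwise over the phone is selling something.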
The reason the access number for ShowMyPC didn’t work was that I was giving them the wrong number. Of course, I read it over and over to them. Fast, slow. I think I “might have” updated some firewall settings (“might have” meaning I said I did but I didn’t). I acted really worried about it the whole time because “I don’t want an infected computer.”
Please listen carefully, because this is important. Microsoft will NEVER call you to help with your computer. They will NEVER hire a company to call you to help you with your computer. The people behind these calls are doing it to steal your personal information and install malware on your system. Stuff you won’t know about. Stuff that will most likely contain keystroke loggers that will give them access to your bank accounts. The scenarios are endless.
If you think your computer is compromised, take it to a technically savvy person you trust or a professional business in your local area. The competence of a local repair shop will vary, as always: caveat emptor. At least you will be able to trace back any malicious activity to an organization or an individual. It is very unlikely that the people making these calls will ever be caught by local law enforcement.
In addition to helping non-professional users understand these attacks, the secondary purpose of this blog post is to bring these ongoing scams to the attention of the security community. Most likely, I am not the only security researcher who will be subject to this type of scam. I am hoping that one or more of you who read this will be ready with a virtual machine set up to capture what these scammers do on the system once they get access. Knowing the steps they take, the data they exfiltrate, and the types of malware they install (e.g. trojans, keystroke loggers, ransomware) will help us understand these attackers better so that we can provide better recommendations.
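If you want to be that person with the VM ready, the following PowerShell is one way to instrument the guest before the call and collect the evidence afterwards. It is an added example and not something from the original post; it assumes an elevated prompt inside a disposable Windows VM you have already snapshotted, with a host-side capture of the VM’s network adapter as a second copy of the traffic. The folder `C:\capture`, the function names `Get-HostBaseline`, `Start-ScamCapture` and `Stop-ScamCapture`, and the choice of what to snapshot are mine. The registry values and commands used (process-creation auditing with command lines, PowerShell script block logging, `netsh trace`, `wevtutil`) are standard Windows features.

```powershell
# Added example: prepare a throwaway VM to record what a remote "technician" does,
# then diff the system and export the logs once they disconnect.
# Assumes an elevated PowerShell prompt in a snapshotted VM; C:\capture is our choice.
$CaptureDir = 'C:\capture'

function Get-HostBaseline {
    # The things a remote party most often touches: processes, services,
    # scheduled tasks and the Run keys used for persistence.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    [pscustomobject]@{
        Processes = @(Get-Process | Select-Object -ExpandProperty ProcessName | Sort-Object -Unique)
        Services  = @(Get-Service | ForEach-Object { "$($_.Name):$($_.Status)" } | Sort-Object)
        Tasks     = @(Get-ScheduledTask | ForEach-Object { "$($_.TaskPath)$($_.TaskName)" } | Sort-Object)
        RunKeys   = @($runKeys |
                      ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
                      ForEach-Object { $_.PSObject.Properties } |
                      Where-Object Name -notlike 'PS*' |
                      ForEach-Object { "$($_.Name)=$($_.Value)" } | Sort-Object)
    }
}

function Start-ScamCapture {
    New-Item -ItemType Directory -Path $CaptureDir -Force | Out-Null

    # Audit every process creation (event 4688) and include the full command line.
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $auditKey -Force | Out-Null
    Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

    # Log the text of any PowerShell they run (event 4104; needs PowerShell 5 or later).
    $sbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbKey -Force | Out-Null
    Set-ItemProperty -Path $sbKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Packet capture with built-in tooling: where tools are fetched from, where data goes.
    netsh trace start capture=yes tracefile="$CaptureDir\scam.etl" maxsize=512 overwrite=yes | Out-Null

    Get-HostBaseline | Export-Clixml -Path "$CaptureDir\baseline.xml"
    "Capture started. Close this window before you hand over the screen."
}

function Stop-ScamCapture {
    netsh trace stop | Out-Null

    $before = Import-Clixml -Path "$CaptureDir\baseline.xml"
    $after  = Get-HostBaseline
    $changes = foreach ($name in 'Processes', 'Services', 'Tasks', 'RunKeys') {
        # Compare-Object rejects empty sides, so skip a category with nothing to compare.
        if ($before.$name.Count -eq 0 -or $after.$name.Count -eq 0) { continue }
        Compare-Object -ReferenceObject $before.$name -DifferenceObject $after.$name |
            ForEach-Object { "{0,-9} {1} {2}" -f $name, $_.SideIndicator, $_.InputObject }
    }
    $changes | Set-Content -Path "$CaptureDir\changes.txt"

    # Keep the raw logs; 4688 (process creation) and 4104 (script blocks) are the place to start.
    wevtutil epl Security "$CaptureDir\Security.evtx"
    wevtutil epl Microsoft-Windows-PowerShell/Operational "$CaptureDir\PowerShell-Operational.evtx"
    "Capture stopped. See $CaptureDir\changes.txt, the .evtx files and scam.etl."
}
```

Run `Start-ScamCapture` before you call back, let them “fix” the computer, and run `Stop-ScamCapture` after they disconnect; `=>` lines in `changes.txt` are things that appeared during the session. Two caveats: anything you type while they have screen control is visible to them, so do the setup beforehand, and the VM itself is now hostile and should be reverted to its snapshot once you have copied `C:\capture` out. The `.etl` trace is readable in Microsoft Message Analyzer or can be converted for Wireshark with Microsoft’s etl2pcapng tool; a capture taken on the host or at the network edge is the more trustworthy copy of the same traffic.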
Go forth and do good things.
P.S. The name of the storm was Sandy.