Maybe you’ve heard of the Microsoft phone scams going on lately. They started in the US and the UK, and recently more and more Swiss people are getting called. If you don’t know what I’m talking about, a lot of news sites have lengthy articles on the matter: ZDNet, The Guardian, and the Microsoft Security Blog, to name only a few.
So recently I already got called by a number which, after some googling, turned out to be exactly this. I missed the call and was very sad I did so, because I thought it would be a lot of fun.
Then today I got called again. YES! So there was a guy with a very strong Indian accent who told me my computer was at risk.
While I told him my computer was booting, I started up VMware (damn, recompiling modules… okay, told him my computer was a bit slow so it will take a while) and did a snapshot, removed my VMware shared storage folders (a very wise thing to do!), then booted my Windows XP VM. And that’s what happened afterwards:
He explained to me where on my keyboard the Windows button was, then told me to press Windows+R, which – of course – opens the Run window. There he told me to enter inf, which displays the Windows inf folder:
He explained to me these were malicious files installed by viruses (yeah, right.) and he wanted me to count how many files there are. I didn’t have the status bar turned on when he was calling, so I told him there were a lot and I’m not counting them. So my computer “was in great danger”. Okay, cool. Then he told me to open the run-prompt again and enter www.ammyy.com – some (non-harmful) remote control software, similar to Teamviewer. Then he walked me through opening it, telling the Windows firewall to accept it, and accepting his connection. Later he also opened www.showmypc.com and I somehow saw a TightVNC instance running, but it seems he did not use these. I hope they did eat some bandwidth 😀
Then he told me to go to www.support.me (these guys seem to know remote desktop tools really well!) and told me to enter some random code, which of course did not exist. His reaction to this was something like “See? Your Windows security certificate has expired and your computer is at risk, and we are the service provider to give you a new certificate”.
After that, he asked multiple times if I was the only person using this computer, if this is my computer, and if I want to renew my security certificate for one, two, three or five years. While talking to me, he also changed the Windows color scheme to black/white because there were probably some problems with his remote thingy. It took him like two minutes to do that alone, and my colors went from Windows Classic to Windows XP Blue, to Windows XP Olive, then to this Win98-Teal-Thingy, and then to black/white:
Oh well… Then while talking to me he started deleting some Windows files and all of my personal data (!) – of course I was amused, because I had a snapshot.
He also told me multiple times the certificate was free, I would only pay for cleaning the PC and making it work right again. This makes total sense, because the price gets higher the longer I wanted the certificate, huh? He wanted like 200 pounds (yes, he said pounds, not Swiss francs!) for the 5-year one.
At the point when it came to paying, I asked him if he knew VMware. Then I asked him if he knew Linux. He said yes to both. Then I told him he was working in a virtual machine and that I was an IT-guy and a Linux-user, and it was a lot of fun wasting his time. I also showed him this screenshot:
That’s where things got really entertaining.
First of all, he started uninstalling some of my software. I responded to this by showing him a picture of Goatse (if you don’t know it, don’t google it, you have been warned). He was not very impressed and asked me if that was my ass. 😛
Then he renamed my Computer and Documents-folders in the start menu to “Fuck Off” and changed my screensaver to 3D-Text with the text “Fuck Off” and clicked Preview. Hm, funny guy!
At this point, he discovered my Adobe Reader was finished updating, and since it was German, he clicked the “Restart now” button because he didn’t know what it meant. I told him what he did, and used the time to restore the original snapshot I had. Then I quickly downloaded and ran the admin tool again and he reconnected. For some reason, he didn’t seem to care at all, and just started deleting files and uninstalling software again.
While I wasn’t doing anything, he started watching some YouTube videos. No idea what he wanted to do, maybe he thought my speakers were on. Then he opened pinball and told me he wanted to watch me playing this game, so I did. Heck, that guy must be bored.
Then my phone battery went down, so the phone call was finished. He opened Windows Notepad to ask me where I went, and I wrote back, so he told me “okay, let’s write here then”.
I told him “Okay, this was fun, but I still could give you my credit card information for the certificate, right?”. I then gave him a fake number with an expiry date in the 1990s. He got it (pfff!) so I told him I was kidding and the date is actually in 2014.
Now he told me he’d call me again in 30 minutes, and I should leave the computer like it is. I used the opportunity to gather some other shock sites and open them. He never called again, and closed the connection some time later.
Damn, it was so much fun messing with him. 🙁