What Happens When a Tech Support Scammer Cold Calls Emsisoft?
It’s called the Microsoft Tech Support scam, and it’s been around for years. Last week, Emsisoft and Bleeping Computer intercepted one of these scammers, and in addition to messing with him for a good three hours, we took detailed notes on how the Microsoft Tech Support scam works.
Someone calls you up, claiming to be from Microsoft, and scares you into thinking that your otherwise normally functioning PC is infected. If they scare you well enough, they’ll then connect you to a remote administration software that lets “their experts take a look at your PC.” From there, a number of bad things can happen, including malware installation, data theft, or simply more scare tactics, all in an attempt to sell you some expensive program that doesn’t work – or doesn’t even exist.
People all across the world get contacted by Microsoft scammers every single day, and all too often they become victims.
The Set Up
Step 1: Cold call victim, then lie, using fancy tech buzzwords
Like many a con job, the Microsoft Tech Support scam starts out with a cold call. In this case, it was to one of our friends over at Bleeping Computer – probably one of the worst people in the world a tech support scammer could connect to.
The scammer, who we’ll call Mr. Z., started his ruse by introducing himself as a Microsoft support tech. Mr. Z told our friend that he was calling about an urgent issue. The issue was that our friend’s computer was sending errors to the Window’s server, and that this was a critical problem that needed to be fixed. Being a volunteer support tech himself, our friend immediately knew what he was dealing with. There is no “Windows server” to which all Microsoft computers magically connect, and Microsoft technicians do not cold call their users about critical errors that need to be fixed.
This was a straight up scam.
Step 2: Use the Windows Event Viewer to scare them with things they’ve never seen
Nevertheless, our friend decided to play along. Feigning naivety, he took the bait. He told Mr. Z that his computer had been acting funny, and he asked Mr. Z how he knew there was a problem. All too ready to supply the evidence, Mr. Z began to give instructions.
You will need to open your command prompt. You will then need to type eventvwr and hit Enter.
In scammer-textbook fashion, Mr. Z was making use of one of the oldest tricks in the book. The Windows Event Viewer is simply an administrative tool that displays information about significant events that occur on your computer. Scammers make use of it because “significant events” are often just little glitches, such as a program failing to launch or update. Over the lifetime of a typical computer, many of these glitches will be logged as an event, and displayed as a warning or an error, even though they are not necessarily critical– or even noticed by the typical user.
As someone who works with computers on a daily basis, our friend knew the Event Viewer trick all too well, but, still, he played along. Feigning concern, he asked Mr. Z if all those warnings and errors in his Event Viewer were a problem.
With the utmost seriousness, Mr. Z confirmed that they were.
Step 3: Have them download TeamViewer and Establish Remote Control
It was about at this point that our friend decided to share the fun. Having read about this type of thing before, he knew that the next part of the scam would be to connect to his computer with a remote administration software. This type of connection can be dangerous if given to a stranger because it allows them to control your computer.
Fortunately, malware researchers have useful tools called virtual machines. A virtual machine is essentially an operating system emulator, which allows the researcher to study malware in its natural environment, without having to infect their own computer. Our friend knew that Emsisoft’s researchers used virtual machines on a daily basis, and since he didn’t have one of his own he decided to pass the scammer on to us.
As expected, Mr. Z told our friend that the only way to fix the warnings and errors that appeared on his Event Viewer would be to download TeamViewer and grant Mr. Z remote control. Here, our friend once again complied; however, instead of supplying the access code to connect Mr. Z to his computer, he gave Mr. Z the access code to connect to ours.
The Scare Tactics
Here is where things get really interesting.
Mr. Z is connected to one of our virtual machines in Europe. He’s been told by our friend, who lives in North America, that he’s going to let his daughter take over the computer because this whole TeamViewer thing is way too complicated for him. Mr. Z is no longer on the phone with our friend from Bleeping Computer. He’s in a TeamViewer session. With us.
In a typical Microsoft Tech Support scam, this is usually the point where all hell breaks loose. Malware infection, sensitive file rifling, installation of a covert backdoor for future access – you name it. Mr. Z could do anything, and we were ready for it. To test Mr. Z’s legitimacy, we even infected our virtual machine with malware, to see if he would notice – but notice he did not.
Through it all, Mr. Z had one primary objective: scare us into thinking something was wrong, and then sell us his “support program,” which would magically fix it all.
Step 4: Reiterate the Event Viewer Problem
The first scare tactic Mr. Z employed was a rehash of his Event Viewer shtick. We were, after all, the original contact’s “daughter,” and we needed to know what the problem was.
The Lies:
MRZ-PC (8:04 PM):
i m showng u tis again becoz befor line ws dissconnctd
EMSISOFT-WIN764 (8:05 PM):
ok
MRZ-PC (8:06 PM):
these r the error n warning which z harming ur computer
ok?
EMSISOFT-WIN764 (8:06 PM):
where?
I don’t see errors
can you show it with the mouse pointer?
MRZ-PC (8:06 PM):
u knw wat , ur computr z very slow
these r the errors ok
EMSISOFT-WIN764 (8:07 PM):
yes, I see it now
that looks quite bad
can you fix that?
The Truth:
Event Viewer is a normal part of your Windows PC, and logged warnings and errors are just minor glitches. To access Event Viewer on your own, open the Control Panel, then click System and Security > Administrative Tools > Event Viewer.
Step 5: Tell them about “good files” and “bad files”
Before he would “fix anything,” though, Mr. Z had an educational agenda. Showing us a few little event errors was not enough to achieve his ultimate goal. Like all scammers, Mr. Z needed to misinform us and instill fear. Mr. Z, in a nutshell, needed to show us which computer files were good, and which computer files were bad.
According Mr. Z, good files could be deleted and bad files could not.
The Lies:
MRZ-PC (8:07 PM):
ok , jst go ahead n try to delet them ok
yes m here to help u , first f ol u hav to try to delet hthem if u nt able to delet them, i will help u ok /
EMSISOFT-WIN764 (8:08 PM):
erm, okay
MRZ-PC (8:09 PM):
do u see ther z no delet option
it means u can not delet them by your own
ok
MRZ-PC (8:10 PM):
yes u can not delet them by your own , becoz some f the errors n warnings truns in to virus tats the reason u can nt able to delet them by your own
EMSISOFT-WIN764 (8:11 PM):
ah, I see
MRZ-PC (8:12 PM):
can u see i click on team veiwer and they giving nme the delet option becoz teamveiwer z a good file and good file always gives u the delet option n bad file never giv u the delet option , remember tat in future like u will know which z th good file n which z bad file
EMSISOFT-WIN764 (8:13 PM):
oooh, so for good files you have a delete option and for bad files not gotcha!
MRZ-PC (8:14 PM):
these errors and warnings they harm your computer services , services means which runs your computer , which z very impotant to your computer
now let me go ahead n show u th services
The Truth:
The “files” Mr. Z was trying to have us delete were really just logged events in the Event Viewer. Furthermore, whether or not a file can be deleted has nothing do with its maliciousness.
Step 6: Tell them about the “dangers” of stopped services
Now that we were good and concerned about our evil files which we could not delete, Mr. Z needed to make it clear why these files were such a problem. According to Mr. Z, the bad, undeleteable files were disabling our services – and if it got to the point where all of our services were disabled, our computer would die.
The Lies:
MRZ-PC (8:16 PM):
so these r the services which z very important to your computer , n now u can see ther xz so mny services hav stopped working ?
EMSISOFT-WIN764 (8:17 PM):
I see
MRZ-PC (8:17 PM):
ok
EMSISOFT-WIN764 (8:17 PM):
I guess in the middle pane it says stopped, not stopp
MRZ-PC (8:18 PM):
its a same thing
ok
EMSISOFT-WIN764 (8:19 PM):
yes
MRZ-PC (8:21 PM):
ok
can u see , 70% services has stopped runing inside your compuyter , n only 30% serivices z running inside your computer , which z not good
EMSISOFT-WIN764 (8:24 PM):
can’t I just start them or so?
MRZ-PC (8:24 PM):
onec these all sevices will stopped running , your computr will completely stopped and u can be able to use your computer any more
yaa u hav to reinstall the services
ok
EMSISOFT-WIN764 (8:25 PM):
omg, would that mean we’d need a new computer?
MRZ-PC (8:25 PM):
no , i mm here to help u out , we will repair the services
ok
now let me go ahead and check youir antivirus
EMSISOFT-WIN764 (8:26 PM):
phew, okay, I was scared there for a sec
The Truth:
Services are simply background processes that perform many tasks on your computer. They do not appear in your point-and-click graphical user interface, and instead operate behind the scenes. To take a look at which services are running on your PC, simply press CRTL ALT DELETE, open the Task Manager, and then click on the Services tab. Here you will see that some services are running and some are not. This is not a problem. Services are designed to automatically start and stop when they are needed and when they are not; and, as Elise points out at 8:24, a stopped service can be started manually. Just right click.
Step 7: Tell them about their “useless” antivirus
After showing us what was wrong with our computer, Mr. Z needed a scapegoat. Computers don’t just stop working on their own, mind you. To explain why we had undeleteable files that were disabling our services, Mr. Z pointed the blame at our “incompatible” and “useless antivirus”…Emsisoft Anti-Malware!
The Lies:
MRZ-PC (8:29 PM):
ok let me go ahead and sjow u , your antivirus status
ok
ok i click on compatability
MRZ-PC (8:29 PM):
now can u see thr z a written
MRZ-PC (8:30 PM):
run tis program and compatabilty mode for windows XP service pack 3
EMSISOFT-WIN764 (8:30 PM):
but isn’t that unchecked?
MRZ-PC (8:30 PM):
so it means , your anti virus z nt working ion your computer
ok
The Truth:
Right click on your Emsisoft Anti-Malware shortcut, choose Properties, and then click on the Compatibility tab. You’ll see a drop down Compatibility mode menu which allows you to manually set the operating system for Emsisoft to run on. This menu was Mr. Z’s proof that Emsisoft Anti-Malware was incompatible with our computer!!!
Now, we were willing to play dumb…but not that dumb, so we pressed this whole incompatibility issue by running a scan.
More Lies:
EMSISOFT-WIN764 (8:31 PM):
but it runs, I mean, I can’t trust what it says?
I have another antivirus I think
MRZ-PC (8:31 PM):
if u hav a very good antivirus in your compter , those errors & warnings will never enter in to your computer
EMSISOFT-WIN764 (8:32 PM):
okay, I’m running that too now
look, it found stuff!!!!
MRZ-PC (8:33 PM):
its just showing u yay z running , but actually it z nt running , tats why there r somany error n wrnings in your computer
EMSISOFT-WIN764 (8:33 PM):
damn
MRZ-PC (8:33 PM):
u paid for tis antivirus or its free ?
EMSISOFT-WIN764 (8:33 PM):
okay, I won’t click on that message then
my father did, yes
or he got a free year license or so
MRZ-PC (8:34 PM):
how much un paid ? or u paid yearly or monthly or something like tat ?
EMSISOFT-WIN764 (8:34 PM):
let me ask him
MRZ-PC (8:34 PM):
ok
EMSISOFT-WIN764 (8:34 PM):
he says he paid 30 dollar yearly
but he got a free license from a friend
MRZ-PC (8:35 PM):
ohhhh really , u r payng t30 dollr yearly for tis useless anti virus
omg
EMSISOFT-WIN764 (8:36 PM):
well, idk, but it is detecting stuff right now, although it doesn’t seem to help much
MRZ-PC (8:37 PM):
see , these r use less , if it really works then u will not get these errors in your computer
ok
EMSISOFT-WIN764 (8:37 PM):
thats true
do you know what I could use best?
More Truth:
Emsisoft Anti-Malware was indeed working. It was detecting the malware we had pre-loaded onto the virtual machine before the TeamViewer session even began!
Step 8: Scan the computer’s brain
Now that Mr. Z had shown us the error of our ways, it was time to start problem solving. As he had so clearly shown us, we were running a useless antivirus that was allowing undeleteable files to disable our services! To provide a more accurate diagnosis of the situation, Mr. Z began by scanning our computer’s brain.
The Lies:
MRZ-PC (8:38 PM):
now let me go ahead n scan the brain f brain f your computer n let seee wat it says , if u hav any iother any problm tis scan will tell us
ok
i will tell u
EMSISOFT-WIN764 (8:38 PM):
ok
MRZ-PC (8:38 PM):
about th best antivirus fr ypur computer
MRZ-PC (8:45 PM):
jst wait it will tak same time
ok
EMSISOFT-WIN764 (8:45 PM):
yes
MRZ-PC (8:46 PM):
just look at the first window
what z wrtten over there ?
EMSISOFT-WIN764 (8:47 PM):
hmm
it says something about a trozen
whats that?
the second says warning
and the other something about the license
MRZ-PC (8:47 PM):
yes, do you knw wat z trojen virus ?
EMSISOFT-WIN764 (8:48 PM):
I know its bad yes
The Truth:
Mr. Z did not scan our computer’s brain. Instead, he just typed tree c: /f into the command prompt. This is a harmless command that simply creates a “tree-styled” graphic display of the specified directory in the command prompt. In this case, that display was quite large, and as it was created it simply looked like a scan. To see this in action yourself, open your command line prompt (find it using Windows Search), type tree c: /f, hit Enter, and voila – you too have “scanned your computer’s brain.”
If you take a closer look at Mr. Z’s brain scan, you’ll also see 3 messages at the end:
warning!!!
trozen virus found -250
computer liscebse will expire will expire in two week
First of all, these messages have nothing to do with running tree c: /f. If you type the command yourself, you can see that none of them appear after the command has run. So how did Mr. Z make it look like his brain scan had produced these results?
He typed them into the command prompt. And by the looks of it he used a broken keyboard.
Just as you can tell your computer’s command prompt to run tree c: /f (or any other command for that matter), you can also tell it to run warning!!! This isn’t a command the command prompt recognizes, though. In fact, if you take a closer look you’ll see that this lack of recognition is indeed the prompt’s response.
Step 9: Reference the Almighty Google and Wikipedia
Mr. Z was now moving in for the kill. Having used his extensive technical knowledge and highly effective brain scan, he had shown us that our computer was infected with “trozens.” Mr. Z. wanted to be absolutely sure that we were aware of the dangerous, though. Mr. Z needed us to understand what these “trozens” were… and to Mr. Z, there was no finer way to do so than through Wikipedia and Google.
MRZ-PC (8:48 PM):
ok let me show u wat z exactly trojen
ok
EMSISOFT-WIN764 (8:49 PM):
yes
MRZ-PC (8:51 PM):
yes m showing u , wat trojen vius
ok m gonna type trojen in the google n let see wat it says …..
ok
EMSISOFT-WIN764 (8:53 PM):
yes
MRZ-PC (8:53 PM):
wait
EMSISOFT-WIN764 (8:53 PM):
sorry, some text appeared
MRZ-PC (8:53 PM):
just wait … m doing somthng so do not touch your computer
opk , now go ahead n read the highlightd line
tis z about trojan viruses
EMSISOFT-WIN764 (8:55 PM):
ok
I understand
that sounds quite bad
MRZ-PC (8:55 PM):
hmmmm
below tat u can see ther z a written purpose and uses
EMSISOFT-WIN764 (8:56 PM):
yes
MRZ-PC (8:57 PM):
thr z writtn , TROJAN MAY GIVE HACKER TO GIVE REMOTE ACCESSES
TO TARGET COMPUTER SYSTEM
and below that
EMSISOFT-WIN764 (8:57 PM):
yes
MRZ-PC (8:58 PM):
thr z a written crashing the computer wit blue scree up death
let me show u
the blue screen
EMSISOFT-WIN764 (8:58 PM):
oh, I’ve never seen that
but it looks baad really :(
MRZ-PC (8:58 PM):
can u see the blue screen ?
yes
EMSISOFT-WIN764 (8:59 PM):
yes, I see it
MRZ-PC (8:59 PM):
if trojen will crtash your computer then u can see the blue screen
EMSISOFT-WIN764 (8:59 PM):
oh, and I definitely don’t want that
MRZ-PC (8:59 PM):
and when ever u turn on your computer
u can see the same screen
n they will ask u to restart your PC again
and no matter
haow many time u go ansd open your computer , u will get the same screen
EMSISOFT-WIN764 (9:00 PM):
I see
MRZ-PC (9:00 PM):
and just below that can u see ther z written , ELECTRIC MONEY THEFT
it mean they can steal your money from your BANK ACCOUNT
EMSISOFT-WIN764 (9:02 PM):
wow
MRZ-PC (9:02 PM):
jst below tat thr z a writtn , DATA THEFT
EMSISOFT-WIN764 (9:02 PM):
yes, I see
MRZ-PC (9:02 PM):
DATA THEFT means they can steal your personal infirmation from ur computer
like YOUR USER ACCIOUNT , PASSWRD
PHOTOS , YOOUR PERSONAL INFORMATION
EMSISOFT-WIN764 (9:03 PM):
omg
MRZ-PC (9:03 PM):
they can steal YOUR CREDIT CARD DETAILS
EMSISOFT-WIN764 (9:03 PM):
shoot
MRZ-PC (9:03 PM):
can u see , ther z writtn PAYMNT CARD INFORMATION
now i will like to see u
EMSISOFT-WIN764 (9:04 PM):
yes
MRZ-PC (9:04 PM):
do u do INTERNET BANKING ?
ONLINE SHOPPNG
?
PAYNING BILLS?
OR SOMETHING LIKE TAT ?
R U THR ?
??
EMSISOFT-WIN764 (9:05 PM):
sorry
yes
I sometimes shop online
and I think my father does banking
MRZ-PC (9:06 PM):
hav u read tat thing ? m asking u something?
EMSISOFT-WIN764 (9:06 PM):
yes
MRZ-PC (9:06 PM):
i think u hav to stop doing tat things
EMSISOFT-WIN764 (9:06 PM):
yeah, I’ll definitely stop that
MRZ-PC (9:07 PM):
you shuld nt do tat things UNTILL N UNLEWSS u do nt remove th TROJAN VIRUS from your COMPUTER .
ok
EMSISOFT-WIN764 (9:07 PM):
yes
MRZ-PC (9:07 PM):
ok
now do u undrstand , wat z TROJAN ?
EMSISOFT-WIN764 (9:08 PM):
yes
The Truth:
There is a Wikipedia article about Trojans.
The Big Sell
Step 10: Give them a .txt file they can’t refuse
It had now been over an hour on TeamViewer. In all that time, we had learned about warnings and errors, undeletable files, stopped services, ineffective antivirus programs, brain scans, and the dangers of “trozens” by way of Wikipedia and Google. Thanks to Mr. Z, we were now completely misinformed and “desperate” for an answer. Lucky for us, Mr. Z had a solution.
MRZ-PC (9:11 PM):
now let me discuss to MY SENIOR TECHNICIAN about your computer
EMSISOFT-WIN764 (9:16 PM):
ok
MRZ-PC (9:17 PM):
ok
wait
m talking to my senoir superwiser about your computer problem
what should be the best solution
EMSISOFT-WIN764 (9:18 PM):
ok thanks
MRZ-PC (9:18 PM):
pk
now m going to write down on the NOTEPAD SOLUTION FOR YOUR COMPUTER
OK
A Heartfelt Thank You on Behalf of Bleeping Computer and Emsisoft
Final Step: When they realize it’s a scam, deny everything
By now of course we weren’t even sure if we could still play along. Mr. Z had provided over 2 hours of tech support… and now he was trying to get us to pay for extended service, with poorly written ads pasted into Notepad. In all honesty, this final tactic put us at somewhat of a loss for words, but after some careful consultation with a few of our friends from Bleeping Computer, we eventually developed an adequate response (continuing the conversation in Notepad).
Not to anyone’s surprise, Mr. Z denied all allegations of being a scammer until the very end.
Moral of the story? Some people will do anything to scam strangers on the Internet, even if it’s more work and less pay than getting an actual job. Don’t let them scam you.
Have a great (Mr-Z-free) day!
Your Emsisoft Team.
Emsisoft Enterprise Security + EDR
Robust and proven endpoint security solution for organizations of all sizes. Start free trial* Note: All of “Mr. Z’s” spelling and grammar has been left in its original form. If you can’t understand about half of what he’s saying, don’t worry – neither could we! In general, grammar like this – regardless of language – is a telltale sign that you’re dealing with a fraud.