What Happens When a Tech Support Scammer Cold Calls Emsisoft?

It’s called the Microsoft Tech Support scam, and it’s been around for years. Last week, Emsisoft and Bleeping Computer intercepted one of these scammers, and in addition to messing with him for a good three hours, we took detailed notes on how the Microsoft Tech Support scam works.

 

Someone calls you up, claiming to be from Microsoft, and scares you into thinking that your otherwise normally functioning PC is infected. If they scare you well enough, they’ll then connect you to a remote administration software that lets “their experts take a look at your PC.” From there, a number of bad things can happen, including malware installation, data theft, or simply more scare tactics, all in an attempt to sell you some expensive program that doesn’t work – or doesn’t even exist.

People all across the world get contacted by Microsoft scammers every single day, and all too often they become victims.

 

The Set Up

Step 1: Cold call victim, then lie, using fancy tech buzzwords

Like many a con job, the Microsoft Tech Support scam starts out with a cold call. In this case, it was to one of our friends over at Bleeping Computer – probably one of the worst people in the world a tech support scammer could connect to.

The scammer, who we’ll call Mr. Z., started his ruse by introducing himself as a Microsoft support tech. Mr. Z told our friend that he was calling about an urgent issue. The issue was that our friend’s computer was sending errors to the Window’s server, and that this was a critical problem that needed to be fixed. Being a volunteer support tech himself, our friend immediately knew what he was dealing with. There is no “Windows server” to which all Microsoft computers magically connect, and Microsoft technicians do not cold call their users about critical errors that need to be fixed.

This was a straight up scam.

Step 2: Use the Windows Event Viewer to scare them with things they’ve never seen

Nevertheless, our friend decided to play along. Feigning naivety, he took the bait. He told Mr. Z that his computer had been acting funny, and he asked Mr. Z how he knew there was a problem. All too ready to supply the evidence, Mr. Z began to give instructions.

You will need to open your command prompt. You will then need to type eventvwr and hit Enter.

cmd eventvwr

In scammer-textbook fashion, Mr. Z was making use of one of the oldest tricks in the book. The Windows Event Viewer is simply an administrative tool that displays information about significant events that occur on your computer. Scammers make use of it because “significant events” are often just little glitches, such as a program failing to launch or update. Over the lifetime of a typical computer, many of these glitches will be logged as an event, and displayed as a warning or an error, even though they are not necessarily critical– or even noticed by the typical user.

event_viewer_warnings

As someone who works with computers on a daily basis, our friend knew the Event Viewer trick all too well, but, still, he played along. Feigning concern, he asked Mr. Z if all those warnings and errors in his Event Viewer were a problem.

With the utmost seriousness, Mr. Z confirmed that they were.

Step 3: Have them download TeamViewer and Establish Remote Control

It was about at this point that our friend decided to share the fun. Having read about this type of thing before, he knew that the next part of the scam would be to connect to his computer with a remote administration software. This type of connection can be dangerous if given to a stranger because it allows them to control your computer.

Fortunately, malware researchers have useful tools called virtual machines. A virtual machine is essentially an operating system emulator, which allows the researcher to study malware in its natural environment, without having to infect their own computer. Our friend knew that Emsisoft’s researchers used virtual machines on a daily basis, and since he didn’t have one of his own he decided to pass the scammer on to us.

As expected, Mr. Z told our friend that the only way to fix the warnings and errors that appeared on his Event Viewer would be to download TeamViewer and grant Mr. Z remote control. Here, our friend once again complied; however, instead of supplying the access code to connect Mr. Z to his computer, he gave Mr. Z the access code to connect to ours.

The Scare Tactics

Here is where things get really interesting.

Mr. Z is connected to one of our virtual machines in Europe. He’s been told by our friend, who lives in North America, that he’s going to let his daughter take over the computer because this whole TeamViewer thing is way too complicated for him. Mr. Z is no longer on the phone with our friend from Bleeping Computer. He’s in a TeamViewer session. With us.

In a typical Microsoft Tech Support scam, this is usually the point where all hell breaks loose. Malware infection, sensitive file rifling, installation of a covert backdoor for future access – you name it. Mr. Z could do anything, and we were ready for it. To test Mr. Z’s legitimacy, we even infected our virtual machine with malware, to see if he would notice – but notice he did not.

Through it all, Mr. Z had one primary objective: scare us into thinking something was wrong, and then sell us his “support program,” which would magically fix it all.

Step 4: Reiterate the Event Viewer Problem

The first scare tactic Mr. Z employed was a rehash of his Event Viewer shtick. We were, after all, the original contact’s “daughter,” and we needed to know what the problem was.

The Lies:

MRZ-PC (8:04 PM):

i m showng u tis again becoz befor line ws dissconnctd

EMSISOFT-WIN764 (8:05 PM):

ok

MRZ-PC (8:06 PM):

these r the error n warning which z harming ur computer

ok?

EMSISOFT-WIN764 (8:06 PM):

where?

I don’t see errors

can you show it with the mouse pointer?

MRZ-PC (8:06 PM):

u knw wat , ur computr z very slow

these r the errors ok

event_viewer_warnings_boxed

EMSISOFT-WIN764 (8:07 PM):

yes, I see it now

that looks quite bad

can you fix that?

The Truth:

Event Viewer is a normal part of your Windows PC, and logged warnings and errors are just minor glitches. To access Event Viewer on your own, open the Control Panel, then click System and Security > Administrative Tools > Event Viewer.

Step 5: Tell them about “good files” and “bad files”

Before he would “fix anything,” though, Mr. Z had an educational agenda. Showing us a few little event errors was not enough to achieve his ultimate goal. Like all scammers, Mr. Z needed to misinform us and instill fear. Mr. Z, in a nutshell, needed to show us which computer files were good, and which computer files were bad.

According Mr. Z, good files could be deleted and bad files could not.

The Lies:

MRZ-PC (8:07 PM):

ok , jst go ahead n try to delet them ok

yes m here to help u , first f ol u hav to try to delet hthem if u nt able to delet them, i will help u ok /

EMSISOFT-WIN764 (8:08 PM):

erm, okay

event_viewer_no_delete

MRZ-PC (8:09 PM):

do u see ther z no delet option

it means u can not delet them by your own

ok

MRZ-PC (8:10 PM):

yes u can not delet them by your own , becoz some f the errors n warnings truns in to virus tats the reason u can nt able to delet them by your own

EMSISOFT-WIN764 (8:11 PM):

ah, I see

MRZ-PC (8:12 PM):

can u see i click on team veiwer and they giving nme the delet option becoz teamveiwer z a good file and good file always gives u the delet option n bad file never giv u the delet option , remember tat in future like u will know which z th good file n which z bad file

shortcut

EMSISOFT-WIN764 (8:13 PM):

oooh, so for good files you have a delete option and for bad files not gotcha!

MRZ-PC (8:14 PM):

these errors and warnings they harm your computer services , services means which runs your computer , which z very impotant to your computer

now let me go ahead n show u th services

The Truth:

The “files” Mr. Z was trying to have us delete were really just logged events in the Event Viewer. Furthermore, whether or not a file can be deleted has nothing do with its maliciousness.

Step 6: Tell them about the “dangers” of stopped services

Now that we were good and concerned about our evil files which we could not delete, Mr. Z needed to make it clear why these files were such a problem. According to Mr. Z, the bad, undeleteable files were disabling our services – and if it got to the point where all of our services were disabled, our computer would die.

The Lies:

MRZ-PC (8:16 PM):

so these r the services which z very important to your computer , n now u can see ther xz so mny services hav stopped working ?

 

stopped_services

 

EMSISOFT-WIN764 (8:17 PM):

I see

MRZ-PC (8:17 PM):

ok

EMSISOFT-WIN764 (8:17 PM):

I guess in the middle pane it says stopped, not stopp

MRZ-PC (8:18 PM):

its a same thing

ok

EMSISOFT-WIN764 (8:19 PM):

yes

MRZ-PC (8:21 PM):

ok

can u see , 70% services has stopped runing inside your compuyter , n only 30% serivices z running inside your computer , which z not good

EMSISOFT-WIN764 (8:24 PM):

can’t I just start them or so?

MRZ-PC (8:24 PM):

onec these all sevices will stopped running , your computr will completely stopped and u can be able to use your computer any more

yaa u hav to reinstall the services

ok

EMSISOFT-WIN764 (8:25 PM):

omg, would that mean we’d need a new computer?

MRZ-PC (8:25 PM):

no , i mm here to help u out , we will repair the services

ok

now let me go ahead and check youir antivirus

EMSISOFT-WIN764 (8:26 PM):

phew, okay, I was scared there for a sec

The Truth:

Services are simply background processes that perform many tasks on your computer. They do not appear in your point-and-click graphical user interface, and instead operate behind the scenes. To take a look at which services are running on your PC, simply press CRTL ALT DELETE, open the Task Manager, and then click on the Services tab. Here you will see that some services are running and some are not. This is not a problem. Services are designed to automatically start and stop when they are needed and when they are not; and, as Elise points out at 8:24, a stopped service can be started manually. Just right click.

Step 7: Tell them about their “useless” antivirus

After showing us what was wrong with our computer, Mr. Z needed a scapegoat. Computers don’t just stop working on their own, mind you. To explain why we had undeleteable files that were disabling our services, Mr. Z pointed the blame at our “incompatible” and “useless antivirus”…Emsisoft Anti-Malware!

The Lies:

MRZ-PC (8:29 PM):

ok let me go ahead and sjow u , your antivirus status

ok

ok i click on compatability

MRZ-PC (8:29 PM):

now can u see thr z a written

MRZ-PC (8:30 PM):

run tis program and compatabilty mode for windows XP service pack 3

scammer

EMSISOFT-WIN764 (8:30 PM):

but isn’t that unchecked?

MRZ-PC (8:30 PM):

so it means , your anti virus z nt working ion your computer

ok

The Truth:

Right click on your Emsisoft Anti-Malware shortcut, choose Properties, and then click on the Compatibility tab. You’ll see a drop down Compatibility mode menu which allows you to manually set the operating system for Emsisoft to run on. This menu was Mr. Z’s proof that Emsisoft Anti-Malware was incompatible with our computer!!!

Now, we were willing to play dumb…but not that dumb, so we pressed this whole incompatibility issue by running a scan.

More Lies:

EMSISOFT-WIN764 (8:31 PM):

but it runs, I mean, I can’t trust what it says?

I have another antivirus I think

MRZ-PC (8:31 PM):

if u hav a very good antivirus in your compter , those errors & warnings will never enter in to your computer

EMSISOFT-WIN764 (8:32 PM):

okay, I’m running that too now

look, it found stuff!!!!

MRZ-PC (8:33 PM):

its just showing u yay z running , but actually it z nt running , tats why there r somany error n wrnings in your computer

EMSISOFT-WIN764 (8:33 PM):

damn

MRZ-PC (8:33 PM):

u paid for tis antivirus or its free ?

EMSISOFT-WIN764 (8:33 PM):

okay, I won’t click on that message then

my father did, yes

or he got a free year license or so

MRZ-PC (8:34 PM):

how much un paid ? or u paid yearly or monthly or something like tat ?

EMSISOFT-WIN764 (8:34 PM):

let me ask him

MRZ-PC (8:34 PM):

ok

EMSISOFT-WIN764 (8:34 PM):

he says he paid 30 dollar yearly

but he got a free license from a friend

MRZ-PC (8:35 PM):

ohhhh really , u r payng t30 dollr yearly for tis useless anti virus

omg

EMSISOFT-WIN764 (8:36 PM):

well, idk, but it is detecting stuff right now, although it doesn’t seem to help much

MRZ-PC (8:37 PM):

see , these r use less , if it really works then u will not get these errors in your computer

ok

EMSISOFT-WIN764 (8:37 PM):

thats true

do you know what I could use best?

More Truth:

Emsisoft Anti-Malware was indeed working. It was detecting the malware we had pre-loaded onto the virtual machine before the TeamViewer session even began!

Step 8: Scan the computer’s brain

Now that Mr. Z had shown us the error of our ways, it was time to start problem solving. As he had so clearly shown us, we were running a useless antivirus that was allowing undeleteable files to disable our services! To provide a more accurate diagnosis of the situation, Mr. Z began by scanning our computer’s brain.

The Lies:

MRZ-PC (8:38 PM):

now let me go ahead n scan the brain f brain f your computer n let seee wat it says , if u hav any iother any problm tis scan will tell us

ok

i will tell u

EMSISOFT-WIN764 (8:38 PM):

ok

MRZ-PC (8:38 PM):

about th best antivirus fr ypur computer

MRZ-PC (8:45 PM):

jst wait it will tak same time

ok

EMSISOFT-WIN764 (8:45 PM):

yes

MRZ-PC (8:46 PM):

just look at the first window

what z wrtten over there ?

EMSISOFT-WIN764 (8:47 PM):

hmm

it says something about a trozen

whats that?

the second says warning

and the other something about the license

MRZ-PC (8:47 PM):

yes, do you knw wat z trojen virus ?

EMSISOFT-WIN764 (8:48 PM):

I know its bad yes

The Truth:

Mr. Z did not scan our computer’s brain. Instead, he just typed tree c: /f into the command prompt. This is a harmless command that simply creates a “tree-styled” graphic display of the specified directory in the command prompt. In this case, that display was quite large, and as it was created it simply looked like a scan. To see this in action yourself, open your command line prompt (find it using Windows Search), type tree c: /f, hit Enter, and voila – you too have “scanned your computer’s brain.”

If you take a closer look at Mr. Z’s brain scan, you’ll also see 3 messages at the end:

warning!!!

trozen virus found -250

computer liscebse will expire will expire in two week

First of all, these messages have nothing to do with running tree c: /f. If you type the command yourself, you can see that none of them appear after the command has run. So how did Mr. Z make it look like his brain scan had produced these results?

He typed them into the command prompt. And by the looks of it he used a broken keyboard.

Just as you can tell your computer’s command prompt to run tree c: /f (or any other command for that matter), you can also tell it to run warning!!! This isn’t a command the command prompt recognizes, though. In fact, if you take a closer look you’ll see that this lack of recognition is indeed the prompt’s response.

Step 9: Reference the Almighty Google and Wikipedia

Mr. Z was now moving in for the kill. Having used his extensive technical knowledge and highly effective brain scan, he had shown us that our computer was infected with “trozens.” Mr. Z. wanted to be absolutely sure that we were aware of the dangerous, though. Mr. Z needed us to understand what these “trozens” were… and to Mr. Z, there was no finer way to do so than through Wikipedia and Google.

MRZ-PC (8:48 PM):

ok let me show u wat z exactly trojen

ok

EMSISOFT-WIN764 (8:49 PM):

yes

MRZ-PC (8:51 PM):

yes m showing u , wat trojen vius

ok m gonna type trojen in the google n let see wat it says …..

ok

EMSISOFT-WIN764 (8:53 PM):

yes

MRZ-PC (8:53 PM):

wait

EMSISOFT-WIN764 (8:53 PM):

sorry, some text appeared

MRZ-PC (8:53 PM):

just wait … m doing somthng so do not touch your computer

opk , now go ahead n read the highlightd line

tis z about trojan viruses

EMSISOFT-WIN764 (8:55 PM):

ok

I understand

that sounds quite bad

MRZ-PC (8:55 PM):

hmmmm

below tat u can see ther z a written purpose and uses

EMSISOFT-WIN764 (8:56 PM):

yes

MRZ-PC (8:57 PM):

thr z writtn , TROJAN MAY GIVE HACKER TO GIVE REMOTE ACCESSES

TO TARGET COMPUTER SYSTEM

and below that

EMSISOFT-WIN764 (8:57 PM):

yes

MRZ-PC (8:58 PM):

thr z a written crashing the computer wit blue scree up death

let me show u

the blue screen

bsod

EMSISOFT-WIN764 (8:58 PM):

oh, I’ve never seen that

but it looks baad really :(

MRZ-PC (8:58 PM):

can u see the blue screen ?

yes

EMSISOFT-WIN764 (8:59 PM):

yes, I see it

MRZ-PC (8:59 PM):

if trojen will crtash your computer then u can see the blue screen

EMSISOFT-WIN764 (8:59 PM):

oh, and I definitely don’t want that

MRZ-PC (8:59 PM):

and when ever u turn on your computer

u can see the same screen

n they will ask u to restart your PC again

and no matter

haow many time u go ansd open your computer , u will get the same screen

EMSISOFT-WIN764 (9:00 PM):

I see

MRZ-PC (9:00 PM):

and just below that can u see ther z written , ELECTRIC MONEY THEFT

it mean they can steal your money from your BANK ACCOUNT

EMSISOFT-WIN764 (9:02 PM):

wow

MRZ-PC (9:02 PM):

jst below tat thr z a writtn , DATA THEFT

EMSISOFT-WIN764 (9:02 PM):

yes, I see

MRZ-PC (9:02 PM):

DATA THEFT means they can steal your personal infirmation from ur computer

like YOUR USER ACCIOUNT , PASSWRD

PHOTOS , YOOUR PERSONAL INFORMATION

EMSISOFT-WIN764 (9:03 PM):

omg

MRZ-PC (9:03 PM):

they can steal YOUR CREDIT CARD DETAILS

EMSISOFT-WIN764 (9:03 PM):

shoot

MRZ-PC (9:03 PM):

can u see , ther z writtn PAYMNT CARD INFORMATION

now i will like to see u

EMSISOFT-WIN764 (9:04 PM):

yes

MRZ-PC (9:04 PM):

do u do INTERNET BANKING ?

ONLINE SHOPPNG

?

 

PAYNING BILLS?

OR SOMETHING LIKE TAT ?

R U THR ?

??

EMSISOFT-WIN764 (9:05 PM):

sorry

yes

I sometimes shop online

and I think my father does banking

MRZ-PC (9:06 PM):

hav u read tat thing ? m asking u something?

EMSISOFT-WIN764 (9:06 PM):

yes

MRZ-PC (9:06 PM):

i think u hav to stop doing tat things

EMSISOFT-WIN764 (9:06 PM):

yeah, I’ll definitely stop that

MRZ-PC (9:07 PM):

you shuld nt do tat things UNTILL N UNLEWSS u do nt remove th TROJAN VIRUS from your COMPUTER .

ok

EMSISOFT-WIN764 (9:07 PM):

yes

MRZ-PC (9:07 PM):

ok

now do u undrstand , wat z TROJAN ?

EMSISOFT-WIN764 (9:08 PM):

yes

The Truth:

There is a Wikipedia article about Trojans.

The Big Sell

Step 10: Give them a .txt file they can’t refuse

It had now been over an hour on TeamViewer. In all that time, we had learned about warnings and errors, undeletable files, stopped services, ineffective antivirus programs, brain scans, and the dangers of “trozens” by way of Wikipedia and Google. Thanks to Mr. Z, we were now completely misinformed and “desperate” for an answer. Lucky for us, Mr. Z had a solution.

MRZ-PC (9:11 PM):

now let me discuss to MY SENIOR TECHNICIAN about your computer

EMSISOFT-WIN764 (9:16 PM):

ok

MRZ-PC (9:17 PM):

ok

wait

m talking to my senoir superwiser about your computer problem

what should be the best solution

EMSISOFT-WIN764 (9:18 PM):

ok thanks

MRZ-PC (9:18 PM):

pk

now m going to write down on the NOTEPAD SOLUTION FOR YOUR COMPUTER

OK

A Heartfelt Thank You on Behalf of Bleeping Computer and Emsisoft

Final Step: When they realize it’s a scam, deny everything

By now of course we weren’t even sure if we could still play along. Mr. Z had provided over 2 hours of tech support… and now he was trying to get us to pay for extended service, with poorly written ads pasted into Notepad. In all honesty, this final tactic put us at somewhat of a loss for words, but after some careful consultation with a few of our friends from Bleeping Computer, we eventually developed an adequate response (continuing the conversation in Notepad).

thank_you_note_4

Not to anyone’s surprise, Mr. Z denied all allegations of being a scammer until the very end.

scammer_finale_1

Moral of the story? Some people will do anything to scam strangers on the Internet, even if it’s more work and less pay than getting an actual job. Don’t let them scam you.

Have a great (Mr-Z-free) day!

Your Emsisoft Team.

 

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

* Note: All of “Mr. Z’s” spelling and grammar has been left in its original form. If you can’t understand about half of what he’s saying, don’t worry – neither could we! In general, grammar like this – regardless of language – is a telltale sign that you’re dealing with a fraud.

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next