posted 02 Jun 2012, 00:18
Fake AV scammers who pretended to be Microsoft agents might have wished they had double-checked who was on the phone when they called a security researcher at home. The scammers accidentally called a Sourcefire security researcher named Noah Magram. They claimed to be working for Microsoft and said that the victim’s PC had been sending multiple error messages to Microsoft because of malware.
The researcher wondered whether he could see their script to find out what techniques the scammers used. He explained that the “Microsoft” agent was clueless and did not stray far from his script. So, Noah Magram pretended to be pulling up the event viewer on his Windows PC. After Magram said he saw a few errors in his event viewer, another agent came on the phone, who urged the victim to install a remote administration tool in order to let him get a closer look at the problem.
That’s when the security researcher started up a VMware virtual machine on his Windows computer to give the scammers an environment where their every move was recorded. However, the scammers seemed to forget that they weren’t actually Microsoft, because the website they told him to visit was not Vole’s. The researcher “agreed” to a 1-year subscription for $50, and found himself on a webpage with a legitimate card processing service. After a test card number was typed in, the transaction was rejected.
At this point, the scammers started disabling all Windows services and claimed that if the victim didn’t renew his subscription, they couldn’t “be held responsible for whatever happens next”. Although the agent, identifying himself as Victor, assured him that they were disabling malware, what they were actually disabling was a list of Windows services, including VMware’s. He then rebooted the PC into safe mode, and the agent on the line said there were too many viruses on the PC. The security researcher knew that their actions would disable the system altogether after a reboot, but the fake “Microsoft agents” were apparently making one last-ditch effort to get Magram to cough up some cash.
When Magram finally told the scammers that they were on a virtual machine, and that he was a security researcher who had been stringing them along, the scammers quickly hung up. He said their approach was “stone age”, and added that they were using legitimate remote administration (RAT) tools coupled with an unprofessional and shaky script. Meanwhile, their company’s physical address, if legitimate, appeared to be in Utah, but Magram doubted that was where the scammers were calling from.