Microsoft Phone Scam Still Running

Have you seen reports about people from Microsoft Tech Support, who call you because you have malware on your computer? Have you had a call from a plausible sounding agency saying you have a virus on your PC? Did you feel uneasy about someone who knew your name and had details about how slow your PC was running? Chances are that you have been at least peripherally involved with a Phishing attack. Today’s security incident concerns the Microsoft Phone Scam, which is still running after eight years or so.

Why the Microsoft Phone Scam?

This attempt to gain access to PCs, or to the personal information on them, usually targets Windows users, so the scammer claims to be from Microsoft tech support. They target Windows-based PCs because there are a lot of them, but they are equal opportunity criminals. They will attempt to hack a Mac too.

What the Scammers Do

Today the support line received a call from a very helpful gentleman named Derek, who claimed to be from Microsoft tech support. He asked for me by name, which was nice, but then went on to explain how my PC had become infected by malware, and so was running slowly. A safe bet really. Is there anybody who doesn’t think their Facebook response time could be quicker? Pity that his technical report did not tell him I was using a Mac. Still, we decided to let the call run, as we were recording for training purposes.

He then proceeded to explain that the fix for this problem was simple, and would only involve typing something into the command line. We got him to repeat the instructions several times to make sure we got it right. Had we actually been following his very patient instructions, we would have connected to fastsupport.com and accepted a GoTo Assist remote call. This would have given him unrestricted access to our PC, at user level, so he could have installed anything he liked.

Unfortunately we developed “technical difficulties” once we received the support key number, and had to hang up on Derek. He was persistent, and called back five times over the next ten minutes. He even let the phone ring for up to two minutes at a time. When we tired of this game, we answered, and informed Derek that we were cyber security specialists, investigating Phishing attacks. We told him that we were recording the conversation, and pointed out that our PC was, in fact, a Mac. He still tried to get us to accept the remote access call!

You couldn’t make this up!

How the scam works

Rather than producing a computer virus directly, which is time consuming and requires skill, these scammers resort to Social Engineering. This is the practice of manipulating people so that they give up confidential information. If they can trick you into letting them access your computer remotely, they can secretly install their malicious software themselves. That would give them access to your passwords and bank information, as well as control over your computer.

How to deal with Microsoft phone scam calls

As Fast Support is a legitimate company, they have a mechanism to prevent abuse of their system. If you want to get one back at the scammers, play along up to the point that they give you the support key. Get them to repeat it a couple of times, to make sure you have it right, and then hang up and report the incident to Fast Support using the following link: www.fastsupport.com/abuse. You will only need the support key number, and it only takes a couple of seconds.

What Else You can Do

Probably the most important thing you can do is let people know about the Microsoft phone scam. It preys on people’s insecurity about their lack of technical knowledge. The best defence against Social Engineering is sharing knowledge, so tell everyone about it.

You can also report the incident to the police through www.actionfraud.police.uk/. As we have pointed out previously, they will only record the incident for statistical purposes.

Microsoft Lobbying Practices Accused Again

Once again, Microsoft has been accused over its UK government lobbying practices, according to an article in Computer Weekly yesterday.

In the article by Brian Glick, Steve Hilton, a former director of strategy to David Cameron both as opposition leader and as prime minister, claims that Microsoft threatened to shut down research facilities in Conservative constituencies over Tory plans for government IT reforms.

According to The Guardian, Hilton told an event in London to promote his new book that, “When we proposed this, Microsoft phoned Conservative MPs with Microsoft R&D facilities in their constituencies and said, ‘We will close them down in your constituency if this goes through’.”

It appears that Microsoft has lobbied for years to prevent the government pursuing its open standards policy, which arguably levels the playing field for other software vendors. After a somewhat controversial consultation process, the adoption of the open source Open Document Format (ODF) as the standard for document formats was confirmed by government in July last year.

The International Organisation for Standardisation (ISO) had previously approved the open source Open Document Format (ODF) as an international data format standard. The ODF Alliance, a cross-section of industry associations, academic institutions and suppliers with more than 150 members worldwide, had been lobbying for the decision. The ODF Alliance was created to address the risk of proprietary software limiting the ability of governments to access, retrieve and use records and documents in the future.

While it is often good sport to knock Microsoft for being a giant of the industry, and stifling (or buying up) the competition, if these accusations are true then the criticism is justly deserved. Round the office, we suspect that the motivation may be less about open standards, and more about potential market share and loss of revenue. If government should enact the long threatened Open Source initiative, then the writing may be on the wall for the big ticket software packages, at least in public service.

Perhaps that would be a good thing for consumers in general, and tax payers in particular.


Microsoft Offers Reward for Information on Rustock Botnet

In a further move against international cyber criminals, Microsoft has offered a reward of $250,000.00 for information that results in the identification, arrest and criminal conviction of those responsible for controlling the notorious Rustock botnet.

Microsoft says that Rustock infections, counted by IP address, have fallen by more than 50% worldwide since the company took action in March. Microsoft took the infamous Rustock botnet down earlier this year alongside U.S. enforcement agents, and claims that it remains dead.

The Rustock botnet was the largest source of spam in the world, consisting of around 150,000 machines sending around 30 billion spam messages a day. The take down was part of Microsoft’s fight against illegal botnets, designed to stop the spread of malware and spam mail.

Anyone with information on the Rustock botnet or its operators should contact Microsoft at avreward@microsoft.com.

To find out more about Microsoft Offering a Reward for Information on Rustock Botnet, click here to see the post on the Official Microsoft Blog.

If you have missed previous TechCo Support postings about the fight against the menace of botnets and the progress of the Microsoft Digital Crimes Unit, please see:

Microsoft Reward Document

Microsoft Floors The Coreflood Botnet

With headlines like “More Than 2 Million Computers Infected with Keylogging Software as Part of Massive Fraud Scheme”, the U.S. Department of Justice (DoJ) and Federal Bureau of Investigation announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order as part of the most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet.

The U.S. Attorney’s Office for the District of Connecticut has filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications.

The Coreflood botnet is a particularly harmful type of malicious software that records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, known as a command and control (C & C) server.

Interestingly, the US Government also obtained a temporary restraining order (TRO), granting authorization to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers.

Essentially the DoJ was allowed to impersonate the commanding servers and send a Stop command to the botnet agents that were tethered to the 5 illegal command and control (C&C or CnC) servers. This is believed to be a precedent, and opens the door for more active countermeasures against these criminal money-making networks.

Following on from the earlier successes against the Rustock botnet in March, and the Waledac botnet in February, this action takes the war against these cyber criminals a stage further.


Microsoft Claims Rustock Botnet Takedown

Have you missed your daily dose of spam emails advertising everything from Viagra to fake pharmaceuticals and watches this week? According to a link spotted on eWeek, Microsoft is claiming responsibility for the takedown of the massive Rustock botnet, which stopped sending out spam midmorning on 16 March 2011.

This operation, known as Operation B107, is the second high-profile takedown in Microsoft’s joint effort between Microsoft Digital Crimes Unit (DCU), Microsoft Malware Protection Center and Trustworthy Computing – known as Project MARS (Microsoft Active Response for Security) – to disrupt botnets and begin to undo the damage the botnets have caused.

The previous operation against the Waledac botnet (B49) followed a judgement by the US District Court of Eastern Virginia, that upheld a recommendation to grant Microsoft’s motion for the transfer of the domains behind the Waledac botnet to Microsoft.

The Rustock Botnet is estimated to have infected up to 1.7 million computers worldwide, and up to the end of 2010 may have been responsible for almost 50% of the spam sent worldwide. At times Rustock was capable of sending 30 billion spam e-mails per day.

The Rustock Botnet was identified as being more complicated than the Waledac botnet, using hard-coded IP addresses rather than domain names, and peer-to-peer command and control servers. To combat this, Microsoft obtained a court order allowing them to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis.

The number of computers which can be linked in a botnet is mind boggling, and because the bots are so versatile their use is limited only by the imagination of their controller, or bot-herder.

In order to combat botnets, Microsoft encourages every computer owner to make sure their machine isn’t doing a criminal’s dirty work. If you believe your computer may be infected by Rustock or another type of malware, we encourage you to visit support.microsoft.com/botnets for free information and resources to clean your computer.


Finally, for everyone who likes comics, check out the Microsoft comic strip Terrifying Tales of Digital Delivery

Microsoft Takes Down The Waledac Botnet

In a post on the Official Microsoft blog, entitled Cracking Down on Botnets, Microsoft announced the takedown of the Waledac botnet, one of the 10 largest botnets in the United States and a major distributor of spam globally. Microsoft achieved this after a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals.

In a complaint filed in the Eastern District of Virginia on 22 February against John Does 1-27 et al, Microsoft alleged that the “Doe defendants have undertaken the foregoing acts with the knowledge that such acts would cause harm through the .com domains located in Virginia and through user computers located in Virginia, thereby injuring Microsoft, its customers and others both in Virginia and elsewhere in the United States”. This argues that the Virginia Court has jurisdiction over the case regardless of where the perpetrators reside.

The takedown of the Waledac botnet, or Operation B49 as it was known internally at Microsoft, was the result of months of investigation. The Waledac botnet is believed to have had the capacity to send over 1.5 billion spam emails per day. From Microsoft’s analysis, between 3 and 21 December 2009 approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone.

This legal and industry operation against Waledac is the first of its kind, but hopefully it won’t be the last. Microsoft has acted with experts from the international security community to combat this menace to computer users everywhere. However, taking down the botnet is not the end of the story.

Thousands of computers are still infected with the Waledac computer worm, a self-replicating malware program. Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware. Microsoft advises people running Windows machines to visit the Microsoft Security Web site, where they can find Microsoft’s Malicious Software Removal Tool, which removes Waledac.
