Microsoft Phone Scam Still Running

Have you seen reports about people from Microsoft Tech Support, who call you because you have malware on your computer? Have you had a call from a plausible sounding agency saying you have a virus on your PC? Did you feel uneasy about someone who knew your name and had details about how slow your PC was running? Chances are that you have been at least peripherally involved with a Phishing attack. Today’s security incident concerns the Microsoft Phone Scam, which is still running after eight years or so.

Why the Microsoft Phone Scam?

This attempt to get access to PCs, or personal information on them, often targets Windows users, so the scammer claims to be from Microsoft tech support. They target Windows-based PCs because there are a lot of them, but they are equal opportunity criminals. They will attempt to hack a Mac too.

What the Scammers Do

Today the support line received a call from a very helpful gentleman named Derek, who claimed to be from Microsoft tech support. He asked for me by name, which was nice, but then went on to explain how my PC had become infected by malware, and so was running slowly. A safe bet really. Is there anybody who doesn’t think their Facebook response time could be quicker? Pity that his technical report did not tell him I was using a Mac. Still, we decided to let the call run, as we were recording for training purposes.

He then proceeded to explain that the fix for this problem was simple, and would only involve typing something into the command line. We got him to repeat the instructions several times to make sure we got it right. Had we actually been following his very patient instructions, we would have connected to fastsupport.com and accepted a GoTo Assist remote call. This would have given him unrestricted access to our PC, at user level, so he could have installed anything he liked.

Unfortunately we developed “technical difficulties” once we received the support key number, and had to hang up on Derek. He was persistent, and called back five times over the next ten minutes. He even let the phone ring for up to two minutes at a time. When we tired of this game, we answered, and informed Derek that we were cyber security specialists, investigating Phishing attacks. We told him that we were recording the conversation, and pointed out that our PC was, in fact, a Mac. He still tried to get us to accept the remote access call!

You couldn’t make this up!

How the scam works

Rather than producing a computer virus directly, which is time-consuming and involves skill, these scammers resort to Social Engineering. This is the practice of manipulating people so they give up confidential information. If they can trick you into letting them access your computer remotely, they can secretly install their malicious software themselves. That would give them access to your passwords and bank information, as well as giving them control over your computer.

How to deal with Microsoft phone scam calls

As Fast Support is a legitimate company, they have a mechanism to prevent abuse of their system. If you want to get one back at the scammers, play along up to the point that they give you the support key. Get them to repeat it a couple of times, to make sure you have it right, and then hang up and report the incident to Fast Support using the following link: www.fastsupport.com/abuse. You will only need the support key number, and it only takes a couple of seconds.

What Else You can Do

Probably the most important thing you can do is let people know about the Microsoft phone scam. It preys on people’s insecurity about their lack of technical knowledge. The best defence against Social Engineering is sharing knowledge, so tell everyone about it.

You can also report the incident to the police through www.actionfraud.police.uk/. As we have pointed out previously, they will only record the incident for statistical purposes.

Another PayPal Scam Email To Delete

Another day, another PayPal scam email hits the in-box. It would be easy for someone to think that this was genuine, especially when it is rendered with PayPal graphics. This is why we investigate each and every scam email to see how convincing they are, and assess the risk of people getting fooled into responding. We then report them through the appropriate channels, and encourage others to do the same.

What to look for on this PayPal scam email

The email, reproduced below, is based on a genuine PayPal notification, but with subtle differences.

[Image: PayPal scam email]

A quick check of the sender, by hovering over the "from PayPal" name, shows that it is directing to someone called anitad@uvigo.es. So the PayPal scam email would send your reply there, not to PayPal! Be warned.

The "Log in now" button does render in the browser as a button, but we have the HTML blocked to avoid surprises. As you might expect from a scam email, it does not point to PayPal either, but to an unlikely domain registered in Australia. This site is buried at the bottom of a deep sub-domain chain, so it is possible that the site owner does not know about it. We will be contacting the organisation separately, as they might not even be aware that their site is being used nefariously.

How to deal with PayPal scam emails

Make sure your family, friends and colleagues are aware that these emails are out there, waiting to trap the unwary. If you receive an email claiming to come from PayPal, please do not reply to it. Do not click on any link or button, or open any attachments. Simply forward the email to spoof@paypal.co.uk, then delete it.

You can also report the incident to the police, although they will only record it for statistical purposes. The police suggest that the public can help disrupt fraudsters by reporting scam emails. People are urged to report them through reportlite.actionfraud.police.uk.

What else can we do?

For further advice on fraud and how to avoid it, see the police fraud action website: www.actionfraud.police.uk
For further information on phishing and malware please use the following links:
www.actionfraud.police.uk/fraud-az-phishing
www.actionfraud.police.uk/fraud-az-malware

VAT Return and Payment Overdue Scam Email

Why User Vigilance Is Important

Today we received a gentle reminder that no matter how hard we work to keep out cyber-threats, there is always a weak link to target in any business system. The users. This exploit concerns a VAT Return and Payment Overdue scam email which was received in the office today. The instant reaction was to jump to the conclusion that we had to do something quickly, to avoid a penalty. Which is just what the reprobate behind the email was hoping.

What To Look For

This is a warning about a VAT Return and Payment Overdue scam email, which may catch out the unwary. If you are a business owner or have responsibility for finance matters please watch out for this innocent looking communication.

[Image: VAT Return and Payment Overdue scam email]

How To Tell It Is A Scam Email

[Image: WhoIs result for the VAT Return and Payment Overdue scam email]

If you hover the mouse over the sender, most good email systems will tell you the address you will be replying to. In this case you will not be surprised to learn that it is not from HM Revenue and Customs (HMRC) at all! It comes from a suspicious email address which is registered to someone called Denis. Denis apparently lives in Moscow, and is using the unlikely email address of info@hmrccustomersupport157.top.
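The hover check used here, and on the PayPal email earlier, can be automated for a mailbox. The following is an added example, not part of the original article: it flags a From or Reply-To address whose domain does not belong to the brand named in the display name. The brand allow-list and the sample headers are assumptions, constructed from the addresses quoted on this page.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list (not from PayPal or HMRC): brand -> (keywords, sending domains).
BRANDS = {
    "PayPal": (("paypal",), ("paypal.com", "paypal.co.uk")),
    "HMRC": (("hmrc", "hm revenue"), ("hmrc.gsi.gov.uk",)),
}

def domain_allowed(domain, allowed):
    """True only for an allowed domain or a subdomain of one (no substring match)."""
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def check_sender(raw_message):
    """Return findings where the display name names a brand but the address does not."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    for brand, (keywords, allowed) in BRANDS.items():
        if not any(k in display.lower() for k in keywords):
            continue
        for header, addr in (("From", from_addr), ("Reply-To", reply_addr)):
            domain = addr.rpartition("@")[2]
            if addr and not domain_allowed(domain, allowed):
                findings.append(f"{header} claims {brand} but uses {domain}")
    return findings

# Constructed sample headers built from the addresses quoted in the article.
SAMPLE_PAYPAL = "From: PayPal <anitad@uvigo.es>\nSubject: Account notice\n\nbody\n"
SAMPLE_HMRC = ('From: "HM Revenue and Customs" <info@hmrccustomersupport157.top>\n'
               "Subject: VAT Return and Payment Overdue\n\nbody\n")
SAMPLE_GENUINE = "From: HMRC <no.reply@advice.hmrc.gsi.gov.uk>\nSubject: VAT\n\nbody\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PAYPAL, SAMPLE_HMRC, SAMPLE_GENUINE):
        print(check_sender(sample) or "no mismatch")
```

The comparison is against whole domain labels on purpose: hmrccustomersupport157.top contains the string "hmrc", so a simple substring test would wave it through.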

When The Penny Drops

After a few laps of the office, looking for a quick solution, or a way to pass responsibility over to someone else, the recipient had the good sense to check up via the HMRC website. The information there on the site, which is linked below, made him think twice. He reported the matter to Information Security, fortunately, before clicking on and opening the email attachment.

Cost of the VAT Return and Payment Overdue Scam

In our case, the cost of this particular email scam was trivial. It mostly involved additional wear and tear on the carpet and some lost productivity. According to an anonymous source in finance, there was also some lost paint from the ceiling. It could have been much more costly, if the user had opened the attachment and did not have up-to-date antivirus.

While HMRC may send you an email if you are overdue with VAT payments, they will use the normal contact email address, and will recommend that customers pay online to avoid further action. These emails will never ask you to provide personal or financial information. You won’t be able to reply to the emails, which will be sent from no.reply@advice.hmrc.gsi.gov.uk.

In Conclusion

This VAT Return and Payment Overdue scam email has been timed to catch the unwary by being the right date, but a month early. Let people know that they should ignore the call to act immediately, and instead report the matter to IT security. Even if there is no malicious payload in the attachment, scam emails like this can disrupt the flow of energy in a business and ultimately cost money.

The Upside

On the upside, this scam is an early reminder that our VAT return has to be completed at the end of this month, so I might go and give the finance team a gentle reminder!

Further Information

For authoritative information about when your VAT return is due, see www.gov.uk/vat-returns/deadlines

To report instances of this email scam, forward the suspicious emails to HMRC phishing team at: phishing@hmrc.gsi.gov.uk

Visa Scam Email Circulating

The spam filters are currently picking out a Visa scam email which claims that your card has been blocked for security reasons. If your email client will render the HTML, it looks something like this:

[Image: Visa scam screenshot]

Analysis of the content shows a hyperlink which claims to point to visa.ca, but in fact is a link to an IP address in the Republic of Korea. Launching the link will only get you a page that looks like this:

[Image: Visa scam link screenshot]

If you have received any of this type of email, and want to find out where the masked link is actually pointing, you could try looking it up via ipchecking.com. However, the best advice with this scam is to press delete, and save your mailbox space.