
Hack the Hacker

INTRODUCTION

Social engineering, or social hacking, is a popular way of stealing information by manipulating the human being as the weakest link. The typical social engineering attack described here, usually a phone scam, has been popular for years. The victims are tricked into believing their computers have been updated with security features while in reality their computers have been compromised. Many people fall for this type of scam, resulting in lost time and all too often financial damage. We believe the main reason is that the scammers target people who lack (deep) technical knowledge of, and interest in, how their computer and the online world work.

The solution? We can't expect everyone to become a technical expert. The reason for this blog post, and why we keep repeating the message, is to raise security awareness and to create an understanding of how to deal with these kinds of attacks. Use common sense, never give any kind of confidential data (passwords or otherwise) by phone or email, and never install anything when you are not certain who is asking you to do so. These attackers follow written scripts that trigger an immediate panic or fear reaction (you are in danger!), and once they have your attention they are trained to keep you on the phone and make sure you follow their instructions, all while reassuring you that you are doing the right thing.

The "Microsoft Tech scam" is a popular social engineering technique that has been around since 2008 and targets the less tech-savvy computer users in our society, aka 'the vast majority'. It originates from call centers in India, but can occur in all countries that have a strong English-speaking (business) culture.

Scammers try to talk people into giving them remote access to their computer by persuading the user that it is infected, and then propose a solution for a small fee.

AN UNEXPECTED PHONE CALL

Last week at ZIONSECURITY we received a call from an English-speaking person with a strong Indian accent, calling from a Dutch telephone number. He introduced himself as a Microsoft Tech Support employee.

We immediately realized the intent of the call and decided to play along. The scammer provided us with lots of valuable information, allowing an in-depth analysis of the attack. Meanwhile we could waste his time and keep him from making real victims.

After a short introduction, the so-called "support engineer" notified us of several security issues on our computer. We quickly set up a virtual machine and used it in our cry for help. Apparently our local computer shop would be unable to repair our damaged computer, so we turned all our attention to the "support engineer", who showed us around our computer with great patience.

First, he explained how to open the Event Viewer. There were several security events on our machine, as shown in the screenshot below. Every Windows installation has warnings and errors in its logs, but it is easy to be tricked into believing that there is a real problem.

Secondly, we were asked to open the certificate manager. The scammer guided us to one specific Microsoft certificate which had expired in 1995! An expired certificate sitting in the local store is not a sign of infection, but an unsuspecting user is easily convinced that maintenance is required before the computer can ever be used safely again.

This far into the conversation we had spent about half an hour following instructions, only to be convinced of the problem. This shows the persistence and patience these attackers can muster.

Our 'savior' on the other end of the line reassured us that everything could be resolved, but we had to follow his instructions closely. We were asked to download an older version of TeamViewer and connect to his partner ID. This way he could follow our every move and take control of the computer. Surprisingly, he did not act once given control over our device. He explained that we were now connected to a Microsoft secure server and asked us to write a code down. We grabbed pen and paper and he started to dictate.

While we looked down at our paper, he quickly took control of the computer and disabled the graphics card. The support engineer explained that we might see a flicker and a black screen. The screen turned black, but as we were working in a VM the guest window was simply resized and we kept full visibility of what the attacker did next. He asked us to tell him as soon as the screen restored itself; this would let him know to stop whatever he was doing. So we played along and told him the screen remained dark.

CONVERSATION

Below you can find a snippet of the conversation.

Hello, this is Microsoft tech support. We see malicious events/viruses on your computer. We are going to guide you through the process of fixing your computer.

Oh no! Can you really see that my computer is infected? Please help me to get rid of the viruses.

Don't worry! I am going to show you how to clean up your computer. In the Windows search bar at the bottom of your screen, please type eventvwr. Do you see a window popping up? Can you tell me how many error messages you see?

Yes sir, I typed in eventvwr in the search bar and we see many error messages as the program opened. Are you going to be able to fix them?

The command eventvwr opens the Event Viewer (eventvwr.msc), the Microsoft management console snap-in that displays the Windows Application, Security, System and Setup logs. Typing it in the search bar or the Run dialog is just another way to open it besides the Control Panel. Every Windows computer has warnings and errors in these logs; their presence proves nothing about an infection, which is exactly why scammers use them.

..in the Windows search bar type certmgr ... go to Certificates -> Microsoft Hardware Compatibility -> click on Open. When you see "This certificate is expired", it means you are at high risk, we are going to fix that issue for you. Please open your browser and download TeamViewer from http://filehippo.com/download_teamviewer/

When non-technical people see errors on their computer for the first time, they start to panic and want a solution, and they trust the so-called Microsoft Tech Support guy on the other end of the line to solve the problem. The scammers first want to show people that their computer is at risk; the errors in the Windows Event Viewer and the old certificates that reside on every computer are their favourite examples.
TeamViewer is a legitimate software package for remote control, desktop sharing and online meetings. In this case it is being used to take over your computer for malicious purposes.

Is this program going to fix all my viruses? Thank you so much!

It is noticeable that the scammer speaks calmly, and you can even tell that he is reading from a checklist. He really is trained to talk people into the scam. Social engineering is a technique to obtain information or access from people by convincing them to perform actions they normally wouldn't.

When you have successfully installed and executed TeamViewer, it will ask you for a password to log in. This will enable you to connect to our secure Microsoft Server. The password is ******. Once you see a window popping up, you are connected to the Microsoft Secure Server.

OK, we entered the password and we see a program window.

Do you see any changes to the screen? Please take pen and paper.

What do you want us to write down?

Nasty trick here! He asked us to take pen and paper to distract us while he poked around the computer.
The first action the scammer took was to disable the monitor so we couldn't see what was happening. He asked several times whether we could see the screen again. To reassure people that nothing is wrong, he just says that an automated program is checking the computer for errors.

I am going to open a tool that checks your computer for malicious events/viruses and automatically removes them.

The command syskey starts the SAM Lock Tool. It is a Windows utility that encrypts the password hashes in the SAM database, the file on your computer where the local account passwords are stored (as hashes). By default the encryption key is kept on the machine itself and Windows boots as usual.

If the SAM Lock Tool is instead configured to require a startup password, the computer will ask for that password the next time it boots. Because the scammer had control of the computer and typed the password himself, only the scammer can unlock your computer: your own data is being held for ransom. (Windows 10 no longer ships syskey.exe from version 1709 onwards, but older installations remain exposed.)

After playing along for over an hour, we carefully let the scammer know that we were ending the call. We had enough information to go on.

FIRST AID FOR NEW VICTIMS

1. Disconnect your computer

Unplug the network cable from the affected computer and turn off its wireless connection. You can also put the device in airplane mode (Windows 10).

If you installed the remote administration tool as they directed, they may still have access to your personal files after the phone call is over. They can also install keylogger malware to record your passwords, including those for your bank accounts. You should assume from this point on that your computer is no longer yours.

You should restore an older backup or even reinstall your computer. If you're not comfortable doing this, consider taking your computer to a repair technician or contact your local sysadmin.
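Before you wipe the machine, it is worth knowing what the scammer actually did: whether a syskey startup password was set (as described in the conversation above), which remote sessions TeamViewer accepted, and whether anything was installed as a service. The following triage script is an example added here, not part of the original post and not a Microsoft or TeamViewer tool. It assumes a Windows machine, an elevated PowerShell session started after the computer was disconnected from the network and before any reboot, and the documented locations for the syskey mode (the SecureBoot value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and the TeamViewer inbound-session log (Connections_incoming.txt in the install folder).

```powershell
# Added triage script (example, not from the original post or any vendor).
# Assumptions: Windows, elevated PowerShell, machine already offline, not yet rebooted.
# Registry/log locations are the documented ones; adjust if TeamViewer was installed elsewhere.

function Get-SyskeyStatus {
    # SecureBoot: 1 = system key stored on the machine (Windows default),
    #             2 = startup password required, 3 = key on removable media.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name SecureBoot -ErrorAction SilentlyContinue
    switch ($lsa.SecureBoot) {
        1       { return 'syskey: key stored on this machine (default), no startup password' }
        2       { return 'syskey: STARTUP PASSWORD SET - do NOT reboot until your data is backed up' }
        3       { return 'syskey: startup key expected on removable media' }
        default { return 'syskey: SecureBoot value not present (syskey.exe removed in Windows 10 1709+)' }
    }
}

function Get-TeamViewerIncoming {
    # TeamViewer logs every inbound session as a tab-separated line:
    # remote ID, remote display name, start, end, local user, type, connection ID
    $logs = @("$env:ProgramFiles\TeamViewer\Connections_incoming.txt",
              "${env:ProgramFiles(x86)}\TeamViewer\Connections_incoming.txt")
    foreach ($log in $logs) {
        if (-not (Test-Path $log)) { continue }
        foreach ($line in Get-Content $log) {
            $f = $line -split "`t"
            if ($f.Count -lt 4) { continue }
            [pscustomobject]@{ RemoteId = $f[0]; RemoteName = $f[1]; Start = $f[2]; End = $f[3]; Log = $log }
        }
    }
}

function Get-RecentServiceInstalls {
    # Event ID 7045 in the System log is written whenever a new service is installed;
    # a remote-control or persistence tool dropped during the call shows up here.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-SyskeyStatus
'--- TeamViewer sessions accepted by this machine ---'
Get-TeamViewerIncoming | Format-Table -AutoSize
'--- Services installed in the last 7 days ---'
Get-RecentServiceInstalls | Format-Table -AutoSize -Wrap
'--- Remote-control processes still running ---'
Get-Process -Name 'TeamViewer*' -ErrorAction SilentlyContinue | Select-Object Name, Id, Path
```

Nothing in this script undoes the damage; it only records what happened so you can decide what to save before reinstalling. If it reports a startup password, keep the machine running, copy your documents to external media first, and only then rebuild: once rebooted, the SAM cannot be unlocked without the password the scammer chose.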

2. Change your passwords

After you have made sure that your system is free of malware and keylogger software, change all your important passwords. Make sure to choose strong passwords when creating new ones. Don't do this while the computer is still infected, only after it has been repaired.

We highly recommend using a password manager like 1Password, KeePass, LastPass or Dashlane.

3. Alert and educate about this scam

Even though this scam is affecting millions of people, there is an astonishingly large number of people who are not aware of these practices and are still easy targets. Security awareness and prevention is key to avoid this type of scam. Social-share this message and spread the word to your friends and family.

Awareness TIPS:
  • NEVER give any personal information or passwords to anyone
  • A technical support call is always initiated/asked/triggered by you. Large enterprises will never call people at random for PC or Tech Support.
  • Never let a third-party get control over your computer (business or private) unless you are 100% sure it is a legitimate source. If any doubt, write the number down, end the call and ask someone!

Thanks for reading! Feedback welcome info@zionsecurity.com
