New "Microsoft Virus Scare" Scam that looks relatively authentic to the uninitiated

britechguy


A new client just got scammed yesterday, and this is one of the more convincing versions of this scam I've seen. I'm impressed that she took the photo, but a bit confused as to why she did if she did not have instant suspicion. But she terminated the interaction too late. They'd already remoted in with Teamviewer and asked her to pay them, in Bitcoin, after having removed ESET and noodling around for a while (looking for what, I don't know). She did not pay, and terminated things, but too late.

A completely clean reinstall of Windows was done, and I Fabs-ed her user data off the old and back on to the freshly reinstalled again. I figure if anything was implanted in a user data file either Windows Defender or ESET will detect it.
 
I am unsure if I would have restored her data, once someone has breached [remoted in], that is it full nuke with no survivors. MS never ask one to contact them immediately, it takes forever if not on an Admin Business Sub. I think maybe your clients need to be more educated on this factor.
 
@frase:

This is a residential user.

I am willing to roll the dice, and have many times, with restoring user data, as I've never had an issue and I'd hope that any competent security suite would detect, and remove, anything that could be embedded in data.

But the OS, no.

To be perfectly honest, I consider this kind of scam a "smash and grab" kind of affair, but since they could leave something behind and lurking "deep down" it's a nuke and pave on the OS side.

I have educated the client that no legitimate security focused product, Microsoft's or otherwise, will EVER present any sort of warning asking you to call them. I think I definitely have a "once burned, twice shy" situation here, which is just what I want. She's now on her guard.
 
I am unsure if I would have restored her data, once someone has breached [remoted in], that is it full nuke with no survivors.
I get customers with these remote access scams nearly every week. All I've seen are quite unsophisticated. The remote access is to convince the watching victim that there are severe problems that need fixing. Sometimes they display the event log filtering for just warning and errors, other times they install certain malware scanning apps that always display items that need fixing. These are the reasons for remote access, simply to convince them to pay money.

The worst I've seen is configuring remote access software to allow unattended access, so some days later the victim gets a fright when someone takes control of the cursor and writes a message in notepad. Years ago they used to sometimes change the password (or add a registry password) in an attempt to get the victim to call the scammer back.

Never have I seen actual malware planted on a victim's computer by these remote access scammers. There's no need to nuke their personal data.
 
Never have I seen actual malware planted on a victim's computer by these remote access scammers. There's no need to nuke their personal data.

That's been my experience, too. There was a time when I would have gone so far as to take a "watch and wait" approach and do virtually nothing because doing an N&P was such a grand PITA (which it no longer is) and even reloading data, settings, etc., was way more of a PITA in my personal "Pre-Fabs" era.

They really want to be paid, and paid as quickly as possible, and then they're generally gone. Even if they're not paid, and the whole interaction is terminated, they're generally gone.

The N&P is as much a "security blanket" as being really about security.

Both Windows Defender and ESET gave the restored data the "All Clear" before the OneDrive unlinking debacle.
 

Another variant of the same scam. This one sounds worse based on the description of the addition of audio warning messages (though that should be a huge tip-off, too - when has any warning from Microsoft or any legit company included an audio script telling you to do or not do something?).

I wish that, somehow, word would finally make it out to the world, and stick in the minds of its inhabitants, that Microsoft simply never presents anything like this, and the best course of action should such occur is an ungraceful shutdown (hold the power button until the machine powers off). Don't interact with anything, at all.

Usually, that does it. It's the interacting and/or calling that is the road to hell.
 
I just had a customer that was "scared" into calling the number... installed a remote software for the bad guys - and then 2 other remote softwares were installed (a total of 3 RMs). They then attempted at least 50 times to perform wire-transfers from his investment accounts overnight. The RM IP addresses resolved to an RU IP address, but who knows really where it originated. The poor guy is 91, but still sharp. He still "trusts" what he reads and hears on the phone, unfortunately.
 
The poor guy is 91, but still sharp. He still "trusts" what he reads and hears on the phone, unfortunately.

Well, I'm not doubting what you've said at all, but I would hope that, "Once burned, twice shy," applies here. Getting taken in by this once is one thing, but more than once is entirely another.
 
Well, I'm not doubting what you've said at all, but I would hope that, "Once burned, twice shy," applies here. Getting taken in by this once is one thing, but more than once is entirely another.
He's getting a Standard User account, and not an Administrator Account - so he won't be able to install software. He's signed up for my managed services and his daughter and I will help him address things in the future.
 
He's getting a Standard User account, and not an Administrator Account - so he won't be able to install software.

I've actually taken that approach with a couple of senior clients with their consent, and it works well. The only time you really run into trouble is for ones that have reason to actually be installing legitimate software more frequently than you'd think, but they are few and far between.

I also recently set up a client who is a minor with the "child monitoring" features that are available on Windows 11, and those could be quite useful for the daughter in this situation even though the person being monitored is not a child. It does let you keep your "finger on the pulse" of activities (and further restrict some, if desired).
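An added example, not code from anyone in this thread, of the cleanup checks discussed above: looking for a remote-control tool left behind (TeamViewer is the one named in the thread; the search pattern is an assumption you extend with whatever you find on the machine), listing who is in the local Administrators group, and demoting the victim's account to a Standard User as described in the previous post. Run it from an elevated PowerShell on Windows 10/11; the account name is a placeholder.

```powershell
# Added example (not from the thread). Run as an administrator on Windows 10/11.
$Victim  = 'VictimUser'   # placeholder: the local account that was used during the scam
$Pattern = 'TeamViewer'   # assumption: extend with any other remote tool found on the box

# 1. Remote-control software still installed (64-bit and 32-bit uninstall hives).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Write-Host "== Installed programs matching '$Pattern' =="
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern } |
    Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString

# 2. Services and scheduled tasks are what keep "unattended access" alive across reboots.
Write-Host "== Services matching '$Pattern' =="
Get-Service | Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern } |
    Select-Object Name, Status, StartType
Write-Host "== Scheduled tasks matching '$Pattern' =="
Get-ScheduledTask | Where-Object { $_.TaskName -match $Pattern -or $_.Actions.Execute -match $Pattern } |
    Select-Object TaskName, State, @{ n = 'Execute'; e = { $_.Actions.Execute -join '; ' } }

# 3. Who can install software right now.
Write-Host "== Members of local Administrators =="
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, ObjectClass, PrincipalSource

# 4. Demote the victim to a Standard User, but only if another admin account remains,
#    otherwise nobody could administer the machine afterwards.
$victimIsAdmin = $admins | Where-Object { $_.Name -like "*\$Victim" }
$otherAdmins   = $admins | Where-Object { $_.Name -notlike "*\$Victim" }
if ($victimIsAdmin -and -not $otherAdmins) {
    throw "Create a separate administrator account before demoting '$Victim'."
}
if ($victimIsAdmin) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $Victim
    Add-LocalGroupMember -Group 'Users' -Member $Victim -ErrorAction SilentlyContinue
    Write-Host "'$Victim' is now a Standard User; installs will prompt for an admin password."
} else {
    Write-Host "'$Victim' is not a local administrator; nothing to change."
}
```

The uninstall, service and task listings are what you review before the nuke and pave; on a machine that is being rebuilt anyway, step 4 is what you apply to the fresh install.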
 
anything telling you to call a phone number is BS
 