One of those fake AV scammers who pose as Microsoft agents probably wished they had checked who they were calling when they phoned a security researcher at home.
According to Dark Reading, they called Sourcefire security researcher Noah Magram and claimed they were working for Microsoft – and that Magram’s computer had been sending multiple error messages to the software company and he must have some viruses and malware.
Magram wondered if he could see what their script was and see if he could find what techniques they used.
Magram says the agent on other end of the line was clueless and didn’t stray far from his script.
Magram pretended to be pulling up the event viewer on his Windows machine.
When he said he saw a couple of warnings and errors in his event viewer, a new agent came on the phone.
He urged Magram to install a remote administration tool so the agent could get a closer look at the “problem”.
So he started up a VMware virtual machine on his Windows PC and he gave them an environment they could play in while every movement could be recorded.
But they seem to had forgotten by that point that they were not Microsoft. The site they told him to visit was not Vole’s.
Magram “agreed” to a one-year subscription for a one-time $50 fee, and they pushed him a webpage using a legitimate card processing service. He typed in a test number, which rejected the transaction.
They started disabling all Windows services and said that if Magram did not renew his subscription they couldn’t be “held responsible for what happens next”.
The agent said that they were disabling malware but it was a list of Windows services.
He started to dismantle the VMware and when asked what that was the engineer, identifying himself as Victor, claimed it was malware.
Victor rebooted the machine under safe mode while the agent on the line warned that there was so much malware on the machine that they wouldn’t be responsible for what happened next. Magram knew that Victor’s actions would disable the system altogether after a reboot, but the scammers apparently were trying one last-ditch effort to get him to cough up some cash.
When he told the scammers that they were on a VM, and he was a security expert who had been stringing them along, they quickly hung up.
Magram said the approach was “so stone age” and they were using legitimate RAT tools and an unprofessional and shaky script.
Magram was able to root out that their company’s physical address, if legit, was in Utah. But he doubted that was where they were calling from.
Why he did not try and counter hack them and find out exactly where they were from we don’t know.
There is a video of the whole thing here: