Microsoft scam department

My letter and wish to Santa Claus were finally granted. Yesterday I got a call from +0191, claiming to be Microsoft Support and that I had been sending a lot of bad traffic during the last few days. I did exactly what my mother told me not to: talk to strangers and invite them in.

While stalling the technician, waiting for me to boot my slow PC, I popped a Win 8.1 VM, made a few fake important files in My Documents and on the desktop, and disabled all security settings.

Let the game begin!



As expected, Microsoft had detected a lot of bad traffic from my computer and wanted me to verify this by pressing "Windows+R" and opening eventvwr.exe (Event Viewer). I was then told to click Custom Views, Administrative Events and confirm all the malicious errors and warnings I had, which were causing extreme problems for Microsoft.
eventvwr

To solve these error messages I had to google pc101.ga and click on the link "Windows Support – XPRS". We started recording this conversation at the same time as I was navigating to their support site.

I was doing my best to act as a noob while making them believe that I trusted them, so I followed their instructions blindly to install TeamViewer, where they would now solve all my problems.

Windows security center

Microsoft was confirming all the problems I had through TeamViewer and that they would now install protection to keep me safe, and what they do here is a bit nasty. By activating Syskey with a manual password you get an extra password prompt when starting your computer, and you won't be able to log in after a reboot if you do not know this password. There are some tricks for older systems like Windows XP where you can use "Hiren's BootCD" to remove Syskey, but using this on Windows Vista+ will cause a permanent boot loop. Syskey only encrypts the password hashes in the SAM hive, so your documents, pictures and data will not get encrypted by it; you can always mount the disk and extract files through a Linux live CD before you reinstall Windows.
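A quick way to tell whether a "support" session left a Syskey startup password behind is to read the startup mode from the registry, either on the running machine or from a victim disk mounted on another box. The following is an added example and not code from the original post; it assumes the commonly documented meaning of the `SecureBoot` value under the `Lsa` key (1 = key stored locally, 2 = startup password, 3 = key on removable media) and that `reg.exe load` is run from an elevated shell. Syskey was removed from Windows 10 starting with version 1709, so on current builds the value is simply absent.

```powershell
# Added example, not code from the original post: report the Syskey startup mode.
# Assumption: the SecureBoot DWORD under ...\Control\Lsa means
#   1 = key stored on the local machine (default, no extra prompt)
#   2 = startup password required (what the scammer configured)
#   3 = key stored on removable media
# as commonly documented for syskey.exe.
function Get-SyskeyMode {
    param(
        # Path to an offline SYSTEM hive, e.g. a victim disk mounted as D:.
        # Leave empty to inspect the running machine.
        [string]$OfflineHive = ''
    )
    $hiveName = 'SyskeyCheck'   # temporary mount point under HKLM for the offline hive
    if ($OfflineHive) {
        # An offline hive has no CurrentControlSet link; resolve it from Select\Current.
        & reg.exe load "HKLM\$hiveName" $OfflineHive | Out-Null
        $current = (Get-ItemProperty -Path "HKLM:\$hiveName\Select" -Name Current).Current
        $lsa = "HKLM:\$hiveName\ControlSet{0:D3}\Control\Lsa" -f $current
    } else {
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    }
    try {
        $value = (Get-ItemProperty -Path $lsa -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot
        switch ($value) {
            1 { 'Key stored locally: normal boot, no Syskey password prompt' }
            2 { 'PASSWORD STARTUP: a Syskey password is required at boot' }
            3 { 'Key on removable media: floppy/USB required at boot' }
            default { "SecureBoot not set or unexpected value: $value (no Syskey, or syskey removed in this Windows build)" }
        }
    } finally {
        # Always release the offline hive, even if reading the value failed.
        if ($OfflineHive) { & reg.exe unload "HKLM\$hiveName" | Out-Null }
    }
}

# Live machine:
Get-SyskeyMode
# Victim disk mounted under D: from another Windows box or WinPE:
# Get-SyskeyMode -OfflineHive 'D:\Windows\System32\config\SYSTEM'
```

The offline path is the useful one in practice: once the scammer's password is in place you cannot log in to run anything, but the SYSTEM hive on the disk is readable from any other Windows installation or a WinPE stick, and this confirms the boot prompt is Syskey rather than something else before you decide between a reinstall and a backup-restore.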

syskey

They kept repeatedly asking me what I was using this computer for:
– Work / Private?
– Google / Facebook?
– Shopping?
– Important documents and pictures?
– Online banking, and specifically whether I had a bank account with DNB
– Visa or Mastercard?

I was escalated to a senior technician after answering all their questions correctly.
The senior technician opened msconfig to show me that the services "Encrypting File System (EFS)" and "Windows Encryption Provider Host Service" were stopped due to all my errors.

Next, they were kind enough to explain and show me that my Microsoft license had expired. If I did not renew my license, I would lose all my documents and files.

As you clearly see, the "license" in certmgr.msc has clearly expired 😛
expired license

Since my license had expired, I clearly had to get a new one – right away!
And again, they were asking me if I had a DNB bank account.

I was actually surprised here: they opened up https://www.westernunion.no, clicked Register, zoomed Chrome out to 25% and started to modify the header with the inspection tool.
inspect

As you probably already guessed, I declined to fill out the registration form, since it would have forced me to log into my email account for registration verification while they were watching. I would also have blown the whole thing if I had registered under a temporary email like http://temp-mail.org/

This was unexpectedly escalated to the "leader of the department" – Lord of War – where the fun ended. Did he notice that my Windows user was "testuser", the different hacking tools and scripts on the Desktop and in My Documents, or maybe that this was just a dead end?

They manually started going through my folders and deleted any files they could find on the Desktop and under My Documents. O_o Yes, they did this through TeamViewer while I was watching them.

I terminated the network connection to see if they had left any traces, but without luck. I was unable to find any traces of file transfers in the TeamViewer log, no new users, keyloggers, changed files or backdoors, and no suspicious network traffic in the Wireshark dump. Everything seems to have been done through the TeamViewer session.

Thank you Santa Claus for giving me 45 minutes of priceless fun with the Microsoft Scam Department!!!
