Link: https://domain343698.online/768/483957629/errorlist/093958356/7352305285/errorreport/x00EdsjsjhsOkhkasdVX0/
appears to be a working number of an Indian tech support call center
Thanks for the number! This was my first longer scam bait call, and I could keep them busy for more than one hour with a textnow number. I said I was a farmer, got a new computer just last week. They did the usual thing with “tree” and then even created an eMail account and Paypal account for me.
Then they tried to send money with my credit card, a $1 burner card I bought somewhere on the internet, and surprisingly it didn't work. So they forwarded me to the page microsofttechs.com and entered all my fake address data and credit card number to it, I guess for some other processing method. Screenshot:
https://i.imgur.com/E08m7T3.png
Now they are on my VM and wasting more time with all the "security fixes", they said they will need 30-45 minutes. I'm recording a video of it. But what they do looks half decent, installing ad-block etc. Of course, it is still a scam how they get their customers, and I should pay $325, outrageous! :-)
@marilynbaiter#121827 always try to find out as much as possible such as their company websites, their company name etc. That was a good bait!
Will try to get more information next time, was a bit nervous. They are done now on my VM. They said they will disconnect, we said goodbye and phone call ended, but these scammers were still on my VM! I pretended to read some news for minutes, while they were happily watching. Then I disconnected it from my side.
The video of everything they did is encoding now, will upload it later. They installed a few freeware programs and cleaned temporary files, and installed their number in the taskbar. At one point they even ejected my Oracle VM Guest Additions CD, oops :-)
They sent a "medicine2.txt" file to my desktop at the end and showed me 2 more numbers: 1888-604-3357 and 1800-291-7147. But might only work for registered customers. I guess the "lifetime" support lasts only until they disable the toll free numbers. Contents of the medicine file, with an eMail contact, which might provide more information about their company, geekswebllc.com:
Here is the video of what they did:
https://www.youtube.com/watch?v=uRX1wgNdkcI
I would say it is better than grandson quality :-) but they probably wouldn't know what to do if there were a real problem and not just their fake popup. And I didn't notice it the first time, but they uninstalled Teamviewer! I installed it together with some other programs from https://ninite.com to make the VM look a bit more legit. I guess they don't want other scammers who use Teamviewer getting on my computer. And they told me if I would see this popup again, I should only call their number, not the number on the popup :-)
I still have the VM. Let me know if someone wants some of the other files they transferred before I reset it to the last checkpoint. They want to call me again tomorrow, they will probably complain about the credit card. Anything more I could do?
This is the content of the "Network Security" batch file:
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
exit
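For defenders: the batch file above lists every event log with `wevtutil el` and clears each one with `wevtutil cl`, so evidence of it has to come from process-creation records that were collected off the host before the wipe. The Python below is an added example, not part of the original posts; the tab-separated record format, the host names and the thresholds are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches 'wevtutil cl <log>' and 'wevtutil.exe clear-log <log>' command lines.
CLEAR_RE = re.compile(
    r'\bwevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\s+"?([^"]+?)"?\s*$', re.IGNORECASE)

def find_bulk_log_clearing(records, min_logs=3, window=timedelta(seconds=60)):
    """Return {host: sorted log names} for hosts that cleared at least
    min_logs distinct event logs within one time window."""
    per_host = defaultdict(list)
    for line in records:
        # Assumed record layout: ISO timestamp <TAB> host <TAB> command line
        ts, host, cmdline = line.split("\t", 2)
        m = CLEAR_RE.search(cmdline)
        if m:
            per_host[host].append((datetime.fromisoformat(ts), m.group(1)))
    hits = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct logs cleared within `window` of this clear command
            logs = {name for t, name in events[i:] if t - start <= window}
            if len(logs) >= min_logs:
                hits[host] = sorted(logs)
                break
    return hits

# Constructed sample records (not taken from the VM in this thread).
SAMPLE = [
    "2024-01-01T10:00:00\tVM-FARM\tcmd.exe /c \"Network Security.bat\"",
    "2024-01-01T10:00:01\tVM-FARM\twevtutil.exe el",
    "2024-01-01T10:00:02\tVM-FARM\twevtutil.exe cl \"Application\"",
    "2024-01-01T10:00:02\tVM-FARM\twevtutil.exe cl \"Security\"",
    "2024-01-01T10:00:03\tVM-FARM\twevtutil.exe cl \"System\"",
    "2024-01-01T11:30:00\tADMIN-PC\twevtutil cl Setup",
    "2024-01-01T11:31:00\tADMIN-PC\twevtutil qe System /c:5",
]

if __name__ == "__main__":
    for host, logs in find_bulk_log_clearing(SAMPLE).items():
        print(f"{host}: bulk event log clearing -> {', '.join(logs)}")
```

A single `wevtutil cl` by an administrator stays below the threshold; the enumerate-and-clear loop from the batch file does not.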
Their alternate # 800-642-3079 (as seen on microsofttechs.com)
Good news, a good Samaritan hacked their VM 800-642-3079
I did the work and reviewed my video in detail, to see what they did. TL;DR: except for installing the popup and ad blocker and removing some temporary files, they didn’t do anything useful, and many things were even harmful and intended to lower the security of the computer, and to make future scams easier. Definitely not worth the requested $325. So I take it back, it was less than grandson quality. But if someone doesn’t know much about computers, it might look impressive.
Detailed log:
It went on a bit slow from this point on, maybe he was getting some coffee.
At minute 55 we said goodbye and the telephone call was ended, but he was still connected with GoToAssist, spying on what I was doing! I was pretending to surf the web for 5 minutes, no disconnect, finally I disconnected GoToAssist.
I did restart the VM after this, and as expected, the Avira anti-virus main program was not running anymore. But some Avira services were still running. Maybe there will be no updates without the main program.