“Microsoft” Social Engineering Scam
Recently a client came to us asking for help. They had received a phone call from “Microsoft Technical Support” telling them that they had malware on their PC. They were instructed to fire up their laptop and browse to a website so the support representative could connect and help them fix the issue. Our client diligently followed the instructions and watched as they cleaned up their PC until…Oh dear, this problem is worse than we thought. You will need to pay £80 for the software needed to fix this issue.
It was at this point the client realised something was wrong, unfortunately a little too late.
So what had happened?
The caller wasn’t from Microsoft they were merely calling from a London based number, they identified themselves as Microsoft technical support and explained they had detected an issue with the clients PC. Our client had no idea that this caller could be malicious and the use of the Microsoft brand instilled trust, so they had no reason to disbelieve them. Unfortunately what the caller was doing on the computer was installing some ransomware. A piece of software that encrypts vital files and the only way to get it off is to pay the fee.
Now the damage is done and the user is prompted with a login box whenever they restart machine.
“This computer is configured to require a password in order to start up. Please enter the Startup Password below.”
The system could not be booted into safe mode either, so what now?
Follow these steps:
- POWER OFF your PC immediately.
- Boot to external media of some sort (NOT your Windows installation, such as a USB bootable Linux distribution) and navigate to the %SYSTEMROOT%\system32\config folder.
- Backup the registry hives in this folder to a temporary location. The files are:
- Navigate to %SYSTEMROOT%\system32\config\RegBack as mentioned earlier.
- Copy all registry hives from this folder (the same files as listed above) into the %SYSTEMROOT%\system32\config folder.
- Reboot the PC.
In this particular instance we put the hard drive into another machine instead of using a USB OS such a Kali.
When we rebooted the system and the computer and data had recovered.
So the malware encrypted the registry hives, these files are what let you login to your Windows computer and they are small enough to be encrypted quickly. This is only one version of ransomware, much more complex versions exist which are virtually impossible to remove due to the encryption involved. The most disconcerting part of this whole incident was the social engineering aspect. Here our client was duped into believing they were at risk and then sat and watched the attacker encrypt their files and remove system restore points. Talking to our client all the time to make it seem as though they were helping. The bravado of attackers such as this is one example of how confidence can instil trust and that trust lowers our guards.
It is just human nature and it is vital that you and your staff are frequently tested for social engineering techniques. These techniques can be phishing emails, phone calls such as this or face to face incidents but all are employed far too often with an impressive success rate.
Microsoft offer some tips on how to fight this kind of call: (https://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx
If someone claiming to be from Microsoft tech support calls you:
- Do not purchase any software or services.
- Ask if there is a fee or subscription associated with the “service.” If there is, hang up.
- Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
- Take the caller’s information down and immediately report it to your local authorities.
- Never provide your credit card or financial information to someone claiming to be from Microsoft tech support.