Someone I know got a tech support scam popup that said their computer was being hacked. I said to bring the computer over. I wanted to see it.
I found the malicious site in the browser history–I’ll tell you how to do that after I finish my story–and pulled the page back up. The computer played an MP3 file with a scary-sounding message and urged me to call an 888 number. So I called. I got voicemail. I left a message.
Last Tuesday night my oldest son came into the room and told me he thought one of our computers was being hacked. So I kicked into incident response mode and walked into the other room to be greeted with a computer loudly telling me that Microsoft Security Essentials was unable to clean a virus and to immediately call Microsoft.
Instead I immediately shut down the computer. Here’s why.
I got e-mail the other day from Turbotax saying someone had filed my taxes for me. Obviously a cause for concern, right? Here’s how I determined the message was fake in about three minutes. You can spot phishing e-mails with Outlook the same way.
Some people will tell you not to even open a message like this, but if you’re a computer professional, at some point someone is going to want you to prove the message was fake. I think this is something every e-mail administrator, desktop support professional, security professional, and frankly, every helpdesk professional ought to be able to do.
So here’s how you can get the proof. And generally speaking, Outlook 2010’s default configuration is paranoid enough that this procedure will be safe to do. If you want an extra layer of protection, make sure you have EMET installed and protecting Outlook.
Buried unfortunately deep in August’s Social Engineer podcast was some outstanding advice from British TV star R. Paul Wilson, who turned scamming into prime-time BBC TV for several seasons.
Wilson, who literally has sold someone a bridge that he of course didn’t own, has lots of experience on both sides of scamming, so his experience is invaluable. I was just disappointed that we had to listen to 45 minutes of Christopher Hadnagy and David Kennedy arguing before we could hear it, so I’ll cut through the garbage.
Friday night, I took my wife out to get some coffee to get her a few minutes away from the house. There’s a corner in the front of the store next to the window that we always sit in, and it seems like some huckster is always huckstering something there.
And did we ever find a doozie on this Friday night.
There are a few hucksters on Ebay, whom I don’t care to give free advertising by mentioning by name, who hawk “graded” cards on Ebay and claim them to be especially valuable. One even puts supposed appraised values in his listings in parenthesis, then invites you to visit his page for an explanation of “graded” value, where he cites an example of a run-of-the-mill 1970s star card, normally worth $60, being worth $2,500 once graded.
The thing is, that’s an edge case. It’s important to understand those edge cases to avoid a ripoff.
I haven’t received a fake Windows tech support call in a very long time. A couple of the operations doing this have been shut down, but based on the continued popularity of the things I’ve written about them, I wonder if some people are still getting them.
That makes me reluctant to block them, just in case they call me again, but if you’re getting those calls and want them to stop, I can tell you how to do that.
I’m all torn up this morning. I’m torn up because Microsoft has sued a couple of tech support scam outfits for misrepresenting themselves and violating Microsoft trademarks.
I’m torn up because it’s taken this long. I’m also torn up because this may mean I’ll never get to see what kind of hilarity would ensue by telling a scammer with a fake western name that my name is “Suchita.” In the deepest voice I can muster, of course. Keep in mind that if I sing in falsetto, I’m a tenor. Also keep in mind that nobody wants to hear that.