A scammer sends me a virus! - Part 1

Captions
Until recently, no scammer had ever uploaded a real virus to me. That was until I phoned one of these two numbers on a pop-up. I don't withhold my caller ID, and strangely, within an hour of ringing one of those two numbers, a scammer named Ricky called me back. Ricky explained why he was calling me.

"We have been reported, is when one of those devices or your computer is infected or corrupted or compromised, then your IP address is compromised, and that's when you get this error message, right, and they generally get played by Windows Defender. I mean, this is generally what is reported to us whenever this sort of error message is played, okay, on a Windows computer, right. If you want, I can go ahead and check that for you. May I take your name please?"

"Yeah, my name is Orson, surname is Kart."

"Okay, Mr. Kart, all right. The way that we can do this is through a remote access. I'll be able to diagnose your computer basically and check if there are any foreign connections available on your IP address. Open w w w dot bot support dot com."

So Ricky has lied to me several times at this stage already. He lied that it was a Windows Defender message, when he probably knows that it's the title of his fake webpage. He's also used a bit of technobabble, saying that my IP address is corrupted. While it's possible to corrupt a machine, a device or a PC, it's certainly not possible to corrupt an IP address. Lastly, he stated that he was going to check for foreign connections. I reckon he's gonna run the netstat fraud, so I let him connect to my virtual machine and see what he does next.

"Yes, I have the access of your computer now, right. I need a few things, that is, I need to diagnose a few things, yeah, okay. Hopefully then I'll be in a position to tell you if the IP address is an issue or not."

Once again, my IP address has nothing to do with any infections. It's all technobabble.

"It'll take about ten minutes. There's a Microsoft scan that I need to do, okay. Then the thing that I'll need to do is a netstat, which will be done on CMD."

I point out the JavaScript pop-up, which is clearly visible on the screen he's looking at, and I ask him what it means. "That's the first error message. Fair enough, leave the computer with me for about ten minutes, I'll give you a call back." "Okay, all right, okay, thanks, bye."

Right, instead of just pointing out that it's a fake message, he decides to run a file system scan. This will only check if the files and directories are intact and will do nothing to identify any kind of virus. As the scam continues, I notice a second person connecting to my virtual computer. Ricky does call back some time later and he explains that it's probably a network issue. He also starts off the Microsoft Malicious Software Removal Tool, something he should have run right at the very start of this call.

"It's gonna take more time than I thought it would take. Network, it is pointing towards some sort of network issue."

The next time Ricky calls is when the file system scan is completed. It did find one file which wasn't shut down correctly when the computer rebooted, but it's nothing to worry about. He's just dying to run the netstat command.

"Okay, so I'm gonna do a netstat right now, okay, which means it tells us about how many computers or devices are connected to your IP."

Netstat does indeed show connections to a PC, but scammers often use this as a way to fool people into thinking that they've got hackers connected.

"There are these many established connections right now, okay. So basically it means that 1, 2, 3, 4, 5, 6, 7, 8 and 9 and 10, so basically say that there are 10 devices connected to your..."

So he lies again. He cannot possibly tell what devices are connected to a router, only those devices connected to this PC.

"Three or two devices which are genuinely connected; the rest are foreign connections, or you could say intrusions."

There are nothing of the sort. It's his own connection.

"That's the reason you receive that error, because after the scan and diagnostic that I obtained, it seemed as if your IP address is compromised."

After this misdiagnosis he gives me some dire warnings about what these people could do in my computer and how I would take the blame for their illegal activity.

"I need two things. One is IP masking."

More technobabble. IP masking is a thing, but it's got nothing to do with protecting an IP address.

"You may need typical network security."

He goes on to describe what Cisco network security is, and he mixes up terms like SSL, firewall and network. He's obviously got his technical spiel suited to someone who isn't used to computers, and it may sound convincing, but he's being far from honest.

"Right, in that case it'd be a 50-pound charge for the cleanup."

Not only does Ricky offer a 50-pound cleanup charge, but he also offers a one-year warranty which would allow me to contact an 0800 number if I had a problem. At this point I don't really know who the scamming organization is, but usually the weak point is whenever they ask for a payment.

"Right, how would you like to make the payment? Would you want to do a bank transfer or would you want to pay by card?"

You can usually find out a good bit more about an organization by asking them for their bank details, so this is what I hoped for.

"We will provide you with the bank details."

So he finally reveals the details of the company behind the scam. They're called Micro PC Support Limited, and the bank account number and details point to a bank account in Swindon in the UK. The invoice reference, as it turns out, is a fairly standard format for Micro PC Support Limited. I ask the scammer to send these details to me by email so I can find out a little more information. I tell him that I'll make the bank transfer by phone, and Ricky is happy enough to continue with his work. I also tell him that I'll have to go in a few minutes, and I ask him for a phone number to ring him back on. This will reveal yet more information about his company. 01444 390617: that is the number which appeared on my caller display, but it's not the 0800 number that I was looking for. A Google search reveals nothing about that number.

I leave him on the computer for a little while, and about thirty minutes later he phones me back claiming that the payment didn't work. He gives me another Barclays bank account number, and this time the branch is in Edinburgh in Scotland. After he installs some useless ad blockers, I notice him fire up a remote file transfer program. The file is named networkprotection.exe. The file is being uploaded via the remote access software GoToAssist. He changes the directory to the desktop, then he launches my antivirus program. He goes into its settings and disables any system scans. Once he's disabled the antivirus, he goes back to the file transfer and he uploads an executable file to my desktop. He then quickly closes the file transfer window. He then re-enables my antivirus software. All of his actions are very deliberate.

A look at my desktop reveals a new icon that wasn't on my desktop before. This new file was named networkprotection.exe and was only 204 kilobytes long, and in the properties it described itself as "restrict hacker". I uploaded this file to VirusTotal so that a number of virus checkers could analyze the file. Almost every one of them identified it as a proper virus. A search on the internet revealed that it's a polymorphic file infector, which means that it can change its behavior. It also infects local drives and remote drives, so it's quite a nasty little virus. But to make matters even worse, I watched while the scammer opened up my email client and started reading around my personal email. Don't forget, I told him that I wasn't at my keyboard and I would be back later. When he'd nosed around enough, he left me a note, and finally I had his 0800 number.

So, having done a bit of background research on his company, I asked him some questions. "So whereabouts are you based?" "All right, okay." He's probably been told to say this because Micro PC Support Limited have got a registered address in Glasgow. The company directors are named Peter Church and Jagrata Gupta. There's links to this public information and the related companies in the description below. I challenged him some more.

"You can see my screen, right? Why did you lie about that netstat?"

"I did not lie about netstat. If you close my connection and then check about netstat, you'll find exactly the same thing, okay. If not the same thing, then maybe something different, but then it was not something which was influenced by myself or by the company."

"Okay, just a second, we'll go through this line by line then. Do you agree that MCS, three, two, ISP, HTTP, there was one, two, three, four, five, six lines. Those first six lines are entirely this remote access client, GoToAssist. Do you agree with that?"

"Well, to be honest, you know, I would not have a lot of information on that. If you're a network engineer, you would know that better."

"Okay, but have you tried running that yourself?"

"Yes."

"So you're connected at the moment, and I also have some webpages open, and you can see them there, so this isn't hiding your connection, okay. IMAPS, IMAPS is the email client, as you know. Those are just loopback connections. These connections are closed, these old web pages, and the remaining are all closed by a timeout; they've sort of timed out. They are old connections. The only ones which are established, if you look at this, is my email client. What you can see open: loopback, these, which are all your connection, like, this screen is all your connection as well, except this is established because I had downloaded the GoToAssist client from fastsupport, that's why it was established, and you can see it's HTTP and HTTPS. There's no back doors, just no anything else. This is exactly what you would see if you just downloaded GoToAssist and somebody connected, and we both know that you're lying to people when you say that there's only one or two of those connections. You're implying that that is the people connected to this computer, and it should only be one or two. That was your exact words."

"Is your real name Mr. Kart, like Orson Kart? That's not your real name, is it?"

"Correct. Nor is Ricky your correct name."

"No, my name is Ricky Long."

"Okay, right, I'll ask you a very simple question. I'll prove to you that you're lying, okay, I'll prove that you're lying."

"There are things that you may not know, there are things that I may not know, okay."

"That doesn't matter. I'll ask you a very simple question, and if you can answer it quickly, I might believe you."

"You know, it seems that you are trying to scam me right now."

"Okay, I'll ask you another question, I'll ask you another question, because you're lying and I can prove you're lying. If you listen to me for one second, I'll ask you one other question. What is the square at the centre of Glasgow called? What's the square at the centre of Glasgow called? Everybody in Glasgow knows."

"I've not been in Glasgow for a very long time. Talk to me about London, maybe talk to me about Hayes, or..."

I cut short all of Ricky's excuses and I look at my email, and I find that the company have sent me an email. Ricky has signed it, and when I analyzed the headers, it distinctly says that it has come from India, either Delhi or Mumbai. That matches what I see on Wireshark. When I look at micropcsupport.com, their website, I also see the same IP address.

In part 2 of this video, something interesting appears in my keylogger. Aha, that must be some of their other customers, I think. I ask Micro PC Support some very simple questions and get this: "And that's why we have been strictly advised not to talk to you on the phone." And I get to speak to one other Micro PC Support customer to see his experience. "She talked about paying. I said, hello, to me, I've already paid."

So please hit the subscribe button if you haven't done already. I'm also available on Twitter, @JimBrowning11, and if you can support me on Patreon, there's a link in the description below. Once again, thank you for watching.
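The video's point about the netstat trick, as an added example that is not from the video: each line of netstat output is not a "device" or a "hacker", and the count only makes sense once loopback, listening and timed-out entries are separated from established connections to remote hosts. The sample output below is constructed to look like Windows `netstat -ano` and is not a capture from the video.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows "netstat -ano" output (not captured from the video).
# A scammer reading this would count "9 connections"; the summary tells the real story.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     4312
  TCP    127.0.0.1:49701        127.0.0.1:49700        ESTABLISHED     4312
  TCP    192.168.56.101:49800   203.0.113.10:443       ESTABLISHED     5120
  TCP    192.168.56.101:49801   203.0.113.10:443       ESTABLISHED     5120
  TCP    192.168.56.101:49802   203.0.113.20:993       ESTABLISHED     2288
  TCP    192.168.56.101:49810   198.51.100.7:80        TIME_WAIT       0
  TCP    192.168.56.101:49811   198.51.100.7:443       CLOSE_WAIT      6000
  UDP    0.0.0.0:5353           *:*                                    1400
"""

def parse_netstat(text):
    """Parse TCP rows of netstat -ano into dicts; skips the header and UDP rows (no state)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, local, foreign, state, pid = parts
        fhost, _, fport = foreign.rpartition(":")
        rows.append({"local": local, "foreign_host": fhost.strip("[]"),  # IPv6 is bracketed
                     "foreign_port": fport, "state": state, "pid": int(pid)})
    return rows

def summarise(rows):
    """Count what the lines really mean instead of treating 'one line' as 'one intruder'."""
    summary = Counter()
    remote_hosts = set()
    for r in rows:
        if r["state"] != "ESTABLISHED":
            summary["not_established"] += 1      # LISTENING, TIME_WAIT, CLOSE_WAIT: no live peer
            continue
        if ipaddress.ip_address(r["foreign_host"]).is_loopback:
            summary["loopback"] += 1             # this PC talking to itself (e.g. a local proxy)
        else:
            summary["remote_established"] += 1   # a real session, e.g. the remote access tool
            remote_hosts.add(r["foreign_host"])
    summary["distinct_remote_peers"] = len(remote_hosts)
    return dict(summary)

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(f"{len(rows)} TCP lines ->", summarise(rows))
```

Run against live output (`netstat -ano` piped into the script) the same summary shows how many remote hosts actually hold a session with the PC, which is the number a remote access session plus a mail client would explain.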
Info
Channel: Jim Browning
Views: 1,064,842
Rating: 4.9563808 out of 5
Keywords: micro pc support, techcure, micro online, microsupportuk, data telecoms, micropcsupport, 08000886016, 01444390617, scam, tech support scam, microsoft scam
Id: Ooh6bV8FwTo
Length: 16min 4sec (964 seconds)
Published: Tue Apr 03 2018