We came across a user who was presented with a PC support scam via Microsoft's Edge browser. The user unfortunately did follow through with the scam request, but stopped part-way through the process when the "support" actor turned aggressive after being quizzed on some of his actions. The user took pictures of some of the actions that took place, which gives us some interesting insight into what the scammers are trying to accomplish.
The scam's entry point was the domain "netsafty913.online", opened in the Edge browser; in this case the page employed a logon prompt dressed up as a security warning:
The broken English should be a red flag. Googling the support number (61-1800-431-440) also serves up many results related to the scam. The screen warns you that your logon credentials could be stolen, but in reality the credentials are more likely to be stolen once you call them. They also warn the user not to shut down, citing possible boot failures - we'll come back to this at the end. Although the scam seems obvious, to an untrained user it may appear legitimate. Quite often your computer may have exhibited issues similar to what they are scaremongering about, and in turn the user legitimises the warning as timely and expected.
Another curious detail they added to the page:
Top right they refer to localhost as the "Microsoft Diagnostic IP Address", along with another pop-up in the bottom right. A close-up:
Not 100% sure what kind of pop-up was used in this case, but it appears to imitate a Windows Defender event.
When a user calls the number, apparently you are greeted by a friendly support person who walks you through the steps they will perform. It was described as sounding 'like a call centre environment'. They initiate a remote support session - we were unable to confirm what software or method they use to initiate the session, but the PowerShell screenshot has some control items by the taskbar which might be a clue.
The scam actor opens a Notepad window and types a to-do list:
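The page cannot confirm which remote-control tool was used. The following is an added example, not code from the original post: run in an elevated PowerShell on the affected machine while the session is still open (or on any machine where a "support" session is suspected), it lists every established TCP connection together with the owning process and flags process names commonly used by remote-support tools. The list of tool names is an assumption made for this example; the page does not say which, if any, of them was involved.

```powershell
# Added example (not from the original post): identify the process behind a
# remote-control session by joining established TCP connections to processes.
# Requires an elevated prompt on Windows 10/11 (Get-NetTCPConnection, Get-Process).

# Assumed list of process names used by common remote-support tools; not from the page.
$remoteTools = @('AnyDesk', 'TeamViewer', 'TeamViewer_Service', 'UltraViewer_Desktop',
                 'Supremo', 'SupremoService', 'ScreenConnect.ClientService',
                 'RustDesk', 'LogMeIn', 'ConnectWiseControl.Client')

# Index running processes by PID so each connection can be resolved in O(1).
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$connections = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
    ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        $name = if ($p) { $p.ProcessName } else { 'unknown' }
        [pscustomobject]@{
            Process       = $name
            PID           = $_.OwningProcess
            Path          = if ($p) { $p.Path } else { $null }
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            KnownRemote   = ($remoteTools -contains $name)
        }
    }

# Print suspected remote-control sessions first, then everything else.
$connections | Sort-Object -Property @{Expression = 'KnownRemote'; Descending = $true}, Process |
    Format-Table -AutoSize
```

A process that is not on the assumed list but holds a long-lived outbound connection from an executable under the user's profile (for example a freshly downloaded file in Downloads or AppData) deserves the same scrutiny as a named tool; the Path column is there for exactly that reason. Record the PID, path and remote address before terminating the process, so the evidence survives the cleanup.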
A very ironic to-do list, to be honest, and a fairly expensive way to get your computer infected with various bits of malware. We would love to get our hands on the "anti malfunction" tools he has. Interesting that he plans to "security off" - probably the only truthful item on his to-do list.
Note also the Windows Event Viewer in the background, conveniently open to a list of bad events to alarm the user.
Alarmingly, he also hopped into PowerShell:
He highlighted the protection status on the recovery volume, pointing out that the "security off" from his to-do list had now been completed. Note that if, as the wording suggests, this was BitLocker's per-volume status output, "Protection Off" on the recovery partition is its normal state: that partition is never BitLocker-encrypted, so nothing had actually been switched off there. He then pressed Enter a few times at the end to scroll the command he typed off the screen.
Next he jumped into regedit - not sure what he intended to do; it may have been to fake some actions, or to remove or add some bad values:
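To check what the "security off" claim actually amounts to, the following added example (not code from the original post, and not the command the scammer typed, which the page does not record) reports the real BitLocker state of every volume with Get-BitLockerVolume and flags only the case that matters: the OS volume not being protected. It assumes Windows 10/11 with the BitLocker module present and an elevated prompt.

```powershell
# Added example (not from the original post): report BitLocker protection per
# volume and flag the OS volume if it is not protected. Volumes without a drive
# letter, such as the recovery partition, are not encrypted and report
# "Protection Off" by design; that reading alone proves nothing was changed.
# Requires an elevated PowerShell with the BitLocker module (Windows 10/11 Pro or later).

$osDrive = $env:SystemDrive   # e.g. "C:"

function Get-BitLockerReport {
    Get-BitLockerVolume | ForEach-Object {
        $isOs = ($_.MountPoint -eq $osDrive) -or ($_.VolumeType -eq 'OperatingSystem')
        $protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

        $note = if ($isOs -and $_.ProtectionStatus -ne 'On') {
            'OS volume unprotected: investigate'
        } elseif (-not $isOs -and $_.VolumeStatus -eq 'FullyDecrypted') {
            'not encrypted; Off is expected'
        } else {
            ''
        }

        [pscustomobject]@{
            Volume        = $_.MountPoint
            Type          = $_.VolumeType
            Status        = $_.VolumeStatus        # FullyEncrypted / FullyDecrypted / ...
            Protection    = $_.ProtectionStatus    # On / Off / Unknown
            Encrypted     = "$($_.EncryptionPercentage)%"
            KeyProtectors = $protectors
            Note          = $note
        }
    }
}

Get-BitLockerReport | Format-Table -AutoSize
```

The useful signal is a change on the OS volume: if it was "On" before the call and is "Off" afterwards (for example because protectors were suspended with Suspend-BitLocker or removed), that is a real action by the actor. A recovery or data partition that was never encrypted will always read Off, before and after, regardless of what was typed.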
At this point the user started asking questions about the procedure which caused the actor to become agitated. The user cancelled the remote session and switched the computer off.
Interestingly, the computer was in a non-bootable state afterwards - the usual boot fixes were unable to restore boot functionality. Was it on purpose? Not sure. If they stole website credentials, then a broken PC gives them more time to use the stolen credentials before the user can change their passwords. On the other hand, if the objective was to collect the $199 'support' fee, it would be unwise to break the PC.
The fix? Wipe and reinstall, and change all your passwords ASAP, from a different, trusted device.
Cover Designed by Macrovector