So this afternoon I got a call from a strange number – 248.562.1268. When I answered it was an Indian fellow who told me he was calling from tech support to help my computer. He said the last time my computer went online it downloaded a virus and he wanted to help me fix it. At this point my day was made. I have been hoping that they would call me because I wanted to see what website they were directing unsuspecting users to. He told me I needed to be in front of my computer, which I wasn’t, so that he could help me. I got a scrap of paper, took notes and pretended to play along. He wanted to know what version of Windows I was running before we got started. I said Windows 7 so he would keep going.

First he wanted me to hold down the Windows key and press “r” on the keyboard; this is the shortcut for the “Run” box on Windows. He phonetically spelled out “prefetch”, so I played along, and he said all of the files in there were virus files and to delete them all. Next he said to type “eventvwr”, which launches the Windows Event Viewer. I said OK, I have it open. He wanted me to scroll through the Event Viewer for the first red icon I could find. I said I found one. He asked me to read the number out beside it. I just said a random number: 5000. He says, “This is a very grave situation, you have 5000 virus files on your computer. I will have to connect remotely to take care of the situation.”

In my opinion they would be doing a great job of building confidence with a user who was unaware of what they were doing. This call lasted almost 10 minutes before I was even to the exploit part of the call. Of course a lot of that was me saying “huh”, “what” and “could you say that again”. We spoke two very different dialects of English. He wanted me to visit www.360pcsupport.com. At this point I could not go any further as I did not have a computer handy, nor was I about to visit it... so I said I am very sorry, I have another call on the line, please call back later.
So far he has not called me back, but I really hope they do. I want to see where else he wanted to take me from one of my sandboxed workstations. If anyone else gets a call from them, please let me know; I want to see if there are any other links I need to add into our web filtering system to block. This was way too much fun.
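As an added illustration (not part of the original post), the following PowerShell snippet shows what the caller was actually pointing at: the Prefetch folder is Windows' application launch cache, and the "red icons" in Event Viewer are ordinary Level 2 (Error) entries that every healthy machine accumulates. It assumes Windows 7 or later with PowerShell 3+ and is read-only, so it is safe to run on a normal workstation.

```powershell
# Added example, not code from the original post. Read-only: it counts the
# two things the scam call presents as "virus files" so a user can see that
# non-zero numbers here are normal on a healthy Windows machine.
# Assumes Windows 7+ and PowerShell 3+ (for Get-WinEvent -FilterHashtable).

# 1. Prefetch: *.pf files Windows keeps to speed up application launches.
#    The caller asked for all of these to be deleted; they are not malware.
$prefetchDir = Join-Path $env:SystemRoot 'Prefetch'
$pfFiles = Get-ChildItem -Path $prefetchDir -Filter '*.pf' -ErrorAction SilentlyContinue
"Prefetch entries: $($pfFiles.Count)  (launch-cache files, expected to exist)"

# 2. Event Viewer "red icons": Level 2 = Error. Count them for the last week
#    in the two logs the caller would have had the user scroll through.
$since = (Get-Date).AddDays(-7)
$errorEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Level     = 2
    StartTime = $since
} -ErrorAction SilentlyContinue   # no events found is reported as an error; ignore it

"Error events since $($since.ToShortDateString()): $($errorEvents.Count)"

# Show which components raised them; these are drivers, services and apps,
# not a count of infections. The Event ID read out on the call is just this.
$errorEvents |
    Group-Object -Property ProviderName |
    Sort-Object -Property Count -Descending |
    Select-Object -First 5 -Property Count, Name |
    Format-Table -AutoSize
```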