The phone rings, you answer, and someone says they are from Microsoft or your Internet provider and have detected a virus on your PC. What next?
Well, it depends on how much time you have on your hands and your sense of humour, but before we get to that let’s just explain what is going on here.
I’ve been plagued with these calls, often once or twice a week. Someone, usually with a heavy Indian accent, calls and reports that they are calling from ‘Microsoft Security Centre’, stating that they have ‘detected viruses on my machine over the internet’.
Myth buster number one: This is not possible! Firstly, Microsoft never phones people to tell them that their PC is infected (assuming it actually is). Secondly, how would a company get your phone number based on your PC?
I had one such call recently and had a bit of time so I thought I’d a) waste their time so that they weren’t conning some unsuspecting old lady, and b) find out exactly what they were doing in order to ‘prove’ to people that there were problems with their PCs. I had what is known as a ‘virtual machine’ installed – this is like Windows running as an app in Windows. It is totally ring-fenced, and to the outside world they could not tell any difference. By letting them run in a sand-boxed system I knew that my main system was completely safe.
Step 1 – they gain access to your PC
After you’ve admitted that you have a PC they’ll start saying things like ‘have you noticed it going slow recently?’. Let’s face it, all Windows PCs get slower over time, especially without a little bit of house-keeping, and they are never as fast as we want them to be. They will then ask you to go to a website and run an app. This part is actually legitimate software: they are using a third-party product designed for remote support. You run an app, it displays a set of numbers which you then read out to the person on the phone, and they enter it into the software at their end – they can then see your desktop and control your keyboard/mouse as if they were sitting in front of the PC. Note that at this stage your PC is not infected with anything – you’ve simply allowed remote control so that they can ‘prove’ that your PC is compromised.
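If you want to see for yourself which programs on a Windows PC currently hold an open network connection (for example after a call like this, to confirm a remote-support tool is no longer running), the following PowerShell snippet is an added example and not something from the original post. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and an elevated prompt so that the executable path of every process can be read.

```powershell
# Added example (not part of the original post): list every established TCP
# connection together with the owning process name and executable path, so an
# unexpected remote-control program stands out. Run from an elevated PowerShell.
Get-NetTCPConnection -State Established |
    ForEach-Object {
        # Look up the process that owns the socket; -ErrorAction handles processes
        # that exit between the two calls.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process    = $proc.ProcessName
            Path       = $proc.Path
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
        }
    } |
    # Ignore loopback connections; they never leave the machine.
    Where-Object { $_.RemoteAddr -notmatch '^(127\.|::1$)' } |
    Sort-Object Process |
    Format-Table -AutoSize
```

Anything listed here with an executable you do not recognise, or one sitting in a temporary or downloads folder, is worth closing and uninstalling; the remote-support tool itself is not malware, but you did not ask for it and it should not stay.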
Step 2 – the convincer
Now they have to prove to you that there is a problem. The person that connected to me did two things:
a. They ran the Windows Event Viewer. This is an app installed on all versions of Windows that logs any errors that happen on the system. Note that an error to Windows is not always what we would consider an error. For example, when Windows boots up it’ll check to see what printers are available. If you have a printer driver installed, but the printer is switched off that will log an error. So our friendly ‘Microsoft Technician’ told me to go into the Event Viewer and proceeded to show me all of the errors on my PC. He told me on no account to click on any of the line items as he said that this would damage things further. In reality he was concerned that I would read the error log and see that it was telling me that my printer was not switched on…
b. Next he opened a DOS window by running ‘CMD’ from the Start/Run option. He typed TREE /S, which is a simple command that shows every single file and folder on the PC. As you can imagine, on even a fresh install of Windows there are tens of thousands of files, so this takes a few seconds as they go whizzing up the screen. And while that is going on he’s typing something in the background which is only displayed once the computer has finished listing all of the files and folders. So at the end of this I could see ‘System Error: Antivirus software disabled’. Of course, this was not actually the case!
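Since the Event Viewer ‘convincer’ relies on nobody actually reading the entries, here is an added example (not from the original post) of how to read them yourself. The PowerShell snippet pulls the Critical and Error entries from the System and Application logs for the last seven days, groups them by source and event ID, and shows the first line of a sample message for each, which is usually enough to see that an ‘error’ is a printer that was switched off or a service that took too long to start.

```powershell
# Added example (not part of the original post): summarise the recent Windows
# 'errors' a caller might point at, so each one can be read on its own terms.
# Works on any supported Windows version with PowerShell 3.0 or later.
$since = (Get-Date).AddDays(-7)

# Level 1 = Critical, Level 2 = Error. -ErrorAction hides the
# "No events were found" error that Get-WinEvent raises on a quiet machine.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Level     = 1, 2
    StartTime = $since
} -ErrorAction SilentlyContinue

$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object -First 15 |
    ForEach-Object {
        $sample = $_.Group[0]
        [pscustomobject]@{
            Count    = $_.Count
            Source   = $sample.ProviderName
            EventId  = $sample.Id
            LastSeen = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
            # Only the first line of the message; the rest is usually detail.
            Message  = ($sample.Message -split "`r?`n")[0]
        }
    } |
    Format-Table -AutoSize -Wrap
```

Run it before and after a reboot and the same handful of sources will appear every time: that repetition is what makes them routine housekeeping noise rather than evidence of an infection, and it is the opposite of what a genuine security tool reports.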
At this point he’s now ‘convinced’ that my PC is heavily compromised and that I need upgraded antivirus software. Bear in mind that up to this point it had taken about 15 minutes.