THE SQL Server Blog Spot on the Web
Welcome to SQLblog.com - The SQL Server blog spot on the web Sign in | |
in Search
Home Blogs Downloads   Opml View as RSS news feed in XML

John Paul Cook

Scammers on the loose pretending to be Microsoft

UPDATE: The scammers called back today informing me that my computer had been sending “error messages for quite a long time”! They identified themselves as the “Technical Maintenance Department”. I was told that the count at the top of my Event Viewer is the number of infections on my computer. For $199 they would help me fix my computer. They directed me to browse to ms7.us, presumably to purchase something. I didn’t browse to that address, but I did a whois which indicated that the domain is registered to someone in India. Today, like yesterday, the people on the phone were very difficult to understand. Also like yesterday, the supervisor is very easy to understand when he curses. Perhaps he has practiced English curse words more than regular conversational words.

YESTERDAY: Minutes ago I received a phone call that the caller ID listed as “Out of area”, which I knew was a bad sign. It was difficult to understand the caller because of his very thick accent. He told me that he was from Microsoft and that my computer was throwing a large number of errors and he was calling to help me. He directed me to use Windows R to open a run dialog box, type eventvwr and then look at the Event Viewer. Within Event Viewer, he instructed me to open Custom Views and then open Administrative Events. He wanted to know the number of events. I told him that the count was 16,908, which he said was very bad. He routed me to his supervisor.

The supervisor asked me if I knew what this meant. I said yes, it meant that he wasn’t with Microsoft, and that he was a scammer. He asked me if the other guy indicated they were Microsoft. I said yes. He said that they were not Microsoft but instead a contractor to Microsoft, a certified and authorized company trying to help me. He said that if he was a scammer, he could hack my computer (after all, he said he knows my IP address), but he wouldn’t because he is a legitimate business. He did some cursing and hung up on me. His cursing was amazingly good, actually accent free as far as I could tell.

In case you don’t know what the Event Viewer is, it is a log of things that happen on your computer. It is not a listing of malware infections on your machine. It is completely normal for it to have tens of thousands of events. Don’t fall for someone calling you trying to scare you about how many events are in your event logs. Microsoft doesn’t call Windows users at home and have them open a run dialog box.

Published Wednesday, December 19, 2012 7:58 PM by John Paul Cook

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

 

StephenL said:

Too funny! I just got off the same call. I recorded part of it, for the fun of it. I did go to ms7.us - from a test machine. They have you install TeamViewer from TeamViewer.com. This looks like a legitimate application - but, once you give the person the connection info, it DEFAULTS to remote full control. You'd think the application would require a request for control. Anyhow, I quickly removed remote control and opened a chat window. They didn't respond to my "hello?". :) And, shortly thereafter, the phone line went dead.

I checked a few logs, and, I don't see that they were able to do anything. Because the test machine was part of my domain, I decided to drop them before they could do anything... next time, I might have a truly disconnected test machine and see what they decide to do.

January 10, 2013 2:58 PM
 

NathanD said:

I just got the same call. Fortunately, I know enough about computers to be skeptical.

The Indian-sounding man on the line claimed he was from Microsoft Technical services and was calling me because they were getting error reports from my Windows 8 computer. I asked how I could verify this and he asked me to open Run... and type in www.ms7.us. That tipped me off, and I stopped following his directions and instead searched for the site in my browser. I eventually went to the site, trusting that I'd know before anything crazy happened. He then asked me to click a link (#4 on that page), which began downloading some random EXE file, at which point, I pulled the plug on the download and started pressing the guy. He claimed that the EXE file would help their technicians show me the problems.

I told him that I'm well aware of Event Viewer and asked him to walk me through it. He basically just had me open up the Event Viewer Application log and made vague comments about these being errors. I pressed him more to prove to me that something was wrong. He then asked me to open my Windows Prefetch folder and double click on any file...acting like the fact that Windows didn't find an appropriate application to open those files meant they were malicious. I quickly searched for the prefetch folder in Google and informed him what it was for from the Microsoft website.

At this point, I asked him to point me to anywhere on the Microsoft website that discussed this issue. His response--we're not from Microsoft, we're their technical services and "if we just posted it on the web site, why would I be calling?" LOL!

Next, I asked him for ANY link to a trustworthy antivirus or news site mentioning this issue. Obviously, no response. At that point, I started accusing him of being a scammer and trying to get me to install malicious software. I pointed out that Microsoft wouldn't be calling all their end users, which he emphatically insisted was what was happening even at that point.

He began trying to get off the phone, saying that it's my problem if my computer starts crashing in a few days. I basically told him that he's trying to scam people who don't know enough about computers to resist it and kept repeating "Stop doing this. Stop scamming people." until he hung up.

The bad part about this, is that I could totally see someone falling for this if they didn't have past experience with Event Viewer, know a bit about file extensions and have a basic understanding about how this kind of thing works.

Sadly, there's not much on Google yet about this scam, so I'm hoping that my description here will help get this page higher in the ranks. MS7.US are scammers. Don't be scammed by MS7.US. Repeat: WWW.MS7.US is a scam.

January 16, 2013 2:05 PM
 

SteveL said:

Thank you guys for your comments. Last night I I got this call. Since, I was half asleep and not familier with event viewer, I ended up with this guy remote controlling my computer. I did not buy anything, especialy when the pay-pal thing was called "loot" something in India. Is there any way that he may have put anything in my computer and get past Nortons? I ran Nortons and did not find anything, but have not allowed any internet connection since!

thank you.

February 12, 2013 11:13 PM

Leave a Comment

(required) 
(required) 
Submit

About John Paul Cook

John Paul Cook is both a Registered Nurse and a Microsoft SQL Server MVP experienced in Microsoft SQL Server and Oracle database application design, development, and implementation. He has spoken at many conferences including Microsoft TechEd and the SQL PASS Summit. He has worked in oil and gas, financial, manufacturing, and healthcare industries. Experienced in systems integration and workflow analysis, John is passionate about combining his IT experience with his nursing background to solve difficult problems in healthcare. He sees opportunities in using business intelligence to satisfy healthcare meaningful use requirements and improve patient outcomes. Contributing author to SQL Server MVP Deep Dives and SQL Server MVP Deep Dives Volume 2.

This Blog

Syndication
©2006-2012 SQLblog.comTM
Brought to you by Adam Machanic & Peter DeBetta
Powered by Community Server (Commercial Edition), by Telligent Systems
  Privacy Statement