It’s called the Microsoft Tech Support scam, and it’s been around for years. Last week, Emsisoft and Bleeping Computer intercepted one of these scammers, and in addition to messing with him for a good three hours, we took detailed notes on how the Microsoft Tech Support scam works.

Someone calls you up, claiming to be from Microsoft, and scares you into thinking that your otherwise normally functioning PC is infected. If they scare you well enough, they’ll then have you install remote administration software that lets “their experts take a look at your PC.” From there, a number of bad things can happen, including malware installation, data theft, or simply more scare tactics, all in an attempt to sell you some expensive program that doesn’t work – or doesn’t even exist.

People all across the world get contacted by Microsoft scammers every single day, and all too often they become victims.

The Set Up

Step 1: Cold call victim, then lie, using fancy tech buzzwords

Like many a con job, the Microsoft Tech Support scam starts out with a cold call. In this case, it was to one of our friends over at Bleeping Computer – probably one of the worst people in the world a tech support scammer could connect to.

The scammer, who we’ll call Mr. Z, started his ruse by introducing himself as a Microsoft support tech. Mr. Z told our friend that he was calling about an urgent issue: our friend’s computer was sending errors to “the Windows server,” and this was a critical problem that needed to be fixed. Being a volunteer support tech himself, our friend immediately knew what he was dealing with. There is no “Windows server” to which all Windows computers magically report their errors, and Microsoft technicians do not cold call users about critical errors that need to be fixed.

This was a straight up scam.

Step 2: Use the Windows Event Viewer to scare them with things they’ve never seen

Nevertheless, our friend decided to play along. Feigning naivety, he took the bait. He told Mr. Z that his computer had been acting funny, and he asked Mr. Z how he knew there was a problem. All too ready to supply the evidence, Mr. Z began to give instructions.

You will need to open your command prompt. You will then need to type eventvwr and hit Enter.

In scammer-textbook fashion, Mr. Z was making use of one of the oldest tricks in the book. The Windows Event Viewer is simply an administrative tool that displays the events Windows and its applications have logged. Scammers make use of it because many of those “significant events” are just little glitches, such as a program failing to launch or update. Over the lifetime of a typical computer, many of these glitches will be logged as an event, and displayed as a warning or an error, even though they are not necessarily critical – or even noticed by the typical user.

As someone who works with computers on a daily basis, our friend knew the Event Viewer trick all too well, but, still, he played along. Feigning concern, he asked Mr. Z if all those warnings and errors in his Event Viewer were a problem.

With the utmost seriousness, Mr. Z confirmed that they were.

Step 3: Have them download TeamViewer and Establish Remote Control

It was about at this point that our friend decided to share the fun. Having read about this type of thing before, he knew that the next part of the scam would be to connect to his computer with remote administration software. Handing this kind of connection to a stranger is dangerous because it gives them full control of your computer: they can run programs, install software, and read your files as if they were sitting in front of it.

Fortunately, malware researchers have useful tools called virtual machines. A virtual machine is a complete operating system running in isolation inside another computer; a researcher can let malware run in it, study its behaviour, and then throw the machine away, without ever infecting their own computer. Our friend knew that Emsisoft’s researchers used virtual machines on a daily basis, and since he didn’t have one of his own he decided to pass the scammer on to us.

As expected, Mr. Z told our friend that the only way to fix the warnings and errors that appeared on his Event Viewer would be to download TeamViewer and grant Mr. Z remote control. Here, our friend once again complied; however, instead of supplying the access code to connect Mr. Z to his computer, he gave Mr. Z the access code to connect to ours.

The Scare Tactics

Here is where things get really interesting.

Mr. Z is connected to one of our virtual machines in Europe. He’s been told by our friend, who lives in North America, that he’s going to let his daughter take over the computer because this whole TeamViewer thing is way too complicated for him. Mr. Z is no longer on the phone with our friend from Bleeping Computer. He’s in a TeamViewer session. With us.

In a typical Microsoft Tech Support scam, this is usually the point where all hell breaks loose. Malware infection, sensitive file rifling, installation of a covert backdoor for future access – you name it. Mr. Z could do anything, and we were ready for it. To test Mr. Z’s legitimacy, we even infected our virtual machine with malware, to see if he would notice – but notice he did not.

Through it all, Mr. Z had one primary objective: scare us into thinking something was wrong, and then sell us his “support program,” which would magically fix it all.
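If you have let a “technician” into your own PC and are wondering what he did while he was there, the following is the check a practitioner would run afterwards. It is an added example, not part of the original post and not Emsisoft’s code: a PowerShell function that lists what changed on a Windows machine during a known time window, using only Windows’ own records. It assumes an elevated prompt, that Windows 8 / Server 2012 or later is in use (for Get-ScheduledTask), and that process-creation auditing (Security event 4688) is switched on; where it is not, that part of the report is simply empty. The function name, the property names in the report and the sample date are my own.

```powershell
# Added example (not from the original post, not Emsisoft's code): list what changed on a
# Windows PC during a remote-control session, given the session's start and end times.
# Assumptions: run from an elevated PowerShell; Security event 4688 is only present if
# "Audit Process Creation" is enabled; Get-ScheduledTask needs Windows 8 / Server 2012 or later.

function Get-RemoteSessionChanges {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End
    )
    $window = @{ StartTime = $Start; EndTime = $End }

    # 1. Every process started inside the window (Security 4688), with its parent and command
    #    line where auditing records them. A remote operator's downloads, installers and
    #    "cleanup tools" all show up here.
    $procs = Get-WinEvent -FilterHashtable (@{ LogName = 'Security'; Id = 4688 } + $window) -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Process     = $data['NewProcessName']
                Parent      = $data['ParentProcessName']   # absent on older Windows versions
                CommandLine = $data['CommandLine']         # absent unless command-line auditing is on
            }
        }

    # 2. Services installed inside the window: System 7045 from the Service Control Manager.
    #    A new service is the classic way to make a backdoor survive a reboot.
    $newServices = Get-WinEvent -FilterHashtable (@{ LogName = 'System'; Id = 7045 } + $window) -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message

    # 3. Scheduled tasks registered inside the window. The registration date is stored in the
    #    task definition and comes back as a string, hence the cast.
    $newTasks = Get-ScheduledTask | Where-Object {
            $_.Date -and ([datetime]$_.Date) -ge $Start -and ([datetime]$_.Date) -le $End
        } | Select-Object TaskName, TaskPath, Date

    # 4. Run-key autostarts. The registry keeps no per-value timestamp, so these are listed in
    #    full to compare against what you know was there before.
    $autoruns = foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
        }
    }

    [pscustomobject]@{
        Processes   = @($procs)
        NewServices = @($newServices)
        NewTasks    = @($newTasks)
        Autoruns    = @($autoruns)
    }
}

# The window below uses the clock times from the chat log (8:04 PM to shortly after 9:18 PM)
# on an assumed date; substitute the real date and times of the session you are investigating.
$changes = Get-RemoteSessionChanges -Start (Get-Date '2012-01-01 20:04') -End (Get-Date '2012-01-01 21:30')
$changes.Processes   | Format-Table -AutoSize -Wrap
$changes.NewServices | Format-Table -Wrap
$changes.NewTasks    | Format-Table -AutoSize
$changes.Autoruns    | Format-Table -AutoSize -Wrap
```

Anything that appears in the first three lists was created while the stranger held the mouse, and deserves an explanation; the remote-control tool itself (TeamViewer in this story) keeps its own log of incoming connections, which is the easiest way to get the exact window to feed in.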

Step 4: Reiterate the Event Viewer Problem

The first scare tactic Mr. Z employed was a rehash of his Event Viewer shtick. We were, after all, the original contact’s “daughter,” and we needed to know what the problem was.

The Lies:

MRZ-PC (8:04 PM): i m showng u tis again becoz befor line ws dissconnctd
EMSISOFT-WIN764 (8:05 PM): ok
MRZ-PC (8:06 PM): these r the error n warning which z harming ur computer ok?
EMSISOFT-WIN764 (8:06 PM): where? I don’t see errors can you show it with the mouse pointer?
MRZ-PC (8:06 PM): u knw wat , ur computr z very slow these r the errors ok
EMSISOFT-WIN764 (8:07 PM): yes, I see it now that looks quite bad can you fix that?

The Truth:

Event Viewer is a normal part of your Windows PC, and the warnings and errors it lists are routine: a log of minor glitches, not a list of infections. To access Event Viewer on your own, open the Control Panel, then click System and Security > Administrative Tools > Event Viewer, or press Windows+R, type eventvwr and hit Enter, which is exactly what Mr. Z had our friend do.
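Here is the same data with numbers on it. This is an added example, not something from the original post or from Emsisoft: a PowerShell snippet that pulls the Critical, Error and Warning entries from the Application and System logs (the logs Event Viewer opens on) for the last 30 days, counts them by level and by source, and then prints the few Critical entries in full. The function names are my own; the log names, level numbers and Get-WinEvent parameters are standard Windows, and none of it needs an elevated prompt.

```powershell
# Added example (not from the original post): the same red and yellow entries Mr. Z
# scrolled through, counted and sorted so they can be judged rather than feared.
# Application and System are readable from a normal (non-elevated) prompt.

function Get-EventNoise {
    param([int]$Days = 30)

    # Level 1 = Critical, 2 = Error, 3 = Warning: the entries Event Viewer marks in colour.
    $filter = @{
        LogName   = 'Application', 'System'
        Level     = 1, 2, 3
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws instead of returning an empty result when nothing matches,
    # so treat "no events" as a count of zero rather than as an error.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Days       = $Days
        Total      = $events.Count
        ByLevel    = $events | Group-Object LevelDisplayName | Sort-Object Count -Descending |
                         ForEach-Object { '{0}: {1}' -f $_.Name, $_.Count }
        TopSources = $events | Group-Object ProviderName | Sort-Object Count -Descending |
                         Select-Object -First 10 | ForEach-Object { '{0}: {1}' -f $_.Name, $_.Count }
    }
}

function Get-EventsWorthReading {
    param([int]$Days = 30)
    # What a real diagnosis starts from: the few Critical entries (Level 1), read in full.
    # A scattering of warnings from many sources is background noise; one source failing
    # over and over, or a Critical entry, is the thing to actually look at.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message -First 5
}

Get-EventNoise | Format-List
Get-EventsWorthReading | Format-List
```

Run it on any PC that has been in use for a while and the warning and error counts will not be zero. What matters is the shape of the result: a handful of entries each from dozens of sources is a computer working normally, and a scammer pointing at the icons beside them is showing you nothing at all.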

Step 5: Tell them about “good files” and “bad files”

Before he would “fix anything,” though, Mr. Z had an educational agenda. Showing us a few little event errors was not enough to achieve his ultimate goal. Like all scammers, Mr. Z needed to misinform us and instill fear. Mr. Z, in a nutshell, needed to show us which computer files were good, and which computer files were bad.

According to Mr. Z, good files could be deleted and bad files could not.

The Lies:

MRZ-PC (8:07 PM): ok , jst go ahead n try to delet them ok yes m here to help u , first f ol u hav to try to delet hthem if u nt able to delet them, i will help u ok /
EMSISOFT-WIN764 (8:08 PM): erm, okay
MRZ-PC (8:09 PM): do u see ther z no delet option it means u can not delet them by your own ok
MRZ-PC (8:10 PM): yes u can not delet them by your own , becoz some f the errors n warnings truns in to virus tats the reason u can nt able to delet them by your own
EMSISOFT-WIN764 (8:11 PM): ah, I see
MRZ-PC (8:12 PM): can u see i click on team veiwer and they giving nme the delet option becoz teamveiwer z a good file and good file always gives u the delet option n bad file never giv u the delet option , remember tat in future like u will know which z th good file n which z bad file
EMSISOFT-WIN764 (8:13 PM): oooh, so for good files you have a delete option and for bad files not gotcha!
MRZ-PC (8:14 PM): these errors and warnings they harm your computer services , services means which runs your computer , which z very impotant to your computer now let me go ahead n show u th services

The Truth:

The “files” Mr. Z was trying to have us delete were really just logged events in the Event Viewer, which has no delete option for individual entries by design (a whole log can be cleared, but nothing is gained by doing so). TeamViewer offered a Delete option because it is an ordinary file being right-clicked in Explorer. Furthermore, whether or not something can be deleted has nothing to do with whether it is malicious.

Step 6: Tell them about the “dangers” of stopped services

Now that we were good and concerned about our evil files which we could not delete, Mr. Z needed to make it clear why these files were such a problem. According to Mr. Z, the bad, undeletable files were disabling our services – and if it got to the point where all of our services were disabled, our computer would die.

The Lies:

MRZ-PC (8:16 PM): so these r the services which z very important to your computer , n now u can see ther xz so mny services hav stopped working ?
EMSISOFT-WIN764 (8:17 PM): I see
MRZ-PC (8:17 PM): ok
EMSISOFT-WIN764 (8:17 PM): I guess in the middle pane it says stopped, not stopp
MRZ-PC (8:18 PM): its a same thing ok
EMSISOFT-WIN764 (8:19 PM): yes
MRZ-PC (8:21 PM): ok can u see , 70% services has stopped runing inside your compuyter , n only 30% serivices z running inside your computer , which z not good
EMSISOFT-WIN764 (8:24 PM): can’t I just start them or so?
MRZ-PC (8:24 PM): onec these all sevices will stopped running , your computr will completely stopped and u can be able to use your computer any more yaa u hav to reinstall the services ok
EMSISOFT-WIN764 (8:25 PM): omg, would that mean we’d need a new computer?
MRZ-PC (8:25 PM): no , i mm here to help u out , we will repair the services ok now let me go ahead and check youir antivirus
EMSISOFT-WIN764 (8:26 PM): phew, okay, I was scared there for a sec

The Truth:

Services are simply background processes that perform many tasks on your computer. They do not appear in your point-and-click graphical user interface, and instead operate behind the scenes. To take a look at which services are running on your PC, press Ctrl+Alt+Delete, open the Task Manager, and then click on the Services tab (or press Windows+R and type services.msc, which also shows each service’s startup type). Here you will see that some services are running and some are not. This is not a problem. Services are designed to start and stop as they are needed, and many are set to start manually or are disabled outright, so a long list of stopped services is the normal state of a healthy PC. And, as Elise (our “daughter”) asks at 8:24, a stopped service can be started manually: just right-click it and choose Start.
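To put Mr. Z’s “70% stopped” in context, here is the services list broken down by how each service is configured to start. This is an added example, not from the original post or from Emsisoft: a PowerShell snippet that reads the same services Task Manager shows, counts the stopped ones by start mode, picks out the only ones that merit a second look (set to start automatically yet not running), and then queries the System log for the events Windows writes when a service genuinely fails. The function names are my own; the Win32_Service properties and the Service Control Manager event IDs are standard Windows.

```powershell
# Added example (not from the original post): the services list Mr. Z called "70% stopped",
# split by start mode, so that a stopped service can be read for what it is.

function Get-ServiceHealth {
    # Win32_Service exposes StartMode (Boot/System/Auto/Manual/Disabled) next to State.
    # A Manual or Disabled service that is stopped is doing exactly what it was configured to do.
    $all     = @(Get-CimInstance -ClassName Win32_Service)
    $stopped = @($all | Where-Object State -ne 'Running')

    # The only stopped services worth a second look: configured to start automatically, yet not
    # running. Even these are often benign (some Auto services exit when idle or are started on
    # a trigger); a non-zero ExitCode is the sign of a real failure.
    $stoppedAuto = $stopped | Where-Object StartMode -eq 'Auto' |
        Select-Object Name, DisplayName, State, ExitCode

    [pscustomobject]@{
        Total           = $all.Count
        Running         = @($all | Where-Object State -eq 'Running').Count
        StoppedManual   = @($stopped | Where-Object StartMode -eq 'Manual').Count
        StoppedDisabled = @($stopped | Where-Object StartMode -eq 'Disabled').Count
        StoppedAuto     = @($stoppedAuto)
    }
}

function Get-ServiceFailures {
    param([int]$Days = 30)
    # Real service problems are logged by the Service Control Manager in the System log:
    # 7000 failed to start, 7023/7024 terminated with an error, 7031/7034 terminated unexpectedly.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7023, 7024, 7031, 7034
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Get-ServiceHealth   | Format-List
Get-ServiceFailures | Format-Table -Wrap

# And the answer to "can't I just start them?" is yes:  Start-Service -Name <ServiceName>
```

On a typical PC the StoppedManual count alone is well over half the list, which is the whole of Mr. Z’s “70%”. A service that Windows could not start writes one of the 7000-series events above; if that second list is empty, nothing needs “repairing”.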

Step 7: Tell them about their “useless” antivirus

After showing us what was wrong with our computer, Mr. Z needed a scapegoat. Computers don’t just stop working on their own, mind you. To explain why we had undeleteable files that were disabling our services, Mr. Z pointed the blame at our “incompatible” and “useless antivirus”…Emsisoft Anti-Malware!

The Lies:

MRZ-PC (8:29 PM): ok let me go ahead and sjow u , your antivirus status ok ok i click on compatability
MRZ-PC (8:29 PM): now can u see thr z a written
MRZ-PC (8:30 PM): run tis program and compatabilty mode for windows XP service pack 3
EMSISOFT-WIN764 (8:30 PM): but isn’t that unchecked?
MRZ-PC (8:30 PM): so it means , your anti virus z nt working ion your computer ok

The Truth:

Right click on your Emsisoft Anti-Malware shortcut, choose Properties, and then click on the Compatibility tab. You’ll see a Compatibility mode checkbox and drop-down menu that let you force a program to run as if it were on an older version of Windows. This tab appears in the properties of any ordinary program; it is a Windows feature, not a verdict on the program. Ours was unchecked, meaning no compatibility mode was set, which is the normal state for software written for the Windows it is running on. This menu was Mr. Z’s proof that Emsisoft Anti-Malware was incompatible with our computer!!!

Now, we were willing to play dumb…but not that dumb, so we pressed this whole incompatibility issue by running a scan.

More Lies:

EMSISOFT-WIN764 (8:31 PM): but it runs, I mean, I can’t trust what it says? I have another antivirus I think
MRZ-PC (8:31 PM): if u hav a very good antivirus in your compter , those errors & warnings will never enter in to your computer
EMSISOFT-WIN764 (8:32 PM): okay, I’m running that too now look, it found stuff!!!!
MRZ-PC (8:33 PM): its just showing u yay z running , but actually it z nt running , tats why there r somany error n wrnings in your computer
EMSISOFT-WIN764 (8:33 PM): damn
MRZ-PC (8:33 PM): u paid for tis antivirus or its free ?
EMSISOFT-WIN764 (8:33 PM): okay, I won’t click on that message then my father did, yes or he got a free year license or so
MRZ-PC (8:34 PM): how much un paid ? or u paid yearly or monthly or something like tat ?
EMSISOFT-WIN764 (8:34 PM): let me ask him
MRZ-PC (8:34 PM): ok
EMSISOFT-WIN764 (8:34 PM): he says he paid 30 dollar yearly but he got a free license from a friend
MRZ-PC (8:35 PM): ohhhh really , u r payng t30 dollr yearly for tis useless anti virus omg
EMSISOFT-WIN764 (8:36 PM): well, idk, but it is detecting stuff right now, although it doesn’t seem to help much
MRZ-PC (8:37 PM): see , these r use less , if it really works then u will not get these errors in your computer ok
EMSISOFT-WIN764 (8:37 PM): thats true do you know what I could use best?

More Truth:

Emsisoft Anti-Malware was indeed working. It was detecting the malware we had pre-loaded onto the virtual machine before the TeamViewer session even began!

Step 8: Scan the computer’s brain

Now that Mr. Z had shown us the error of our ways, it was time to start problem solving. As he had so clearly shown us, we were running a useless antivirus that was allowing undeletable files to disable our services! To provide a more accurate diagnosis of the situation, Mr. Z began by scanning our computer’s brain.

The Lies:

MRZ-PC (8:38 PM): now let me go ahead n scan the brain f brain f your computer n let seee wat it says , if u hav any iother any problm tis scan will tell us ok i will tell u
EMSISOFT-WIN764 (8:38 PM): ok
MRZ-PC (8:38 PM): about th best antivirus fr ypur computer
MRZ-PC (8:45 PM): jst wait it will tak same time ok
EMSISOFT-WIN764 (8:45 PM): yes
MRZ-PC (8:46 PM): just look at the first window what z wrtten over there ?
EMSISOFT-WIN764 (8:47 PM): hmm it says something about a trozen whats that? the second says warning and the other something about the license
MRZ-PC (8:47 PM): yes, do you knw wat z trojen virus ?
EMSISOFT-WIN764 (8:48 PM): I know its bad yes

The Truth:

Mr. Z did not scan our computer’s brain. Instead, he just typed tree c: /f into the command prompt. This is a harmless command that prints the folder structure of the C: drive as a text tree; the /f switch makes it list every file as well. It reads nothing but names, and it neither finds nor fixes anything. On a full drive the listing is very long, and as it scrolled past it simply looked like a scan. To see this in action yourself, open your command prompt (find it using Windows Search), type tree c: /f, hit Enter, and voila – you too have “scanned your computer’s brain.”

If you take a closer look at Mr. Z’s brain scan, you’ll also see 3 messages at the end:

warning!!!

trozen virus found -250

computer liscebse will expire will expire in two week

First of all, these messages have nothing to do with running tree c: /f. If you type the command yourself, you can see that none of them appear after the command has run. So how did Mr. Z make it look like his brain scan had produced these results?

He typed them into the command prompt. And by the looks of it he used a broken keyboard.

Just as you can tell your computer’s command prompt to run tree c: /f (or any other command for that matter), you can also tell it to run warning!!! This isn’t a command the command prompt recognizes, though, and it says so, answering with “‘warning!!!’ is not recognized as an internal or external command, operable program or batch file.” In fact, if you take a closer look you’ll see that this lack of recognition is indeed the prompt’s response to each of Mr. Z’s three “results”.
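The whole “brain scan” can be reproduced in a few lines, and the reproduction makes the tell obvious. This is an added example, not from the original post or from Emsisoft: a PowerShell snippet that runs the same tree command Mr. Z ran (against a small folder by default, so it finishes in seconds) and then hands each of his three typed “results” to cmd.exe exactly as he typed them, reporting what cmd says and the exit code it returns. The function names are my own; tree.com, cmd.exe’s “is not recognized” message and its exit code 9009 for an unknown command are standard Windows.

```powershell
# Added example (not from the original post): reproduce Mr. Z's "brain scan" and show that
# the three "results" at the end of it could not have come from the command he ran.

function Invoke-FakeBrainScan {
    param([string]$Path = 'C:\')
    # What Mr. Z actually ran. tree.com prints the directory structure under $Path and,
    # with /f, every file name in it. It reads names only; it changes nothing and detects
    # nothing. On a full C:\ it scrolls for minutes, which was the whole "scan".
    $tree  = Join-Path $env:SystemRoot 'System32\tree.com'
    $lines = (& $tree $Path /f | Measure-Object -Line).Lines
    [pscustomobject]@{ Command = "tree $Path /f"; OutputLines = $lines; ExitCode = $LASTEXITCODE }
}

function Test-TypedResult {
    param([Parameter(Mandatory)][string]$Text)
    # Hand each "result" to cmd.exe exactly as it was typed at the prompt. cmd treats the
    # first word as a program name; when no such program exists it prints
    # "'...' is not recognized as an internal or external command, operable program or
    # batch file." and exits with code 9009. A real scanner's report is never followed by that.
    $said = cmd.exe /c $Text 2>&1 | ForEach-Object { $_.ToString().Trim() }
    [pscustomobject]@{ Typed = $Text; ExitCode = $LASTEXITCODE; CmdSaid = ($said -join ' ') }
}

# A small subtree keeps the demonstration to seconds; pass -Path 'C:\' to see the full effect.
Invoke-FakeBrainScan -Path "$env:SystemRoot\System32\drivers" | Format-List

# The three lines appended to the "scan", spelling exactly as Mr. Z typed them.
'warning!!!',
'trozen virus found -250',
'computer liscebse will expire will expire in two week' |
    ForEach-Object { Test-TypedResult -Text $_ } | Format-Table -AutoSize -Wrap
```

The first object comes back with ExitCode 0 and a line count, which is all tree ever produces; the next three each come back with ExitCode 9009 and cmd’s “is not recognized” message, because the only thing that ever scanned our computer that evening was Mr. Z’s eyes.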

Step 9: Reference the Almighty Google and Wikipedia

Mr. Z was now moving in for the kill. Having used his extensive technical knowledge and highly effective brain scan, he had shown us that our computer was infected with “trozens.” Mr. Z wanted to be absolutely sure that we were aware of the danger, though. Mr. Z needed us to understand what these “trozens” were… and to Mr. Z, there was no finer way to do so than through Wikipedia and Google.

The Lies:

MRZ-PC (8:48 PM): ok let me show u wat z exactly trojen ok
EMSISOFT-WIN764 (8:49 PM): yes
MRZ-PC (8:51 PM): yes m showing u , wat trojen vius ok m gonna type trojen in the google n let see wat it says ….. ok
EMSISOFT-WIN764 (8:53 PM): yes
MRZ-PC (8:53 PM): wait
EMSISOFT-WIN764 (8:53 PM): sorry, some text appeared
MRZ-PC (8:53 PM): just wait … m doing somthng so do not touch your computer opk , now go ahead n read the highlightd line tis z about trojan viruses
EMSISOFT-WIN764 (8:55 PM): ok I understand that sounds quite bad
MRZ-PC (8:55 PM): hmmmm below tat u can see ther z a written purpose and uses
EMSISOFT-WIN764 (8:56 PM): yes
MRZ-PC (8:57 PM): thr z writtn , TROJAN MAY GIVE HACKER TO GIVE REMOTE ACCESSES TO TARGET COMPUTER SYSTEM and below that
EMSISOFT-WIN764 (8:57 PM): yes
MRZ-PC (8:58 PM): thr z a written crashing the computer wit blue scree up death let me show u the blue screen
EMSISOFT-WIN764 (8:58 PM): oh, I’ve never seen that but it looks baad really :(
MRZ-PC (8:58 PM): can u see the blue screen ? yes
EMSISOFT-WIN764 (8:59 PM): yes, I see it
MRZ-PC (8:59 PM): if trojen will crtash your computer then u can see the blue screen
EMSISOFT-WIN764 (8:59 PM): oh, and I definitely don’t want that
MRZ-PC (8:59 PM): and when ever u turn on your computer u can see the same screen n they will ask u to restart your PC again and no matter haow many time u go ansd open your computer , u will get the same screen
EMSISOFT-WIN764 (9:00 PM): I see
MRZ-PC (9:00 PM): and just below that can u see ther z written , ELECTRIC MONEY THEFT it mean they can steal your money from your BANK ACCOUNT
EMSISOFT-WIN764 (9:02 PM): wow
MRZ-PC (9:02 PM): jst below tat thr z a writtn , DATA THEFT
EMSISOFT-WIN764 (9:02 PM): yes, I see
MRZ-PC (9:02 PM): DATA THEFT means they can steal your personal infirmation from ur computer like YOUR USER ACCIOUNT , PASSWRD PHOTOS , YOOUR PERSONAL INFORMATION
EMSISOFT-WIN764 (9:03 PM): omg
MRZ-PC (9:03 PM): they can steal YOUR CREDIT CARD DETAILS
EMSISOFT-WIN764 (9:03 PM): shoot
MRZ-PC (9:03 PM): can u see , ther z writtn PAYMNT CARD INFORMATION now i will like to see u
EMSISOFT-WIN764 (9:04 PM): yes
MRZ-PC (9:04 PM): do u do INTERNET BANKING ? ONLINE SHOPPNG ? PAYNING BILLS? OR SOMETHING LIKE TAT ? R U THR ? ??
EMSISOFT-WIN764 (9:05 PM): sorry yes I sometimes shop online and I think my father does banking
MRZ-PC (9:06 PM): hav u read tat thing ? m asking u something?
EMSISOFT-WIN764 (9:06 PM): yes
MRZ-PC (9:06 PM): i think u hav to stop doing tat things
EMSISOFT-WIN764 (9:06 PM): yeah, I’ll definitely stop that
MRZ-PC (9:07 PM): you shuld nt do tat things UNTILL N UNLEWSS u do nt remove th TROJAN VIRUS from your COMPUTER . ok
EMSISOFT-WIN764 (9:07 PM): yes
MRZ-PC (9:07 PM): ok now do u undrstand , wat z TROJAN ?
EMSISOFT-WIN764 (9:08 PM): yes

The Truth:

There is a Wikipedia article about Trojans. Nothing Mr. Z did on our computer showed that one was on it.

The Big Sell

Step 10: Give them a .txt file they can’t refuse

It had now been over an hour on TeamViewer. In all that time, we had learned about warnings and errors, undeletable files, stopped services, ineffective antivirus programs, brain scans, and the dangers of “trozens” by way of Wikipedia and Google. Thanks to Mr. Z, we were now completely misinformed and “desperate” for an answer. Lucky for us, Mr. Z had a solution.

The Lies:

MRZ-PC (9:11 PM): now let me discuss to MY SENIOR TECHNICIAN about your computer
EMSISOFT-WIN764 (9:16 PM): ok
MRZ-PC (9:17 PM): ok wait m talking to my senoir superwiser about your computer problem what should be the best solution
EMSISOFT-WIN764 (9:18 PM): ok thanks
MRZ-PC (9:18 PM): pk now m going to write down on the NOTEPAD SOLUTION FOR YOUR COMPUTER OK

A Heartfelt Thank You on Behalf of Bleeping Computer and Emsisoft

Final Step: When they realize it’s a scam, deny everything

By now of course we weren’t even sure if we could still play along. Mr. Z had provided over 2 hours of tech support… and now he was trying to get us to pay for extended service, with poorly written ads pasted into Notepad. In all honesty, this final tactic put us at somewhat of a loss for words, but after some careful consultation with a few of our friends from Bleeping Computer, we eventually developed an adequate response (continuing the conversation in Notepad).

Not to anyone’s surprise, Mr. Z denied all allegations of being a scammer until the very end.

Moral of the story? Some people will do anything to scam strangers on the Internet, even if it’s more work and less pay than getting an actual job. Don’t let them scam you.



Have a great (Mr-Z-free) day!

Your Emsisoft Team.

Protect your device with Emsisoft Anti-Malware. Did your antivirus let you down? We won’t. Download your free trial of Emsisoft Anti-Malware and see for yourself.

* Note: All of “Mr. Z’s” spelling and grammar has been left in its original form. If you can’t understand about half of what he’s saying, don’t worry – neither could we! In general, grammar like this – regardless of language – is a telltale sign that you’re dealing with a fraud. The surer tells, though, are the ones earlier in the story: an unsolicited call about a problem you never reported, and a request for remote access to fix it.