Don’t Fall for This Scary “Critical Alert from Microsoft” Scam that just Happened to Me

Wolf Richter wolfstreet.com, www.amazon.com/author/wolfrichter

Here’s how I dealt with it, screenshots and all. And now you can have some fun at their expense, literally.

The first time I got this was over a year ago. I just now got it again. So it must be more common than I thought. It was super-scary the first time – fear is what they prey on. This time around, I took screenshots to document it.

You’re looking at a website, perhaps some news site – I was on Caixin Global to read about a bond default by a Chinese company – when suddenly an authoritative, insistent male voice of the type to be expected at a crisis center in the US hammered on me with dire warnings about my computer, while a new browser window popped up that looked like a Microsoft Windows screen with three dialogue boxes:

The combination of that voice and the page with warnings and dialogue boxes is designed to rattle your nerves and make you do stupid things. In the above screenshot, note the URL in the address bar: It has zero connection to Microsoft. This is a dead giveaway that the page is a filthy scam perpetrated by slimy scum. It’s designed to put you into panic mode.

While you’re trying to read all this, the authoritative, insistent voice keeps hammering on you on endless auto-repeat:

“Critical alert from Microsoft. Your computer has alerted us that it is infected with a virus and spyware. This virus is sending your credit details, Facebook log, and personal emails to hackers remotely. Please call us immediately at the toll-free number listed so that our support engineers can walk you through the removal process over the phone. If you close the page before calling us, we will be forced to disable your computer to prevent further damage to our network.”

While being hammered over and over again on auto-repeat, you’re trying to figure out how to shut up the voice, and what the screen says with its dialogue boxes. Two of them request your username and password. One shows a warning about the dire things about to happen to your computer. And in huge font: “Call Support Team : 1-877-359-5840.”

The URL in the address bar comes with a long tag that contains all kinds of data and code, including my location (San Francisco), my IP address, and at the very end the toll-free number used on the above page. The phone number is in this format (I added the bold for clarity): p_num=1%20877%20359%205840
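The URL pattern described above can be used to triage proxy or browser-history logs. The following Python is an added example, not part of the original post: it flags a request to a non-Microsoft host whose query string carries a North American toll-free number. The `city` and `ip` parameter names, the IP value and the domain allowlist are assumptions constructed for illustration; only the host, path and `p_num` value come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a minimal allowlist of domains a genuine Microsoft page
# could be served from; extend it for your own environment.
MICROSOFT_DOMAINS = ("microsoft.com", "live.com", "office.com")

# North American toll-free prefixes, with an optional leading country code 1.
TOLL_FREE = re.compile(r"^1?(800|833|844|855|866|877|888)\d{7}$")
PHONE_CHARS = re.compile(r"^[\d\s().+-]+$")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed sample: host, path and p_num are from the post; the
# city and ip parameters are made up to mimic the "long tag".
SAMPLE = ("d3fth1zzlipf2c.cloudfront.net/assests/eng_ff_auth.html"
          "?city=San%20Francisco&ip=203.0.113.7&p_num=1%20877%20359%205840")

def host_is_microsoft(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)

def triage(url):
    """Return a list of findings for one requested URL."""
    if "://" not in url:
        url = "http://" + url          # logs often omit the scheme
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if not host_is_microsoft(host):
        findings.append(("non_microsoft_host", host))
    # parse_qsl percent-decodes values, so "1%20877..." becomes "1 877 ..."
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if IPV4.match(value):
            findings.append(("ip_in_query", name))
        elif PHONE_CHARS.match(value):
            digits = re.sub(r"\D", "", value)
            if TOLL_FREE.match(digits):
                findings.append(("toll_free_number_in_query", name, digits))
    return findings

def is_suspect(url):
    """Suspect = toll-free number passed in the URL of a non-Microsoft host."""
    kinds = {f[0] for f in triage(url)}
    return {"non_microsoft_host", "toll_free_number_in_query"} <= kinds

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
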

I pasted this URL into Edge for a different view à la Microsoft. And sure enough, this is what pops up:

But for crying out loud, DO NOT fill in ANYTHING.

And this is what it looks like in Chrome:

I do not recommend that you try this, but you can try it (make sure your firewall is on and your antivirus software is updated). You can copy and paste this URL (I took off the long tag)…

d3fth1zzlipf2c.cloudfront.net/assests/eng_ff_auth.html

…into your browser’s address bar, and the scary page will pop up, and then you get to listen to that fear-mongering voice, unless auto-play is turned off in your browser. Because I clipped the long tag that includes the phone number, the page you get shows a blank instead of the phone number.

Then you may have trouble closing the window. This is a scam after all. So here’s a tip that worked for me. To close the window and to shut that guy up, you might have to disconnect your computer from the internet and then close the dialogue boxes and the window – otherwise the page might just reload. And clean the cache of your browser afterwards.

In Firefox, the two dialogue boxes that requested “user name” and “password” issue a strong warning, which I underlined in red: “WARNING: Your password will not be sent to the website you are currently visiting!” Neither of the URLs in the dialogue boxes – winsupportteam.club and win-help.online – is a Microsoft site:

What these two dialogue boxes are saying is that there is a scam in progress, and you’re being targeted.

But in Microsoft Edge, the warning is less clear, and in somewhat garbled form, which I underlined in red: “The server reports that it is from Microsoft has detected suspicious activity from your IP address..”

In all three browsers, you get the same box that screams:

**YOUR COMPUTER HAS BEEN BLOCKED.**

Here is a closeup of that box. In rough non-Microsoft English – for example, “Information Following are stolen” – it lists all the scary stuff that will befall you unless you call “immediately”:

So what happens when you call this toll-free number?

Kind of like what you’d expect when you call Microsoft tech support: You’re put on hold. A soothing voice says nicely in good American English: “Thank you for calling support. All our service representatives are busy helping other customers…” Etc. This is followed by soothing music while you hold just long enough to where you think this might be real. Then the slimy fraudster comes on line.

When this happened to me the first time, I got a male voice with so-so English and a thick Asian accent. This time, I got a woman with an Asian accent that was hard to understand.

This is where they try to rope you in.

She asked for my name and phone number. I gave her fakes. Then she said: “I need to connect to your computer with our secure server so that I can check what the problem is.” She told me to press the Windows icon key plus the “r” key. This opens a search box at the bottom left of the screen:

She told me to enter into this search box the following phrase, spelling it out carefully and having me repeat it back to her: iexplore www.support.me

This is the exact same procedure the guy over a year ago walked me through. They haven’t changed a thing.

You can google this: scams iexplore www.support.me

I googled it the first time over a year ago, and it brought up a whole bunch of results. I googled it just now for the second time, and there are a whole bunch of recent results. In other words, these fraudsters just don’t give up.

Note that I’m doing this on a Windows 10 machine, and Internet Explorer (IE) is not installed. I have three browsers open (Firefox, Edge, Chrome), but the page that opened up was an IE setup screen that I clicked away, and then it opened this page in IE – and this is where you get in trouble:

If you click, you’re cooked.

Note the scammer’s URL: logmeinrescue.com. This is not a Microsoft site. They give you a six-digit code to fill in and then they’ll ask you to click on “Download” which will then download the malware, and you’re cooked.

So this is where I hung up on them. I just didn’t have the gumption to find out what would have happened next if I had clicked, just to report on it.

Anyone can call their toll-free number 1-877-359-5840, and it’s free for the caller. But it’s not toll-free for them. They’re using this number to commit fraud, and they’re paying someone for this toll-free number. So anyone can call them and have some fun with these slimy fraudsters at their expense, and if 10,000 people call them over the next 24 hours before they disconnect the number, maybe they’ll get the message and a juicy phone bill.
