An Analysis of an Attacker’s Attempt to Control my Windows Machine

(Note: This blog post was originally published on September 30, 2014)

This morning, I received a call from a Short Code phone number (609773). The number looked strange (I don’t think I’ve ever received a phone call from a Short Code phone number before), but I decided to answer. What transpired is an analysis of the conversation I had with someone who was trying to hack into my Windows PC.

The man with a thick accent said that he was calling to inform me my computer had not been updated in quite a while, and asked if I was aware of this. He said that this could lead to system files becoming “outdated or corrupted.”

I quickly decided that this was a perfect opportunity to speak with a black-hat hacker and learn about some of his methods. (Note that I put am emphasis on “black-hat” because hackers in-and-of themselves are not necessarily evil people. You might have cousins, family members, or friends who are “programmers” for a living. If they are a programmer, they are a hacker. Again, let me emphasize: A “hacker” is not necessarily a bad person!)

I said “no, I wasn’t. How do I fix it?”

He first had me open up msconfig, a Microsoft Windows utility for editing and troubleshooting programs that run when the computer is first turned on. He had me click on the “Services” tab and then double click on the Services tab underneath. He asked me to tell him how many services were in a “Stopped” status.

I said “several.”

Now let me pause here by saying that nothing he had asked me to do (so far) was harmful to my computer. Msconfig is a legitimate program, and it is safe to use. I am assuming that he directed me to see all of these “stopped” services so that I would be more concerned and hopeful that he could “fix” these services so that they would all start when the computer started (which is actually not at all necessary).

The man on the other end of the phone then directed me to go to a website (supremocontrol [dot] com) and then directed me to click on the Download button, and then to download the software from that download page.

Update: According to some research I’ve performed, Supremo Control seems to be legitimate software. Scammers commonly want to gain remote access to your PC, and they will use valid tools to do this. Supremo Control software is not the problem in this case. The scammers who are using the software ARE the problem.

That said… I can’t find a whole lot of information about Supremo as a company. Google “Supremo” by itself, and you get results for the company. Google “Supremo Scam” and you get a whole lot of results about people complaining about the scam. I wish there were more articles, or even a Wikipedia article, that would help legitimize Supremo as a company.

While he continued to give me instructions, I was already logged into my local CentOS 7 test machine, and so got a copy of the homepage and of the “Download” page of this malicious website.

At this point, I stopped following his instructions, as I didn’t have a safe Virtual Machine of Windows running at the time with which I could test without getting my primary Windows install infected.

After directing me to “run” the downloaded file, he asked for a 9-digit number (which would identify my machine to him so that he could login remotely, and then a 4-digit “password” that the program supposedly was supposed to provide.

After telling him repeatedly what these numbers were (even though I made them up out of thin air), I could tell he was very confused because he couldn’t connect to my system! After a few seconds of silence while he tried to figure out what was going on, I hung up on him.

In summary, let this be a reminder and a lesson for ANYONE to never trust a computer “technician” who calls you out of the blue and tells you that your computer is infected. You should always ensure that the person you talk to on the phone regarding the security of your computer is someone you know and someone you trust.

In the future, I will hopefully be able to analyze the file, but I don’t have the resources to do it (safely) right now. If I had an operational VirtualBox of Windows, I would have loved to have continued our conversation through the very bitter end, so that I could learn more about his tactics!

Questions or comments? Let me know!

 

Addendum (posted in December, 2015): Due to the number of comments requesting assistance, here are a few resources.

  • Develop CENTSMy Company, Develop CENTS, provides IT consulting, technical support, web hosting and more. I’ve written several blog posts on security-related issues, all of which are accessible at https://developcents.com/blog/Note that I run this business for a living, so if you contact me directly, I will only be able to provide some general guidance. For more in-depth support, I will ask you to pay my standard hourly rate.
  • Malwarebytes: If you are concerned that your computer may be infected by a virus, then one of the programs I typically recommend is Malwarebytes. Note that the free version can only legally be used by individuals on non-commercial computer equipment (i.e. if you use a computer for business functions, then you should get the paid version)
  • Spybot Search & Destroy: Spybot is another good antivirus / antimalware program. Make sure to read and understand the licensing. For example, if you’re a business, you should not use the free version.
Share

76 thoughts on “An Analysis of an Attacker’s Attempt to Control my Windows Machine

  1. Rahim

    I received a call from the number 404-602-9519 yesterday. They asked me to download supremo software and connected to my PC. But when they asked me to pay money to remove malicious software, I did hung up. They will try in all the possible ways to scare you and make you pay. Please make a note of this number.

    Reply
    1. David Post author

      Hi Rahim,
      Thanks for your comment. One thing to note is that it is incredibly easy for these scammers to “spoof” a phone number, which essentially makes it look like a phone call came from a particular phone number, when in fact, it came from a different number. It is also very easy to reserve a phone number temporarily, and then stop using it. I would say chances are very, very good that this was a temporary phone number and could be unused soon after it was used by these scammers.

  2. Choni

    Hi there,
    Yes like others here, when I open my
    Pc today I got a pop up message to call and I rang them. I was responded by an acccent man. I didn’t know he was looking for remote if. But I gave that number and he can access my computer. I think I am scammed. At the moment I plug out all my pc. Will they be able to take my infos. I am dead worried. Help help help!!!! What can I do to protect now. Ohh …. My days just gone mad…

    Reply
  3. Lee

    Hi Guys

    I had a call from one of these scammers today. Lied and told him my internet connection isn’t working at the moment and he is calling back later.

    What information can I get out of him to be able to get something that I can report to police and shut them down?

    Reply
    1. David Post author

      Hi Lee,
      Unfortunately, it’s incredibly difficult to investigate and prosecute these types of scams, because most of the times, the scammers are based outside of the police’s jurisdiction (I’m not sure where you live, but they are almost certainly not based in the United States, for example). It is also very easy to “spoof” the phone number that the scammers call from, so they make it look like they are calling from a particular phone number, but they are in fact calling from a completely different phone number & location.

      That said, the best information that you can give the police (actually, the FBI in the United States are the best people to go to) is the phone number as it appears on your phone when the scammers call you, and the exact time that they called. Again, it’s easy for the scammers to “fake” the phone number, but this is at least a start!

  4. Greg

    I had A caller yesterday from supremo and they wanted to refund money to me. It seemed weird as I did have tech support once but from a company with a different name but I was disappointed with them after awhile as sometimes they would not fix everything properly anyway I asked for a refund and got back every cent from them after being with them for a year. So when I received the call from this guy wanting to return 90 US it just didn’t seem right especially when he said that all I had to do is fill out a form and he could refund my money. In a way that seemed to me OK but he said go to my browser and type in WWW. Supremo CONTROL and soon as he said control alarm bells in my head that were already ringing got louder. But here is the thing, he had my name address and G mail street name post code and suburb and off course my phone number all correct, I don’t know maybe there was $90 usd still owing but I just could nor would not take the chance just in case. Though if they had all that why did they need to take control of my PC ??? Any thoughts. What do you think. To late now anyway cause I told them the supremo was a scam and that they could keep the money. He seemed very upset as If I hurt his feelings. A scammer with feelings or someone fair-dinkum trying to return money, maybe pigs do fly backwards sometimes!

    Reply
  5. Lila

    Same thing happened to me just now. I hung up after reading a message on the supremo pup-up saying no Microsoft employee would ever ask you to get access. So did not give them an ID / password – but did download and run Supremo. I’ve done a bit of research and it looks like that in itself isn’t a big deal and that the software is clean. Any thoughts? Am I safe or do I have to change all my passwords?
    PS As I was on the phone with them,I asked them where they were located and they gave me an address in London, Cardinal Ct Victoria Street. I googled it and asked where they went for lunch and then asked them how they found the places in the area. The first guy completely blocked that question. The second clearly also googled it the address and then named some of the places around… the whole thing was really fishy but they did keep me interested long enough to almost believe it was legit… anyone know if I need to take any action since I downloaded and ran supremo?

    Reply
  6. Wm Stanley

    Thank you for writing out what I have tried in vain to handle. The BS is as you describe – these *&#%! foreign hired thugs try to use up you time, destroy your cpu operation, and generally make life difficult. The callers are criminals or stupid and usually hired by unscrupulous US Agencies to make calls supplied to them by government agencies unknowingly. I can say this because the only time I give this number out has been to state licence bureaus or similar organizations. I am on a Do-Not_ Call registry. When this number is contacted I know at once it is either a wrong number or a criminal.

    There are devices (wish I could find one) that blast the ears of an unwanted caller. We need to fight back!!!

    Reply
  7. Pingback: Beware: Supremo Call Center Scam - Lazy Man and Money

  8. karen

    This is still around. Just got off the phone with someone with an indian accent. Did the run thing but when trpied the iexplore gg.gg20207 two windows popped up and there was no run on the front window. while that was happening I looked up and found this site. Thanks for having it online.

    Reply
  9. K. Smith

    I received a phone call today from a “Microsoft” scammer. In all, I wasted roughly 25 minutes of their time.

    He requested that I open MSConfig, and directed me to download Gotoassist, to which I replied there was a certificate error (there was not, I wanted to see how he would respond.). He then directed me to download SupremoControl. I told him there was a DNS server error and he hung up.

    Reply
  10. Z. Swain

    Just got off the phone with “Computer Life” which tried to tell me hackers were on my laptop.. Asked me to open the run bar and type in CMD and run it. He told me he was going to cancel my laptop license and the hackers were using the laptop for illegal things. He then told me to download supremo control and i asked why and he kept making up things to scare me. He had a thick indian accent which i couldn’t understand and when i said i couldnt understand, he was getting mad at me and then i just hung up the phone. tried to 0141 the number but it was gone/deleted. I also googled “computer life” and it came up as a place in Greece which looked dodgy.

    Reply
  11. lala D

    I just got off of the phone, again, with a blocked number. I can confirm that they do change numbers. I have received calls from this same group of guys (always thick Indian accent) and always from “Microsoft support”. I have had quite a good time with them, playing pranks each time. 🙂 I am open to new ideas for keeping them on the line as long as possible (when I have the time, of course).
    I have had calls come in from Florida, NY, CA, Blocked number, and TX.
    It is incredibly annoying, but if I actually do answer, I just have fun with them, or hang up. I had one guy call back and actually yell at me. I was being cordial, but just giving him the run around, then hanging up.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *