An Analysis of an Attacker’s Attempt to Control my Windows Machine

(Note: This blog post was originally published on September 30, 2014)

This morning, I received a call from a Short Code phone number (609773). The number looked strange (I don’t think I’ve ever received a phone call from a Short Code phone number before), but I decided to answer. What transpired is an analysis of the conversation I had with someone who was trying to hack into my Windows PC.

The man with a thick accent said that he was calling to inform me my computer had not been updated in quite a while, and asked if I was aware of this. He said that this could lead to system files becoming “outdated or corrupted.”

I quickly decided that this was a perfect opportunity to speak with a black-hat hacker and learn about some of his methods. (Note that I put an emphasis on “black-hat” because hackers in and of themselves are not necessarily evil people. You might have cousins, family members, or friends who are “programmers” for a living. If they are a programmer, they are a hacker. Again, let me emphasize: A “hacker” is not necessarily a bad person!)

I said “no, I wasn’t. How do I fix it?”

He first had me open up msconfig, a Microsoft Windows utility for editing and troubleshooting programs that run when the computer is first turned on. He had me click on the “Services” tab and then double click on the Services tab underneath. He asked me to tell him how many services were in a “Stopped” status.

I said “several.”

Now let me pause here by saying that nothing he had asked me to do (so far) was harmful to my computer. Msconfig is a legitimate program, and it is safe to use. I am assuming that he directed me to see all of these “stopped” services so that I would be more concerned and hopeful that he could “fix” these services so that they would all start when the computer started (which is actually not at all necessary).

The man on the other end of the phone then directed me to go to a website (supremocontrol [dot] com) and then directed me to click on the Download button, and then to download the software from that download page.

Update: According to some research I’ve performed, Supremo Control seems to be legitimate software. Scammers commonly want to gain remote access to your PC, and they will use valid tools to do this. Supremo Control software is not the problem in this case. The scammers who are using the software ARE the problem.

That said… I can’t find a whole lot of information about Supremo as a company. Google “Supremo” by itself, and you get results for the company. Google “Supremo Scam” and you get a whole lot of results about people complaining about the scam. I wish there were more articles, or even a Wikipedia article, that would help legitimize Supremo as a company.

While he continued to give me instructions, I was already logged into my local CentOS 7 test machine, and so got a copy of the homepage and of the “Download” page of this malicious website.

At this point, I stopped following his instructions, as I didn’t have a safe Virtual Machine of Windows running at the time with which I could test without getting my primary Windows install infected.

After directing me to “run” the downloaded file, he asked for a 9-digit number (which would identify my machine to him so that he could log in remotely), and then a 4-digit “password” that the program was supposed to provide.

After telling him repeatedly what these numbers were (even though I made them up out of thin air), I could tell he was very confused because he couldn’t connect to my system! After a few seconds of silence while he tried to figure out what was going on, I hung up on him.

In summary, let this be a reminder and a lesson for ANYONE to never trust a computer “technician” who calls you out of the blue and tells you that your computer is infected. You should always ensure that the person you talk to on the phone regarding the security of your computer is someone you know and someone you trust.

In the future, I will hopefully be able to analyze the file, but I don’t have the resources to do it (safely) right now. If I had an operational VirtualBox of Windows, I would have loved to have continued our conversation through the very bitter end, so that I could learn more about his tactics!

Questions or comments? Let me know!

 

Addendum (posted in December, 2015): Due to the number of comments requesting assistance, here are a few resources.

  • Develop CENTS: My company, Develop CENTS, provides IT consulting, technical support, web hosting and more. I’ve written several blog posts on security-related issues, all of which are accessible at https://developcents.com/blog/. Note that I run this business for a living, so if you contact me directly, I will only be able to provide some general guidance. For more in-depth support, I will ask you to pay my standard hourly rate.
  • Malwarebytes: If you are concerned that your computer may be infected by a virus, then one of the programs I typically recommend is Malwarebytes. Note that the free version can only legally be used by individuals on non-commercial computer equipment (i.e. if you use a computer for business functions, then you should get the paid version).
  • Spybot Search & Destroy: Spybot is another good antivirus / antimalware program. Make sure to read and understand the licensing. For example, if you’re a business, you should not use the free version.

89 thoughts on “An Analysis of an Attacker’s Attempt to Control my Windows Machine”

  1. Aidan

    Thank you so much for this article. Whilst on the phone to a technician from the “windows support team” he told me to input exactly what you have stated. Whilst “waiting for it to load” I quickly checked out what he was wanting me to do, as I have a good knowledge of computers and the phone call seemed to be dodgy, so I wanted to check it out. He didn’t seem to know what he was speaking about, as he said that all the computers in the house would have been infected as they’re all connected to the internet. So I researched the website, which brought me to this article. I made up a story that my anti virus blocked the website as it was a gateway for scammers onto my computer; he then said to turn off my antivirus. I responded with “if this program lets scammers onto my computer, why would I block it?” He didn’t respond, and after a minute and a half of me repeating ‘hello?’ I put the phone down.

  2. John

    Feb 4, 2016, 11:26 EST: Got the same sort of call, claimed to be calling from “Windows” and “Windows Technical Support”. The scammer wanted me to go to the site showmypc . c om, but to hide it he wanted me to use the WinKey-R key combo to start the Run command and then type in “iexplore showmypc . c om” in order to get directly there. When I gave some trouble I was passed to a higher up tech (a more experienced scammer really) and he wanted to do essentially the same thing, except to run www . supremofree . c om and then download a file. CallerID came up as 646-843-2567 but callerID is highly unreliable these days.

  3. Nick Peterson

    I got the same kind of call today, from caller ID: 1-234-567-8901

    Suspicious!

    Young lady with heavy accent on noisy line said she’s calling from Microsoft Technical Support to fix errors on my computer.

    I recognize this as a scam; decided to play along to see where it leads. No worries since I don’t even run Windows.

    Had me go through the same procedure others have described. Run ASSOC to find the long line which she read back to me to convince me she had my individual computer’s Customer License ID or whatever; had me run EVENTVWR (Event Viewer) to see “errors”. Told me they were a sign of a severe virus and that they were going to help me.

    Directed me to a web-site for Supremofree.

    I said that Norton had blocked the website; she transferred me to a young man (also heavy accent, not quite fluent English) who told me my Norton is outdated and to turn it off.

    I excused myself for a bio-break, put him on mute and listened. There was some side-conversation, first in English about my having gone off and then in a language I couldn’t identify. I came back on and told them that I’ve gotten through to the site and he tells me to download it.

    When I asked about it allowing him to take control of my computer, he said it “goes through the Microsoft server” and will enable him to “fix” my computer. [Yeah! I’ll just bet!]

    At that point, I’d had enough. Long story short, I managed to goad him into blurting what I believe was a glimpse of their true motivations:

    “I’m calling from Afghanistan! I hate the United States! You guys sent in your military and f*cked up my country! We can handle the Taliban by ourselves! We don’t need you!”

    These characters aren’t simple thieves; they are trying to crack through and do real damage…

  4. Barret Lawrence

    I also received a call from one of these people. It’s one of several I’ve received. I decided to humor him and follow the directions to a point. (I am quite computer proficient and well aware of what would be safe.) He had me open a run dialog and then pull up the event viewer. After commenting on all the many events displayed, he said that was what was creating many issues on my computer and causing slow downs and hardware damage. After that, he directed me to type in the Supremo Control address. I wasn’t sure how safe the site was, and I didn’t have a virtual machine, so it was at that point I confronted him and proceeded to call him a liar and a fraud. I told him I was reporting his activities to the FBI and that I was blacklisting his website (thanks for the heads up about Supremo Control being legitimate by the way, I’d hate to go after a reputable company for what someone else is doing). After yelling at the guy, calling him a fraud and a liar for a few minutes, I got tired of hearing his feeble protests and hung up. I hate to think that these people are actually successful at times. I wish we could somehow shut them down for good. They don’t seem to have things together, because after several attempts they still keep calling me and I still keep busting them out. Maybe next time, I’ll have a virtual machine ready and waiting. I’m just an enthusiast with little real training, but I do know how to isolate things to a virtual machine and then submit them to an antivirus company.

    1. David Post author

      Barret,
      Thanks for sharing your experience! Sounds like you and I are of kindred spirits. As for Supremo being a legitimate company, note that I think they’re legitimate. I don’t know that for sure.

  5. Khush

    Hi, actually I got a message on my desktop that I need to call a number starting with 1800.
    And I called them and he was asking for the id of supremo and the password. I gave it to him and I don’t know what he did with it. Can you please tell me what I need to do?

    1. David Post author

      Hi Khush,
      I would recommend running a scan with Malwarebytes and/or Spybot Search & Destroy (both of which are linked to at the bottom of this blog post). I can certainly provide remote assistance as well, through Develop CENTS, but I would need to charge for my time. Hope this helps!

  6. MichaelS

    I had the same experience via supremocontrol, but did have a Windows virtual machine to hand. These people are definitely criminals, not just offering an unneeded service. Attacker took me through the usual fake “proofs of malware”. After a while when I was resistant to making a payment he said that Microsoft would refund me £300, and asked for my bank details for the refund. He then made an additional connection via TeamViewer, I think because this allowed him to blank my screen (doesn’t blank a VM screen though). He then looked at various banking files on my computer. When I failed to give bank details he got threatening; as I was running Win XP, which he showed was no longer supported, the police would come and get me. Then he warned I was at risk of losing all my photos and stuff, then (expanding on the idea of photos) that the police would get me because I had porn on my computer (unless I paid him to update it). Then he said he would show me pictures of my daughter, and took me to a porn site. Then, after this highly professional discussion which would surely have convinced me that he was a Microsoft support person, and after looking at tempting bank details, he switched back to wheedle mode, “unblanking” my screen, bringing up the login page of “my” bank, and saying I had to login so he could protect me from banking fraud. When I didn’t, he started deleting icons, trying to delete other stuff, and warning me that my computer would become unusable. He managed to do something (I don’t know what) that crashed both the VM and the host machine, though of course all was well after a reboot.

    Another scammer a while ago “blanked” my screen, then started to make Western Union transfers from a stolen bank card (I pulled the plug just before the actual transfer, and phoned the police with the address the transfer was going to, etc.).

    These people are out-and-out criminals, not just pedlars of a dubious product.

    HTH

  7. Bob

    I received a call out of the blue from a man with a thick Indian accent who kindly informed me his tech support company was going out of business and they were going to refund the entire $255 I had paid for support 2 years ago. All I had to do was run http://www.spremocontrol[dot]com.

    Several things made the hairs stand up on the back of my neck about this call.

    First: It was an unsolicited call; always a red flag.
    Second: They were going to refund my entire purchase price; REALLY?!?
    Third: I don’t recall ever paying anyone $255 for technical support.

    He pressed me pretty hard to run the http://www.supremocontrol[dot]com but I refused and told him I don’t run anything I’m not sure of. I told him I would research my records to see if I ever contracted his services at which point the line went dead.

    To me it “walks like a scam” and “talks like a scam” so I figure it’s pretty sure to BE a scam.

  8. Will Punch Indian Scammers in the nose

    They just scammed my mother today. I caught it in the 1st hour though and urgently advised her to shut down all laptops / PCs in the house and keep them offline until the pros came in to reformat and re-install Windows. According to her, what happened is that she was surfing the web and a pop up came up with a woman’s voice in a loop and would not allow her to continue, with the pop up still appearing if she attempted to close the window. Instead of doing the sensible thing, which would have been to kill the browser in task manager or shut down and restart the machine, she phoned the help number on the pop up and spoke to an Indian Scammer. He had her on the phone around 30 minutes pretending to help and he gained remote access by getting her to install Supremo; he ran a program that looked to be scanning her files (probably grepping or FINDing keywords in files for bank account / credit card information which he would download). I got her to call the police on the UK 101 number for the fraud squad; funny thing is that they told her that they had never heard of this before and this was the first case… but I’m sure these have been around for a minimum of 5-8 years. (I bet the police are next to useless in dealing with this). She gave them the telephone number she called but what good is that if they’re out of their jurisdiction. I think she’s lost her mind to be honest; I was talking to her about Windows .EXE files and the Indian Scammer scanning the hard disk and all I get from her is hysterics and “What is a hard disk?”, “What is a .EXE file?”, and this is a woman who in the early 1990s (retired last year) worked on Windows 2D CAD applications, Word, Excel, Ingres database entry etc. So I dunno, the vulnerable are preyed upon.

  9. Kevin

    Hi All, I’m a former IT industry Software Technician.
    My Dad just got caught up in this. He was looking up election news for the Philippines and one of the websites led him to this URL: torjandetected{dot}online. It then threw a pop up that told him your PC has a suspicious connection trying to access your logins, banking details and tracking your internet activity…etc etc.. and your data may be at risk….blah blah blah. I have screenshots in case you want a copy of the full message. (I later tested that link again and the only way to escape the clutches of the pop up is to force close the entire internet browser using task manager (ctrl+alt+del).)

    The Pop-up directed him to call 1-800-875-6182, which he did, and an Indian-accent man directed him to download the tools listed below under TOOLS USED. LogMeIn (which was a trial version of the software) was successfully started up by my father and he gave the one-time code to the phishers via the phone (he was on the line the whole time). The phishers then proceeded to show him where the “problems” were, which are actually no problem at all. After putting on the “show” of what was wrong with the PC, they said that in order to fix it, my father would have to buy a warranty for $120. They then asked for his info. When they concluded the phone call, he directed my father to leave the PC on so that his “program could finish” – which was a command shell window my father saw; likely running a script or maybe just another part of the “show” so they could justify asking for his name, address, email, phone number, and debit/credit card. Thankfully, in this case, my Father didn’t give his card # as my mother handles that info.

    I’m not sure if they really did copy any files, but I educated my father on checking his annual credit report in case someone is stealing his identity. Also there is ID theft insurance. Very inexpensive, provides you $$$ coverage, and the best part of all, which made it worth it to me, is that the insurance company does the work of fixing your identity so you don’t have to take up the headache and time away from your life to clean it up.

    He just called back and I got additional info from him by impersonating my dad:
    he says they are based out of New Jersey.
    he says the company he works for is MicroTech (the websites he told me, microtech.com or microtek.com, are either bogus or unrelated to his supposed service being sold).
    At this point, I was done talking with him so I asked him, “how much money do you guys make scamming people?” He responded “I’m sorry?” I asked him again. Then I told him “you guys are the assholes of the world. Don’t call this number again or I’m calling the police!” in the angriest tone I could muster. Then hung up on him. So far, no calls back 🙂

    Stay safe out there everyone.

    TOOLS USED
    LogMeIn and Supremo.

    1. David Post author

      Thanks for sharing your experience, Kevin. My sister once got scammed like this, and immediately after hanging up, had doubts about it and called me up. After she and I talked for a while, she actually called the company back and demanded a refund. Interestingly enough, she got it. I don’t know how she pulled it off, they credited her credit card the $200 that they had initially charged her.

      You bring up a good point here, that ANY legitimate tool can be misused. As I’ve said in previous posts, while Supremo seems to be a common theme, other tools like LogMeIn can also be misused by scammers.

  10. Nick

    Currently on a call – managed 39 minutes so far – they are all so confused why they can’t connect – shame I know IT well enough to act stupid but give them zero access. I’m trying to piss them off for 1 hour.

  11. Kevin

    Awesome to find this post at the top of Google. Needless to say I’ve just had a call similar to all of the above but with a new twist. The heavily accented caller claimed to be from BT and informed me that they were going to be cutting off my internet access in 24 hours because I had a problem with my computer that was affecting the network.

    To give you a better perspective, I work with the web and have done since before Google existed and I do like to have fun with these callers. Like one of the previous commenters my thoughts are (if I have the time), if I can keep the scammer busy for half hour or more, it’s one less person who might get hacked.

    This time I said I had a very old computer. Everything he asked me to do or type in caused my computer to turn off. I could hear the glee and anticipation in his voice as he said ‘you have some very real problems that we can help you with.’ After my computer ‘turning off’ for the third time he even offered to send round a technician with a new computer; it would only cost £3 to arrange the appointment.

    How I wish I could have kept him busy for more than the 43 mins I did before he got wise and the abuse started.

    It’s good to know that supremocontrol is legit and responsive here.

    As always, never trust anyone who calls out of the blue claiming to be from MS or your telephone carrier – especially if they tell you you have PC problems they can fix.

  12. Daniel

    To start this off, do not trust cold callers. If they say they are from a company then they will be calling with a legitimate 800 number.

    I had an Indian fellow call me from a blocked number. He said he was from tech service. I told him I did not have a tech service subscription and said sorry about your luck and hung up.

    He called back. I answered and he proceeded to inform me that he was from Microsoft technical support. I asked him why he was calling from a blocked number if he was from Microsoft. He said they did not want the number out there so people keep calling back. I knew that was a lie.

    He then said hackers were remote accessing my computer and stealing my passwords. I recently had one of my credit cards duplicated and someone tried using it, luckily not for much so I kept talking with him.

    He ran me through how to access the error messages that are sent to Windows and had me filter out just the error and warning messages. This I assume is a worthwhile scare tactic. He had me right click one and asked if there was a delete option. There of course was not one. He then explained that was because it was put there by a hacker.

    He then had me open command, or run, prompt box and wanted me to type supremecontrol[dot]com.

    This is when I told him that I know windows and no windows operator or employee would send someone anywhere other than a Windows site and hung up. He called back and I let him go to voicemail. Then he called again. After the second time he stopped calling.

  13. paul

    I had a similar experience. Indian accent, hackers are compromising my computer, pay him $199 and he would clean up my computer. I told him I will pay nothing unless he gets my extremely slowed down computer back up to speed…. I told the IT that if this was a scam I would hunt him down and rip his heart out of his chest through his throat…. and told him he would not ever want to meet me in person if he damaged my computer… he giggled …. but got no credit card numbers (which I suspect he was after)………….. I despise these wormy trolls…. may they rot in a hot place forever

  14. Gary

    I had two of these calls in the space of three days. I work in IT so wasn’t taken in by the scam, but what on earth can we do to stop this practice? Do the police actually do anything or look into it? Is there a way we can use the remote access program against them and get a source IP address and report them to an ISP? There must be something! It saddens me that whilst we can waste their time and slow them down, we still seem powerless.

  15. Scammer Police

    As a public service, I spent 2 hours on the phone with these guys today. And an hour earlier in the day as well. I kept saying I had something on the stove, or had someone at the door, or whatever. Have to say, the amount of patience they showed was amazing. There were so many times that I almost burst out laughing with all of the very stupid questions I asked. And they transferred me around to various people (Sr Supervisor, Manager, Sr Manager), it is almost entertaining to be messing with them.

    I always figure the more time I can keep them on the line (even if it wastes my own time), I am saving someone else from becoming a victim. But it goes to show just how much profit is in it for them. At one point I even got the last person I spoke with to provide me a website (wiztech.com) but that website comes up showing “This website is temporarily unavailable, please try again later.” And then he gave me the site mywiztech.com (which is a legitimate site) but told me that number wouldn’t work and that I can’t call them without a code because I am not a customer yet.

    We went back and forth at one point with the guy pleading for me to hang up. Not sure why he couldn’t hang up, but apparently there was some time (maybe 90 minutes) after which he was allowed to hang up. He kept telling me he had already submitted the report to shut down my computer because my computer was infecting other computers and there was nothing he could do for me now. But then I was promptly called back by someone else. They finally said they would email me paperwork, but I gave them a bogus email address.

    Anyway, they first had me bring up the Run menu (windows key & r key) and enter eventvwr (to get the supposed “warnings”), then iexplore gg.gg/02027 and later iexplore gg.gg/78622 to try to get me to run the Supremo software, and later certmgr.msc to get me to believe the Microsoft Authenticode Root Authority is expired, and also CMD to show me they knew the code for the zfsendtotarget=CLSID as proof they already knew my “security license” expired. They said they could renew my license with a warranty for 1, 2, or 3 years for $199, $249, or $299 respectively.

    I can tell they believed they had a fish on the hook but that I was just wrangling and wrangling against letting them reel me in. These people are scum and I just can’t understand why they continue to find victims.

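Seen from the defender's side, the sequence this comment (and the original post) describes, a "proof" utility opened from the Run dialog, a browser started with a dictated URL, then a remote-support tool run from Downloads, leaves a recognisable trail in endpoint process-creation telemetry. The script below is an added example and is not code from the post, from any commenter, or from Supremo; the Sysmon-style field names, the sample events, the tool-name patterns and the 45-minute window are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    """One process-creation record (field names are an assumption modelled on Sysmon event 1)."""
    time: datetime
    user: str
    image: str         # full path of the started executable
    cmdline: str
    parent_image: str  # full path of the parent process


# Stage 1: the "proof" utilities victims are told to open from the Run dialog
# (eventvwr, msconfig, certmgr.msc in the post and comments). The ASSOC trick is
# typed inside an already-open cmd window, so it leaves no process event of its own.
SCARE_CMDLINE = re.compile(r"\b(eventvwr|msconfig|certmgr\.msc)\b", re.I)
# Stage 2: a browser started with a dictated URL (shortener or remote-tool site).
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
DICTATED_URL = re.compile(r"(gg\.gg/|fff\.re|supremo(control|free)?\.com|showmypc\.com)", re.I)
# Stage 3: a remote-support tool run straight from the Downloads folder (name patterns assumed).
REMOTE_TOOL = re.compile(r"(supremo|teamviewer|logmein|showmypc)", re.I)
WINDOW = timedelta(minutes=45)  # assumption: roughly the length of one phone call


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def stage_of(e: ProcEvent):
    """Classify one event as a scam stage, or None when it matches nothing."""
    img = basename(e.image)
    if basename(e.parent_image) == "explorer.exe" and SCARE_CMDLINE.search(e.cmdline):
        return "scare-proof"
    if img in BROWSERS and DICTATED_URL.search(e.cmdline):
        return "dictated-url"
    if REMOTE_TOOL.search(img) and "/downloads/" in e.image.replace("\\", "/").lower():
        return "remote-tool"
    return None


def detect(events):
    """Return one finding per user whose events show at least two distinct stages inside WINDOW."""
    findings = []
    by_user = {}
    for e in sorted(events, key=lambda ev: ev.time):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            seen = {}
            for e in evs[i:]:
                if e.time - start.time > WINDOW:
                    break
                st = stage_of(e)
                if st and st not in seen:
                    seen[st] = e.time
            if len(seen) >= 2:  # one stage alone (e.g. someone opening Event Viewer) is normal
                findings.append({"user": user, "stages": sorted(seen),
                                 "first": min(seen.values()), "last": max(seen.values())})
                break
    return findings


# Constructed sample: one victim walked through the full sequence, one ordinary user.
T = datetime(2016, 2, 4, 10, 0)
SAMPLE_EVENTS = [
    ProcEvent(T + timedelta(minutes=2), "HOME\\mom", r"C:\Windows\System32\eventvwr.exe",
              "eventvwr", r"C:\Windows\explorer.exe"),
    ProcEvent(T + timedelta(minutes=6), "HOME\\mom", r"C:\Program Files\Internet Explorer\iexplore.exe",
              "iexplore gg.gg/02027", r"C:\Windows\explorer.exe"),
    ProcEvent(T + timedelta(minutes=11), "HOME\\mom", r"C:\Users\mom\Downloads\Supremo.exe",
              "Supremo.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    # Benign: someone opens Event Viewer, and hours later starts an installed TeamViewer.
    ProcEvent(T - timedelta(hours=1), "HOME\\dad", r"C:\Windows\System32\eventvwr.exe",
              "eventvwr", r"C:\Windows\explorer.exe"),
    ProcEvent(T + timedelta(hours=5), "HOME\\dad", r"C:\Program Files\TeamViewer\TeamViewer.exe",
              "TeamViewer.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['user']}: stages {f['stages']} between {f['first']:%H:%M} and {f['last']:%H:%M}")
```

Only the victim's session is flagged; the admin who opens Event Viewer and later runs an installed TeamViewer never reaches two stages inside one window, which is what keeps the rule from alerting on ordinary remote-support use.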
  16. Lawrence Davis

    I have been called by these people just about every week since 2014. Sometimes 4 times a day. Same ole bologna. I got friendly with one of them pretending to do what he told me to do. I got him to admit that he lived in northern India right on the Pakistan border where he worked. These people are not all Indians, but mostly Pakistani, and both Northern India (on the border) and all of Pakistan is Islamic. Yes, they are making money with fraud, but most of it goes to Jihadist causes. Some calls originate from Saudi Arabia as well. A caller ID will not show this, but my IP provider puts it on the TV screen, and I can see their real phone number. This is how I know by Country Code and City Code. Some sound Indian, but the calls I have been getting are from Pakistan and Saudi Arabia, and therefore a type of Farsi (Arabic) accent. It is more than a scam, it’s a Jihad, and the police, sheriff, marshal, or the FBI have no jurisdiction. My county sheriff told me they got hit last week with Chinese flags flying. They can only reinstall their system from scratch at taxpayer’s expense. Heads Up! Wise up, or you will lose badly. Think before you vote this November. Who took millions from some or all of these countries? And this candidate is in their back pocket.

  17. Jennifer

    I got a call from “Supremo” today stating that I was entitled to a refund also. The thick accented “gentleman” told me that I needed to download the app so that he could send me a refund form to complete. I downloaded the app and clicked run. My phone died, luckily. Then, I decided to Google for scams. I came across these posts. I immediately disconnected my laptop from the internet. I’m wondering if the damage has already been done??

    1. David Post author

      Hi Jennifer,
      As I’ve tried to indicate in the blog post and in my answers to similar questions here, I don’t think that Supremo is the problem. It is simply a tool that can be used for malicious purposes, but it was (I think) developed for legitimate use. This is similar to other tools such as TeamViewer, Join.me, LogMeIn, etc…

      Regardless, I would recommend uninstalling the Supremo tool, as you don’t need it, and I’m uncertain of its safety. You can use a tool like Malwarebytes to scan for potential malware, but if the person you spoke to never actually connected to your computer through Supremo (i.e. your phone died before completing that step), then I would say there’s probably nothing to worry about.

      Feel free to contact us through https://developcents.com if you need additional assistance. We’d be happy to help, but would need to charge our hourly rate.

  18. Eric

    Thank you all for this blog/post. I too just got a call like this. They gave me a number to call to verify who they are: 209-813-1251. They said their office was at 3340 Ocean Park Blvd, Suite 160 in Santa Monica CA. They said they were a vendor from Windows Technical Dept. I got as far as looking at Supremo and realized I would be giving control of my computer to someone I do not know or trust, and I politely declined to proceed further. Thanks for all these posts because had I not seen them, I might have gone further.

    1. David Post author

      Hi Eric,
      Thanks for sharing your experience. Yes, any legitimate tool like Supremo, TeamViewer, VNC and other remote desktop tools, if used by the wrong people, can be dangerous! I’m glad that you were able to prevent this from happening to you.

  19. LoveLots

    Yikes! Almost happened to me, I got as far as the fff.re website and saw that the application for supremo was on my computer. I’m wondering did the website prompt the download? How did the application for download make it to my computer? I didn’t run the supremo app I hung up. I did have some tech support help from HP but am still wondering if by going through the website the app automatically downloaded; do they have access to my computer?
