An Analysis of an Attacker’s Attempt to Control my Windows Machine

(Note: This blog post was originally published on September 30, 2014)

This morning, I received a call from a Short Code phone number (609773). The number looked strange (I don’t think I’ve ever received a phone call from a Short Code phone number before), but I decided to answer. What follows is an analysis of the conversation I had with someone who was trying to hack into my Windows PC.

The man with a thick accent said that he was calling to inform me my computer had not been updated in quite a while, and asked if I was aware of this. He said that this could lead to system files becoming “outdated or corrupted.”

I quickly decided that this was a perfect opportunity to speak with a black-hat hacker and learn about some of his methods. (Note that I put an emphasis on “black-hat” because hackers in and of themselves are not necessarily evil people. You might have cousins, family members, or friends who are “programmers” for a living. If they are programmers, they are hackers. Again, let me emphasize: a “hacker” is not necessarily a bad person!)

I said “no, I wasn’t. How do I fix it?”

He first had me open up msconfig, a Microsoft Windows utility for editing and troubleshooting programs that run when the computer is first turned on. He had me click on the “Services” tab and look at the list of services underneath, and asked me to tell him how many services were in a “Stopped” status.

I said “several.”

Now let me pause here by saying that nothing he had asked me to do (so far) was harmful to my computer. Msconfig is a legitimate program, and it is safe to use. Many Windows services are configured to start only on demand (“Manual”) or are disabled outright, so a long list of “Stopped” services is completely normal on a healthy system. I am assuming that he directed me to see all of these “stopped” services so that I would be more concerned and hopeful that he could “fix” these services so that they would all start when the computer started (which is actually not at all necessary).
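As an added example (not part of the original post), here is what that “several stopped” number actually contains when you break it down by start mode. It uses only built-in cmdlets and the Win32_Service class, so it runs in Windows PowerShell 5.1 or PowerShell 7 without installing anything:

```powershell
# Added example, not from the original post: what the msconfig "Stopped" count
# is made of. Win32_Service exposes State, StartMode and DelayedAutoStart.
$services = Get-CimInstance -ClassName Win32_Service

# The single number the caller wanted read out to him.
$stopped = $services | Where-Object State -eq 'Stopped'
"{0} services, {1} stopped" -f $services.Count, $stopped.Count

# Most stopped services are stopped by design: StartMode 'Manual' means Windows
# starts them on demand, 'Disabled' means they are never meant to run. Neither
# says anything about the machine being "outdated or corrupted".
$stopped | Group-Object StartMode | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# The only stopped services worth a second look are those set to 'Auto':
# Windows intended to start them at boot and they are not running now.
# Delayed-start (DelayedAutoStart = True) and trigger-started services can
# legitimately sit here for a while after boot, so treat this list as a
# prompt to look, not a diagnosis.
$stopped | Where-Object { $_.StartMode -eq 'Auto' } |
    Select-Object Name, DisplayName, DelayedAutoStart, PathName |
    Format-Table -AutoSize
```

On a typical desktop the first table shows that the large majority of stopped services are “Manual”, which is exactly the point: the scare number is meaningless without the start mode next to it.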

The man on the other end of the phone then directed me to go to a website (supremocontrol [dot] com) and then directed me to click on the Download button, and then to download the software from that download page.

Update: According to some research I’ve performed, Supremo Control seems to be legitimate software. Scammers commonly want to gain remote access to your PC, and they will use valid tools to do this. Supremo Control software is not the problem in this case. The scammers who are using the software ARE the problem.

That said… I can’t find a whole lot of information about Supremo as a company. Google “Supremo” by itself, and you get results for the company. Google “Supremo Scam” and you get a whole lot of results about people complaining about the scam. I wish there were more articles, or even a Wikipedia article, that would help legitimize Supremo as a company.

While he continued to give me instructions, I was already logged into my local CentOS 7 test machine, and so got a copy of the homepage and of the “Download” page of the website he was sending me to.

At this point, I stopped following his instructions, as I didn’t have a safe Virtual Machine of Windows running at the time with which I could test without getting my primary Windows install infected.

After directing me to “run” the downloaded file, he asked for a 9-digit number (which would identify my machine to him so that he could log in remotely), and then for a 4-digit “password” that the program was supposed to display. Those two values are all a remote-access tool needs: whoever has them can see and control the desktop.

After telling him repeatedly what these numbers were (even though I made them up out of thin air), I could tell he was very confused because he couldn’t connect to my system! After a few seconds of silence while he tried to figure out what was going on, I hung up on him.

In summary, let this be a reminder and a lesson for ANYONE to never trust a computer “technician” who calls you out of the blue and tells you that your computer is infected, and never to read out the ID and password of a remote-access tool to an unsolicited caller. You should always ensure that the person you talk to on the phone regarding the security of your computer is someone you know and someone you trust.

In the future, I will hopefully be able to analyze the file, but I don’t have the resources to do it (safely) right now. If I had a working Windows virtual machine in VirtualBox, I would have loved to have continued our conversation through to the very bitter end, so that I could learn more about his tactics!

Questions or comments? Let me know!


Addendum (posted in December, 2015): Due to the number of comments requesting assistance, here are a few resources.

  • Develop CENTS: My company, Develop CENTS, provides IT consulting, technical support, web hosting and more. I’ve written several blog posts on security-related issues, all of which are accessible on its website. Note that I run this business for a living, so if you contact me directly, I will only be able to provide some general guidance. For more in-depth support, I will ask you to pay my standard hourly rate.
  • Malwarebytes: If you are concerned that your computer may be infected by a virus, then one of the programs I typically recommend is Malwarebytes. Note that the free version can only legally be used by individuals on non-commercial computer equipment (i.e. if you use a computer for business functions, then you should get the paid version)
  • Spybot Search & Destroy: Spybot is another good antivirus / antimalware program. Make sure to read and understand the licensing. For example, if you’re a business, you should not use the free version.

90 thoughts on “An Analysis of an Attacker’s Attempt to Control my Windows Machine”

  1. Rahim

    I received a call from the number 404-602-9519 yesterday. They asked me to download Supremo software and connected to my PC. But when they asked me to pay money to remove malicious software, I did hang up. They will try in all possible ways to scare you and make you pay. Please make a note of this number.

    1. David Post author

      Hi Rahim,
      Thanks for your comment. One thing to note is that it is incredibly easy for these scammers to “spoof” a phone number, which essentially makes it look like a phone call came from a particular phone number, when in fact, it came from a different number. It is also very easy to reserve a phone number temporarily, and then stop using it. I would say chances are very, very good that this was a temporary phone number and could be unused soon after it was used by these scammers.

  2. Choni

    Hi there,
    Yes, like others here, when I opened my PC today I got a pop-up message to call and I rang them. I was answered by an accented man. I didn’t know he was looking for a remote ID. But I gave that number and he can access my computer. I think I am scammed. At the moment I have unplugged my PC. Will they be able to take my info? I am dead worried. Help help help!!!! What can I do to protect myself now? Ohh …. My day has just gone mad…

  3. Lee

    Hi Guys

    I had a call from one of these scammers today. Lied and told him my internet connection isn’t working at the moment and he is calling back later.

    What information can I get out of him to be able to get something that I can report to police and shut them down?

    1. David Post author

      Hi Lee,
      Unfortunately, it’s incredibly difficult to investigate and prosecute these types of scams, because most of the times, the scammers are based outside of the police’s jurisdiction (I’m not sure where you live, but they are almost certainly not based in the United States, for example). It is also very easy to “spoof” the phone number that the scammers call from, so they make it look like they are calling from a particular phone number, but they are in fact calling from a completely different phone number & location.

      That said, the best information that you can give the police (actually, the FBI in the United States are the best people to go to) is the phone number as it appears on your phone when the scammers call you, and the exact time that they called. Again, it’s easy for the scammers to “fake” the phone number, but this is at least a start!

  4. Greg

    I had a caller yesterday from Supremo and they wanted to refund money to me. It seemed weird as I did have tech support once, but from a company with a different name, and I was disappointed with them after a while as sometimes they would not fix everything properly. Anyway, I asked for a refund and got back every cent from them after being with them for a year. So when I received the call from this guy wanting to return 90 USD it just didn’t seem right, especially when he said that all I had to do was fill out a form and he could refund my money. In a way that seemed OK to me, but he said go to my browser and type in WWW. Supremo CONTROL, and as soon as he said “control” the alarm bells in my head that were already ringing got louder. But here is the thing: he had my name, address, Gmail, street name, post code and suburb and of course my phone number, all correct. I don’t know, maybe there was $90 USD still owing, but I just could not and would not take the chance, just in case. Though if they had all that, why did they need to take control of my PC??? Any thoughts? What do you think? Too late now anyway, cause I told them Supremo was a scam and that they could keep the money. He seemed very upset, as if I had hurt his feelings. A scammer with feelings, or someone fair dinkum trying to return money? Maybe pigs do fly backwards sometimes!

    1. Texan 66

      For anyone who comes on this old post via a search: definitely attempted fraud. The “refund” trick: they ask you to log into your bank account to “process the refund”. Typically they might then blank your screen with some pretext, while having access to your account. Even if you have two-factor authentication, they’re in. Often happens to me (my number is on their lists of mugs); I let them play with a VM.

  5. Lila

    Same thing happened to me just now. I hung up after reading a message on the Supremo pop-up saying no Microsoft employee would ever ask you for access. So I did not give them an ID / password, but I did download and run Supremo. I’ve done a bit of research and it looks like that in itself isn’t a big deal and that the software is clean. Any thoughts? Am I safe or do I have to change all my passwords?
    PS As I was on the phone with them, I asked them where they were located and they gave me an address in London, Cardinal Ct, Victoria Street. I googled it and asked where they went for lunch and then asked them how they found the places in the area. The first guy completely blocked that question. The second clearly also googled the address and then named some of the places around… the whole thing was really fishy but they did keep me interested long enough to almost believe it was legit… anyone know if I need to take any action since I downloaded and ran Supremo?

    1. Texan 66

      Supremo, TeamViewer, and LetMeIn are safe in themselves. Once you’ve let somebody use them to have access to your computer, anything can happen, just as if you’d invited a stranger, probably a thief, to use your computer.

  6. Wm Stanley

    Thank you for writing out what I have tried in vain to handle. The BS is as you describe: these *&#%! foreign hired thugs try to use up your time, destroy your CPU operation, and generally make life difficult. The callers are criminals or stupid and usually hired by unscrupulous US agencies to make calls supplied to them by government agencies unknowingly. I can say this because the only time I give this number out has been to state licence bureaus or similar organizations. I am on a Do-Not-Call registry. When this number is contacted I know at once it is either a wrong number or a criminal.

    There are devices (wish I could find one) that blast the ears of an unwanted caller. We need to fight back!!!

  7. Pingback: Beware: Supremo Call Center Scam - Lazy Man and Money

  8. karen

    This is still around. Just got off the phone with someone with an Indian accent. Did the run thing, but when I tried the iexplore gg.gg20207 two windows popped up and there was no run on the front window. While that was happening I looked up and found this site. Thanks for having it online.

  9. K. Smith

    I received a phone call today from a “Microsoft” scammer. In all, I wasted roughly 25 minutes of their time.

    He requested that I open MSConfig, and directed me to download Gotoassist, to which I replied there was a certificate error (there was not, I wanted to see how he would respond.). He then directed me to download SupremoControl. I told him there was a DNS server error and he hung up.

  10. Z. Swain

    Just got off the phone with “Computer Life”, which tried to tell me hackers were on my laptop. Asked me to open the run bar and type in CMD and run it. He told me he was going to cancel my laptop license and the hackers were using the laptop for illegal things. He then told me to download Supremo Control and I asked why and he kept making up things to scare me. He had a thick Indian accent which I couldn’t understand, and when I said I couldn’t understand, he was getting mad at me and then I just hung up the phone. Tried to 0141 the number but it was gone/deleted. I also googled “Computer Life” and it came up as a place in Greece which looked dodgy.

  11. lala D

    I just got off of the phone, again, with a blocked number. I can confirm that they do change numbers. I have received calls from this same group of guys (always thick Indian accent) and always from “Microsoft support”. I have had quite a good time with them, playing pranks each time. 🙂 I am open to new ideas for keeping them on the line as long as possible (when I have the time, of course).
    I have had calls come in from Florida, NY, CA, Blocked number, and TX.
    It is incredibly annoying, but if I actually do answer, I just have fun with them, or hang up. I had one guy call back and actually yell at me. I was being cordial, but just giving him the run around, then hanging up.

  12. Felix Gonzalez

    I had a phone call from someone claiming that they were from “Microsoft Support” and that hackers had taken over my machine. They had me download the supremocontrol program.

    However, this computer I am using is technically a work/business computer which doesn’t have admin privilege or access. The man hung up as soon as I mentioned that it was “more or less a work computer”.
    I tried to find the programs that were installed but they are nowhere to be found on the uninstall list.

    1. Texan 66

      “I tried to find the programs that were installed but they are nowhere to be found on the uninstall list.” They weren’t installed, just downloaded and available to run by clicking them. Just delete the program files (e.g. supremo.exe) and they’re gone.
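As an added example, not part of the original post or of Texan 66’s comment: the situation in the last few comments (a remote-access tool downloaded and run from Downloads, nothing in the uninstall list, unsure whether it is still active) can be checked in a few lines of PowerShell. The list of tool names below is my assumption for illustration; extend it with whatever the caller asked you to fetch.

```powershell
# Added example, not from the original post: post-incident checks after an
# unexpected remote-access tool was downloaded or run. Run as the user who
# took the call; step 3 sees more when run from an elevated prompt.
# The tool names are assumptions for illustration, not a complete list.
$toolPatterns = 'supremo', 'teamviewer', 'anydesk', 'gotoassist', 'logmein', 'ultraviewer'
$regex = ($toolPatterns -join '|')

# 1. Files still on disk. These tools are usually run straight from Downloads
#    without an installer, which is why they never appear in "Add/Remove programs".
$paths = "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP
$files = Get-ChildItem -Path $paths -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Where-Object Name -match $regex
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Created   = $f.CreationTime
        Signer    = $sig.SignerCertificate.Subject   # who signed the binary
        SigStatus = $sig.Status                       # Valid / NotSigned / HashMismatch ...
    }
}

# 2. Anything still running, and where it is connected to.
$procs = Get-Process | Where-Object { $_.ProcessName -match $regex }
foreach ($p in $procs) {
    Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        Select-Object @{n='Process';e={$p.ProcessName}},
                      LocalPort, RemoteAddress, RemotePort, State
}

# 3. Services or autorun entries that would bring the tool back after a reboot.
#    Someone who had control of the desktop may have set it up to start with Windows.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $regex } |
    Select-Object Name, State, StartMode, PathName
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    Get-ItemProperty -Path $k -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Value -match $regex } |
        Select-Object @{n='Key';e={$k}}, Name, Value
}
```

A file with a valid signature from the vendor only tells you the tool itself is genuine, which is the point the post’s update makes; it says nothing about what was done with it. Ending the process and deleting the file removes the tool, but it does not undo anything done during the session, which is why the advice elsewhere in this thread to change passwords from a different device still applies.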

  13. Judy

    Received a call today from one of our Indian-accented charlatans. Offered to “refund” $199.99 due to (some excuse I didn’t understand). Click on the Windows button+r. Enter I had such a hard time understanding the man, just to get the login address, that he finally passed his phone to another person who could speak better English. He told me to press the “download” button, and I told him NO WAY. He argued with me for a while, then I hung up. He called back, and I just let ‘er ring. Caller ID: “Private Name, Private Number.” I hate these idiots.

  14. Eugene Stein

    Unfortunately, these crooks, thieves, scoundrels (those are the nice words) obviously prey on the elderly and disabled. I receive one or two calls a week from persons with heavily accented voices, always during the day, always from what look like real phone numbers, always from “Windows Support,” “Your Windows Support Team,” “Your Windows Monitoring Service.” Note that they always are from Windows, which I guess, unlike Microsoft, is not copyrighted or trademarked. Over the years (yes, years), they have told me that my computer “is leaking information,” “has out of date virus software,” and now are telling me that they want to give me $200.00 as a refund for software that I purchased that is defective in a way that they will show me if I will only “hit the button that has a picture of the Windows symbol and the ‘r’ key, and enter into the box that pops up (the run)”.
    I once got playful with them and asked the fellow who called where he was calling from. After repeating several times that he was calling from the Windows blah, blah, I said no, I mean where is the phone located that you are calling from, what city, state, town, country is the desk that you are sitting at located in? He responded that he was located in Las Vegas, NV. Whereupon I asked about the weather there, and stated that I was surprised that there is such a large population of Asians there, that it was such a hub of computer companies, whereupon he hung up.
    However, this stuff is in no way funny. Like one of your other commentators I am on the various do not call lists, I am able to block all suspicious phone numbers, I have complained to my state attorney general, all for nothing. They are able to somehow completely get around the do not call registries; no matter what number I block, they come up with more; if I hang up on them, they have the nerve to call back almost immediately from another number. They call during the hours that they can reach the less computer literate (and plenty of people who should know better) and can wipe out an elderly person’s life savings, gain access to the disabled’s SSI checks, bank accounts, SOCIAL SECURITY NUMBERS and more.
    I do not know what the solution to this problem is, but hopefully some Senator’s or congressperson’s elderly mother or grandparent will be called and the estate that the Senator was waiting to inherit winds up in an untouchable off-shore account. Then, perhaps, some real steps will be taken to stop these bottom feeders from doing further damage.

  15. Roger Wilco

    Just got a call on my cell. When hitting the answer button it rang phone number +1 (202) 454-2524; after a ring or two a man with an Indian accent told me that he had worked on my computer a little while back and did I remember him. (I played along for a while, just long enough to get this tactic. I’ve been a computer tech type for 25+ years and fix the very stuff these guys leave in their wake.)
    He tried to get me to log in to 1234c*mputer.c*m and download s*premo.exe. I stopped short of executing this download because I was getting really ticked off at this guy. I quickly told him I knew it was a scam and he should be ashamed of himself. The whole time I could hear 10-20 people in the background with Indian accents scamming a lot of innocent people. FLIPPING DISGUSTING!!!

  16. Catherine Ousselin

    So my 13-year-old nephew answered the phone while he was alone at home. He gave them full access. They have remote access to her computer. So, where do we go from here? She has closed down her bank/credit accounts, unplugged the ethernet/wifi. Any help would be appreciated. Poor kid. He is sick with anxiety.

    1. Iris Diaz

      Change passwords for everything ( bank accts, email, etc) on a different computer.
      Can you restore the pc to a previous time before these scammers got into it?

  17. Iris Diaz

    This happened to me today. The twist on the story is that they were calling me to give me a refund on software I purchased (mind you, no detail on what it was I purchased) and in order to start the process I would need to be in front of my computer. Same man with thick accent directed me to press Windows Key + R to bring up my command prompt and asked me to type iexplore.
    Needless to say I did not do this. He tried to get me to give him my email address to send me the form with link however I told him that he should have it with my personal information they have for the purchase they claimed they were refunding me. He had several old email addresses for me but I just hung up.
    Beware of this and don’t let them fool you.

  18. Linda

    Yes I had the same issues also. I was looking for tech support for my HP computer and apparently I got a wrong number instead got the scammers. Anyway before I realized what was going on they convinced me to take control over my computer. They did owe me a refund and the only way they said they could do it was to deposit it back into my bank account. I do not do internet banking but they thought I did and somehow they were able to bring up a window for my bank for me to fill out so that they could deposit the money into my account. I went as far as typing in my bank account number. They claimed that they could not see me typing out the numbers but instead just the stars. That was probably a lie also. I did change my bank account so it’s safe that way.

  19. Derek Biddle

    Why do the remote control program providers like Supremo control fail to put a warning on their web site before downloading to tell potential users not to do so if they have been called or emailed by someone they do not absolutely know, they should go no further.

    Not doing so is irresponsible, even if their product is the best thing since sliced bread.

    And the only user that could ask for data would be the scammer.

    I had a call today, and would never have gone all the way. But by sounding unsure, I kept them on the phone for over 20 minutes – making it less likely that they would succeed elsewhere.

