(But not beaten...)
When was the last time you felt foolish?
The other day I innocently opened Google Maps to see if there is a Marshall’s in my new town. I saw the usual Map open in a tab, and a couple of seconds later, I saw that tab turn into a webpage that looked similar to this:
Of course I was immediately alarmed, and wondered if my firewall McAfee knew what was going on. As I studied the screen, it occurred to me that this might be a hoax, so I closed the tab and logged out, and then back in. I started over with my Google Maps search on Chrome, clicking on the first link that appeared in the search result. Probably should have checked the URL to that item more closely because the same thing happened! After a moment, the Google Map page turned into the same Microsoft “Support” page.
Happening twice seemed a bit too coincidental, so I picked up my phone and dialed the 800 number provided on the “support” page. An automated voice announced that I had reached Microsoft support and that I was caller number three. Within 15 seconds, a real person, a young man with a thick accent, came on the line and said his name was Kevin and how could he help me?
I told Kevin what had happened and described the screen as best I could. He said that a trojan virus had been attacking PCs lately and that he would need to get it off my computer. He instructed me to open a new tab in Google and type in ‘UltraViewer.net’. When I clicked ‘enter’, McAfee suddenly joined the party with this message:
I told Kevin about the warning pop-up, and he said to click ‘ok’ and not worry about it…this time. So I did.
Kevin talked me through what I was seeing on the screen as it happened: downloading UltraViewer, installing it, watching it open, and seeing a box like this appear:
Kevin then instructed me to read to him first the ‘Your ID’ number and then the Password, which I did without question. That was dumb, so why did I do it?
Well, I thought the Microsoft warning page was legitimate and that I was talking to someone from Microsoft support. After all, there had been a toll-free number to call and an automated answering system. What scammer would be capable of that? (Answer: if legitimate businesses can set up phone lines like this, anyone can.)
But in addition to that, two years ago, I had contacted HP support when my new computer wouldn’t function properly, and the lady tech had guided me through a similar remote-control situation. That was actually the whole reason I didn’t think it odd that Kevin needed access to my computer in order to rid me of the virus.
Thus began an hour and a half of lunacy, which (stupidly) was 85 minutes longer than logic should have dictated.
The first thing Kevin had me do was run the Command Prompt App already contained within Windows; he said this would scan my computer and find the problem. I was reassured because if this app was already inside Microsoft’s Windows operating system, it had to be legit. Right? The trouble with this logic is that I had no idea what the Command Prompt App was for. Apparently, not for scanning my computer for viruses. And yes, at this point, I should have known that McAfee was already continuously doing what Kevin said Command Prompt would do.
After Command Prompt finished flashing its hundreds of lines of DOS-type script on my screen, it finished with a few lines titled “Final Report”. Those lines loaded more slowly, and in retrospect, that could be because Kevin was typing them in as I watched. But I wasn’t thinking about the significance of their loading speed because the words themselves were frightening enough:
Child pornography website accessed: www.pornhub.xxx
Child pornography downloaded
IP address compromised
Phone line hacked
I wish I had taken a screenshot of those final lines, but my head was temporarily not screwed on straight. However, here is an example of what Command Prompt looks like as searched on Google:
Image Credit: Malwarebytes Labs
Kevin then went on to explain what an IP address is, and that mine had been used in four different places in the United States to download child pornography. He would need to file reports to the FCC on my behalf so I wouldn’t face criminal liability. He asked me to provide the customer service numbers from the backs of my bank cards so he could contact them also as part of the process. Here is where my usually-intact logical self should have said, “Whoa!” Instead, I pulled out the cards and recited the numbers to him.
Kevin then pointed my attention to the bottom line of the Command Prompt final report: phone line hacked. He said it was not safe for me to call my banks, using my phone, because the hackers could be listening to our conversation.
What?? I was talking on my cell phone! How could the virus on my computer be affecting my mobile telephone connection?
As my mind slowly churned through this thought, I heard Kevin say he would need to disconnect our call and reconnect through a “secure Microsoft line” so our conversation with my banks wouldn’t be accessible to someone else. Simultaneous to this, a new tab on Google Chrome suddenly opened to a pornographic cartoon website. Gasping, I exclaimed, “Oh, my God, Kevin! A pornographic website just opened on its own!” I’m surprised he was able to control his laughter.
And then it hit me: Kevin had access to my computer and could input commands as well as I could.
“Remember,” Kevin was saying, “your IP address was used in four different cities to download child pornography: Texas, Ohio, New Mexico, and Nevada.”
Those aren’t cities, my left brain said. And Kevin isn’t from Microsoft, her right twin added.
Immediately, I closed the porno tab followed by the UltraViewer box, and pulled the ethernet cord from the back of my desktop’s tower. On the phone, Kevin said, “I think we lost our internet connection. Can you check the taskbar and see?”
With an innocent voice, I said, “Oh, no. The internet is down. I guess we’ll have to try to fix my computer another time.”
Kevin, however, wasn’t ready to give up. “We still need to contact your banks. I’ll dial the number and then you respond to the prompts.”
Ok, I said. I listened as my bank’s automated introduction came on the line, asking me to say either my account number or my social security number. I shuddered as I thought about what giving Kevin my SSN could do to my life.
“Wait,” I said to Kevin. “I think I’m too upset to do this now. I’ll call them later. My computer’s offline for now, so I don’t think I’m in any current danger. Thanks, Kevin, for trying to help. Bye.” Then I disconnected.
Kevin tried to reconnect at least five times. Each time the phone rang, I clicked the reject icon. After a few minutes, the ringing stopped.
I thought about how foolish I had been and wondered why I had trusted Kevin as much as I did, and I realized it had to do with the fact that I had received remote assistance before. Plus, the Command Prompt had seemed so authentic.
But there were red flags, things I chose to ignore for reasons I’m not sure. First, the fake “Microsoft” security breach webpage had contained incongruities in language usage. For instance, in a prominent box near the top, I read,
“Security breach. This computer is blocked by Microsoft.
Kindly stop now call the number below.”
“Kindly stop now?” Since when does Microsoft (or any legitimate English-speaking company) use the word ‘kindly’? Probably never.
My brain also stupidly glossed over the run-on sentence. And...if you examine the fake webpage image back at the start of this article, you can find similar incongruities and errors in the main box:
Never gloss over errors on pages that were supposedly created by name-brand companies. Not capitalizing Microsoft, for instance, is a huge red flag. Additionally, in an attempt to assure me that he was legitimate, Kevin had at one point insisted I write down his first and last name, as well as his Microsoft support badge number in case we got disconnected or I needed more help. I have never had a customer service agent on any phone call give his last name or any kind of ID number. Again…stupid of me not to catch this.
Not knowing how much damage Kevin had been able to inflict, I contacted the Geek Squad at Best Buy. After looking at my computer, they told me that Kevin had not been able to do anything to it, probably because McAfee had been on the job. Additionally, they said, the remote connection afforded by UltraViewer did not give Kevin the ability to do things incognito. If I could not see him opening folders on my screen, then he wasn’t opening folders. Kevin had been smart enough to ask me to do the clicking and just watch what was happening. At one point, he had asked me to minimize my browser and examine my desktop to see if everything “looked fine”. The purpose for this, Geek Squad said, was probably because he was trying to see if I had a shortcut to my banks pasted onto my desktop. I didn’t; I access my banks through tabs saved as favorites in my Chrome browser. I wasn’t sure I saw the difference between the two methods of bank connection, but Geek Squad said mine was preferable.
The thing that puzzles me is why Kevin suddenly opened a porn website on my computer, while I watched! Perhaps he had realized I was getting wise to his scheme and decided to have some fun at my expense. Or maybe it was a last-ditch effort at convincing me my computer really was hacked.
Either way, he had already offered multiple inconsistencies throughout his hour of 'support' as a Microsoft tech. For instance, he told me at first I would need to contact my banks as soon as we finished cleaning up my computer, but then he insisted we do it together. He had also told me an IP address is not the computer itself; compromising my IP address meant people with their own computers could use it, but they couldn't use my computer. So why, then, had a porn site opened on its own, on my computer? And finally, once Kevin had me run the Command Prompt App, he never did anything else to find out what was going on with my computer; he kept asking to see things on the desktop screen. This is in sharp contrast to the agent at Geek Squad, who had looked at my Chrome history in depth and examined the files loaded onto my computer, talking to me the whole time about what he was doing and what I was seeing.
It boils down to this: why had a fairly intelligent, college-educated teacher allowed herself to be led down this rabbit hole? I think it amounted to a perfect storm of coincidence meeting prior experience punctuated by clever subterfuge and aided by my own lack of computer savvy. For instance, had I understood the Command Prompt App in Windows, I would have had protection against a scammer’s manipulation.
My daughter says it’s more likely that I try to see the good in people. “Just do like I do,” she said later that day when I called her. “Trust no one. Everyone’s a liar, especially online.”
Yeah, I thought. How depressing.
My attitude toward all the checks on identity confirmation with my banking programs and other sensitive sites online used to edge toward annoyance. Now, I am grateful. Even if Kevin had been able to get usernames and passwords off my computer, he wouldn’t have been able to answer the security questions I had previously set up or respond to the One Time Password sent to my phone when these institutions didn’t recognize the computer "I" was supposedly using. Tech-based firewalls and protections do keep us safe if only we let them. In addition, my left and right brains are currently, as I type, conspiring with my common sense on how to keep me from shooting myself in the foot again.