Phase 1: The Intake
"Thank you for calling Microsoft Support. My name is [Name]; how can I help you today?
What were you doing on the computer when you first received this alert?
Is this your personal computer, or is it a work-issued device?
Do you see an error code on this alert? Specifically, do you see a message that says 'Trojan Spyware Alert' written there?
What was the last thing you clicked on before the message appeared?
Okay, please hold the line for a minute. Let me go ahead and check our database for you." (Place on hold for 30 seconds)
Phase 2: The False Diagnosis
"Thank you for waiting. I have checked everything for you, and it appears there is a significant breach on your network. This is a Trojan Spyware alert. These alerts indicate that someone is attempting to infiltrate your network and your devices without your permission or knowledge; essentially, an attempted hack has taken place.
It seems the hacking occurred within the past 48 hours. Has anyone used your computer within the last 48 hours besides you?
Are you the only user of this computer?
Also, has anyone else used your Wi-Fi? Is your Wi-Fi protected? Does it have a secure password?
As I can see here through your network connection, hackers are continuously trying to attack your identity and your devices. What I am going to do now is guide you through the steps to install certain temporary Microsoft security. Then, we will determine what data was being compromised and what actions are required. All services provided by Microsoft are free of cost, so you don’t have to worry about anything."
Phase 3: Gaining Remote Access
"We are going to start now; please follow my instructions carefully.
Look at the bottom-left corner of your keyboard. Do you see the letter 'Z'? Below the 'Z,' there is a key called the 'Windows Key' with four squares or flags on it.
Press and hold the Windows Key—don't release it—now, with another finger, press the letter 'R' (as in Roger) at the same time. Now release them together.
On the bottom-left corner of your screen, a small 'RUN' box will appear. In that box, there is a typing bar. I need you to type the following: www.ultraviewer.net. Then, click 'OK' or press Enter.
You will see a blue screen for UltraViewer. Look for a green icon that says 'Download' and click on it. Once it has finished downloading, click 'Open File.'
A box will appear; click 'YES,' then 'NEXT,' 'NEXT,' 'NEXT,' 'INSTALL,' and finally 'FINISH.'
Now you will see a box containing an ID and a Password. This is your Microsoft security ID and password. Write them down for your records, and then give them to me so I can connect you to Microsoft Security.
(TAKE ACCESS) Your device is now connected to Microsoft Security. As long as you are connected, you are completely safe. From this point forward, everything related to the security research will be done on this computer. Please do not use any other electronic devices while we are protecting this one."
Phase 4: The Fake "CMD" Scans
"Now we are going to run a few scans on your device. Again, press and hold the Windows Key and the letter 'R.' In the Run box, type CMD and press Enter.
You will see a black screen. Do you see 'Microsoft Corporation' written there? Good. Where the cursor is blinking, type: netstat -a.
You will see four columns: Proto, Local Address, Foreign Address, and State.
Look at 'Proto.' Do you see 'TCP' listed below it? TCP is your network provider. This means all electronic devices in your home are connected via TCP, and these hackers currently have access to it.
Now, look at 'Local Address' (e.g., 0.0.0.0:135). Write down the first number you see; that is your IP Address. 'IP' stands for Internet Protocol. This is how you are identified on the internet and verified as an American citizen. Because the hackers have your IP Address, this is now a case of Identity Theft. I am going to register this under Case ID: 78234363287.
Look at the 'Foreign Address' column. Read the first one out for me. Thank you. Let me check where that address originates... (30 second hold) ...That address belongs to CHINA. These are Chinese hackers.
Now look at the 'State' column. It says 'LISTENING.' Because it says listening, there is a chance that while we are speaking, the hackers are eavesdropping on our conversation. It is better that I call you back immediately from a secured line."
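As an added defender's note, not part of the script above: the following parser takes the same `netstat -a` columns the caller misreads (Proto, Local Address, Foreign Address, State) and annotates each row with what the field actually means. The sample output is constructed in the Windows netstat layout; the hostnames and addresses in it are made up.

```python
import re
from ipaddress import ip_address

# Constructed sample of Windows `netstat -a` output (not captured from any real host).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            DESKTOP:0              LISTENING
  TCP    127.0.0.1:49664        DESKTOP:0              LISTENING
  TCP    192.168.1.20:52011     93.184.216.34:443      ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
WILDCARDS = {"0.0.0.0", "::", "*"}

def split_host_port(addr):
    """Split 'host:port' (also the IPv6 form '[::]:0') into host and port strings."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def explain_row(line):
    """Return the parsed fields plus plain-language notes, or None for header/blank lines."""
    m = ROW_RE.match(line)
    if not m:
        return None
    proto, local, foreign, state = m.groups()
    lhost, _ = split_host_port(local)
    fhost, fport = split_host_port(foreign)
    notes = [f"{proto} is the transport protocol of this socket, not a 'network provider'."]
    if lhost in WILDCARDS:
        notes.append(f"Local address {lhost} is a wildcard bind (any interface); it is not your IP or identity.")
    elif ip_address(lhost).is_loopback:
        notes.append(f"{lhost} is loopback: this socket only talks to programs on this same machine.")
    elif ip_address(lhost).is_private:
        notes.append(f"{lhost} is a private LAN address, not routable from the internet.")
    if state == "LISTENING":
        notes.append("LISTENING means a local program is waiting for connections; no remote party is connected.")
    elif state == "ESTABLISHED":
        notes.append(f"A live connection to {fhost}:{fport} exists; identify the owning process (netstat -o) first.")
    if fhost in WILDCARDS or fport == "0":
        notes.append("The foreign address is a placeholder: there is no remote peer on this socket.")
    return {"proto": proto, "local": local, "foreign": foreign, "state": state, "notes": notes}

def explain_netstat(text):
    """Parse every row of netstat output and return the explained rows in order."""
    return [r for r in (explain_row(ln) for ln in text.splitlines()) if r]
```

The `netstat -sp tcp` counters quoted in the next phase are likewise cumulative TCP statistics since boot, not a headcount of intruders.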
Phase 5: The Secured Line & Moral Pressure
(Reconnect from new number) "You are now connected to a Microsoft secured line. This call is being recorded and monitored for security purposes. Do not call anyone or answer any other calls. Now, let’s run the second scan: netstat -sp tcp.
Do you see 'Failed Connection Attempts'? Those represent the number of times these hackers tried to breach your device.
Where it says 'Current Connection,' those are the actual number of hackers currently connected to your network right now.
Now for the final scan to see what data was stolen. Type: cd.. then cd.. then dir/s and press Enter.
While this runs, answer 'Yes' or 'No': Do you use any device in your home for Facebook? Online shopping? Online games? Paying bills? Watching Netflix or YouTube? Online banking?
Thank you. I am checking the results now." (Hold for 1 minute)
Phase 6: The Financial Trap
"I am looking at the log now. It shows:
ILLEGAL VISIT MADE TO WWW.PORNHUB.NET AT 4:30 AM
CHILD PORNOGRAPHY DOWNLOADED
CREDIT AND DEBIT CARDS USED FOR ILLEGAL PURCHASES STARTING WITH 4 AND/OR 5
FINANCIAL INFORMATION COMPROMISED; PHONE LINES HACKED; TROJAN DETECTED.
Sir/Ma'am, the logs show an illegal visit to an adult website at 4:40 AM today. Was this you? Are you sure? This was a paid subscription, which requires financial information. Could a family member have used your card?
If it wasn't you, this confirms the hack. They are attacking your identity and your finances. My recommendation is to check your email and your online banking only on this protected computer.
Check your email for anything fishy. Check your inbox, spam as well. Now, log into your online banking. If you see any unauthorized transaction, even for $1, let me know. I will connect you to your bank's fraud department."
Phase 7: The Financial Isolation & The "Secure Bridge"
"Since your phone lines are compromised, do not attempt to pick up your house phone or your mobile phone to call the bank yourself. As I showed you in the scan, your phone lines are 'mirrored.' This means the hackers have installed a digital redirect on your home line.
If you try to dial your bank’s number manually, the hackers will intercept that signal and answer the phone pretending to be your bank. They will then ask for your PIN and Social Security number to 'verify' you, but they will actually be draining your account while you talk to them."
The "Secured Line" Bridge
"To prevent this, Microsoft is going to use a Secured Federal Bridge. I am going to dial your bank’s fraud department directly through our encrypted server. You will hear a dial tone, and then you will be connected to a bank official.
I will remain on the computer (via the Notepad or UltraViewer chat) but I will be 'muted' on the phone line for your privacy. Once the bank official answers, you must give them the Case ID I gave you: 78234363287. If the line gets disconnected, do not call back—wait for me to reach you on this secured computer link, or the hackers will win. Are you ready for me to patch you through to your bank?"
"Write these points down for the bank: My computer and phone were hacked; I was talking to Ariana (ID: MSC837) from Microsoft; Child pornography was detected; Monitor my account for 48 hours.
I am connecting you now. I will stay connected to your computer via this notepad so I can help you if you need anything while you are on with the bank."