Okay, so how do I know the next speaker? Well, it's a little bit creepy, but he started stalking me about two years ago on the internet. I guess this is the effect of stalking me on the internet. Yeah, you get to speak in the village eventually. Now, Matthias, he's from Sweden, and he works for a global company and also does his own freelance security consulting. He's a social engineering enthusiast, and he has a pretty interesting topic today about scam calls. So if you would join me in welcoming Matthias Borg.

Thank you, Chris. Oh, geez. My name is Matthias Borg, and I'm from Sweden. So is anyone else here outside the States? So we're from Europe, or... All right, awesome. So my topic here is scam calls. Everyone is aware of them. Hi, I'm Colin from Microsoft. You have a virus and so on. And we've seen them a lot for the past number of years. Yeah, but there. I actually added some URLs for you to download PCAP files, and I will get back to them later. And I can also bring back this picture. I realized it should have been in the end of the presentation. But during my journey here, this is my first time at DEF CON. Yeah, thanks. And I have my manager in New York. And when I got the acceptance from Chris this summer, I thought, well, maybe I can get the company to pay for it by visiting my manager. And so I asked this traveling book system to arrange all the flights and the hotels and so on. And I said, well, we found this very cheap hotel in New York, very low standard. And I thought, well, that's all right. I'm just going to sleep with it. So I thought, well, this is all right. At least I have the toilet, so I turn around and yeah, nothing there. I also went out on the streets during the night. I mean, it was my second time in the States. And I went to Times Square and this rap artist came up to me. Oh, I'm this rap artist. I'm selling my CD and I was, oh, this is a bit fishy. So, all right. Yeah, you need to buy this.
I was thinking, well, I'm a social engineer. I'd never fall for that. So we actually have these ones that I will throw up for comments or questions or something like that. They were very expensive. So we started to receive a lot of calls. I mean, in a huge company I have the number in, like number range, if one receives it, I mean, they add from zero one to zero two to zero three and keep calling people. I never received that call. I was a bit disappointed. So when I finally received the call, I was all shaky. Basically, I am right now. And I didn't know what to do. And I said, well, I'm not at my desk. Can you call me back within an hour? And he was like, oh, yeah, yeah, I will. I will definitely help you with your computer. And yeah, this is for sure. So I thought, well, that's proactive. And I mean, all of us should be proactive. I mean, offering that kind of service, helping anyone with infection, that's amazing. He also mentioned, well, I'm calling from Microsoft. I'm in their headquarters in London with a call ID that explained that he actually called from Sri Lanka. All right, that might be true. So I was thinking, oh, well, that will give me some time to set up a virtual machine and do some smart things. At least I thought at the time. And he was like, oh, I really got this guy, something like this, poor creature. How did that really happen? Sorry, Chris, I added that late. Yeah. So we were waiting at this very coffee break. I prepared everything. I actually installed a new virtual machine. I installed Wireshark. I installed, well, added process monitor and thought, oh, well, maybe they will see that Wireshark is running. So I actually renamed the executable, which doesn't take any effect at all. And that's one of the things that I realized, oh, that's something you don't have to do. But after a while, the phone was ringing and we were, yay! Now we're about to frame this guy.
And, oh, so he started to tell me the commands I was about to run and it was press Windows and R. Yeah, all right. Type W as in Washington, all right. W as in Washington, right. W, all right. Come on. S as in Sweden. So I just started to wait and see. After half the support, I realized, all right, it's support and then I was just waiting. Dade and me. All right, so I was redirected to this LogMeIn session. And this is interesting, because Microsoft is actually using this for the support calls. One of my colleagues was actually waiting for a support call at the time. And when he finally called, they said, he said, I'm not falling for this and he hung up the phone. And then he had to create an extra support ticket. After a while, this screen popped up, like, oh, we need some permissions and so on. And I said, well, he's about to help me with my virus problem. And yeah, I go for that. And this guy, Jan Erik Haag, is about to help me. All right, yeah, a Swedish name at least. The first thing he did was opening the web browser and went to TeamViewer, because it happened to need two different remote tools. All right, yeah, I'll go for that. And he asked me to, can you bring a piece of paper and a pen? Yeah, yeah, sure, what do you want me to write? Yeah, you start typing, just some random bullshit, basically. Yes, to keep my eyes away from the monitor. All right, I can do it. I can look at the screen recording later. Doesn't matter. So what he did was adding a stupid password. And he also asked me to write down the customer license security ID number. It's good that there's no piracy, because that would be illegal. CLS ID, I thought he meant something else, but yeah, that's a new thing. And he also showed me some proof that I was infected. Because there are no errors in the event view, never seen it. And especially if it's a new, very quickly installed virtual machine and you started to make some quick changes that you thought would help.
That's usually how my event view looks, but all right. And I mean, you should have noticed that there's something going on with this machine, because there are no logs back one hour back and it's totally empty. And this is the service hacking. He actually told me that, oh, this is the hackers. They've been hacking your services, all right? And he, I mean, he was talking about that for a long time. After a while, he moved on and opened command prompts. I thought all the hardcore Windows guy was using PowerShell at this time. And I noticed during this that it says the association for PCAP files is Wireshark and I was, oh, well, hopefully he won't notice and well, he didn't. And I mean, he was clearly, he mentioned the word cyber a lot. He was a cyber master hacky security professional. Yeah, who wouldn't be that? And I will go to the next screen, but this is how it looked in the command prompt. I mean, everything is red, that must be very bad. Because it's impossible to just change the text color and text size and so on. And this is what it said. The computer is affected because the warranty is not active. Windows firewall licensing certificates are not valid. System is hacked to 98.5%. Or the other one and a half percent. Well, that's just amazing. So in order to active the warranty and to validate the Windows firewall licensing certificates, register Microsoft Corporation and make the computer and internet connection secure because we know that things can be secure. This is a new buzzword. Have you heard about cyber certificates? He actually told me that your cyber certificates has been hacked. I was a bit confused at that time. What it did, at this time, it wanted to get some money for the service. And I mean, I got this once. So what it did was connecting to another hacked machine. Open the web browser and, because I could see this, it was just a TeamViewer session running from my machine.
And in the open this forum and gave me access to the keyboard and the mouse. So, oh, now I have the chance to take this guy. I didn't think that, oh, this is another hacked computer. So what it did was just slamming the Windows key just to get, it was Windows 10 box. And I happened to see this Xbox Live account. And that user name was, it was easy to find it. And in Sweden, it's very easy to find people. Ridiculous, easy. I mean, our social security numbers are available on the internet. That's a totally different story. So I actually, I was able to track this Swedish citizen down and got his phone number. And I tried to give him a phone call and he answered the phone. And I realized, all right, this is not the same guy. And he really wondered what I was calling him. And I said, well, have you had a virus? And he was, yeah, yeah, someone called me about it. Right, I'll help you with this. I wasn't that mean, but I explained to him, well, you've been, these guys, they scammed you. And I mean, you probably should contact your bank and so on. But the guy that was talking to me previously, when I thought that, well, this might be the time for me to introduce myself. I'm not that very high technical. I know some things, but I mean, you guys are like very hardcore at everything. I've seen some sessions and it's just amazing. And he told me that, he realized that I was playing around with him. And he told me that he would make love to my whole family. That's kind of cute actually. I mean, I'm a geek. So I had to ask him, does that include me? What, why do you ask? Well, I'm a geek and a navigate lead. We hang out the phone and I realized, well, this guy actually failed at his call, but it's very easy for them to actually be successful in these attacks. And I guess at the time we had about 100,000 citizens in Sweden getting these phone calls. And I know about one guy that actually fell for this.
And he, it was accepting everything they wanted to do and he lost his bank account information so they were able to log on. And, but the problem is that they used his account to loan him some money. And so they transferred, I guess in dollar it would be five grand to his account and the bank stopped the access to that account. And the problem is that they couldn't access their money. They actually lost five grand. They weren't that happy about it so they actually called him again and threatened him and that's sort of a sad story. But sometimes it can go wrong for the scammer as well. And I've seen other guys doing similar things. I tried to record what they're doing and so on. And my idea with this talk is to have a discussion see how we can make this better for the next time. So everyone is aware of what they should do when they receive the call. Maybe publish everything using hashtag or something so we can collect all the things and improve this framing even further. I'm not sure how we would do it and I mean if you have any ideas I have some CDs for you. Mr. Manhattan, DJ, dish soap. Yeah. They sign as well, might be worth some money. So what's the next step in phoning the scam callers? Do you have any ideas, any thoughts? Come on, you've been laughing all the time. Yes, sir. Yeah, from LogMeIn and TeamViewer. I reported everything to TeamViewer and LogMeIn and they said, oh, this is probably a scam. Yeah. Yeah. But I think that's worth the CD. I mean, the first question. Come on. Action on the track on it, so be careful. The PCAP file is available and I will share the URL later and hopefully if someone's very good at reading PCAP files, I'm not. You can get something out of it. I also have the process monitor log available and it's sort of interesting, you can see when they're dropping the files and so on. So what, how do we protect the end user from our normal citizens so they don't fall for this kind of scam?
Security awareness training is necessary as everyone in this village has been explaining all the talks. You will not be more secure than the common sense. I mean, there's no appliance box to protect against social engineering, even if people think that appliance box can help them with most of the things. And we need to sort of patch the human being to human 2.0 to increase the common sense. That's the end of the slides I had. I guess we have, where's the time thing? We have some, still have some time. I could go into the identity security in Sweden. That's hilarious. Any questions?