Microsoft blocked scam

We cracked the password to unlock systems displaying the message Microsoft Blocked! It's united123.

[Image: the Windows sign-in screen displayed to victims, showing the account name "Microsoft Blocked" and a password prompt – Microsoft Blocked scam screen]

Over the summer of 2023 IT Security Locksmith helped someone who had been the victim of a cyber security scam displaying the message "Microsoft Blocked". After helping them recover, it was decided to perform a semi-forensic review of what had actually happened, for peace of mind. IT Security Locksmith has published this article to help victims understand what happened and to assist with recovery.

The background

The attacker called the victim on their home telephone number, claimed to be from Microsoft and said they needed to perform some checks on the home computer. Today this is called "vishing" (voice phishing); previously it was simply called "social engineering". They convinced the victim to install a remote access application and, boom, it's game over.

But what just happened?

After taking a forensic image and performing static analysis of it with Autopsy (https://www.autopsy.com/), IT Security Locksmith discovered at least two routes to monetization. The remote access software installed was identified as AnyDesk, a legitimate remote access package.

The actual sting

The primary objective of the attack was a straightforward sting for money. The attacker asked for a small fee of only £5, payable by credit card. This failed not because of any cyber security controls but because of the bank's anti-fraud detection system. The bank cancelled the card with immediate effect and issued a new one – now that's impressive!

The laundering

The second route was less obvious. Having gained access to the victim's Gmail through the browser, the attackers registered multiple accounts with three fund transfer companies. The registration emails were found in the email trash, having been deleted to cover their tracks. All three companies are registered in the UK with the Financial Conduct Authority. It is interesting to note that no Know Your Client (KYC) or Anti-Money Laundering (AML) checks appear to have been performed, so fully fledged financial accounts should never have been created.

But why did Microsoft Block the computer?

They didn't. Further analysis showed that the password on the main account had been reset and now had the hash value 13ac352fedb066185576d5609ac34244. After cracking the hash, the password was determined to be united123. The attackers also changed the full name on the account of the last person to log in to "Microsoft Blocked", so the sign-in screen displayed that name – simple but very effective.

The attacker even left a password tip that read “contact kelvin tam”.

Overall Assessment

This was a low-tech social engineering attack. It is simple but effective, and technical security controls are of little use when the user can be tricked. IT Security Locksmith suspects there are hundreds, if not thousands, of victims of this scam, and not only in the UK.

On the system reviewed there did not appear to be any malware installed, and no tripwires or logic bombs for future reacquisition and persistence. But the attackers may adapt, and this may change.

Recovery steps

[Image: Action Fraud graphic]

1. The first thing to do is report the scam to the police – in the UK it’s https://www.actionfraud.police.uk/reportscam

This was straightforward and the chat facility was great with the person putting us at ease and helping us each step of the way.

2. You can see if the password united123 works for you, but IT Security Locksmith still wouldn't trust the device and would recommend you rebuild it!

a. If you choose not to rebuild, you may want to run the following command from an elevated (run as administrator) command prompt.

DISM /Online /Cleanup-Image /RestoreHealth

This replaces any corrupt or non-Microsoft system files with the correct versions, improving system integrity. For more information see
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/repair-a-windows-image?view=windows-11

3. It is very important that you reset your email passwords first, and then any other passwords you stored in your browser.

4. Rebuild your computer.

In this instance only the browser was used to access online services. To make it more difficult for attackers in future, IT Security Locksmith agreed to install Ubuntu Desktop instead.

5. Restore your data from a last known good backup (assuming you have one).

6. Perform a credit check to ensure no financial accounts have been created using your credentials.

Conclusion

If you don't use a password manager yet, IT Security Locksmith would highly recommend you get one and stop storing passwords in your browser. This is a trade-off with usability, but the impact when you get hit will be significantly reduced.

I hope you found this article helpful.

About IT Security Locksmith

IT Security Locksmith is a cybersecurity company that specialises in board-level training and consultancy.

To find out more about our capabilities please click here.

Our services page showcases the types of services we offer.

Click here to contact us for a no obligation initial consultation.