Monday, January 13, 2014

The Microsoft Support Phone Scam

This is a warning about phone callers who claim to be from Microsoft.  A neighbor recently received a call from Microsoft and documented the experience:

I got a phone call from a female who identified herself as a Microsoft employee.   She had a strong Indian or Pakistani accent.  In the background I heard what seemed to be many other voices, like a phone bank.  That part seemed reasonable to me.  It sounded familiar and helped throw me off guard.  

Due to her accent it was difficult to understand her.  She informed me that apparently my computer had been broadcasting some serious viruses. I was stunned and scared into momentary stupidity, so I started to follow her instructions.  First, she directed me to a web site called join.me.  Her instructions were awkward, but I finally got to the website.  At that point it was impossible for me to proceed.  I was unable to download the information necessary to join the "meeting."   I asked politely if there was someone else there who spoke English a little more fluently.  She connected me with another female with a similar heavy accent.  Again I was unable to understand her.  She rerouted me to another website with "anomy..." in the title.  I continued to have trouble with her instructions.  For example, she would ask me to click on a button and, when I replied "Nothing happened!" she said "Tell me the number at the top of the page."  I said "I don't see a number."  She said "Give me the 9 digit number."

Finally I was passed to a "supervisor."  He was able to direct me to connect to the "meeting."  I gave him the 9 digit number that appeared.  

I began to feel nervous- the initial shock had worn off.  He directed me to download another program, which I did.  He asked me to run the program.  However, at the bottom of the screen a message appeared from my security software that said something to the effect- Warning!  You should only give this to a person you trust.

I thought Yikes!  I don't know this guy from Adam.   Anyway, I said "How do I know you are a Microsoft employee?"  He said only Microsoft employees would know my computer ID.  He asked me to open a Word page and he would type it.  He could make the cursor move.  He started typing a number.  I didn't know what "my computer ID" meant, so, at that point, I hung up.   

This is a known and dangerous scam.  The cyber-criminal counts on the initial shock reaction to get to your computer.

I restored the neighbor's computer to an earlier point in time and cleaned out everything.  Since the neighbor used the computer for banking, they called their bank and had their accounts changed.

This scam is documented in several places and takes several related forms.  Here are a few links:

The last one is a YouTube video.  It isn't exactly the scenario described by the neighbor, but it is entertaining.  It is a little long (26 min), so watch it during your "entertainment hour."

Friday, January 3, 2014

Humor? in enrolling in your medical insurance

Occasionally I will stray into "user experience" scenarios with respect to internet applications.  This is about medical insurance.  I'm an IBM retiree.  In response to the Obamacare law, IBM has "dropped" medical insurance:  it has contracted with an external private exchange for all employees' and retirees' medical insurance.  Given that, in order to receive an IBM contribution to the new HRAs, i.e., receive any health benefit from IBM, we must enroll in an insurance program offered by that private exchange.  Since we already have all of our doctors in one hospital system, the insurance programs we can select must also match those accepted by the hospital system.  At the time this all happened, there was no overlap between the companies IBM's contracted exchange would accept and the companies our hospital system and doctors would accept.  We either had to drop IBM's contribution to the HRA or drop our doctors.  Essentially, we were one of the uncounted casualties of Obamacare. Fortunately, we were reprieved late in the year when the hospital system and doctors added Humana.  That was one of the insurance companies in the exchange's portfolio.    

Humana requires that we use a certain Humana subsidiary for Rx mail orders.    You have to separately enroll in that. (You can't enroll until after your insurance takes effect; i.e., Jan 1.)  Yesterday, Jan 2, I spent an hour trying to enroll, but it would not accept my information.  It acted as if my information was not correct.  (Other than that the system was really down, the real issue is that I had to have an ID#, which apparently has to be provided by this mail order subsidiary, which requires a phone call to them. Why don't they use Humana's ID number?) Last night, I called the support number and was on hold from 8pm until 10:30.  The battery on my phone was dying and I was too, so I gave up.

I called this morning a little after 8, when they open their support service.  I had to wait only 1/2 hour before I got a real person.  She told me their systems have been down.  (And they had been down... so much for my effort to enroll on line.) She couldn't say when they would be up.  Furthermore, she said the systems were not stable and were likely to go down again.  Would I like to make an appointment for a call back?  I said yes, and asked what times would be available.  She said they only schedule for a 24-48 hour period, not a time... Huh?  That's because they can't predict when the system will be up.  

She offered to take down some pre-enrollment information and started the process.  She asked for medical conditions for which I was being treated.  I gave them.  Then she asked if I had any medical conditions that I was not aware of.  Huh?

So now I have to hope I am near a phone when I am called, sometime in the next 48 hours.  (Hint:  if you have VOIP service, that service often comes with an option to reroute your phone calls to your cell phone when the VOIP service is down.  So, if you are going to be away from your home phone, pull the plug on your VOIP service and the phone call will go to your cell phone.)

I would welcome comments on your unusual experiences with health insurance web sites.  Enter them as comments below.  

Thursday, December 12, 2013

Some notes on a technique for protecting your computer from Malware (HIPS)

It is difficult to find a title for this post.  This is an important topic for even a "novice" computer user to get their head around.  But it seems to be an onion in the sense that it takes layers of explanations to get to a common language description of what HIPS means to you; ie, why it is important to you.

HIPS stands for Host Intrusion Prevention System.  That doesn't mean a whole lot to me and I suspect it doesn't mean a whole lot to you.  But it is related to keeping your computer and home network secure; in fact, it is fundamental to maintaining your own security.

I use the term AntiMalware to stand for any computer program that detects and perhaps manages infections on your computer, your network, and the internet.  Programs that are called AntiVirus fall in this category, as well as programs that extend their protection to unwanted programs on your computer or in your browser that perhaps just throw up additional ads while you are surfing the internet, or pop up ads on your computer that are a nuisance.  Malwarebytes falls in this category.

AntiMalware programs detect malware through two major techniques.  One is by Signature.  They look at each object's (program module and data file) construction, such as number of bytes, or certain bit/byte patterns within the object, to identify it as a threat.  This is the most common way to determine if an object is malicious.  But there is another way to detect malware:  look at what the program or data file is "doing."  It might change a registry entry in a special way, or it might try to gain access to services on your computer that normal programs shouldn't access.  That is how HIPS-based antimalware programs work.

Some antimalware programs do both Signature-based detection and HIPS-based detection.  In fact, that is the main point of this blog entry:  when you are evaluating antimalware for use on your computers, you should be looking in their description for both Signature-based algorithms and HIPS-based algorithms.
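The two techniques described above, as an added sketch that is not from the original post or from any antimalware product: a hash/byte-pattern signature check next to a behavior check over a program's recorded actions, showing a changed copy of a known file that slips past the signature but is still caught by what it does.  The file bytes, event records, process names and rule names are all constructed for illustration.

```python
# Added illustration: toy signature and behavior (HIPS-style) checks.
# Every sample below is constructed; no real malware bytes or vendor rules.
import hashlib

ORIGINAL = b"MZ..EVIL_MARKER_v1..payload"      # constructed "known bad" file
REPACKED = bytes(b ^ 0x5A for b in ORIGINAL)   # same program, different bytes

KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}
KNOWN_BAD_PATTERNS = [b"EVIL_MARKER_v1"]

def signature_scan(data: bytes) -> bool:
    """Judge a file by how it is built: exact hash or an embedded byte pattern."""
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES:
        return True
    return any(pattern in data for pattern in KNOWN_BAD_PATTERNS)

# Behavior rules judge what a program does, whatever its bytes look like.
AUTORUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
SECURITY_SERVICES = {"windefend", "wscsvc"}

def is_autorun_write(event):
    return (event["action"] == "reg_write"
            and event["target"].lower().startswith(AUTORUN_KEY))

def is_security_service_stop(event):
    return (event["action"] == "service_stop"
            and event["target"].lower() in SECURITY_SERVICES)

BEHAVIOR_RULES = {"autorun_persistence": is_autorun_write,
                  "security_service_tamper": is_security_service_stop}

def behavior_scan(events, trusted=frozenset()):
    """Return the sorted names of rules triggered by untrusted processes."""
    hits = set()
    for event in events:
        if event["process"] in trusted:
            continue
        hits.update(name for name, rule in BEHAVIOR_RULES.items() if rule(event))
    return sorted(hits)

# Constructed event records, as a HIPS agent might observe them.
REPACKED_EVENTS = [
    {"process": "invoice.exe", "action": "reg_write",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"process": "invoice.exe", "action": "service_stop", "target": "WinDefend"},
]
BENIGN_EVENTS = [
    {"process": "notepad.exe", "action": "file_write",
     "target": r"C:\Users\me\notes.txt"},
]
```

Calling signature_scan on ORIGINAL and then on REPACKED, and behavior_scan on each event list, shows where each technique catches the sample and where it misses.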

An important note:  You don't need to have an antimalware program that does both.  But you need to have both types of protection.   So you might pick a good Signature-based antimalware program and a good HIPS-based program.  Also, you might want more sophisticated protection on a laptop or tablet that sees public wifi networks.  That environment is the most likely source of infection.  (Then you bring the laptop or flash drive home and infect the other computers on your network.)

This discussion was inspired by an article I read on the Malwarebytes blog.  (Click here)   I hope with this introduction you can get something out of that article.

Saturday, December 7, 2013

Obamacare and your personal health and financial information

I don't intend to "get into politics" in this blog; however, I do cover security.  Obamacare does have some very major security problems.  There are parts of government regulations that cover health data security/privacy.  You've encountered these regulations when you are asked to fill out a HIPAA form for release of information.  I've been directly involved implementing security in both the private business sector and in the health sector and continue to keep up with those fields.

I agree with most other experts that the Obamacare implementation is a disaster in these areas:

  1. Planning and project management
  2. Product
  3. Workflow associated with the product
  4. Security with respect to all of the above.

From time to time I will comment on these issues when they directly impact our communities.  In this particular case, I want to point you to an article on security associated with the flow of personal health information (PHI) from source- the interview front end of Obamacare- to destination- a doctor's office.  The debate in this case covers what the rules and regulations are for securing your information as it flows from the origin to the destination.  The article is technical, but you should get from it that this is something the healthcare industry has worked on for a number of years and not settled.  You will see a list at the end of the article of things any organization that touches the data (even in transit) needs to internalize and execute. This is a big deal and supports the claim that Obamacare data are low hanging fruit for the malicious.

The article:   http://it-security.blognotions.com/2013/11/27/hipaa-audit-tips-%E2%80%93-conduit-business-associate-or-something-else/?_m=3l%2e000t%2e21%2egw0akw6ons%2e1eh 

Tuesday, December 3, 2013

Scorpion Saver... "Infection" is epidemic in our area

I'm encountering a lot of Scorpion Saver infections.  Scorpion Saver is technically not a virus, and it generally doesn't get caught by antivirus programs; however, it is certainly a nuisance, if not incapacitating.  You don't want it on your computer.  So, if you are experiencing a lot of unusual ads popping up, even with the popup setting on your browser set, you may have Scorpion Saver.

It may be my imagination, but this problem seems to be especially prevalent in computers whose users use AOL as their email provider.  You know I am not a fan of AOL; in fact, I am an enthusiastic proponent of not using AOL.  This is one reason.

In my opinion, Scorpion Saver is real malware and you need to get rid of it.  A good writeup on how to do it is found here.  Please review that web page, which has a good description of what an infection looks like as well as how to remove it.  

Monday, December 2, 2013

Windows 8 to 8.1 Conversion: My List of Problems and Resolution

Introduction

I've converted some systems from Windows 8 to Windows 8.1 and hit some snags along the way.  In fact, I'm finding new ones all the time.  Rather than create a blog item every time I have a problem, I'm going to make this my one blog entry for all issues.  As I hit an issue, I'll document it here; both issue and resolution.  So return here every so often, or when you actually install Windows 8.1.

Issue:  Office 2010 Freezes

Description:  Office 2010 works for a while but, when I do some kind of action, it freezes.  In my case, I wanted to format a column.  I right clicked on the column number, clicked "format", and the application froze.  
Solution:  There are discussions of this on the internet, but they are conflicting.  My solution is to repair Office.  Go to the Control Panel.Default Programs.  Click on Programs and Features.  Select (left click) the Office version that has the problem.  A link will appear at the top:  Repair.  Single left click that and let the repair take place.  Restart your computer.  The problem should have resolved itself.  Note:  Each edition of Office has different problems and ways to resolve the problems.  For your situation, google "Office {your version} problem Windows 8.1."

Issue:  MsiExec errors (Have to find in Event Viewer; might not "see" anything as a user except erratic behavior)

Description:  Faulting application name: MsiExec.exe, version: 5.0.9600.16384, time stamp: 0x52158c02
Faulting module name: SHELL32.dll, version: 6.3.9600.16456, time stamp: 0x5278fede
Exception code: 0xc0000005
Solution:  See discussion here.  Windows 8.1 is buggy.

Issue:  General Instability

Description:  System is not behaving well.  Programs or printers hanging.  
Solution:  Start a cmd window as administrator. (Type cmd on the Start screen.  Right click "Command Prompt" from the search results.  From the drop down, select "run as administrator.")   Enter sfc /scannow.

Issue:  This message:    The "IWD Bus Enumerator" is disabled.

Description:   This message occurs soon after installation of 8.1.  If you go to the Device Manager, right click on IWD Bus Enumerator and select the "update driver software" option, you get that the latest driver is already installed.  However, in the device manager there are two lines "IWD Bus Enumerator": the first line is normal (i.e., enabled), and the second line shows that error message (yellow triangle).

Solution:  



Saturday, November 23, 2013

Dangerous "New" Ransomware Makes Your Files Unrecoverable (Cryptolocker)


There is a new type of Malware that is very difficult to remove.  What it does is encrypt your personal files, which results in your files becoming unreadable.  The files selected include anything in "My Documents".  This Malware can also cloak programs used to run Microsoft.  Once it has done its thing, it asks for a ransom of $100 or more to fix the problem.

In general, I can't do a thing for you.   Your programs and files are lost if you do not pay the ransom.  For details on this nasty stuff, read this.  It will tell you that the way you get infected is to click on a file that is attached to an official looking message that looks like the following.  This message could "look like" a pdf file.  Please read about this in the above link so you know what the malware enticement looks like in order to avoid infection.

Cloud backup services will probably vary in their ability to rescue you when you have an infection that either changes or encrypts files.  Depending on the service and how the service is set up, the encrypted files will begin making their way to your cloud storage.  So your primary storage in the cloud will be corrupted.  The best advice I can give you is to notify your service as soon as you notice something suspicious, which might not be until the ransom message is displayed.  The cloud service support people will have to recover your files to a time before encryption started.  You'll need to figure out when that was; perhaps the support people can help.

Note:  If you use a free cloud service, such as Microsoft's or Google's,  it is going to be more difficult to recover the right backups.  Generally you are on your own to figure out how to get back earlier versions of files.

-----Original Message-----
From: John Doe [mailto:John@mydomain.com]
Sent: Tuesday, October 15, 2013 10:34 AM
To: Jane Doe
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.
