It sounds like something out of a comic book: the Supremo scam. An evil genius takes on unwitting computer users.

There is no shortage of computer-based scams. Surely everyone setting eyes on this column has had one or more calls suggesting a problem with their computer, a problem so serious it needs attention then and there, according to the caller.

Today we revisit the so-called Microsoft scam, or at least a variant of it, which hinges on the call recipient having one or more computers using the world’s most popular computer operating system, Windows 10. Random calling to numbers here in Canada is going to make a correct hit about 70 per cent of the time.

Because the scam has been active here since around 2010, there has been adequate time to warn most people, so the actual rate of the scammers making a breakthrough on any particular call is likely to be low.

Today we take a look at the case of B.C. Catholic subscribers Harriet and Henry, both retired. Let’s refer to it as the Supremo case. Here, mostly in “Henry’s” own words, is how the Supremo case played out for this couple.

On the morning of Wednesday, June 16, I received a phone call from a V616 phone number – indicating it is a scam call that is supposed to be blocked under CRTC rules. The caller claimed there was a “growing problem” on my desktop Windows 10 computer. He later identified himself as “David” from an unnamed Microsoft malware protection company. I was intrigued, so I continued for a while with his proposed exploration of this “growing problem.”

First, he said, he wanted me to look in my personal /appdata/local/temp subdirectory. He then guided me to open the computer’s Event Viewer logs by using Windows key-R and keying in eventvwr. Specifically he had me look in Custom Views – Administrative Events. “Do you see recent posts there?” David asked. Yes, many that morning, fast and furious, over 5,000 total! He then had me use Windows key-R again and type in “iexplore www.supremo.**” and told me to click on “Accept” when it appeared.

[Although in some respects it was already too late, Henry wisely had second thoughts at this point. I’m purposely leaving out the top-level domain part of the key step, the web site name, as the scam remains active.—PV]

At this I balked, too fishy by far. I hung up on David and shut the computer down. Within 30 minutes “David’s supervisor” called from a 1-302 number (Delaware, U.S.) and wanted to ‘reassure’ me that this was OK to carry out, but they needed to “take control” of my computer. Never! I hastily used the excuse that we had to go out for an appointment, and Thursday was bad, so “call me back Friday 10:30 a.m.”

At this point I called Peter Vogel and told him what had transpired; we quickly discovered that a batch of subdirectory files had appeared, and that these were “undeletable” (big red flag!). Peter had me try various things, and in the end we decided that a full “factory reset” was needed.

Friday, an hour later than requested (time difference or were they hoping to increase my anxiety?), David called back. I gave him a forceful “thanks, but no thanks” and hung up. No more hassles, though even after the reset with Windows 10 Pro, I’ve continued to carry out multiple checks, and all seems fine.

After the fact I discovered that “Supremo” is short for “Super Remote” control, and as Peter Vogel pointed out, the “.**” extension was a “very suspect” Pacific Island location!

The motto of this tale? Don’t mess around: these scammers are ill-intentioned. Don’t give them an opening!

Supremo is basically a contraction for Super Remote (control), a program that gives remote operators unfettered access to a computer over the internet. Exactly what was deposited on Henry’s computer is still a bit of a mystery. Was it beginning to encrypt files when Henry shut it down and called me? Was it installing a keystroke logger for later action?

More likely is that the scammers would have offered to remove the undeletable files and then demanded payment for the service. I’ve previously reported the figure of $300 as a common starting point for this version of the scam.

I should note that Henry tried a rollback using the Windows System Restore Point option right after he suspected that his computer had been breached. However, those undeletable files prevented that action.

Henry’s factory reset, basically reinstalling Windows and keeping no user data, has worked out fine. However, to be completely sure in instances where some form of compromise has occurred, it would be good to run a product called DBAN (Darik’s Boot and Nuke) before reinstalling the Windows operating system. Think of this action as the equivalent of running a shredder: it leaves no trace of the contents that existed on the hard drive before it is wiped, or nuked, by DBAN.

Follow me on Facebook (facebook.com/PeterVogelCA), on Twitter (@PeterVogel), or on Instagram (@plvogel)