Microsoft help results in a scam...??

[Tabvla]

Under the W8 Forum I (and others) have been assisting a Member who has apparently been scammed.

What I fail to understand is how this Member ended up on a scam website which resulted in a ruined system which needs to be completely rebuilt.

The Member contacted Microsoft (with a relatively minor problem relating to the MS Store) on what the Member describes as a valid and verified contact. I looked at that contact and agree that it certainly appears to be a valid MS contact. During the conversation with "Microsoft" the Member was given a link to an "engineer" - and this is where things went wrong. I resolved that link and found that it linked to a known Malware and Scam site.

My question is "where has this gone wrong.... ...."

It is IMPORTANT to note that this is NOT the typical Microsoft Support Desk scam. This is quite different but ends up with the same result.

The Thread can be found at the link below. Scroll down to Post #11 and then read the 6 Posts from #11 to #16.

http://forums.techguy.org/windows-8/1141536-2hrs-microsoft-tech-couldnt-fix.html

T.

 

[Cookiegal]

The t.co site is merely a link service that belongs to Twitter to shorten links in tweets so users don't go beyond their character limit by posting long links. Therefore the link hxxp://t.co/JZwitAcuUF actually resolves to hxxp://helps.ms/vyVWdb and not the other way around.

See this article from Twitter about it:

https://support.twitter.com/entries/109623-about-twitter-s-link-service-http-t-co

Links are automatically shortened to 22 characters even if the original link is actually shorter.

https://support.twitter.com/articles/78124-how-to-shorten-links-urls

However, link shortening services are risky because users don't always know where the link may take them and are often used by hackers and such which is why they get bad safety ratings.

 

[Tabvla]

Cookiegal, thanks for your reply and the information provided.

I would be grateful if you could explain a little further. If the User clicks on the link provided by Twitter then the User ends up at the Malware site as per the Securi.net notification - see link in the Thread.

In this case what the user saw was the Microsoft.helps link. If you place your Mouse over that link the address that is resolved by the Browser is the Malware site. My understanding has always been that the information provided in the "Address" bar of a Browser is not to be trusted and that the address as resolved by the Browser is actually the real address to which you will be directed.

What am I missing here...?

As you may have guessed by now, Security is not my strongest area of expertise... ....

T.

 

[Cookiegal]

If the User clicks on the link provided by Twitter then the User ends up at the Malware site as per the Securi.net notification - see link in the Thread.

Actually no, it's the other way around. What is actually offered for you to click on and what you actually see, in this case is "helps.ms/vyVWdb". While it's a link to click on, it's not the actual link, which would be " hxxp://helps.ms/vyVWdb". It's only a name chosen as what is displayed and could have been anything like "MS Chat" for example. This is what we do with our malware logs all the time like when we say the following for instance:

Please go here to download HijackThis.

All you see if the word here in red and underlined but when you hover over it you see the full link which is "http://www.bleepingcomputer.com/download/hijackthis/". OK, I'm sure you knew that and it sounds like what you're saying but if I were using a link shortening service, you would may not see bleepingcomputer.com anywhere. One of those types of services is bit.ly. If you look at this link in an article posted here years back, you will see all the link displays as is hxxp://bit.ly/eXdMkI and if you hover over it it shows "bit.ly/eXdMkI" however if you click on it then it takes you to a site called "themarker.com" so essentially you are taken to an unknown destination. This is why they are seen as very risky and to be followed with caution.

http://forums.techguy.org/7842829-post4091.html

In the case of Twitter though, I see that they display both links when you hover as I see the real link right next to what is displayed and the link shortening service, which is not really a site, at the bottom of my browser. The link shortening service redirects you to the real link.

 

[dvk01]

Any links on twitter including other short links will automatically be converted to the t.co /xxxx links
They are not links to malware sites and you always need to read securi reports carefully & see what blacklists they are on
Phishtank has a high false positive rate and several of us have been trying to get something done for ages about that. The idea behind phishtank is that individuals vote on whether a site is a phishing site or not. Unfortunately there are several bots that vote and they frequently give incorrect votes, normally legit sites get voted as bad, based on an automatic algorithm.
Part of the problem in this case is that securi take a domain and don't look at individual links. They assume ( wrongly) that if one link or page on the site is a phishing site or has malware then the whole site is flagged as a phishing or malware site. You cannot do that with short url sites or ISP sites which get frequently wrongly flagged by securi