A case in which an amateur spammer logged in to a PC and installed Microsoft Office


By Summer

Cybercrime such as hacking a user's PC and demanding money is occurring all over the world, but the case encountered by the IT news outlet Ars Technica was a slightly strange one: the perpetrator demanded money only after properly installing Microsoft Office.

The spammer who logged into my PC and installed Microsoft Office | Ars Technica
http://arstechnica.com/information-technology/2016/05/the-spammer-who-logged-into-my-pc-and-installed-microsoft-office/

It began with a report from an Ars Technica reader that "there is a spammer trying to install Microsoft Office 2010". The screenshot of the text message sent in by the reader shows the spammer's offer: "You want Microsoft Office 2010? It can be installed on your PC remotely". The spammer sent this message from a Yahoo! Mail address.


After receiving the reader's report, Ars Technica emailed the spammer, who went by the name Itman Koool: "I received a message from you that I can obtain Microsoft Office 2010 for free. How can I do it?" The conversation proceeded as follows.

Itman Koool: It costs $30 (about 3300 yen) to install. There is no problem in paying after installation.
Ars: It's cheap. What should I do?
Itman Koool: Please open the PC, go to google.com, search "TeamViewer" and download the software.
Ars: I downloaded TeamViewer. What should I do next?
Itman Koool: Please let me know your TeamViewer ID and password.

TeamViewer, which Itman Koool asked Ars to install, is software used for remote control of a PC. To keep its real PC from being taken over through the remote session, Ars installed a copy of Windows 7, updated to the latest version, in a virtual machine, and also installed antivirus software. With this setup, even if Itman Koool infected the system with a virus, simply deleting the virtual machine and reinstalling Windows 7 would keep the damage to a minimum. In addition, Ars created a fake folder named "passwords" directly under My Documents in order to check whether Itman Koool would try to steal passwords.

With everything ready, Ars sent the TeamViewer ID and password to Itman Koool. The exchange continued as follows.

Ars: What are you doing now?
Itman Koool: I am going to install Microsoft Office 2010 now.
Ars: Are you working at Microsoft?
Itman Koool: No, I am not.
Itman Koool: How much will you pay?
Ars: You said it was 30 dollars, didn't you?
Itman Koool: That's right.

In the middle of this conversation, Itman Koool remotely operated the Ars PC to open Chrome and logged in to Itman Koool's own Yahoo! account. The inbox contained payment confirmation emails from PayPal and replies from people who had received the spam, such as "Who is this?" and "Please stop". Itman Koool opened one email, followed a link in it to the file transfer service WeTransfer, and downloaded the 654 MB file "OFFICE 2010.zip".

While the file was downloading, Ars asked, "How did you get the phone numbers of the people you send messages to?" Itman Koool answered, "Only the last 4 digits are generated and attached after the exchange number." The download finished in a few minutes, and Itman Koool opened "office2010proplusfiles", which contained two applications, "office2010proplussetup" and "office2010proplusactivate", and a document, "office2010propluskey". At this point Microsoft Security Essentials issued a warning: "I have found a potential threat that could damage your privacy or PC, access to this file may be suspended until you take action".

Saying "Do not worry about Microsoft Security Essentials warnings", Itman Koool changed the Windows firewall settings to allow the installer to launch and started installing "Microsoft Office Professional Plus 2010". At this time Itman Koool checked the list of installed programs. The list included "VMware Tools", which indicates that a virtual machine is in use, but Itman Koool apparently carried on without noticing it.

To complete the installation of Microsoft Office Professional Plus 2010, Itman Koool copied the temporary license key from the document file "office2010propluskey". After the installation finished, Itman Koool opened "office2010proplusactivate" and used this license key generation program to make Microsoft Office Professional Plus 2010 usable for at least 6 months.


After that, Itman Koool started Excel and Word, explained that they were working properly, and asked Ars to pay $30 through PayPal. Ars, wondering whether Itman Koool would do something malicious to the PC over the remote session if the fee went unpaid, refused to pay and left TeamViewer running for 2 hours.

However, nothing happened during those 2 hours, and when Ars then quit TeamViewer and scanned the PC with antivirus software, no virus was found. Meanwhile, the installed Microsoft Office Professional Plus 2010 operated normally. Itman Koool also does not seem to have looked into the fake "passwords" folder that Ars had set up.

Ars uninstalled Microsoft Office Professional Plus 2010 immediately. After that, it seems that there was no contact from Itman Koool.

In the comments on the Ars article, one reader posted that "This spammer is obviously an amateur".

in Software, Security, Posted by darkhorse_log