Social engineering: supporting the victim

Today I helped an old friend with his Windows desktop. Nothing special, but then he told me about a call he had the day before with a support clerk from Microsoft. At this point my SE alarm started to ring. First I disconnected the PC from the network and rebooted the router. But then the telephone rang and my friend took it. It was another “Microsoft” clerk talking about yesterday’s talk. I took over and in a moment of anger I told the guy not to call again and to stop accessing my friend’s PC in any way.

On the machine, I tried to find out what happened because my friend couldn’t tell me in detail what the “supporters” did. No processes, but in the browser history I found a link to AnyDesk, a remote tool, and a page to determine the IP address. On the desktop was a txt file with the email address of the victim. I didn’t find the AnyDesk client on the PC. No autostart tool either. From what my friend told me, the attackers took control of his PC very early after the call started; he was not sure whether he was involved in it or not. The attacker tried to convince him to pay $500, which he didn’t do.

We changed the password of his mail account and safely deleted the USB sticks he had used until the attack. After reconnecting the network, no network activity could be tracked. I strongly recommended reinstalling the PC, but this advice was ignored. :/

After the whole story, I think I could have achieved more by playing the game again with the attacker to track all actions and trace the attacker. Maybe next time. ;)