This is a slightly unusual post for me, as I can actually discuss an incident in depth without being bound by an NDA. Also unusual as this is a scam affecting domestic users, most of whom don’t have a budget to perform full incident response and therefore I don’t often see, but may provide some insights into the tools, techniques and procedures used in a Microsoft Tech Support Scam.

As a relatively new Mac user, I frustratingly noticed that following a recent update my /etc/ssh_config had been wiped out. I connect to a lot of devices via and unfortunately some of them only support older key exchanges, or I have to use specific SSH keys or unusual usernames to connect that I have no control over.

Following on from a couple of Twitter conversations and as a result of this thread I thought a deeper dive into how this works (at least more than 280 characters, anyway), and how people can protect themselves from this type of scam.

I’m a bit of a closet fan of Draytek Routers/Firewalls. Given a choice of device for a small office at a budget of < £200 they give quite a bit of bang for your buck, with support for IPSEC, SSL VPNs, ingress/egress firewall rules, ability to create groups and objects, IP restricted remote access and remote syslog built in.