Weird one. Customer just had a remote access support scam, cold call, the usual. She didn't grant them remote control, her common sense kicked in. But - when they did the eventvwr bit, they had her scroll to the bottom of one of eventvwr's views and there was, at the bottom of the list, an entry with what was clearly some of their scam flavour text on it. As an added detail to lend credence to the scam, this impressed me, but on a technical level, I'm not sure how it was achieved. Can a browser popup generate an event log with tailored text? Or does it mean that they did, in fact, access her machine in some other way? She's adamant they never took control, and they had to talk her through the eventvwr steps, as usual.
My understanding is it's difficult to do OS stuff from executing JavaScript in the browser. Maybe they ran something that could force an error in the browser itself, rather than the JavaScript engine (unpatched bug / vulnerability), which in turn could trigger an error event that ends up in Event Viewer. It seems unlikely though. Nothing is impossible I suppose, but scammers tend not to be that sophisticated and it's more likely your customer ran something to cause the event.
As usual, turns out the customer was simply mistaken. She did let them take control. Pity, thought I'd found something exotic and interesting. Speaking of scammers not being very sophisticated, they installed some Russian freeware called "lock my pc", which is so ancient the unlock code is readily available in search results. Classy.