As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/
Securing a PC after strangers have been snooping
emnmnme
Registered User regular
Registered User regular
This must be hubris. A few months back I was making fun of people who were scammed by a phone call where the caller, in a thick foreign accent, claimed to be from Microsoft. They have detected oodles of viruses on your PC but don't worry; if you give this trustworthy Microsoft representative your credit card information, they can proceed to clean your hard drive. My Mom fell for this trick yesterday. She told me that two men called her up and told her her PC was in danger. She gave them remote access using a program called Supremo and may or may not have installed other things, she wasn't sure. Luckily she didn't give them personal information or a credit card number. I walked her through the steps for reformatting Windows 10 Home, had her update Windows Defender and run Malwarebytes, and she called the FTC to report the phone number for good measure. With half an hour of access, I assume they could see some permanent information like the PC's serial number. Is there anything else to do?
0
Posts
serial numbers and all that are meaningless
1 - Scammer calls, says they're from Microsoft/"Windows"/Dell/Geek Squad/whoever, and convinces them that there is a virus.
2 - The victim goes to a site and downloads software, Supremo in this case. Supremo gives the victim an ID and password. Once these are handed over, the scammer is given access. Teamviewer and Ammyy I believe work the same way, while LogMeIn generates a unique download executable for each user.
3 - The scammer will usually say "hey, you have these viruses and shit, I'm gonna work on fixing them." There are two paths this goes down after this, one far worse than the other:
3a - Sometimes the scammer will say "pay me money and I'll clean you up." The worst case here is often a string of curses and insults before you kick them out of your system.
3b - The scammer might say "I'm going to work on cleaning these up." When you let them get to work, you're fucked. Usually the first thing they do is throw a Syskey password on your machine. This thing shouldn't exist anymore, but it does, so yay for you. Once Syskey is set, the scammer will start demanding money and inform you that they've encrypted your computer (which is true, since the SAM passwords are now encrypted). Good scammers will also torch your shadow copies, so you can't restore anymore.
Now, if they're not good, I've found the password is something remarkably dumb. Common ones have been password, 12345, 123456, abcde, and the like. They usually don't care about setting a strong password, just getting some cash out of someone who is shocked.
Thankfully they had a gut feeling something was up and called my wife, who told them to shut down their laptop, turn off the modem, and then call Microsoft directly for help. In their case, MS was actually very helpful and got them secured again. I was pleasantly surprised to hear they were actually helpful.
I'd see if you can log into it, verify any valid settings (remote admin, port forwarding, dns settings, etc) then reset the password to be doubly sure. If things look amiss, try and factory reset it and ensure any unwanted settings are actually gone.
This is what I would worry about: could they snoop and, say, get some bank routing info because you had login credentials stored in the browser, so they were able to get into a banking site or something.
It may be unusual, but isn't unheard of. Often companies that get hold of personal information from large groups like this wind up selling it in bulk to someone else. So while it's a good chance nothing would happen, it's best to make sure. Clean out (preferably wipe/reload) the system, check/reset the router, change any important passwords to things like banking if any of that had even a chance of being saved on the system, and then just keep an eye on your finances for a few months. If someone tries to use a CC number of yours, or use your information to secure loans and the like in your name, it should start to show up before too long.
So what happens if the scammers installed this "Syskey" and started demanding money? Can you turn the computer off and take it to an expert to have it fixed or will it be permanently locked? Are all your files lost if it is possible to reinstall everything in order to remove the malware?
This is probably bound to happen to my folks at one point so good to know what can be done if worst case scenario happens.
It really depends. If they just encrypted the password (syskey) then yes, it's recoverable without too much hassle (although it may be beyond your parents). You could just install the OS back again on top or mount the drive as a secondary and pull the information off of it.
If they threw on some kind of full disk encryption and it was able to run long enough to actually encrypt their drive (Hours at a minimum, like a full day+ for larger drives) then... maybe. But chances are it would be damned expensive to recover from unless someone's doing a charity to help people out with it.
In either case I'd likely just try and save off the files (non executables) then nuke the machine... you can't be sure what else they might have put on there, and if they are using utilities they didn't make, they could have actually put things on there even they don't know about.
Don't forget to check the router for rogue DNS entries as well. You don't have to have malware on your system to still be redirected to a proxy that grabs information while you use otherwise legitimate sites.
Syskey is already present on your system, just not active. Most of the time it's as easy as replacing the system hives with shadow copies. But if the asshole has had extended time, he'll have deleted the shadow copies and things get rough, which means you may be looking at a full refresh if you can't guess the password. I've been able to recover these systems by replacing the SAM, SECURITY, SOFTWARE, SYSTEM, and DEFAULT hives. IF the computer hasn't been rebooted, you'll usually find a clean set in the regback directory. If it has, the clean files may or may not exist, so turn it off and don't touch it.
Remember, Syskey is not malware. It's a windows function that these pricks are turning on to extort money. It's no different than setting a normal login password on your computer, except that you can't use a program like SAMurai to remove it.
So unless all people are aware of this method of scam, there is no other way to protect yourself from it happening? Is there no software out there that would not allow the installation of such software exploits? As long as they manage to convince the user to install the software and hand over the ID and Password there's no secondary level of protection available?
But, if you thought UAC was annoying, let me tell you about whitelisting software.
On the other hand, it wouldn't be the worst idea for securing the systems of those family members who rely on you for IT support. Unfortunately, I can't recommend any free non-enterprise solutions, but they would work thusly:
They try to install something (or access a dll) that isn't pre-approved: it gets stopped cold. You get a message to approve it or reject it, if you approve it, they have to run it again.
Which doesn't really stop these kinds of attacks, only make them a little more of a hassle.
Well ideally you would be mom's approving authority, so she'd have to tell you 'Microsoft' wants her to install a thing, and you'd say "call the FBI".
Her telling them she would need to get it approved by her more computer savvy progeny, and please call back, would probably spike the deal well enough.
Readingrainbow.jpg
Steam: pazython
Ah, I see. So there are some forms of software out there, though paid only, that would constantly ask for your permission (computer owner's?) whenever the scammers would try to install something fishy without you knowing?
Yeah, so they would become impatient or worried that they will get caught, which hopefully might lead them to abort their mission?
Can you explain the meaning of whitelisting software? Do you install a specific software on your computer that always checks with a kind of database that only lists software that are deemed "safe"?
Unless the file you try to install is not on this "safe" list, the computer owner is asked to give it permission to install? How and who gives it permission?
If the user can approve their own software, it defeats the point (see UAC) in this situation. I googled a bit and found some references to a Kaspersky product, but I'm not sure how (or IF) it works as a single user product, as anything that allows the user to create their own exception would not be effective. You would need a thirdy party to authorize, which would in theory need a database they can both access.
Edit: And that may be why I'm not seeing any clear options for home users; in that the system requires at least two people to be effective.
Newer Windows versions have the ability to set software permissions built in (used in corporate environments a lot). But there is software out there that can do the same on any version of windows that software supports.
Whitelisting is just telling the system what software it is allowed to install. This can range from "anything from this list of software companies", through "these specific programs", all the way to the most restrictive "Only these specific versions of programs".
Blacklisting is the opposite. Instead of saying what is allowed on the system, you say what is not allowed. White lists are much easier to maintain in general since the list of mal/adware and variants grows by leaps and bounds pretty much every day.
As for permissions, that varies according to the software used and how it's set. It could just flat out deny it, with either a message, or just simply kill it. Nothing would happen when it tried to run.
Or it could as you to contact someone to install it for you.
That process can be automated, but I've never seen that in a home product, that's enterprise stuff where a mail would go out to the IT support staff to review and approve/deny.
Or it can be self approved like UAC, and it's simply a nag screen to let you know what the software is doing and force you to accept or reject the action.
And pretty much all software can be bypassed if the attacker is good enough... so even the most restrictive settings and security software isn't a guarantee of safety. It's generally better to be more aware of the risks and consequences of your actions than to try and make your system an impenetrable fortress while being ignorant to what can go wrong.
In short, yes, it's usually a money scam. If they didn't get any information out of the parent, they usually install other programs that give them remote persistence into the computer, where they can snoop and catch private information being typed. I've also seen bitcoin miners, click fraud viruses, and other things uploaded to people who fall for these scams. It's also entirely possible for a ransomware infection as well, though usually those are delivered via exploit kits for 1:1 interactions.
As others have said, format the computer thoroughly - and if it's on a network of other computers, do some initial forensic analysis to see if they were pivoted too (check application/security logs). Make sure firewalls are on and active (Windows FW or other), AV signatures are up to date, and that all the computers are up to date with their Windows OS patches.
This is a great resource for this kind of stuff:
http://blog.talosintel.com/2015/11/tech-support-scammers.html
Thanks, EclecticGroove. Your whole reply really answered it down to detail. With regards to your final quote above, I came to think about another potential victim rather than just my parents.
I have a younger sister that is heavily into blogging and a cousin that sells her own little knitting creations online. Is there a possibility that scammers would also include them as great targets, not directly cause of money exploits there and then, but to install some form of software or plugins that would affect their blogs or online shop? I read a little further online and discovered that it can be dangerous to even visit blogs and shops that you would normally trust, because there is always a chance that the site could be infected in some way. Is this possible for scammers to implement through “Fake” tech support calls?
Great resource you posted. Will mention this further. Are any of the methods you posted in the quote above similar to an exploit that could infect someone's social media site?
Software wise it's a different story. It's very unlikely either will be targeted by someone looking to specifically get into her stuff.
But it's not uncommon for people to do scans for vulnerable software, default accounts, weak passwords, etc. Assuming they have got a storefront/blog on some major hosting company most of that stuff is out of their control aside from having their own login/password on whatever site(s) they use. They just need to make sure whoever they are using is keeping on top of that stuff and then just make sure they aren't using weak and/or easy to guess passwords.
If they host their own stuff, or are responsible for maintaining any of the software/plugins used on it, then they have a much bigger risk, especially if they don't know what they are doing.
Honestly, I haven't seen much of it. Keep in mind this is a quick bad guy make-money scheme, and like every business they'll try and 'turn you over' as a product, and then move on. These scam sites typically are short lived, as they'll get take down notices and blacklisted once a security firm finds them.
The only thing you need to sweat, post clean-up, is residuals. They've found a live one, they may attempt a scam or similar scam again. Ever vigilant.
Some AV's will catch bad programs before they install and will stop the installation. Ultimately, it comes down to the user. Never click on banner ads and popups. Use task manager to close popups within the browser since you can't trust the close button is really a "close" button.
Since you said you formatted your hard drive, the viruses are gone. Just make sure you change all of your online passwords asap!
If you're worried about your IP, call your ISP and see if they can give you a new public IP. Although any website you go to will be able to see your public IP so it isn't exactly a secret.
Also, with windows 10, it looks like the Edge browser doesn't ask for a prompt before starting a download? (I've only briefly used 10).
Get an actual AV software too. I've had some good results with Symantec.
Don't turn off/down UAC either. The prompts are annoying but let you know stuff is happening.
Ok, so while I was on vacation, I thought about the forum discussion a little further with regards to my sister's blog or security on blogging sites in general. She currently has a blog that is on its own domain, rather than previously where she used Blogspot. Does this mean she hosts her own stuff? Although there is hopefully a big chance that she manages to avoid being exploited by fake tech support calls, I did learn by reading some more on various sites that it is crucial to make sure your blog does not get infected by "malicous scripts". Apparently, if you are not careful when using a variety of applications together with your blog, hackers may install something referred to as XSS or "Cross-Site Scripting"?
https://www.1and1.com/digitalguide/hosting/technical-matters/how-to-protect-your-website-from-malware/
The above guide for instance lists similar exploits that are done through the "fake" tech support routine, like demanding a ransom for removing the malware or steal important information like passwords or bank details etc.
It also claims that it can be dangerous to visit a blog that has been infected, because a visiting computer may "catch" the virus through clicking on supposedly fake URLs if not mindful. The guide refers to suggestions on preventing malware on your website but I wonder if bloggers may also be vulnerable through "fake" tech support calls?
My cousin uses a ecommerce portal called Sassel? or something similar, so I assume she is safe as long as the provider is staying on top of things. I sent her a guide on creating strong passwords but she already was aware of that
Yeah, understand what you mean. I am still baffled that the culprit behind the scam from your videolink is himself a highly educated IT professional. Perhaps it makes sense?
1) You pay someone (person or company) to do pretty much everything. You may write the text on it, piece together the layout, etc. But you don't do anything more technical than maybe a tiny bit of HTML (like inserting an image or URL).
2) You do everything. You go get a DNS name for the website you want (like www.thisismysite.com). You have one or more servers you patch and keep running that have the software you need installed on it. You configure all of this to get the site up and running, and you also maintain it all. If you don't keep on top of patches and vulnerabilities your site, or the server(s) it sits on will eventually be easy to exploit.
And the third option is a hybrid. You maintain certain aspects of the site, and a company does the rest. This can range from you needing to buy a DNS name, to you needing to do everything but maintain the server itself.
As far as your sister goes, I'd imagine the only thing she had to do was pay for the domain name. I'd imagine the rest is up to someone else. But if she doesn't know, then she should check to make sure. She should have documentation somewhere saying what she is responsible for, or what is being paid for. If she has to install the plug ins and the like that she uses on the site, then she's responsible for a lot more than just writing some content.
Yeah, sounds like the third method would assumably be what my sister is using. So if that is the case, then she should not have to worry about her site getting infected and distributing malware to visitors.
Anyway, will post more if I have any more questions. Thanks again.
I'm not surprised at all. Truth be told, the state of the state as it relates to these types of scams are fairly fucking dismal. Crimes, federal crimes, are being committed, and for the most part, these scumbags attack with practical immunity. I have no idea why, or how, but that's how it is.
Case in point, the FTC is the federal body you report the scams too - and they aren't a law enforcement organization, so they can't assess criminal penalties. Even when they do take scammers to civil court, the fines assessed are often waived because they can't pay the millions they owe. I am not joking. I'm no lawyer, but the computer fraud and abuse act seems highly applicable to the scammers. And yet, who do you complain too? The Feds? The local police? Do you think they even care you got scammed? They're not rolling a platoon of agents to arrest the guy, unless it's worth their time (it usually isn't).
If you're a scammer, it's a truly great time to be alive.