Fraudulent Tech Support Call
-
I had a user come to me with a parent who fell victim to one of the "your computer is infected" type scams. They called, and let the caller take control of their machine. They did NOT pay any money though.
The user had their parent unplug and change all their passwords.
I was wondering if there was an utility (such as provided in ComboFix) that lists all files installed or modified within X number of days.
Has anyone had this actually happen to someone they knew?
Do these scams actually install malware/etc that would warrant a total reinstall? Or are they just doing a dog and pony show "looking" like they are doing something to get the user to pony up the money?
-
@BRRABill said:
I had a user come to me with a parent who fell victim to one of the "your computer is infected" type scams. They called, and let the caller take control of their machine. They did NOT pay any money though.
The user had their parent unplug and change all their passwords.
I was wondering if there was an utility (such as provided in ComboFix) that lists all files installed or modified within X number of days.
Has anyone had this actually happen to someone they knew?
Do these scams actually install malware/etc that would warrant a total reinstall? Or are they just doing a dog and pony show "looking" like they are doing something to get the user to pony up the money?
Just to be safe, I'd backup all documents and pictures and such, and nuke it from orbit.
-
There is one and one possible thing to do here... you reinstall the computer. Don't even think of anything less. That machine is now taken over and owned by someone else. Don't let it exist another minute without being reinstalled.
-
@BRRABill said:
Do these scams actually install malware/etc that would warrant a total reinstall?
That's the entire point of them. And it isn't malware... it's fully rooted without any need for malware. They totally own the machine.
-
I always thought they were much less "active" ... in that they were just trying to get some money from the user and not actually install anything.
-
@BRRABill said:
I always thought they were much less "active" ... in that they were just trying to get some money from the user and not actually install anything.
In theory, they could be anything. It could be a huge operation out of the far east, or it could be the kid next door pulling a prank. But realistically, it's like wondering if the bank robbers actually robbed the bank or just broke in to try to extort a few hundred dollars.
Once they are in the vault and can just pick up the cash, they are going to just pick up the cash. They might try to extort a few extra dollars as well, but it is purely "as well."
The important thing here is that the machine has been compromised, completely. That much is known. What does someone want to do who has totally compromised a machine? Given that installing something that gives them every key stroke, every encrypted website, every changed password, etc. do you really feel that there is any chance that they didn't do that? Thieves don't break in and steal the $500 television and leave $10K of cash sitting on the coffee table. They take the biggest, easiest hit. Maybe they take everything, but they never leave the easy stuff. Rooting the system is the easy money, extorting a few hundred dollars is just an attempt not to leave anything behind.
-
Or think of it this way.... all of your valuables are in your house. You know a thief broke in, took your keys and had a key replicator and time to replicate the keys without any risk to themselves. Do you change the locks or just assume that they weren't THOSE kinds of thieves?
-
This post is deleted! -
I think that this falls under my theory that every home user should have a PBX and an extension rather than a DID that rings directly to them. Isn't going to stop 100% of this stuff, but it will stop 99.9% of it. And you can add security on top of that, but just stopping the direct dial concept fixes so much. I moved my own home to this long ago and spam & scam calls stopped, 100%.
-
I know we've discussed this before, but what are your feelings on reinstallation for malware/virus/etc infections?
I have never had to do a full reinstall, but every case I have seen have just been searchbars or whatever gone crazy. Not like clicking a fraudulent link.
-
@BRRABill said:
I know we've discussed this before, but what are your feelings on reinstallation for malware/virus/etc infections?
I have never had to do a full reinstall, but every case I have seen have just been searchbars or whatever gone crazy. Not like clicking a fraudulent link.
If you have never done a full install, then all those systems are still compromised. I hope your people like identity fraud.
-
As @dafyre and @scottalanmiller stated,..
Nuke it from Orbit.
save your data, and completely nuke it.
-
@BRRABill said:
I had a user come to me with a parent who fell victim to one of the "your computer is infected" type scams.
-
Not your problem
-
I would recommend a complete wipe and nothing less.
-
-
No, that is definitely the recommendation here for this user.
I am just saying I don't think that needs to be the case on every malware case.
-
@BRRABill said:
I know we've discussed this before, but what are your feelings on reinstallation for malware/virus/etc infections?
My take on it is: reinstall, every time.
-
@IRJ said:
- Not your problem
I know but I am the rare IT person who helps friends, family, and co-workers.
I know I am in the minority.
-
@BRRABill said:
@IRJ said:
- Not your problem
I know but I am the rare IT person who helps friends, family, and co-workers.
I know I am in the minority.
Why? Do they offer to do free labor on your car when it needs maintenance?
People understand mechanics don't work for free, but for some reason they think IT people should
-
@BRRABill said:
I have never had to do a full reinstall, but every case I have seen have just been searchbars or whatever gone crazy.
You mean just bloatware? That's not the same. You can argue, and I'll agree, that bloatware is kind of malicious in a very light way (like how you might maliciously step on someone's toe or bump into them or not let them onto the highway from the ramp - "little" malicious) but it's not malicious in an illegal way and relies on tricking the customer as to what they "want" not as to "what they think they are getting." It's a bit different. It's malicious like a salesman can be malicious - hurting you to the extent of honesty.
But with bloatware itself, you don't need to reinstall, just remove. Some malware hides as bloatware, but malware can hide as anything so that's not a good guideline.
-
@IRJ said:
Why? Do they offer to do free labor on your car when it needs maintenance?
People understand mechanics don't work for free, but for some reason they think IT people should
I have friends that are mechanics that work on my car for free. I give them free IT stuff.
I just know a lot of people who help each other out.
I'm a member of a "Pay It Forward" group, too.
-
@BRRABill said:
I am just saying I don't think that needs to be the case on every malware case.
So where do you draw the line? At which times that someone has almost certainly had their identity and access compromised do you recommend remaining at risk and not taking the most basic precautions? How do you know which times they were just stealing bandwidth and not stealing bank data?