topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • November 14, 2018, 09:44 AM
  • Proudly celebrating 13 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Need some (security/virus-related) advice.  (Read 1795 times)

ayryq

  • Supporting Member
  • Joined in 2009
  • **
  • Points: 101
  • Posts: 277
    • View Profile
    • Donate to Member
Need some (security/virus-related) advice.
« on: December 11, 2017, 07:15 AM »
Hi everyone.
I was visiting my parents house last week and noticed an icon for "Teamviewer" on my dad's desktop. I asked him about it and he said that he had called support after his computer froze a few months ago, and they had him install it so they could fix his computer. Did he call Lenovo? I asked, and he said no, he thought it was Microsoft. What number did he call? the number that came up on the screen when it froze. He was dismissive (embarrassed?) and said not to worry about it.

But I'm still worried about it. My hunch is that his "locked up" computer was really just a full-screen website and he was taken in by somebody. I didn't ask if he gave anyone money for this...

My question for you: if I have the opportunity to check out his computer, what should I check for? This is Windows 10 and additionally he has Malwarebytes installed. What might someone have done while having complete access to his computer (via teamviewer) and how can I find it?

Nervously,
Eric

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,245
  • Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #1 on: December 11, 2017, 09:28 AM »
Sounds like a classic phishing hack to me. They tend to proliferate on "dubious" - i.e., not family-friendly, or X-rated websites. My kids have inadvertently stumbled on such websites and got the "phone this support number to fix the problem" display, so I raised the security bar to block them out. I have also had to fix these "phone this support number to fix the problem" scams on a couple of friends' computers.

There have been some arrests recently of Indian-based hacker teams where they hack these faux "alerts" on your PC when you visit their websites, or randomly and systematically call phone numbers in another country, claiming to be Microsoft support, and say they "noticed a problem on your computer". There are many more of these scam operators not yet discovered/arrested and still operating their scams.

This scam happened to a friend of mine a few weeks back and I advised him to string them along until they gave up - which he did, and enjoyed it too. I later got a call from a similar scam outfit on my mobile phone, so I carefully probed and established that they didn't know I had a laptop:
  • Me: "Oh you mean my desktop PC? It's a really good DELL 2020 [made that up] computer - thankyou for calling, I didn't realise that it had a problem."
  • Scammer (in a thick Indian accent): Yes sir, that is it. It is a good computer. The error report shows it has a disk error that may be virus (sic) and needs to be fixed urgently."

They did not know my name so I told them it was "Frank" and figured it had to be a random phone call, or they had found the number from hacking someone's email account or mobile phone, where they happened to have my number in their unnamed contacts list.

However, if your Dad has already succumbed to the scam - and it looks as though he has, if they have already installed Teamviewer - then they will probably have Admin rights and absolute control and full access, so they could have done anything by this belated stage, including inhibiting Malwarebytes.
So, you probably should rather urgently isolate his PC from the Internet, and treat the hard drive forensically with Malwarebytes. Attach the PC's drive as an external hard drive to another computer which is already installed and running Malwarebytes, including their anti-ransomware software.
You will also have to identify and expunge all traces of their software/data footprint on the disk.
If he has his bank account or credit card details in clear (i.e., not encrypted) somewhere in a file on the disk, then advise the banks concerned ASAP and get them to temporarily block/change the accounts whilst the passwords/PINs are being changed.

If they also had access to his social security ID information, then they potentially could have committed identity theft, in which case, be prepared for a great deal of pain to restore ownership.

Good luck.

ayryq

  • Supporting Member
  • Joined in 2009
  • **
  • Points: 101
  • Posts: 277
    • View Profile
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #2 on: December 11, 2017, 10:15 AM »
Just talked to Dad, expressed my concerns. He's still not worried - it's been a few months and nothing bad has happened -- no weird charges or anything. He did pay $100 to get his computer "fixed" and he didn't recognize the company that showed up on his credit card bill. I asked if he could recall what happened while the scammer was logged in to teamviewer and he couldn't remember anything other than "it took awhile".

Dad kept all his passwords for things in a file probably called passwords.doc or something. So the scammer definitely has his credit card, name, phone number, and might have his login info for literally every account he has (though not his SSN unless they got it through a keylogger or something)

I told him to print the passwords file, delete it, and then change his passwords, but I won't be able to look at his PC until Wednesday.

Hopefully the $100 was all they were after - although I'd really like to know what they were doing in teamviewer for "awhile"

And I can't get Dad to feel any sort of concern about this! It's "no big deal," ancient history, no problem.

My brother suggested he put some recipes in his passwords.doc file. Maybe save his passwords in recipes.doc. That'll foil them!

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 38,952
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #3 on: December 11, 2017, 10:28 AM »
If I had to guess, I'd say the odds are good that he paid $100 to a company that used teamviewer to remote connect in and (at least tried) to fix his computer, and that everything is fine and nothing was taken, and that you should simply ensure that teamviewer password is changed or teamviewer uninstalled, etc. and backup everything in a safe place as always, and keep a careful eye on bank and credit cards for the next 6-12 months.

That's not to say that there isn't a risk that everything else was taken -- just a reminder that most of the time things aren't as bad as we fear.

ayryq

  • Supporting Member
  • Joined in 2009
  • **
  • Points: 101
  • Posts: 277
    • View Profile
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #4 on: December 11, 2017, 10:33 AM »
Hope you're right, Jesse.

Eric

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 9,812
    • View Profile
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #5 on: December 11, 2017, 11:34 AM »
If I had to guess, I'd say the odds are good that he paid $100 to a company that used teamviewer to remote connect in and (at least tried) to fix his computer, and that everything is fine and nothing was taken, and that you should simply ensure that teamviewer password is changed or teamviewer uninstalled, etc. and backup everything in a safe place as always, and keep a careful eye on bank and credit cards for the next 6-12 months.

That's not to say that there isn't a risk that everything else was taken -- just a reminder that most of the time things aren't as bad as we fear.

That was my first thought.  If he doesn't recognize the company, he could also reverse the charges, and change the card because of fraud.

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,245
  • Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #6 on: December 11, 2017, 11:46 AM »
@ayryq: Hmm. Sounds fairly typical, and your Dad sounds like a typical unsuspecting potential victim. If they were claiming to be "Microsoft Support" or something, then that was probably a lie and thus probably a fraud was being committed. Classic.

Regardless, as well as the forensics, I would suggest subsequent file encryption for the (changed) passwords in the Password file, at least.

There are a couple of potential avenues I could suggest for this, findable via the DC Forum discussions/threads:
1. Frog Tea: (@f0dder seems to think this proprietary software is insecure; see below notes)
FrogTea (DCF discussion)
« on: 2012-10-06, 23:16:55 »
Quote
What is FrogTea? FrogTea is a free, Windows based, encryption utility which allows you to create a secure*, stand alone, self-decrypting HTML archive which may contain either html or plain text content. These self-decrypting archives may be decrypted on any device which has a javascript capable browser.
Copied from: FrogTea - DonationCoder.com - <https://www.donationcoder.com/forum/index.php?topic=32466.0>

However, @f0dder finds Frog Tea to be flawed as any kind of a properly secure approach and makes the point about this:
f0dder (DCF comment)
The reasons I listed against using FrogTea are pretty sound. If anything is absurd, it's that insistance that there's some merit in using an unmaintained, closed-source program with problematic encryption - while not philosophically untrue, it's about as ridiculous as insisting that it's better to wear a pajamas in a blizzard than being naked.
Copied from: FrogTea - DonationCoder.com - <https://www.donationcoder.com/forum/index.php?topic=32466.0>

2.  fSekrit: (@f0dder's own proprietary software using AES encryption)
LATEST VERSION: fSekrit 1.40 shrinkwrapped!
http://www.donationc....msg186778#msg186778
_____________________________________________________
fSekrit v1.40 change log:
http://f0dder.dcmemb...sekrit/changelog.txt
________________________________
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** Release History:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
version 1.40 - December 3, 2009 - 90kb/45.5kb
- fixed:  long-standing bug where failing to save changes when closing fSekrit
  with a modified document would cause fSekrit to exit, rather than notifying of
  error and let user attempt to save again.
- fixed:  saves are *finally* done properly, by saving to a temporary file and
  replacing the current file only when all the file writing business is done.
- added:  font selection dialog, no longer do you need to much around with the
  registry to set another default font. The font is still not stored in your
  document, though, and is single global per-user registry setting.
- added: "portable" mode, which (for now) means it will not use %TEMP% to store
  it's temporary editor executable, but instead store it in the same folder as
  the opened document. Registry is still used for font selection, though!
  To enabel this feature, create a file called "fSekrit.portable" in the same
  folder as the document you want to function in portable mode.
- added: URLs are now recognized and turned into hyperlinks.
- fixed: Read-only notes should be a lot more sane - changed from confusing
  "make read-only" that half-worked to "Save As Read-only" that works :)
- fixed: Win9x and NT4 support has been broken since version 1.35. Release builds
  are now done with an older compiler toolchain, and 9x/NT4 support is back :)
----------
version 1.35 - December 23, 2007 - 100kb/50.5kb
- fixed:  file->export appends ".txt" instead of ".exe" if no extension given.
- fixed:  file->new now clears passphrase and read-only state.
- fixed:  menu items are now properly enabled/disabled depending on read-only
  state and whether text field is empty or not.
- added:  drag&drop support: you can now drop a text file onto the fSekrit
  window, and fSekrit will load the dropped file.
- added:  right-click popup menu with edit actions
- added:  redo support
- added:  unicode text support (only the note text, not filenames yet)
- added:  now everything sensitive is always wiped from memory after use,
  as far as it's possible (with the exception of the RichEdit control).
----------
version 1.3 - November 18, 2007 - 99.5kb/50.5kb
- added:  read-only notes, finally :)
- bugfix: changing key on unsaved document would crash
- bugfix: saving an empty document would crash
- bugfix: running fSekrit.exe (w/o embedded note) from a CD was unable to
  Save As because read-only file attribute wasn't cleared on destination.

This release was actually meant to be released on 15th October 2006, but
due to the phase of the moon and real-life work, got postponed for over a
year. Sorry.
----------
version 1.2 - September 15, 2006 - 98.5kb/50.0kb
- improved security a bit (randomized IV)
- fSekrit now saves without "flickering in and out of existance"!
- you can now specify a custom font. I haven't added a GUI setting for this,
  but it's tweakable from regedit. You can create fontface:string and
  fontsize:dword values under HKEY_CURRENT_USER\Software\flork.dk\fSekrit .
- import and export plain text
- win9x: now handles large encrypted notes
----------
version 1.1 - April 11, 2006 - 75.5kb/39.5kb
- bunch of misc. bugfixes
- added menu items for most functions (were already available through keyboard
  shortcuts)
- added edit->find
- internal preparation for unicode support and other goodies

PLANNED: secure file wipe, better process model (slightly safer and more
convenient), drag-and-drop encryption, unicode support, additional encryption
tools, and of course smaller filesize :)
----------
version 1.0 - January 31, 2006 - 76kb/39.0kb
 first public release.

ayryq

  • Supporting Member
  • Joined in 2009
  • **
  • Points: 101
  • Posts: 277
    • View Profile
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #7 on: December 11, 2017, 11:54 AM »
Actually I think he'll be served perfectly well with a notebook with passwords written down. I love KeePass but I don't see my Dad dealing with such a system.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,479
    • View Profile
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #8 on: December 11, 2017, 03:21 PM »
Actually I think he'll be served perfectly well with a notebook with passwords written down. I love KeePass but I don't see my Dad dealing with such a system.

I've long been a fan of the phrase "The old ways are the best" ... Because it does rather frequently seem to prove true. However...

Given the many exploits currently in the wild - many of which have lengthy dormancy periods - it would probably be best to roll his machine back to a restore point prior to the incident before doing a through offline scan to ensure nothing is waiting until the coast is clear...or just quietly monitoring some C&C channel awaiting instructions.

ayryq

  • Supporting Member
  • Joined in 2009
  • **
  • Points: 101
  • Posts: 277
    • View Profile
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #9 on: December 11, 2017, 03:22 PM »
Do you think a windows 10 "refresh" would accomplish this?

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,245
  • Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #10 on: December 11, 2017, 03:39 PM »
Do you think a windows 10 "refresh" would accomplish this?
Interesting. That could be a novel way of dealing with the situation if the PC has been compromised/hacked in some way, but I'm not sure whether it would be a recommended best practice approach.

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,006
    • View Profile
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #11 on: December 11, 2017, 05:58 PM »
2.  fSekrit: (@f0dder's own proprietary software using AES encryption)
LATEST VERSION: fSekrit 1.40 shrinkwrapped!

It is open source and available for review on GitHub for the last 22 months, (forum post).

I was visiting my parents house last week and noticed an icon for "Teamviewer" on my dad's desktop.

FWIW, since I'm the de facto computer repair technician for the family both my parents computers have CCleaner Cloud installed on them, I get emails about what software has been installed/updated and, if necessary, remotely uninstall some software, (depends on the software).

Of course, the downside is I also get to remotely fix things while I'm overseas  :-\
« Last Edit: December 11, 2017, 06:09 PM by 4wd »

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 8,562
    • View Profile
    • The Blog of Deozaan
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #12 on: December 11, 2017, 11:37 PM »
If I had to guess, I'd say the odds are good that he paid $100 to a company that used teamviewer to remote connect in and (at least tried) to fix his computer, and that everything is fine and nothing was taken...

If I had to guess, I'd say the odds are good that he paid $100 to a "Nigerian Prince" who used TeamViewer to remote connect in and "scan for and fix problems" (they were probably just running scandisk or defrag or something equally harmless/useless).

But of course it could be a lot worse than that.

Either way, make sure TeamViewer gets uninstalled in case they set it up to allow unattended access.

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,245
  • Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Need some (security/virus-related) advice.
« Reply #13 on: December 12, 2017, 03:58 AM »
2.  fSekrit: (@f0dder's own proprietary software using AES encryption)
LATEST VERSION: fSekrit 1.40 shrinkwrapped!
-IainB (2017-12-11, 11:46:13)

It is open source and available for review on GitHub for the last 22 months, (forum post).
Ahh. Thanks @4wd. Hadn't read that - or had forgotten if I had. When I went to the fSekrit website to check on the latest version status, I thought 2009 as the latest date in the changelog looked a bit dated/neglected, but I didn't like to say anything that might seem critical. I didn't  notice any pointers to GitHub.    :-[
I guess it is an open Sekrit now, anyway.