Main Area and Open Discussion > General Software Discussion

Need some (security/virus-related) advice.

(1/3) > >>

ayryq:
Hi everyone.
I was visiting my parents house last week and noticed an icon for "Teamviewer" on my dad's desktop. I asked him about it and he said that he had called support after his computer froze a few months ago, and they had him install it so they could fix his computer. Did he call Lenovo? I asked, and he said no, he thought it was Microsoft. What number did he call? the number that came up on the screen when it froze. He was dismissive (embarrassed?) and said not to worry about it.

But I'm still worried about it. My hunch is that his "locked up" computer was really just a full-screen website and he was taken in by somebody. I didn't ask if he gave anyone money for this...

My question for you: if I have the opportunity to check out his computer, what should I check for? This is Windows 10 and additionally he has Malwarebytes installed. What might someone have done while having complete access to his computer (via teamviewer) and how can I find it?

Nervously,
Eric

IainB:
Sounds like a classic phishing hack to me. They tend to proliferate on "dubious" - i.e., not family-friendly, or X-rated websites. My kids have inadvertently stumbled on such websites and got the "phone this support number to fix the problem" display, so I raised the security bar to block them out. I have also had to fix these "phone this support number to fix the problem" scams on a couple of friends' computers.

There have been some arrests recently of Indian-based hacker teams where they hack these faux "alerts" on your PC when you visit their websites, or randomly and systematically call phone numbers in another country, claiming to be Microsoft support, and say they "noticed a problem on your computer". There are many more of these scam operators not yet discovered/arrested and still operating their scams.

This scam happened to a friend of mine a few weeks back and I advised him to string them along until they gave up - which he did, and enjoyed it too. I later got a call from a similar scam outfit on my mobile phone, so I carefully probed and established that they didn't know I had a laptop:

* Me: "Oh you mean my desktop PC? It's a really good DELL 2020 [made that up] computer - thankyou for calling, I didn't realise that it had a problem."
* Scammer (in a thick Indian accent): Yes sir, that is it. It is a good computer. The error report shows it has a disk error that may be virus (sic) and needs to be fixed urgently."
They did not know my name so I told them it was "Frank" and figured it had to be a random phone call, or they had found the number from hacking someone's email account or mobile phone, where they happened to have my number in their unnamed contacts list.

However, if your Dad has already succumbed to the scam - and it looks as though he has, if they have already installed Teamviewer - then they will probably have Admin rights and absolute control and full access, so they could have done anything by this belated stage, including inhibiting Malwarebytes.
So, you probably should rather urgently isolate his PC from the Internet, and treat the hard drive forensically with Malwarebytes. Attach the PC's drive as an external hard drive to another computer which is already installed and running Malwarebytes, including their anti-ransomware software.
You will also have to identify and expunge all traces of their software/data footprint on the disk.
If he has his bank account or credit card details in clear (i.e., not encrypted) somewhere in a file on the disk, then advise the banks concerned ASAP and get them to temporarily block/change the accounts whilst the passwords/PINs are being changed.

If they also had access to his social security ID information, then they potentially could have committed identity theft, in which case, be prepared for a great deal of pain to restore ownership.

Good luck.

ayryq:
Just talked to Dad, expressed my concerns. He's still not worried - it's been a few months and nothing bad has happened -- no weird charges or anything. He did pay $100 to get his computer "fixed" and he didn't recognize the company that showed up on his credit card bill. I asked if he could recall what happened while the scammer was logged in to teamviewer and he couldn't remember anything other than "it took awhile".

Dad kept all his passwords for things in a file probably called passwords.doc or something. So the scammer definitely has his credit card, name, phone number, and might have his login info for literally every account he has (though not his SSN unless they got it through a keylogger or something)

I told him to print the passwords file, delete it, and then change his passwords, but I won't be able to look at his PC until Wednesday.

Hopefully the $100 was all they were after - although I'd really like to know what they were doing in teamviewer for "awhile"

And I can't get Dad to feel any sort of concern about this! It's "no big deal," ancient history, no problem.

My brother suggested he put some recipes in his passwords.doc file. Maybe save his passwords in recipes.doc. That'll foil them!

mouser:
If I had to guess, I'd say the odds are good that he paid $100 to a company that used teamviewer to remote connect in and (at least tried) to fix his computer, and that everything is fine and nothing was taken, and that you should simply ensure that teamviewer password is changed or teamviewer uninstalled, etc. and backup everything in a safe place as always, and keep a careful eye on bank and credit cards for the next 6-12 months.

That's not to say that there isn't a risk that everything else was taken -- just a reminder that most of the time things aren't as bad as we fear.

ayryq:
Hope you're right, Jesse.

Eric

Navigation

[0] Message Index

[#] Next page