Preying on the elderly #2 – SCAM ALERT

Reading time 10

Preying on the elderly #2 – SCAM ALERT

We have a customer that has been with us for the past 15-plus years. They are an elderly couple and they just got scammed. I got a call from Roger (the names have been changed) telling me that he thinks he was just scammed. I grabbed my tools and headed to his house and sure enough, he was just scammed. He told me that he was on his laptop and that he was surfing the internet and his computer started talking and a banner appeared telling him that his computer has been blocked, with a phone number to call. He called that number and the person on the other end answered as he was from Microsoft and he can assist. Basically, they had him go to a website and download an app and install it. Once he installs the app and launches it they connect to his computer using this app. While he was doing this they had him provide a credit card number so they can charge him for this service call to clean up his computer. This is a tactic to keep him busy so he doesn’t have time to think or stop them from doing what they are doing in the background.

What they were doing was connecting to his computer they were installing software in the background so they could reconnect and control his computer at will, anytime they wanted. They kept him on the phone asking questions, showing him log files, and things like that, so they can run up his credit card. He got wise after about 15 minutes, hung up, closed the lid on his laptop, and called me.

When I got there, he told me this story about how he clicked on an ad on YouTube. This ad took him to a fake page that urged him to call Microsoft. His computer started to talk to him stating something like “Critical alert from Microsoft, your computer has alerted us that it is infected with a virus and spyware. This virus is sending your credit card details, Facebook login, and personal emails to hackers remotely. Please call us immediately at the toll-free number listed, so that our support engineers walk through the removal process over the phone. If you close this page before calling us, we will be forced to disable your computer to prevent further to our network….” (see a screenshot below)

Let me stop right here and explain this part before I go back to the story. I have seen this fake “virus warning” before, I have even had it on my computer a few times (intentionally trolling for it, so research purposes). It is nothing more than a web page, with a pop-up banner and a voice track playing in the background. There is absolutely no damage to your computer, there is no virus and there is no Microsoft contacting you. Microsoft does NOT monitor any virus activity and they do NOT monitor your computer activity. The whole purpose of this page is to get you to call the number listed and fall for their scam. If you call the number listed, they will answer as though they are supported by Microsoft and they will be more than willing to help you in any way they can. They will act very sympathetic to your concerns as that is what they are paid to do, and most likely they are from India and let me tell you they have some patient people in that country.

Alright back to this customer’s story, Roger went on to tell me that he called the number listed and talked with a Microsoft support person for about 15 minutes. The conversation with Tim (the “Microsoft Support Engineer”), started with Tim ensuring Roger that he can fix this, with no problem. He asked Roger to go to https://goto.com/ and download and install GoTo Opener and GoTo Assist Customer (which is a legitimate company and legitimate software). Once Roger had done that Tim was now allowed full control over Roger’s computer.

Tim kept Roger on the phone for 23 minutes, until Roger got wise and disconnected the call. Tim called Roger back several times but Roger wasn’t answering and the laptop was now off (or so Roger thought). This is about the time that Roger called me and I got involved.

When I arrived, I quickly discovered that, even though Roger closed the lid on his laptop, the laptop was still up and running and Tim was still connected in fact Roger clicked the ad at 1:14 p.m. and Tim was disconnected by me at 14:42 p.m.

My investigation revealed that the first thing Tim did was start a program that ran in the background that was looking for passwords. This was running while Tim, played around in both Google Chrome and Microsoft Edge. Tim wasn’t actually doing anything, he was just closing the window that had the fake virus alert in it and keeping Tim busy while the scripts did what they needed them to do. While I was investigating, I had Roger connect a tablet that he hadn’t used in a while to his cell phone hotspot and start changing his passwords. I suggest that he make a list, systematically go down the list and make sure he writes down the new passwords.

I was able to find out that they had exfiltrated his Windows Live email, his AOL email, and his OneDrive account. They set up a OneDrive account which a long string of characters for the username (7b0c175fdd48fb5d) and a very long generated password, which is where they uploaded the results from the exfiltration and that I changed the password to and replaced the data with bogus data. I also was able to access the recovery phone number which I gave to the police, but without a country code, I couldn’t play much more.

I was able to determine that they tried to access Skype while they were on the phone with him, but Roger remembered my teaching from years ago and had his laptop’s built-in webcam covered. They also got his wireless router password and his Dropbox login credentials. I found a total of 26 accounts on his laptop that they likely would have been able to exfiltrate, but didn’t show up on the data file in the OneDrive for some reason.

Now it was time to clean up the damage, since I was going to take the laptop home with me to clean up, my first priority was to evaluate what type of damage they could do with his Wi-Fi password. I logged on to the admin page for their wireless router and took inventory of the devices connected. I then went around the house and we identified the devices. First up was their smart TVs, I needed to see if they had cameras as the bad guys could be watching us right now. A few clicks on Google and none of the three TVs had built-in cameras and none had a method for a password, so I moved on. Next up was their alarm system, which I have to err on the side of caution and assume has been compromised. They called the company to reset the password, panic code, and secret passphrase and then called the local police to assist. Next up were the smart devices around the house, like the washer and dryer and the refrigerator. I explained that the bad guys have been kicked out of the system, but they could, though unlikely, had time to mess with things like their refrigerator, so they need to be aware of that and pay attention to it for the next 24 hours. We then made sure all the devices were able to connect to the network with the new password. During my search, I was able to find that their next-door neighbor had been jacking their Internet for a very long time, not anymore on my watch.

The last step was to block the scammer from calling Roger back, at least from the same number.

The police arrived as we were leaving and Roger later told me that they were impressed at how thorough I was with my assessment, investigation, and clean-up.