Preying on the elderly – SCAM ALERT


We had a customer who ran a small store in town. He was too trusting, and that is what got him into trouble. For the purpose of this post, I will call him Thomas. Thomas, who is in his early 90s, got a phone call one day asking whether he was having computer problems: whether his computer was running slow, or just wasn’t working correctly. Of course, Thomas said he was having problems, and that is where his problems really started.

This scam relies on the elderly person not being very computer savvy, and most aren’t. In this case, Thomas wasn’t, and he relied on me to fix all of his computer problems. But the guy on the other end of the phone was so convincing and so honest sounding that Thomas thought this couldn’t possibly be a scam; after all, the guy claimed to be a professional from Microsoft. This scam also relies on the elderly person believing that the caller is from a major computer company like Microsoft. Who would turn away free help from Microsoft? The caller went on to explain that Thomas’ computer had been flagged by Microsoft for being slow and having a handful of problems, and that he would fix them for Thomas for free.

The caller then instructed Thomas to go to a website and download a file, and stepped Thomas through installing the program. He then had Thomas run the program and click a prompt on the screen. What he had just had Thomas do was install a program that would allow the caller to take over Thomas’ computer. Then, while Thomas was watching, he opened up a few windows and explained in some roundabout way how this file and that file were missing, or not correct, or some BS like that. He would click here, click there, and make it look like he was doing something. All the while, in the background where Thomas couldn’t see, he was launching a RAT, or Remote Access Trojan, which is a program that would allow him to control Thomas’ computer anytime he wanted.

The whole smoke-and-mirrors show the caller put on in front of Thomas was just there to sell the story and buy him time to install his RAT and other programs onto Thomas’ computer. Once that was working, they sold Thomas on a “maintenance plan” under which they would clean up his computer whenever he wanted them to. Of course, Thomas fell for this and gave them his credit card number to “subscribe” to their services.

The really sad part about all this is that Thomas didn’t call me for a few more days, and then only because of another problem he was having with his computer. It was then, over the phone, that he told me about the caller. I immediately knew what had happened and told him to turn off his cable modem (lucky for both of us, I had shown Thomas where it was once before).

I arrived at his store about 45 minutes later, and Thomas said that his phone had been ringing non-stop. He said that the guy from “Microsoft” had called him seconds after the modem was turned off and had called a dozen times since Thomas got off the phone with me. I told him what was going on and that I needed to take his computer home for the night so I could start digging around to see what they had done. I also told him to ignore the caller claiming to be from Microsoft.

When I got his PC home and started digging, I noticed that they had installed a handful of programs and had been rummaging around on his computer. They had pretty much touched every single file; well, they didn’t modify the files, but they had already downloaded over 9Gb of data from his computer. I removed the programs, then uninstalled and reinstalled his anti-malware. I rolled his computer back to a restore point from the day prior to the phone call and then dug around some more. I scanned it with several well-known anti-malware, anti-rootkit, anti-this, and anti-that programs until I was comfortable with the state of his PC.

I then started logging on to all of the accounts that were stored in his browser’s password “vault” (yeah, right, “vault”) and in the protected storage of the OS. Sure enough, they had logged on to some of them and had gotten as far as changing the account recovery details to include their own email address as the recovery address. This is the easiest way for them to keep access to the account. The average person would simply log on, change the password, and move on. But since they changed the account recovery email address to their own, all they would have to do is play the “I forgot my password” game and gain access again.

In his Yahoo! mail account, they had actually left receipts for things they ordered online. I even found that they had his wireless password, which wasn’t in his browser’s password store. After questioning Thomas further, I found out that they had asked him to read off the stickers on the side of his modem. This included the make, model, serial number, and the default username and password used to access it. With that information and his IP address, they could connect to his modem anytime they wanted, which gave them immediate “backdoor” access to his network and let them bypass the modem’s built-in firewall as well. With this new, unrestricted access, they could do whatever they wanted within Thomas’ network. The good thing is that the only things on the other side of the modem were his single Windows 10 PC and a printer connected to the PC via a USB cable.

The first thing I did was log into the modem’s web interface and change the admin username and the admin password. The next thing I did was release the IP address, then disconnect the modem for 15 minutes in the hope that the DHCP lease would expire and the ISP would hand out a new IP address. When I turned the modem back on and logged on to the web interface, sure enough, it had a new IP address, meaning that the “caller” would not be able to locate the infected device again.

Going through my checklist (the checklist will be in a future post) to ensure that I had done everything, it all looked good.

By the time I had everything cleaned up, the “caller” had managed to scrape over $9,000 (USD) from Thomas, mostly through purchases on his credit card.

The last we heard from Thomas’ family is that the majority of the $9k had been recovered by the credit card company.

*** This is a true story of a customer of mine. The names and some specifics have been changed to protect the client ***

By Average Joe

Welcome to the Average Joe Weekly blog. This is basically my place on the web where I can help spread some of the knowledge that I have accumulated over the years. I served 10+ years in the Marine Corps on Active Duty, but that was some 25 years ago.
