
MS Tech Support phone scam victim

  1. Jan 24, 2015 #1

    DaveC426913

    Gold Member

    All my sphincters are in lockdown.

    Normally my mother is extremely suspicious of strangers calling, but for some reason, this slipped by her. She apparently spent quite a bit of time the other day on the phone with someone "trying to help her fix technical problems with her Microsoft" system. She obviously gave them access to her system, since she said that they were manipulating her cursor and accessing various places on her computer.

    She's away for a few days, so I dropped by to check out the damage. As far as I can tell, there are no obvious lasting effects. No software installed that I can see. I ran a virus check, turned on the Windows Firewall, and searched the drive for what had been installed during the time in question. Still nothing.

    I am highly dubious that they would put their grubby paws all over her system, yet not install anything. Maybe there's something on there that's invisible, or simply looks innocuous to my eye.

    Does anyone have any suggestions for a deeper search?
     
  3. Jan 24, 2015 #2

    Borg

    Science Advisor
    Gold Member

    Assuming that she doesn't have a firewall, I would install one. That should let you know pretty quickly if there is something that's communicating with the outside world. There are other things to check but that would be my first.
     
  4. Jan 24, 2015 #3

    DaveC426913

    Gold Member

    Right. Yes, I turned on the standard Windows firewall.

    I didn't stick around very long to see if it was doing anything though. And I shut the system down when I left.
     
  5. Jan 24, 2015 #4

    Borg

    Science Advisor
    Gold Member

    Sorry, that didn't register in my brain for some reason. :redface: Glad to see that you shut it down before you left. For now, you have to keep it that way and do not connect it to the internet until you can verify the integrity of the system.

    Personally, I don't trust the Windows firewall. I wouldn't be surprised if they installed a rootkit or some back door that the Windows firewall wouldn't see. I like and use the free version of ZoneAlarm. The damn thing installs a toolbar on your browser these days but a quick Google search can show you how to get rid of it. Unlike Windows, ZA is a default-deny firewall where the Microsoft firewall tends to allow Microsoft OS processes access by default.

    Coincidentally, I just passed the Security+ certification this week. It may take some time to fully inspect the machine, but I'll be happy to help as much as I can.
     
  6. Jan 24, 2015 #5

    Borg

    Science Advisor
    Gold Member

    For the uninitiated - How the Microsoft tech support scam works.
     
  7. Jan 24, 2015 #6

    DaveC426913

    Gold Member

    Interesting. I did notice a couple of TeamViewer log files (we use TeamViewer at my work). But as far as I could tell, TeamViewer was not installed on the system. All I saw were two log files, one from TV9 and one from TV10.
     
  8. Jan 24, 2015 #7

    Borg

    Science Advisor
    Gold Member

    We can look into whether it's still there later. For now, I just consider it a means to their ends.

    I haven't dealt with fixing a phone scam like this but I see two main possibilities for the phone scam - install malware that allows them to use the machine as part of a botnet or to install key loggers to obtain financial information.

    Some questions:

    Did she give them any financial information? You may have to ask this a couple of ways because of the social engineering that occurs in a case like this. They're very skillful in getting people to release information that the person doesn't realize that they've given.

    Before you shut it down, had the computer been shut down and restarted after "tech support" had their hands on it? The reason I ask is that there could be a virus that activates when the system is restarted. If it's already been restarted once, then we can eliminate that danger.

    How does the system connect to the internet? Wireless or direct cable? At some point, it may be necessary to turn it back on but you don't want it connecting to the internet when you do. Disconnecting the LAN cable is easy but many people have their wireless set up to autoconnect so you have to make sure that it can't by turning it off at the router.

    What browser does she mainly use? I'm more knowledgeable in Firefox but many non-technical people just use IE. I ask this because if she lets the browser save passwords, you may have to get them all changed.

    What is the OS version?

    BTW, if we get too far into the specifics of her system, I'm OK with discussing it through a conversation or personal email.
     
  9. Jan 24, 2015 #8

    DaveC426913

    Gold Member

    Before I started it up, I physically disconnected the network cable from the modem.

    I do not know what information she gave them. I will ask when she comes back. (I doubt she gave them any financial information. She is normally pretty savvy/suspicious.) I noticed when I started it up the first time, that it went to the restart menu, which indicates that the last time it was shut off, she did a hard power-down. It is conceivable that she simply got frustrated with the caller and powered off her computer. :fingers crossed:

    It's Windows 7. It is connected via a modem to Bell. I used Chrome.
    I think she is not sophisticated enough to use websites that require passwords, let alone have the browser store them.
     
  10. Jan 24, 2015 #9

    Mark44

    Staff: Mentor

    I've received two or three calls from some outfit telling me that they have discovered security errors on my computer. The first couple of times I just hung up. The last time, about a week ago, I said, "No, I don't have any problems with my computer. What makes you think I have problems?" He hung up.
     
  11. Jan 24, 2015 #10

    Borg

    Science Advisor
    Gold Member

    More information - what to do if you've been hit.
    If she uses the computer for any kind of banking or financial stuff, these will have to be done. If so, she should immediately contact her bank(s). I would also place a fraud alert with the three credit bureaus. I assume that it works generally the same in Canada.
     
  12. Jan 25, 2015 #11

    OCR


    Keeping Remote Assistance unchecked might help some, I'm not sure...

    I keep it unchecked on my computer, anyway..
    [Attached image: Remote Assistance - Copy.JPG]
     
    Last edited: Jan 25, 2015
  13. Jan 25, 2015 #12
    You won't like this but if a machine is compromised the only way to be safe is format it and reinstall.

    There are things such as rootkits that can render themselves undetectable to the operating system. For example - and this is a gross simplification that will make security engineers cringe - they can add a file to the machine and patch the operating system (Windows itself) to simply never report that file's existence. Unless you scan that drive using a trusted installation of the operating system (i.e. a different computer), you'll never see it.

    http://en.wikipedia.org/wiki/Rootkit
     
  14. Feb 3, 2015 #13
    One of the best ways to find out if there's any malicious program sending out data or listening for inbound connections is to use the netstat utility:
    https://technet.microsoft.com/en-us/library/ff961504.aspx

    From within her account, close all the programs that you recognize (even in the system tray),
    open up a command prompt,
    then run the netstat command with arguments -n -a.
    This will show you all the active connections as well as all the ports that are listening. From another system, run a whois for all the IP addresses you find and see if anything is out of the ordinary.

    This will ONLY show stuff that's currently running (open TCP/UDP or listening TCP/UDP). If the malware runs on a schedule, this won't see it.
     
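The procedure in the post above (run `netstat -n -a`, then pick out the established connections and the listening ports worth a whois lookup) can be automated so the triage is repeatable. The script below is an added example, not code from the post or from Microsoft's netstat documentation. It parses a constructed sample of Windows-style `netstat -n -a` output embedded inline (the addresses, ports and the layout are assumptions made for the example; the `1.2.3.4` address is an arbitrary public IP, not a real finding) and separates connections that leave the LAN from listeners bound to all interfaces. The same caveat as the post applies: it sees only sockets open at the moment the snapshot was taken.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Windows `netstat -n -a` output; not captured from a real machine.
# Port 5938 is the port TeamViewer normally uses, included here because the thread
# mentions TeamViewer log files; 1.2.3.4 is an arbitrary public address for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5938           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49152        0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49321     1.2.3.4:443            ESTABLISHED
  TCP    192.168.1.10:49400     192.168.1.1:53         TIME_WAIT
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
"""


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: Optional[str]
    remote_port: Optional[int]
    state: str  # empty for UDP, which netstat prints without a state column


def split_endpoint(text: str):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port); the UDP wildcard '*:*' yields (None, None)."""
    host, _, port = text.rpartition(":")
    if host == "*" or port == "*":
        return None, None
    return host.strip("[]"), int(port)


def parse_netstat(output: str) -> List[Socket]:
    """Turn the text of `netstat -n -a` into Socket records, skipping headers and blank lines."""
    sockets = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, local_port = split_endpoint(parts[1])
        remote_ip, remote_port = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        sockets.append(Socket(parts[0], local_ip, local_port, remote_ip, remote_port, state))
    return sockets


def is_external(ip: Optional[str]) -> bool:
    """True for addresses outside the LAN: not private, loopback, link-local, multicast or unspecified."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_unspecified)


def established_external(sockets: List[Socket]) -> List[Socket]:
    """Live connections to addresses off the LAN: these are the ones to whois from another machine."""
    return [s for s in sockets if s.state == "ESTABLISHED" and is_external(s.remote_ip)]


def network_listeners(sockets: List[Socket]) -> List[Socket]:
    """Listeners reachable from the network (bound to 0.0.0.0 or ::), ignoring loopback-only ones."""
    return [s for s in sockets
            if (s.state == "LISTENING" or s.proto == "UDP")
            and s.local_ip in ("0.0.0.0", "::")]


if __name__ == "__main__":
    snapshot = parse_netstat(SAMPLE_NETSTAT)
    print("Connections leaving the LAN (look these up with whois elsewhere):")
    for s in established_external(snapshot):
        print(f"  {s.proto} {s.local_ip}:{s.local_port} -> {s.remote_ip}:{s.remote_port}")
    print("Ports listening on all interfaces (match each to a known program):")
    for s in network_listeners(snapshot):
        print(f"  {s.proto} port {s.local_port}")
```

To use it on the real machine, redirect the command's output to a file (`netstat -n -a > netstat.txt`), carry that file to another computer, and pass its contents to `parse_netstat` there; the suspect machine then never needs to be online for the lookups. Loopback-only listeners are deliberately left out of the listener list because they cannot be reached from the network, but anything bound to all interfaces on a port you cannot tie to a program you installed deserves a closer look.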
  15. Feb 3, 2015 #14

    SixNein

    Gold Member

    I would reformat the computer because there is no telling if some 0day has been used that hasn't been picked up by anti-virus software. Formatting the computer will get rid of it if it exists. It may be annoying to reinstall Windows and related software, but it won't be as annoying as someone stealing her identity or other information.
     
  16. Feb 3, 2015 #15

    DaveC426913

    Gold Member

    I was over there again the other day and noticed something new to me.

    The ability to transfer control to an external user is built right into Windows 7. You can configure it to let a user take control when you're troubleshooting something (for example, I was troubleshooting her printer). This is obviously what OCR was referencing in post 11 - the significance of which went right over my head at the time.

    I have always assumed that, in order for someone to take control of your computer, you had to explicitly install and run a program. That's the way it was Back in the Day.

    This is why I was so puzzled that someone could have been manipulating her system, yet I could find no trace of an installed program. (The caller must have told her how to go and tick that box.)

    Thanks MS, for making it so convenient for someone to destroy my mother's computer.
     
  17. Feb 3, 2015 #16

    Borg

    Science Advisor
    Gold Member

    I think that box is checked by default. You have to actually turn it off if you don't want that 'feature'.
     
  18. Feb 3, 2015 #17
    When that box is checked, the system will respond to remote assistance requests, but it still requires the user at the system to accept the connection. An external user cannot simply connect using the Remote Assistance application unsolicited.
     
  19. Feb 3, 2015 #18

    DaveC426913

    Gold Member

    Yes, but in my day, it didn't come so ... innocently - you had to actually download and install the app, giving a user plenty of signals that this is a MAJOR change to their system.
     
  20. Feb 3, 2015 #19
    It's surprisingly difficult to talk the user through installing remote access, especially if they don't have the installation media or there's something up with their internet connection, or they aren't an administrator (e.g. office machine, locked down by in-house IT) or there's an issue with the operating system and system library that causes an error on the install, and there's the time added to all your support calls.

    Even if installing was a 'red flag' then in this case the user believes the caller is legitimate so no amount of red flag is going to save them.

    I have a friend who works for a game studio and he says about 1/3 of their users have outdated drivers, and these are generally computer literate gamers who trend towards the geek side of the spectrum. The answer he gives as to why is simply, the installers just don't always work or they're on the office laptop.
     
  21. Feb 3, 2015 #20

    DaveC426913

    Gold Member

    Fortunately, 'Here's what you owe us...' was red flag enough for my mother to hang up on them, bless her heart.
     