Here’s An Example As To Why Scams Are So Dangerous

Frequent readers of this blog know that I spend a lot of time investigating, and telling you about, the scams that I come across. Here are some of the scams that I have been involved in addressing, to show you examples of what ends up on my plate. The reason why I do this is that I know that they are very dangerous and I don’t want people to be taken advantage of. Also, by publicizing them, they become less effective as people will be aware of them. However, the people behind these scams are good at evolving them, which means that your head always has to be on a swivel or bad things will happen to you.

Here’s an example of something really bad that happened to an elderly couple.

I got a phone call last week from a woman who was referred to me by another client of mine. She was hysterical and in a complete panic. Once I was able to calm her down, she explained that she got an email from “Norton” about a subscription to one of their products that she was being charged for. She then called the number that was in the email to dispute the charges. That led to the person on the other end of the line getting access to not only her computer, but her bank account. And if it wasn’t for the people at her local bank branch stepping in, she would have lost $13,000. Beyond that, her computer had been “locked” by the scammer, and she needed my help to fix it.

Now my future self will step in here and tell you about the email that she got. The email that she received was clearly a Norton billing phishing email that I spoke about here. Specifically, it was the second variant where they attach the “hook” for the phishing attempt in a PDF so that it will evade spam filters. Unfortunately she got hooked and the scam was on from there.

When I arrived at this couple’s home, I found this:

She said that she never had a password on the computer before. But after the scammers had been on it, there was a password. It’s pretty ballsy for the scammer to leave a name as the password hint (which by the way is a fake name, as the name Sam Wilson is the real name of the Marvel comic book/movie superhero The Falcon) and a phone number. But it highlights that the scammer wants to hold the computer hostage to get paid. This is something that is becoming increasingly common, where the scammer will take a computer that doesn’t have a password and change it so that, in effect, they are holding the computer hostage in exchange for paying them. And it makes sense for a scammer to do, because this computer had pictures of the grandkids and the like on it. That’s valuable for seniors, and they would likely pay up to get that back.

Now I have come across another instance of this here, and I will copy and paste, for your review, the advice from that story that will ensure that you aren’t a victim of this:

While I understand that many of you out there want to be able to flip on your computer and bang out that email, you should never, ever compromise your security or it may not end well for you. You should always add a password to the user account that you set up, and you should never set it up to auto login. That way if you come across dirtbags like these, they can’t change your password because they would have to know your password to do it. Which they won’t. You can look at a tutorial like this to walk you through how best to set a password.

I ended up taking the computer to my home office to try and get past that. Fortunately I have access to the Microsoft DaRT toolkit. It contains a utility called “locksmith” which allows you to reset any local account on the computer. Now not anybody can have access to this toolkit as it is part of the Microsoft Desktop Optimization Pack (MDOP), a dynamic solution available to Software Assurance customers that helps reduce software installation costs, enables delivery of applications as services, and helps manage and control enterprise desktop environments. But one of my clients happens to be a part of Software Assurance which is how I got a copy of this toolkit. That means if you are in this situation, you may have to do some legwork to find someone who has this toolkit to assist you.

Using DaRT’s “locksmith” utility, I removed the password. Then I was able to look around the system. The next thing that I noticed was in the list of the installed programs:

The circled program is called AnyDesk, which is a help desk application that many scammers use because it has remote access capabilities. That gives the scammer remote access to the computer anytime they want it. Which of course is bad. Thus I removed it. I also noted that there was a compromised version of AVG antivirus on the machine. So I removed it and the AVG Secure Browser to be safe. The next thing that I did was to use multiple antivirus apps to scan the computer for anything else that might have been lurking around. I didn’t find anything. I should note that all of this was done without the computer connected to the Internet. The reason for that was that I didn’t want to introduce the chance that anything else would pop onto the computer, or that the scammer could get control again.
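The two weaknesses this story turns on, a passwordless account that anyone can lock, and a remote access tool left behind, can both be checked for from an elevated PowerShell prompt. The script below is an added example and not the author’s own procedure; it assumes Windows 10/11 with Windows PowerShell 5.1 or later, and the tool names it looks for are the two named in this post.

```powershell
# Added example (not from the original post). Run elevated on Windows 10/11.
# Audits: (1) accounts with no password / automatic logon, (2) remote access tools.
$RemoteTools = @('AnyDesk', 'Supremo')   # display-name fragments named in the post

function Test-LocalAccountHygiene {
    # An enabled local account that requires no password can be "locked" by anyone
    # who simply sets one, which is exactly what happened to this couple.
    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        ForEach-Object { "WARN: enabled account '$($_.Name)' does not require a password" }

    # Automatic logon lives under the Winlogon key. AutoAdminLogon = "1" means the PC
    # signs in without a prompt; DefaultPassword, if present, is stored in plaintext.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.AutoAdminLogon -eq '1') {
        "WARN: automatic logon is enabled for '$($wl.DefaultUserName)'"
        if ($wl.PSObject.Properties['DefaultPassword']) {
            "WARN: DefaultPassword is stored in the registry in plaintext"
        }
    }
}

function Find-RemoteAccessTools {
    # Installed programs as Control Panel lists them: 64-bit, 32-bit and per-user views.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object DisplayName

    foreach ($tool in $RemoteTools) {
        $installed | Where-Object { $_.DisplayName -like "*$tool*" } |
            ForEach-Object { "FOUND installed: $($_.DisplayName) $($_.DisplayVersion)" }
        # Portable copies (SupRemo is one) leave no uninstall entry, so also check
        # what is running and what is registered as a service.
        Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*$tool*" } |
            ForEach-Object { "FOUND running process: $($_.Name) (PID $($_.Id))" }
        Get-Service -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$tool*" -or $_.DisplayName -like "*$tool*" } |
            ForEach-Object { "FOUND service: $($_.Name) ($($_.Status))" }
    }
}

Test-LocalAccountHygiene
Find-RemoteAccessTools
```

No output means none of the checked conditions were found; as in the post, run it with the network cable unplugged if you suspect someone still has a session open.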

My next step was to reconstruct what happened. The reason for that was that this couple’s children wanted to know what happened so that they could help their parents not get scammed again. That was made very easy by the browser history being left intact. Here’s the play by play.

The victim opens the phishing email and reads it. Then she calls the number. I know this because the email in question was the last email that was read. The victim gets the scammer on the phone and then the scammer goes to work. First he connects to the computer using a tool called SupRemo, which is a zero configuration remote access tool designed for quick remote access. But I didn’t find any trace of this on the computer, which makes me guess that they were not successful in installing it. That made the scammer switch to AnyDesk and use that to gain control of the computer.

From there, I assume that the victim complained about the email that is telling her that she is supposedly being billed for Norton. That’s where I suspect that the scammer offers to help her to cancel this. Which led to the scammer taking her to this page:

Now this page looks official. But the reality was that it was a Google Docs Form. The big hint was that it says “Sign in to Google” in this picture. I am guessing that the scam involves walking the victim through “cancelling” their service with Norton by filling out this form. I looked at this form and it collects a ton of personal information, including the date of birth. That makes identity theft a real possibility.

When the victim is done filling out the form, they get this:

This is where I suspect that the scammer convinces the victim to check her bank account for the refund. And that’s what happened here; here’s what happened next:

  • The victim is talked into logging into her bank account online.
  • At that point the scammer takes control and changes the password and enables two step verification which ensures that they have complete control of the bank account.

From what I understand happened next, the scammer spent the next four hours trying to extract $13,000 from her bank account by transferring it from the victim’s husband’s account to her account, and then to the scammer’s account. But clearly that failed, which is why she was then directed to go to the bank to make this happen. The scammer then printed the numbers of the bank accounts in Thailand to send the money to and sent her on her way. Fortunately, the bank was on the ball and put a stop to this. But she left the computer on, which allowed the scammer to lock the computer when they did not get their money by changing the password so that they could hold it hostage.

The final thing that the scammers did was to trash the settings in their email program. But with the help of Rogers, who truly went above and beyond here, I was able to get their email set up and working again. Rogers not only sorted out what turned out to be a password issue (Rogers smartly uses app specific passwords), but also helped this couple with tips on how to not get scammed in the future, which I will link to here. And I was able to verify that their email wasn’t being redirected elsewhere. At this point the computer was back to normal. And one follow up a few days later confirmed that. As a precaution, the children set up Equifax credit monitoring due to the fact that so much personal information was shared.

Total time invested, four hours. So job done right?

No. I wanted to find out how this scam worked. Thus, I decided to phone the number from a phone that has the caller ID blocked to get that understanding. Which by the way you should NEVER EVER DO. I got a person on the line who sounded Asian. Possibly from Thailand, which would be consistent with the bank accounts that the victim was supplied with being from Thailand. The person on the line then asked me for some details from the supposed invoice in PDF form that I got. Here’s an image of the PDF:

He asked me for the invoice number. And then proceeded to explain to me that I got this invoice because I had Norton 360 installed on my computer when I bought it and it is set to auto renew. He then explained that he needed to get access to my computer to turn off an “auto renewal setting” and to walk me through a cancellation form. At this point I am pretty sure that if I had decided to play along further, he would have tried to connect via the remote access software that I spoke of earlier and proceeded to do his evil work. But I cut it short and hung up.

Now I can see why this scam would be effective. Someone like me would know that there is no such thing as an “auto renewal setting” in antivirus software. But the person who is the victim here is 85 years old. So they, never mind the average computer user, wouldn’t know that. Plus, while computers from companies like HP, Dell, and Lenovo do come with antivirus software when you buy them, they are either free for life, or they are free for one year or so and then present you an offer to pay to continue to use it. They will never bill you by emailing you an invoice and saying that it will auto renew, because they don’t have that info. But again, if you’re not aware of that, you might get sucked in.

So, how can you avoid being scammed? Well, I have a lot of info on that here, along with info on what to do if you have been scammed. But let me sum it up:

  • FACT: A legitimate company such as Microsoft, Apple, or Google would never call you to fix your computer. If you get one of those calls, hang up.
  • FACT: If you get an invoice from Norton, McAfee, Netflix or any other company that doesn’t have your name on it, it’s fake and you should delete it. And you should not click on any links or attachments. And you should not phone any number that is on the invoice.
  • Never, ever give anybody remote access to your computer.

These days you have to be really careful, as scammers are becoming increasingly sophisticated. And the second you let your guard down, it can really cost you. In this case, it almost cost an elderly couple $13,000. But luckily it didn’t. Thus hopefully this illustrates how dangerous these scams can be, so that you can protect yourself accordingly.
