Here’s ANOTHER Example As To Why #Scams Are So Dangerous

Posted in Commentary on September 16, 2023 by itnerd

Last year I posted a story about a scam that was extremely dangerous to an elderly couple. As bad as that was, I recently came across another scam that had some really negative effects on an elderly woman.

This story started just before 7AM on Friday when the woman in question called my office phone repeatedly. I got up in a haze and answered the phone, and encountered someone who was in a full panic. She said that her computer was locked and her usual password would not work and she was desperate. That’s all she said at the time. I made arrangements to pay her a visit later in the day.

When I arrived at her home, more details came out from her. She said that she got her first hint that something was wrong when she noticed that $50K appeared in her bank account. And she was also getting threatening phone calls from someone who wanted the money. I found that weird at the time. But I pushed that to the side and focused on the computer. Upon examining her computer, I found that it appeared that someone had changed the password. Fortunately I have access to the Microsoft DaRT toolkit. It contains a utility called “Locksmith” which allows you to reset any local account on the computer. Now not just anybody can have access to this toolkit, as it is part of the Microsoft Desktop Optimization Pack (MDOP), a dynamic solution available to Software Assurance customers that helps reduce software installation costs, enables delivery of applications as services, and helps manage and control enterprise desktop environments. But one of my clients happens to be a part of Software Assurance, which is how I got a copy of this toolkit. That means if you are in this situation, you may have to do some legwork to find someone who has this toolkit to assist you.

Using DaRT I was able to remove the password to get into her computer and examine it. I found that a threat actor had definitely gotten access to the computer. Initial access was gained by using a remote access tool called Supremo. Then persistence, which is when a threat actor sets up shop on the computer so that they can access it anytime they want, was done using Screen Connect, which is now known as ConnectWise Screen Control. And the way they did it was kind of crafty. They installed it as a service and made sure that it didn’t show up in Windows 10’s Programs and Features. Which means that it would transparently run when the computer was started so that the threat actors could get access to the computer. Not only that, the average person wouldn’t be able to remove it.

Now in both cases I had to spend some time to track down where this software was hiding on her computer. In the case of Supremo, it was pretty straightforward to find it, as the threat actor hadn’t done all that much to hide it. Thus simply searching the Windows 10 registry pointed me towards where it was so that I could delete the files related to Supremo. ConnectWise Screen Control on the other hand was hard to track down. It became clear to me that the threat actor had done more to hide this. So I hatched a plan to figure out where it was. From interviewing the client, the threat actor had been calling her on a frequent basis over the last 24 hours to get her to send him money. And he said he was holding the computer hostage. That made me think that he was waiting for this computer to come online. Thus I plugged it into the Internet and waited for the threat actor to connect. I assumed that once he connected, he’d be surprised that the computer was sitting at the desktop, as he had locked it to hold it hostage. That would buy me time to find the location of the services that ConnectWise Screen Control uses, as the services would become active in Task Manager the second the threat actor connected. It took about 15 minutes, but the threat actor did connect and started to move stuff around. Within seconds I had the location of the ConnectWise Screen Control services. I then disconnected the threat actor by unplugging the ethernet cable and deleted all the services related to ConnectWise Screen Control. But before doing that, I gathered up several ConnectWise Screen Control logs and was able to determine his location based on the IP address that was in the logs.
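The two techniques above (remote-access software registered as a service but kept out of Programs and Features, and catching the operator’s live connection to capture the peer IP before pulling the cable) can be scripted so that the hunt doesn’t depend on spotting a process in Task Manager by eye. The following PowerShell is an added example written for this page, not something from the original post or from the tools it names. It assumes it is run as Administrator on Windows 10, and the name patterns in `$patterns` are illustrative; extend them for other remote-access tools.

```powershell
# Added example (not from the original post): triage a Windows 10 host for remote-access
# tooling that was installed as a service but is missing from Programs and Features.
# Assumes an elevated PowerShell session. The patterns below are illustrative assumptions.
$patterns = 'ScreenConnect', 'ConnectWise', 'Supremo'
$regex    = $patterns -join '|'

# 1. Programs and Features is populated from the Uninstall registry keys (64-bit, 32-bit
#    and per-user views). A service registered without an Uninstall entry never shows there.
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$listedNames = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName } |
  Select-Object -ExpandProperty DisplayName
$listedInProgramsAndFeatures = @($listedNames -match $regex).Count -gt 0

# 2. Services are registered independently of the Uninstall keys, so check every service's
#    name, display name and binary path. This is where the persistence actually lives.
$suspectServices = Get-CimInstance Win32_Service | Where-Object {
  $_.Name -match $regex -or $_.DisplayName -match $regex -or $_.PathName -match $regex
}

foreach ($svc in $suspectServices) {
  [pscustomobject]@{
    Service                     = $svc.Name
    State                       = $svc.State
    StartMode                   = $svc.StartMode      # 'Auto' = starts with the machine
    Binary                      = $svc.PathName       # where the files are hiding
    ProcessId                   = $svc.ProcessId
    ListedInProgramsAndFeatures = $listedInProgramsAndFeatures
  }
}

# 3. While the operator is connected, the service's process holds an established TCP session.
#    Map the service PIDs to remote addresses so the peer IP is recorded before the cable is pulled.
$servicePids = $suspectServices | Where-Object { $_.ProcessId -gt 0 } |
  Select-Object -ExpandProperty ProcessId
if ($servicePids) {
  Get-NetTCPConnection -OwningProcess $servicePids -State Established -ErrorAction SilentlyContinue |
    Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort
}

# 4. Removal, only after logs and the connection details above have been collected.
#    sc.exe delete is used because Remove-Service is not available in Windows PowerShell 5.1.
# foreach ($svc in $suspectServices) {
#   Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
#   sc.exe delete $svc.Name
# }
```

Run steps 1 to 3 first and save the output; the remote address in step 3 is the same evidence the post obtained from the ConnectWise logs, and it is lost the moment the network cable comes out. Step 4 is left commented out deliberately so the script cannot destroy evidence on an accidental run.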

I then did something that normally I wouldn’t do. I phoned the threat actor on the number that he had been calling my client from. He answered and initially denied running a scam. When I told him his IP address and location, you could tell he got very concerned by the fact that he went quiet very quickly and started to breathe heavily. I am guessing that this scared him, as the number that I called him at, as well as the number in the scam email that the client received, are now unreachable. Now I am not naive. He likely took these phone numbers down because I called him out. And he’ll restart this scam with new phone numbers and the emails related to them. But at the very least, he might be out of business for a few days while he does that.

Continuing to examine the computer, I discovered that the threat actor had deleted all of her files. And to make matters worse, she did not have a backup. Now I did take the computer to my home office and ran several recovery and undelete utilities with no success. This illustrates why you need to always have a backup so that you’re covered in the event of hardware failure or a threat actor doing something like this.

Now the client oddly enough had just ordered a new Dell computer that was due to arrive a few days from when this incident happened. So I asked her to keep her computer off until the new computer arrived. When it arrived, I set it up so that she could do her email, banking and shopping on Amazon, which is all she really cared about. But the question is how did this happen? It took me a couple of hours to extract this info because I am guessing that she was likely embarrassed about all this. So after reverse engineering what happened and gently confronting her with this information piece by piece, I was able to finally get her to give me the details that I was missing. Here’s what I was able to piece together. The customer got this email:

This is your classic refund scam email. With your classic bad English. It also had other usual hallmarks of a scam like the fact that it wasn’t sent by Norton as evidenced by this:

The subject line should have been a big hint that this was a scam. So should have been the fact that the client didn’t subscribe to any Norton products. Thus there was nothing for them to bill. But having said all of that, the client fell for it anyway and called the number. The threat actor then got her to go to a website and download Supremo. That got the threat actor initial access. The threat actor then got persistence by installing ConnectWise Screen Control. From there the threat actor got her to log into her bank account in order to process the “refund.” That’s when the threat actor took control and moved $50K from her line of credit to her savings account. Then the threat actor tried to do a Western Union wire transfer, but it was blocked by her bank, which was CIBC. More on the bank in a bit. That’s when the threat actor took the computer hostage and used threats to try and get her to move the money herself. From there, it looks like the threat actor made additional attempts to try and steal her money. But they failed. One thing that the threat actor tried to do that creeped me out was that they went looking for a web cam and tried to turn it on. Now she didn’t have a web cam and I don’t know why they tried to do that, but like I said, that creeped me out. From there, I am guessing that when it became clear that she wasn’t going to pay them, they deleted her files in retaliation. A pretty scumbag level move.

Now in the aftermath of this, I helped her to phone CIBC to report this incident and have them sort everything out with her financial accounts. I have to give a big shoutout to CIBC as they really did a good job of listening to my client and me, routing us to the right people to give us the right advice, and making her feel better. Here’s what they did:

  • They froze her bank accounts.
  • They cancelled her credit and debit cards.
  • When she gets her new credit card, there will be a password associated with it.
  • They sent her to the bank to get a new debit card and the bank would help her to get new bank accounts.
  • She was told to change her banking password.
  • CIBC recommended that she set up credit monitoring via TransUnion and Equifax, which she did.

This mostly mirrors the advice that I usually give in terms of what to do if you get scammed, which you can find here. I was impressed by how CIBC handled this situation so kudos to them.

I have provided everything that I have discovered to the authorities. And I will also post any updates that I come across. Even though the phone numbers related to this scam are dead, I would love to see this threat actor get some justice either through the legal system, or through being exposed for being the scumbag that he is. Because this threat actor caused a lot of stress and heartache to this client, and that’s unacceptable in my mind. Thus there’s got to be some payback. And I will do everything possible to serve up that payback.