The IT Nerd

Frequent readers of this blog know that I spend a lot of time investigating, and telling you about the scams that I come across. Here’s some of the scams that I have been involved in addressing to show you examples of what ends up on my plate. The reason why I do this is that I know that they are very dangerous and I don’t want people to be taken advantage of. Also, by publicizing them, they become less effective as people will be aware of them. However the people behind these scams are good at evolving these scams which means that your head always has to be on a swivel or bad things will happen to you.

Here’s an example of something really bad that happened to an elderly couple.

I got a phone call last week from a woman who was referred to me by another client of mine. She was hysterical and in a complete panic. Once I was able to calm her down, she explained that she got an email from “Norton” about a subscription to one of their products that she was being charged for. She then called the number that was in the email to dispute the charges. That led to the person on the other end of the line getting access to not only her computer, but her bank account. And if it wasn’t for the people at her local bank branch stepping in, she would have lost $13,000. Beyond that, her computer had been “locked” by the scammer, and she needed my help to fix it.

Now my future self will step in here and tell you about the email that she got. The email that she received was clearly a Norton billing phishing email that I spoke about here. Specially it was the second variant where they attach the “hook” for the phishing attempt in a PDF so that it will evade spam filters. Unfortunately she got hooked and the scam was on from there.

When I arrived at this couple’s home, I found this:

She said that she never had a password on the computer before. But after the scammers had been on it, there was a password. It’s pretty ballsy for the scammer to leave a name as the password hint (which by the way is a fake name as the name Sam Wilson is the real name of the Marvel Comic book/movie superhero The Falcon) and a phone number. But it highlights that the scammer wants to hold the computer hostage to get paid. This is something that is becoming increasingly common where the scammer will take a computer that doesn’t have a password and change it so that in effect, they are holding the computer hostage in exchange for paying them. And it makes sense for a scammer to do because this computer had pictures of the grandkids and the like on it. That’s valuable for seniors and they would likely pay up to get that back.

Now I have come across another instance of this here, and I will copy and paste the advice from that story that will ensure that you aren’t a victim of this for your review:

While I understand that many of you out there want to be able to flip on your computer and bang out that email, you should never, ever compromise your security or it may not end well for you. You should always add a password to the user account that you set up, and you should never set it up to auto login. That way if you come across dirtbags like these, they can’t change your password because they would have to know your password to do it. Which they won’t. You can look at a tutorial like this to walk you through how best to set a password.

I ended up taking the computer to my home office to try and get past that. Fortunately I have access to the Microsoft DaRT toolkit. It contains a utility called “locksmith” which allows you to reset any local account on the computer. Now not anybody can have access to this toolkit as it is part of the Microsoft Desktop Optimization Pack (MDOP), a dynamic solution available to Software Assurance customers that helps reduce software installation costs, enables delivery of applications as services, and helps manage and control enterprise desktop environments. But one of my clients happens to be a part of Software Assurance which is how I got a copy of this toolkit. That means if you are in this situation, you may have to do some legwork to find someone who has this toolkit to assist you.

Using DaRT’s “locksmith” utility, I removed the password. Then I was able to look around the system. The next thing that I noticed was in the list of the installed programs:

The circled program is called AnyDesk which is a help desk application that many scammers use because it has remote access capabilities. That gives the scammer remote access to the computer anytime they want it. Which of course is bad. Thus I removed it. I also note that there was a compromised version of AVG antivirus on the machine. So I removed it and the AVG Secure Browser to be safe. The next thing that I did is that I used multiple antivirus apps to scan the computer for anything else that might have been lurking around. I didn’t find anything. I should note that all of this was done without the computer connected to the Internet. The reason for that was that I didn’t want to introduce the chance that anything else would pop onto the computer, or the scammer could get control again.

My next step was to reconstruct what happened. The reason for that was due to the fact that this couple’s children wanted to know what happened so that they could help their parents not get scammed again. That was made very easy due to the browser history being left intact. Here’s the play by play.

The victim opens the phishing email and reads it. Then calls the number. I know this because the email in question was the last email that was read. The victim gets the scammer on the phone and then the scammer goes to work. First he connects to the computer using a tool called SupRemo which is a zero configuration remote access tool designed for quick remote access. But I didn’t find any trace of this on the computer which makes me guess that they were not successful in installing it. That made the scammer go to AnyDesk and used that to gain control of the computer.

From there, I assume that the victim complained about the email that is telling her that she is supposedly being billed for Norton. That’s where I suspect that the scammer offers to help her to cancel this. Which led to the scammer taking her to this page:

Now this page looks official. But the reality was that it was a Google Docs Form. The big hint was that it says “Sign in to Google” in this picture. I am guessing that the scam involves walking the victim through “cancelling” their service with Norton via filling out this form. I looked at this form and it collects a ton of personal information including the date of birth. That’s makes identity theft a real possibility.

When the victim is done filling out the form, they get this:

This is where I suspect that the scammer convinces the victim to check her bank account for the refund. And that’s what happened here as here’s what happened next:

• The victim is talked into logging into her bank account online.
• At that point the scammer takes control and changes the password and enables two step verification which ensures that they have complete control of the bank account.

From what I understand happened next, the scammer over the next four hours tries to extract $13000 from her bank account from transferring it from the victim’s husband’s account to her account, to the scammer’s account. But clearly that failed which is why she was then directed to go the bank to make this happen. The scammer then printed the bank account numbers in Thailand to send the money to and sent her on her way. Fortunately, the bank was on the ball and put a stop to this. But she left the computer on which allowed the scammer to lock the computer when they did not get their money by changing the password so that they could hold it hostage.

The final thing that the scammers did was to trash the settings in their email program. But with the help of Rogers who truly went above and beyond here in not only sorting out what turned out to be a password issue because Rogers smartly uses app specific passwords, but also helping this couple with tips on how to not get scammed in the future which I will link to here, I was able to get their email setup and working again. And I was able to verify that their email wasn’t being redirected elsewhere. At this point the computer was back to normal. And one follow up a few days later confirmed that. As a precaution, the children set up Equifax credit monitoring due to the fact that so much personal information was shared.

Total time invested, four hours. So job done right?

No. I wanted to find out what how this scam worked. Thus, I decided to phone the number from a phone that has the caller ID blocked to get that understanding. Which by the way you should NEVER EVER DO. I got a person on the line who sounded Asian. Possibly from Thailand which would be consistent with the bank accounts that the victim was supplied with being from Thailand. The person online then asked me for some details from the supposed invoice in PDF form that I got. Here’s an image of the PDF:

He asked me for the Invoice number. And then proceeded to explain to me that I got this invoice because I had Norton 360 installed on my computer when I bought it and it is set to auto renew. He then explained that needed to get access to my computer to turn off an “auto renewal setting” and to walk me through a cancellation form. At this point I am pretty sure that if I decided to play along further, he would have tried to connect via the remote access software that I spoke of earlier and proceeded to do their evil work. But I cut it short and hung up.

Now I can see why this scam would be effective. Someone like me would know that there is no such thing as an “auto renewal setting” in antivirus software. But this person who is the victim here is 85 years old. So they, never mind the average computer user wouldn’t know that. Plus while computers from companies like HP, Dell, and Lenovo do come with antivirus software when you buy them, they are either free for life, or they are free for one year or so and then present you an offer to pay to continue to use it. They will never bill you in the manner of emailing you an invoice and saying that it will auto renew because they don’t have that info. But again, if you’re not aware of that, you might get sucked in.

So, how can you avoid being scammed. Well I have a lot of info on that here along with info on what to do if you have been scammed. But let me sum it up:

• FACT: A legitimate company such as Microsoft, Apple, or Google would never call you to fix your computer. If you get one of those calls, hang up.
• FACT: If you get an invoice from Norton, McAfee, Netflix or any other company that doesn’t have your name on it, it’s fake and you should delete it. And you should not click on any links or attachments. And you should not phone any number that is on the invoice.
• Never, ever give anybody remote access to your computer.

These days you have to be really careful as scammers are becoming increasingly sophisticated. And the second you let your guard down, it can really cost you. In this case, it almost cost an elderly couple $13000. But luckily it didn’t. Thus hopefully this illustrates how dangerous these scams can be so that you can protect yourself accordingly.

Another day, another scam. This one involves the CRA or Canada Revenue Agency. It is delivered via text message and looks like this when it hits your phone:

I left the phone number in place so that you can compare it to this screenshot if you get a text like this. Some comments about this text:

• The CRA will never contact you in this manner. For more details about how the CRA might contact you, this link will help you with that.
• I replied HELP and a web link immediately appeared. That implies that this is an automated scam and suggests a high degree of skill from the scammers.
• The phone number originates from Central Michigan based on the 989 area code. Which should make you think that this is a scam.

If you click on the web link, you see this:

There was actually a captcha present. I am guessing that this is here to add to the impression that this website is legit. Another sign that these scammers have some skill. Next up is this:

You’re prompted for your social insurance number. And the website that you’re sent to looks very much like the actual CRA website. Thus I can see how people might be fooled by this. But if you look at the URL at the top of screen, it’s clearly not a Government of Canada web site. Here’s a closer look:

This is clearly a scam based on this URL. But I wanted to dig into this more, so I entered a bogus number that was nine digits in length. That’s important as social insurance numbers are nine digits long and this is what I got:

The spinning wheel that you see here is the same behaviour as the actual CRA website. Again, this suggests a high level of skill from the scammers. Though I do note that it doesn’t seem that they are validating the number that is entered. That implies that grabbing social insurance numbers is not the scammers end game.

You are then take to this page:

Clearly this is the end game for the scammer which is to steal your banking details. I picked my bank which is CIBC and got this:

Another sign that this scam is run by people who have a high degree of skill is that this website looks just like the CIBC website. Though that falls down a bit because the URL at the top has not changed. You would think that it would go to something with “CIBC” in it. But it doesn’t. #FAIL.

The skill of the scammers is highlighted by this when I tried to enter a bogus card number:

This website actually checks for the validity of the card number. I have to give it to whomever who is behind this scam. Unlike most of these scams where they don’t do any of this, these guys are trying to get accurate info so that they don’t waste their time capturing bogus card numbers and passwords. That way they are more likely to score in terms of being able to drain bank accounts. If they also get a valid social insurance number, that’s a bonus.

Because of this, I wasn’t able to go any further to investigate this scam. But it shows that these scams are getting better and better. Which means that you need to really have to have your head in the right place to avoid getting scammed. Thus consider yourself warned.

The scumbags that want to use nefarious means to separate you from your money clearly aren’t taking this Mother’s Day off. I say that because I just got this text message on my iPhone:

I have left the phone number in so that if you get this text, you can compare it to my picture. Though the scammers may change this at any time. In any case, it claims to be from Scotiabank, but it’s not really from Scotiabank as the website that the text is asking you to go to is “myscotia-mobilealerts.com” which isn’t a domain that Scotiabank would ever use. In fact, if you do a Whois lookup on the domain, you get this:

The scammer has used a service called Privacy Guardian to hide their identity. Scotiabank (or any other bank, company, etc) would ever do that. That’s a big hint that this domain isn’t legitimate. Also if you look at the creation date, it was created a few days ago. Another big hint that this website isn’t legitimate as companies have domains for years and not days.

Because I like to go down the rabbit hole in order to educate my readers on how to avoid these scams, I clicked on the link, which is something that you should never do, and got this:

This has phishing scam written all over it. As in you put your bank login details into this website and the scammer then uses them to steal everything out of your bank accounts. The questionable grammar is the next big hint that this isn’t legitimate as companies take the time and effort to get that right, and scammers don’t. Take this for example:

Sent to [you]? #Fail.

Going further down the rabbit hole I get this when I click on “Verify Account”:

This is a very, very good replication of the actual Scotiabank login page. You can compare the picture above to the actual Scotiabank login page by clicking here. Clearly this is where the scammers invested their time and effort.

I didn’t go any further as it is clear that this is a phishing scam. As usual, I’ll be alerting Scotiabank to this so that they can take action against the scammers however they can. In the meantime, this is proof positive that you need to have your head in the came by constantly being on the look out for scams like these. Because they can literally come from anywhere and if you’re not careful, it could cost you a pile of money.

I use Apple Pay a lot either via my iPhone or my Apple Watch as I feel more secure about using it versus using my physical debit or credit card. But apparently this is a great way for scammers to go to town as Vice is reporting. And this doesn’t just cover Apple Pay, but Google Pay, and Samsung Pay as well:

Recently criminals have started using bots that automatically place phone calls to victims and trick people into handing over their multi-factor authentication codes. Now, various fraudsters selling access to these underground bots are highlighting a particular money making scheme: using the bots to link stolen credit cards to contactless payment systems like Apple, Samsung, and Google Pay and then buying items at the victim’s expense. 

And:

The Telegram posts don’t explain explicitly why fraudsters may see Apple Pay as a preferred option when using multi-factor authentication bypass bots. But when a scammer adds a debit card to Apple Pay, perhaps using stolen card details they’ve purchased online, the scammer does not require the card’s PIN or the physical card itself to start spending the victim’s money. The contactless payment system, in a way, bypasses the need for the PIN or the physical card by creating another avenue to use the stolen card details. When using Apple Pay, a cashier does not see the name that would be present on the physical card and doesn’t ask for identification from the buyer.

Coincidentally, Kevin Costain got a call from someone at “Amazon” who wanted to get remote access to his phone. He decided to record it and Tweeted about it:

A little more detail:
– I dropped the call. I couldn't keep it together.
– 4 Calls came from 416-920-xxxx (presumably spoofed and meant to look as close to my number as possible)
– No caller ID, but also line numbers were visible
– Lots of talking in the background, call center?

— Kevin Costain (@cwlco) April 21, 2022

This makes we wonder if this is part of the same scam.

Chris Olson, CEO of The Media Trust has this comment:

“Malicious actors have a tough time using the credit card numbers they steal through Web and mobile attacks; the usual way is to sell those numbers in bulk through DarkNet markets or use them to acquire gift cards that can be redeemed for goods. Mobile bots like the ones described by Vice provide them with yet another way to use financial information, and it’s not the first-time mobile payment features have been abused – through PayLeak-3PC, hackers were also able to initiate attacks directly through Apple Wallet. Consumers and businesses alike need to be more conscientious of mobile devices as threat surfaces.”

My advice is that neither a bank or “Amazon” will call or text you for a multi factor authentication code, and it shouldn’t be shared with anyone else. Regardless, clearly this is another example as to why you have to be vigilant at all times as clearly the bad guys are out to get you.

Frequent readers of this blog will know that one of the things that I like to do is not only investigate scams, but when possible expose them so that you know what the bad guys are doing, and that the bad guys are less effective at scamming you. Yesterday, something very interesting hit my inbox, and I would like to detail it to you. It all started with this email:

Now right off the the top, this screamed scam to me. And my first thought about the Word document at the bottom right is that it was booby trapped with some sort of malware. But in the interest of science, I started poking around. First there was the email address it was sent from:

I Googled that and it came back as a legitimate address related to the New Delhi Police and their cybercrime unit. Here’s an example of what I found:

Thank you for contacting #DilKiPolice. Please lodge your grievances at https://t.co/UX8RcXyvXF or e-mail us on acp-cybercell1@delhipolice.gov.in so that needful can be done. Guidance is available on helpline numbers 155260 and 01123469900.

— Delhi Police (@DelhiPolice) May 5, 2021

So at first blush, someone might be taken in by this and think that this was legitimate. But I was pretty sure it wasn’t. So I decided to dig further. I opened the attachment in a virtual machine so that if it had some sort of malware, it wouldn’t affect me. And I found this after determining that this Word document was not booby trapped:

A couple of things on this. First they did not include “our press clipping”. Which if they did, it would have tried to add some legitimacy to this. The second thing is that they say that my “contact details were found in their system” during their raid. If that is true, should they not be referring to me by name seeing as they have my details instead of sending me a very generic letter? That was kind of odd.

Having said that, I decided to go down the rabbit hole further by Googling “Insp. Manoj Kumar”. That actually brings up a real police officer in the Delhi police that works in the cyber crimes group. That was interesting and I’ll get back to Insp. Kumar in a bit. I decided to do some further research and found some news articles like this one that detailed a raid last summer that almost precisely fit the description of what this Word document was talking about. In short, it seems like the Delhi Police took down a pair of call centers that were scamming Americans.

I was beginning to think that this could be real unlike 99% of the things that I look into. And doing a whois lookup on the domain that the email came from yielded some interesting results. It came back as being legitimate as I compared them to other Indian Government organizations, all of which had the same registration details with the same registrar.

So to really get to the bottom of this, I called “Insp. Manoj Kumar” and I got him on his mobile phone to have a brief conversation with him. He claims trying to get to all the victims of the scam call center that the Delhi Police raided. He asked me a few questions without asking for any personal information. And I should note that the phone I called him from wasn’t broadcasting my caller ID. So there would be no way for him to call me back. He acted very professional during our entire conversation.

So what I am left with? It appears that this who episode is legitimate. But I am not 100% convinced of that just yet as I am cynical by default. After all this could just be a really sophisticated scam where the scammers have gone to great lengths to ensure that they can take advantage of as many people as possible. Thus I have reached out to Delhi Police for additional commentary. Hopefully they get back to me quickly so that I can update you on this.

Stay tuned for more.

Today’s scam alert revolves around an email that you might get that claims to be from Shaw:

Now, let’s ignore the fact that I am not a Shaw customer for a second. Which should be the first sign that this is a scam. And let’s ignore that this was sent directly to me, which makes it a targeted scam that concerns me a bit. And finally let’s ignore that the last sentence is grammatically incorrect (“please make payment immediately”) the big hint that this is a scam is this:

When I hover my mouse over one of the links, it comes back with this. Which could be a redirect to a website to steal your credit card details, or a means to download malware of some sort. I don’t know and I don’t care as I am not going to click it to find out. The bottom line is that it is not https://signin.shaw.ca which is Shaw’s account page. So this is a scam. Guaranteed. That means that if you get one of these emails, your best route is to delete it and move on with your life. Oh yeah, don’t click on any links either.

I will be alerting Shaw to this just in case they are not aware of this scam and hopefully they will get the word out to their customer base as they are clearly being used to scam the unsuspecting.

UPDATE: There’s one other sign that this is a scam:

This is the email address that the email came from. That’s not Shaw. Thus it’s a big red flag that should tell you that this is a scam.

UPDATE #2: Shaw replied to this rather quickly with some good advice and a request. First the advice:

Hey there. Thanks for taking the time out to share this with us. Please do not click the link or reply to the email. Shaw will never request for you to confirm your personal information unsolicitied by email. We are aware of a recent influx of phishing emails and appreciate you letting us know. Of course Shaw will never request account or personal details via email.

They also requested that I send the email and the headers to their Internet Abuse department. Hopefully they can use that info to do something about this scam.

Today I had to jump into a situation where one of my clients got this email from someone claiming to be Geek Squad:

She called the number and when they started to ask about the passwords to her Google accounts, her credit card info, and some other personal info, she hung up. Then she phoned me.

Good call as this is a scam. Ignoring the fact that the fonts and the logos are not consistent with the Geek Squad brand, that this seems to clearly come from someone with a South Asian background (based on words like “queries” and phrases like “continue taking our service” and “for the last one year”) as that’s where these scams often originate from, and the lack of use of a toll free number, there’s these other telltale signs:

If you look at the From address, it is sent from a @gmail.com address. Best Buy who owns Geek Squad would never, ever use an @gmail.com address to send anything. The second thing is that this is not addressed to the end customer. Based on the To field, It is addressed to dearcustomer@geeksquad.com. Again Geek Squad would never do this. That implies that this is a phishing attempt. As in they send this email to hundreds or thousands of people hoping that 1% fall for the scam. Because a scam doesn’t have to be successful in volume to be successful. 

Thus if you get one of these emails, ignore it, delete it, and go about your day.

If you’re a customer of Scotiabank, and even if you’re not, there’s a new email scam that is making the rounds. Let me break it down for you:

Let’s start with the email address. Clearly this isn’t a Scotiabank email address as their domain is “scotiabank.com” as far as I know. Thus this alone should say to you that this email is a phishing scam. But let’s go further down the rabbit hole. Reading the email itself shows the typical poor grammar that phishing emails typically have. But ignoring that, it’s just generally not written well. And of course it has the typical threat that if you don’t do what this email says, access to your bank account will become “restricted”.

In the interest of science, I clicked on login from my iPhone and got this:

If you look at the website, this is not Scotiabank as the domain isn’t Scotiabank.com. Again validating that this is a phishing scam. For fun, I typed in a bogus card number and password. It then took me to this page:

Apparently I have to choose some security questions. They have some pre set ones that you have to choose from that I suspect match what Scotiabank does. And you can see that I had some fun with this as I suspect that this is more information gathering on the part of the scumbags behind this scam. When I save this info, it kicks me back to the login page. Presumably because they have all the info that they need to pwn your bank account. Crafty and moderately sophisticated.

I’m passing all this info along to Scotiabank so that they can take action. Hopefully they respond in a manner that protects their customers. Unlike my experience with TD in terms of reporting a scam that involved them. I’ll keep you posted on that.