The IT Nerd

For the last few years I’ve been telling you about extortion phishing scam emails. If you’re not familiar with them, here’s how this scam works. You get an email from someone who claims to be some sort of elite hacker who has taken control of your PC and they’ve got some sort of incriminating video of you. And to keep the video from getting out to the public, you have to pay them. Pretty simple and straightforward. In this case, the scam takes a bit of a different twist. Let me start with the scam email that I got:

***The driver installation was successful***

The system has been added to the tracking list.

Your device has been successfully attacked by our bot-virus, which, once on the device, spreads to all layers of the device.
These are drivers, cameras, microphone, operating system services.

Your entire device is under our control. We can delete any data on it, write anything on it.

We copied all the data from your device to our server clusters recording dialogs, video from the web camera, from the main camera of the device, as well as everything that happened on the screen.
There is some very interesting nude video.
All your movements with the phone were recorded by GPS data during the entire time.

You have 48 hours to transfer 1100$ US dollars to our Bitcoin wallet [BITCOIN Wallet Address Redacted]

If no money is received after that time, all the data will be on the Internet.
Your social networking friends and phone contacts will especially like it.

As soon as the funds are credited to our account, your data will be deleted from our servers and the virus will be automatically deleted from your device and won’t bother you anymore.

Don’t forget that your device is completely under our control and don’t try anything foolish things.
If any action is suspected of finding a virus, contacting law enforcement, all your friends will be familiar with the fine selection of materials involving you.

***The timer was automatically run after you’ve opened this email.

So let’s unpack this email.

• In this case, the email was sent directly to my email address from what I presume is a “burner” email account. That’s interesting because usually, these scam emails are clearly sent to a mailing list of people. By clearly I mean that it the scam emails that I usually see are not addressed to your email address. I am guessing that this is meant to get your attention.
• This email also says that the so called hacker installed the “bot virus” on your computer. I am assuming that this is a deliberate attempt to circumvent spam filters which would be looking for words like “trojan virus” which is what I often see in scam emails. Or it could be that the threat actor isn’t that bright and is using terminology that they don’t understand.
• Any threat actor who can take complete control of your system (as in drivers, cameras, microphone, operating system services) via a virus wouldn’t be doing this sort of thing. They would instead be working for a nation state doing espionage or something similar.
• The threat actor claims to have gotten access to my phone and is monitoring my movements. Again, ignoring the fact that he started out saying he had control of your computer, someone this skilled would be working for a nation state doing espionage or something similar as opposed to trying to get $1100 from you.
• The threat actor wants you to pay him via Bitcoin. Fact: There’s no way for the scammer to know that you’ve paid him which means that there’s no way for him to delete the data that he allegedly has on you.
• The English used in this email is not that good. 
• It tries to play on your fears of being outed for having a nude video on your computer and goes as far as not to tell your friends or law enforcement.

The bottom line is that this guy has created a scam that isn’t all that good and is likely to convince few people to hand over their cash. And having a look at the Bitcoin wallet in the email, nobody has fallen for it yet. But since the number of people who could fall for this is not zero, I’m putting this out there so that the number gets as close to zero as possible.

It’s been a while since I got a scam email that was either new or different. But I finally have one that I would like to present to you. This one is using the Intuit brand and looks like this:

There’s some things that I would like to highlight about this scam email:

• The email address that it was sent to was in the body of the email. That shows that the threat actors are trying with this scam.
• The threat actors create a sense of urgency by saying things like “The debited amount will be reflected within 24hrs in your banking statement” and “If you didn’t authorize this charge, You have 24hrs.”
• The quality of the English in this scam email is better than normal, but it still highlights the fact that the threat actor that is creating this email does not natively speak English.

Another thing to note is that this email didn’t come from an Intuit email address:

Intuit as a company doesn’t use iCloud to send and receive email. So that should be the big hint that this is a scam and you should delete the email immediately and move on with your life. But seeing I am not most people, I wanted to see what this scam was all about. Though I assume that it’s the usual refund scam which goes like this:

• You get an email in your inbox saying that services that you know that you don’t have are being renewed, and the money has been debited from your bank account. 
• You then call the phone number provided to dispute this.
• The scammer talks you into getting remote access to your computer where they have you fill out some sort of form to get a refund for this purchase that you never made. Fun fact: The form that the scammers will have you fill out will ask for a lot of your personal information which can later be used to steal your identity. 
• The scammer will then have you check your bank account using your bank’s online services to see if you got your refund. But the scammer will use some sleight of hand to make it look like that they massively overpaid you. And then the scammer will blame you for that. 
• You will then be bullied into refunding the overpayment by buying cryptocurrency or gift cards to send to them electronically. Assuming that they just don’t steal your money straight from your bank account themselves, or have you go to your bank to transfer the money to them, or withdraw it in cash and have you send it to an accomplice via a courier. 

So I did what you should never, ever do, which is call the number in the email. However the number was disconnected when I did. It is possible that it was shut down by the threat actors by the time I called, or it got shut down. Either way, they’ll likely pop up with with another number to try and perpetrate this scam. But my best advice to avoid this sort of scam is if you don’t have a product or service from the company that you’re receiving the email from, delete the email and go on with your life.

Picture this scenario: You get a call and you hear a voice that sounds like a relative such as a grandchild in a panic, or perhaps a friend pleading for money. They may say that they are stuck in a foreign country and can’t get home, or they are in jail and need bail money. Whatever the case is, they need help. And they need money.

Now I have heard of a version of this scam many years ago where you get an email from either an email account that has a spoofed email address that belongs to a relative or friend that you recognize, or from a hacked email account that belongs to a relative or friend that you recognize. But AI has taken this scam to the next level. What scammers are now doing is the following:

• The scammer picks a victim.
• The scammer finds a voice from a friend or relative of the victim. The voice can be from a TikTok video for example.
• The scammer uses AI based voice cloning program to clone the voice and give it the ability to say anything.
• The scammer then calls the victim by phone and executes the scam.

This sounds like a science fiction movie plot, but it isn’t. The cost of these AI based voice cloning programs are dropping by the day. That combined with the fact that a simple Google search will help a scammer to find a piece of software that fits their needs means that this is a real problem that you have to be aware of.

So, how do you protect yourself from this new scam? First of all, assume that it is a scam by default by not trusting the voice that you hear. Nor should you trust the phone number that is on your call display. Call the person who supposedly contacted you and verify the story by using a phone number you know is theirs. If you can’t reach your friend or relative that way, try to get in touch with them through another family member or their friends. Also, if they are asking for money via wire transfer, cryptocurrency or via gift cards, this is absolutely a scam and you should hang up immediately.

How prevalent is this scam? I can’t say based on my research of this scam. But if the word gets out about this scam, it is likely that the scammers will move on to something else as this scam will no longer be effective. Thus please share this with your friends and family so they will know how to protect themselves against this scam.

Scammers based in India clearly aren’t even trying to be good at scamming people anymore as this is the worst refund scam email that I have ever seen. This is the email that hit my inbox this morning:

This email is part of executing the classic refund scam. In short the scam goes something like this:

• You get an email like this one in your inbox saying that services that you know that you don’t have are being renewed, and the money has been debited from your bank account.
• You then call the phone number provided to dispute this charge.
• The scammer talks you into getting remote access to their computer where they have you fill out some sort of form to get a refund. Fun fact: The form that they have you fill out will ask for a ton of personal information which can be used for identity theft.
• The scammer will then have you check your bank account using the bank’s online services to see if you got refunded. But the scammer will use some sleight of hand to make it look like that they massively overpaid you. And then they will blame you for that.
• You will then be bullied into refunding the overpayment by buying crypto, gift cards, and the like. Assuming that they just don’t steal your money straight from your bank account.

If you want an example of this, I got involved in helping an elderly couple with this sort of situation which I documented here.

Other scams that I have seen have used Geek Squad logos and the like to try and convince you to call the phone number. This one isn’t even trying to do that. On top of that, it’s clearly from an Indian based scammer as it uses words like “queries” and the quality of the English is borderline acceptable. But on the flip side, scams don’t have to be successful in volume to be successful. So perhaps trying hard isn’t a requirement if the scammers get a big payday.

There’s also the fact that this clearly didn’t come from Geek Squad:

Geek Squad doesn’t use Gmail.com for their corporate communications. They’re part of Best Buy which means that they likely would be emailing you from bestbuy.com in the US or bestbuy.ca in Canada.

Thus my advice is if you get an email like this, delete it and move on with your day.

Normally, this is where this sort of article would end. But because I was in a bit of a mood this morning as I despise scammers with a passion as they ruin lives, I took a different course of action which I do not recommend. I called the number and when I got one of the scammers on the phone, I simply said this and hung up the phone:

“Stop scamming people you benchode!”

Benchode is an Indian insult which you can get the definition of here. I had my number blocked so that he can’t call me back. And what was interesting is that there was a ton of people talking in the background which implies that this is a large scam call centre. Which means that they were very serious about scamming people.

Now again, I do not condone behaviour like this. But seeing as scammers are the scum of the Earth, I personally decided to call up and make a scammer’s day less enjoyable seeing as they make your life and the lives of those you love less enjoyable when they call.

Last week, I got a pair of voice mails from a client who got a notification from “Microsoft” saying that her email had had unusual sign in activity. The first voice mail that she left was saying that she was having issues entering her password. The the second email said that I should disregard the first voice mail as she was able to get everything sorted. I was just getting the mail when this happened, so I called her back. Upon asking her to explain what was going on, I asked her to start a Zoom session with me to allow me to see the email in question.

That turned out to be a good decision. Here’s why.

Now I wasn’t able to get a copy of her email. But this was one of a number of phishing email scams that I am currently tracking. So I had one that was exactly like it at my disposal so that I can show you what it looks like:

From what I can tell, the scam targets Hotmail/Outlook users. And it claims that there has been “Unusual sign-in activity” of some sort from Russia. Now every email looks exactly like this, but the dates and the IP address being referenced are different every time. And I have seen other emails reference Korea and Turkey. But the thing that gets my attention is that it looks like it comes from Microsoft as the email address is “no-reply@microsoft.com”. But the threat actor has spoofed the email address. Meaning that they are pretending to be from Microsoft so that you’re more likely to click on “Report The User” which is not even a grammatically correct phrase. That alone is your first hint that this is a phishing email. Here’s the second one:

What I did is hover my mouse over the “Report The User” button and it seems that this is a means to generate an email for you to send to the threat actor. I can only conclude that this might be their way of confirming that the email account is live. Then I suspect that you’ll receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk from losing control of their account to the threat actors.

Now I mentioned earlier that I have been tracking this phishing email. The first time I became aware of it was last November. And it’s evolved in one significant way since then. For example, the threat actors have corrected the grammar used:

I guess the threat actors clued in that their grammar was limiting the effectiveness of the scam.

So, what should you do if you get one of these emails? Here’s what I ended up doing with this client when she got this email:

1. Don’t click on anything in the email and delete the email.
2. Log into https://account.live.com/activity/ and check to see if there has been any unusual activity on your account. From my research, some people are seeing no suspicious activity and some are. Thus you should confirm which side of the fence you’re on. That way you can determine if you have a problem or not.
3. Out of an abundance of caution, I had my client change her Hotmail/Outlook password to a strong password (a password of eight characters or more with a mix of uppercase, lowercase numbers and special characters). This document from Microsoft will help you with that.
4. For extra security, you might want to back that up with two step verification so that it is harder for threat actors to get into your account. This document from Microsoft will help you to set that up.

Now it appears that Microsoft is aware of this scam as this email is often found in your Hotmail/Outlook junk mail folder. But I say often because sometimes it will evade that and end up in the inbox of the recipient. Which means that it has a chance of fooling someone. As was the case with this woman.

Now admittedly this isn’t at this point a very sophisticated attack, but it does use real world events to try and make it more effective. And it could continue to evolve into something more dangerous. Thus you need to watch out for this if you have a Hotmail/Outlook email account. And the best course of action is to follow the steps above to keep yourself and your email account safe.

Now I cover a lot of these phishing scam emails. But this one that is related to Amazon Prime is pretty crafty and clearly designed to evade detection by spam filters. Let’s have a look at it:

Now at first glance this looks like your typical scam email. Except for one thing:

The entire email is made up of a PDF that has elements, specifically the Sign In button, that can be clicked. This is designed from the ground up to evade detection by spam filters. I’ve only seen this method of attack with a Norton billing scam email before. Which makes me believe that the threat actor is counting on this hitting your Inbox with the ability to preview PDF’s turned on. Also, I assume that the threat actor is counting on the Sign In button being available to click. I say that because I am displaying this in macOS Mail which doesn’t allow you to click the sign in button. So Mac users are somewhat protected from this email. Windows users, not so much depending on what email program you use.

Now other than that, it has the usual hallmarks of a phishing email. Specifically:

• Your Amazon account is on hold, which is meant to get you to pay attention.
• If you don’t act quickly, your orders will be cancelled. Which is to create a sense of urgency.
• They want you to click Sign In so that you can update your details. Or more accurately, the threat actor can steal them.
• The quality of the English is marginal at best. A hallmark of scam emails.

And there’s this:

The domain used in this email doesn’t match @amazon.com or @amazon.ca or whatever.

Now let’s do something that you should never, ever do. I’m going to click on Sign In and see what happens. Since macOS Mail blocks this, I will use Adobe Acrobat to do this:

I have to admit that this is pretty low grade stuff here. But the fact is that a scam doesn’t have to fool everyone. It only has to fool a few people to be successful. And the fact that this is a scam is highlighted by this:

This clearly isn’t Amazon.com. But the threat actors are hoping that you’re not paying attention. And that’s as far as I got as it appears that the fake site was taken out of service as it redirected to the home page of the hosting provider. Perhaps Amazon got wind of this and took action? I am not sure. But the fact that the page above is still operational suggests that the threat actors could easily set up shop someplace else and try this again. Thus if you see an email like this, you know what to do. Delete it and move on with your day.

Yesterday I came across a new phishing email that targets customers of Desjardins which is a financial services group here in Canada. It starts with this email hitting your inbox:

So let’s dissect this a bit. There’s the usual hallmarks of a scam email which is that something that you might use is being disabled or restricted. And there’s a call to action to make you do what the scammers want you to do. In this case you need to act within 24 hours to avoid “full online suspension.” The quality of the English is sketchy, but not not the worst that I have seen in scam emails. However, the key thing that says that this is a scam is this:

This isn’t a Desjardins email address as Desjardins.com is how their emails addresses end.

So what is the scam? It’s a phishing scam to grab your banking credentials along with some other information. Let me illustrate:

If you click on “Verify Now” which by the way you should never ever do, you are presented with a CAPTCHA and the thing is, it works:

I actually spent some time playing with this and if you select anything other than the pictures that it wants you to pick, it won’t let you in. That suggests to me that someone spent a lot of time and effort to make this as convincing as possible. But if you’re paying attention to the URL, this should make you run in the other direction:

Clearly this isn’t a Desjardins website. And like I said, that should make you run in the other direction and close your browser. But since I spend my time writing about these scams, I am going further down the rabbit hole:

You’re next taken to a login page which has you enter your banking credentials. The threat actors behind this part didn’t even try to validate if the credentials are accurate. And you cannot change to English which implies that the threat actors couldn’t be bothered to create an English version of this page, or they are strictly targeting French speaking people as Desjardins is based in Quebec which is a French speaking part of Canada. Once you enter your credentials, you’re presented with this:

So not only do the threat actors want your banking credentials, but they seem to either want your security questions too, or they want to continue to make this phishing website as convincing as possible. The thing is that they don’t stop there:

The threat actors now want to grab your personal information. Perfect for an identity scam or two. But they’re not done yet:

They want to snag your debit or credit card too. I have to admit that the threat actors have put in a lot of work into this. While I wasn’t able to go beyond this point because the threat actors actually try to validate this information, I think you get the point. This is a decently executed phishing scam. But I’ll be informing Desjardins about this and hopefully they can shut this down. In the meantime, if you get this email in your inbox, delete it and move on with your life.

I admit that I had to look this up, but Metmask as defined by Wikipedia as follows:

MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain. It allows users to access their Ethereum wallet through a browser extension or mobile app, which can then be used to interact with decentralized applications. MetaMask is developed by ConsenSys Software Inc., a blockchain software company focusing on Ethereum-based tools and infrastructure.

And it seems that there’s a phishing email that is targeting Metamask users that looks like this:

Now unlike most phishing emails that I come across, the English is actually decent and may pull you in. But if you look at the email address that this phishing email, it should make you think twice:

This clearly didn’t come from Metamask as I would expect their email addresses to be from metamask.io. Speaking of which, there’s a link below from metamask.io. That’s legit right? Actually it’s not. It’s hiding another URL which you can see here:

Now this is a technique that’s used by the more sophisticated email phishing operators to fool you into thinking that this email is legitimate. I am guessing that the operator behind this felt that they had to up their game as people who hold crypto are more likely to be tech savvy. Thus they’re less likely to fall for the sort of phishing emails that grab the average person. So you’re given the option of using a secret recovery phrase or a private key to “keep your wallet secure”. Both provide a vector for accessing your blockchain assets. This article describes the differences between the two, but here’s the thing to remember: Nobody can get access to your crypto without one or the other. That’s what this #phishing email is about which is to steal your crypto. I’m going to stop here because it’s pretty clear what the operator’s game is. But I will be warning Metamask about this so that they can keep users of their crypto wallets safe.

If you’re unlucky enough to encounter a telephone scammer who manages to take control of your computer, it is likely that a scammer will try to lock it. The way that this scam works is that scammer will call you claiming to be from Microsoft, Amazon, Google or some other company. They will give you some sort of excuse to get access to your computer via some remote access software. Such as your computer is infected by viruses, or that they want to refund money that was stolen from you. Once they have access to the computer, they will lock it and hold it hostage as only they know the password. This scam is effective because a surprising number of people don’t do backups of their computer, and as a result are more likely to pay to get access to their computer.

So with that out of the way, let’s go down the rabbit hole of how this is done by the scammers. And the first way they do this is by using a little known Windows utility called syskey. This Windows utility used to encrypt system data, such as user account password hashes. But it also functions to prohibit you from booting the system directly to the desktop. Instead the system will ask for a password which is difficult, if not impossible for the average person to bypass. Which is why scammers love to use this method to your to lock a computer. Syskey exists in Windows NT 4, Windows XP, Windows 7 and 8, Windows 10 versions prior to version 1709 which is also known as the Fall Creators Update. After that version, syskey wasn’t included in any version of Windows. But the tool can still be copied to a computer and used by a scammer if they have remote access to said computer.

How to protect yourself: Given that syskey can still be copied and used on any version of Windows that’s currently out there, any sort of proactive protection is impossible to implement. While I have heard of people using the group policy editor on Windows to stop syskey from running, that’s a very rudimentary way of protection as all the scammer has to do is to change the name of the syskey.exe to something like “syskeyscam.exe” to get around that. Plus once a system has had syskey run on it, it’s extremely difficult to recover from that. Often it requires the computer to be reformatted which means you lose your data if you haven’t backed it up.cam

Thus given the fact that this is difficult to remediate after the fact, and that there’s really no way to protect yourself up front, education is the best way to deal with this way of locking your computer. In other words, you understand what as scam looks like so that you don’t fall for it. Making this a non issue. I’ll have some words of wisdom on that front later in this article.

Beyond that as I mentioned earlier, having a backup of the contents of your computer and doing regular backups either manually or automatically via a backup application is another way to deal with this situation. Because if a scammer gets in and locks the computer using syskey, you simply do a Windows reset, reinstall your applications, and restore your files. Or reformat your computer, reinstall Windows and your applications, and restore your files. While there is some work in doing some sort or restore or reinstall of your computer, it’s a far better option than paying a scammer. And having a backup has the bonus of protecting you from other catastrophic events such as hardware failure for example.

A second option that scammers use is to simply change the password of the account that is currently logged into Windows. Unfortunately many people don’t put a password in place to protect themselves when they set up a computer. They do that under the mistaken belief that it is more convenient to run a computer with no password as it’s one less thing to remember. And that combined with setting up the computer to automatically log in allows them to get into the computer faster. But that’s the sort of thing that a scammer will leverage to force you to pay them as they simply can add a password to the account and hold the computer hostage.

How to protect yourself: While I understand that many of you out there want to be able to flip on your computer and bang out that email, you should never, ever compromise your security or it may not end well for you. You should always add a password to the user account that you set up, and you should never set it up to auto login. That way if you come across dirtbags like these, they can’t change your password because they would have to know your password to do it. Which they won’t. You can look at a tutorial like this to walk you through how best to set a password on your computer.

Finally, here’s some words of wisdom to stop you from becoming a victim of a scam of any sort:

• Fact: A legitimate company such as Microsoft, Apple, Amazon, Visa or Google would never call you on the phone saying things like “your computer is infected with viruses” or “you ordered items from Amazon and it looks like fraud”. If you get a call from any company saying things like that, hang up.
• FACT: No company (again, Amazon, Google, Microsoft, Apple to name a few) would call you and require remote access to your computer for any reason. If you get a call from someone asking if they can connect to your computer, hang up. 
• Fact: Companies don’t use call out technology that has robotic sounding voices that don’t reference you directly by name or by some other means of identification. If you get a call from any company using this sort of technology that fits that description, hang up.
• FACT: If you get an invoice from Norton, McAfee, Netflix or any other company that doesn’t have your name on it, it’s fake and you should delete it. And you should not click on any links or attachments. And you should not phone any number that is on the invoice.
• Fact: Companies don’t ask to be paid in gift cards. If you get a call asking you to buy gift cards, hang up. You can copy and paste that for crypto currency as well. 
• Fact: The police don’t call you saying that you’re going to get arrested. If the police wanted to arrest you, they’d just arrest you. So if you get anyone saying that if you don’t co-operate with them, you will be arrested, hang up.

In other words, if you don’t fall for the scam because you spot that it’s a scam up front, you don’t have to worry about getting your computer locked. But if the worst does happen and you do get your computer locked by a scammer, and you don’t have a backup, I would advise that you call a computer professional for assistance. And by computer professional, I mean someone who has experience in dealing with situations related to scams as they are best suited to assist you in this situation. But be advised that there may be nothing that they can do other than erase the computer and set you up from scratch, which is another reason why having a backup is important. But under no circumstances should you pay the scammers to unlock your computer. Scumbags should never be rewarded for doing evil things. Thus paying them should be off the table by default. Not to mention that there is zero guarantee that they will follow through with unlocking your computer even if you do pay them. Plus you’ll still have to get a computer professional to look at your computer as who knows what they did to it.

These days you have to be really careful as scammers are becoming increasingly sophisticated. And the second you let your guard down, it can really come back to bite you. Thus I hope that this article helps you to avoid this specific scam. And if you want other tips on avoiding scams, check out this article which provides advice on how to stop seniors from being scammed.

One of the most common ways that scammers try to get access to your computer to do their evil deeds is to plant the Internet with scam pop ups that will prompt you to call into the scammers.

First of all, let me get this out of the way. If you see any pop up that claims to come from Apple, Microsoft, or anyone else that prompts you to call a number to resolve some sort of virus or security issue, it is fake. No company would do this. And your antivirus software will never prompt you to call a number.

Now, let’s talk about how to spot and deal with these scams:

1. Do not click on the pop-up
2. Look for spelling mistakes and unprofessional images. These scams are filled with this sort of stuff.
3. Do not call the number in the pop-up. Nor should you give out personal details or payment details if for whatever reason you call the number. Which again, you should never, ever do. And you should never give anyone remote access to your computer ever.
4. Try to close your browser to get rid of the pop ups.
5. If that doesn’t work, try to restart your computer.
6. If that doesn’t work, then you should run an antivirus application to try to get rid of the pop ups.
7. If that doesn’t work, see a computer professional for assistance.

In terms of of preventing the possibility of pop up scams hitting your computer, here’s some suggestions:

• Use anti-virus software or a complete internet security solution.
• Keep your anti-virus and internet security software updated
• Keep your browser, software and operating system updated
• Do not click on unverified links in spam emails, messages or unfamiliar websites
• Never open attachments in spam emails

Pro Tip #1: You should block pop-ups in your browser by default. Turn on your browser’s ad blocker and block pop-ups by default. Inspect any website or page that requires you to turn off these features—or better yet, avoid them altogether.

Pro Tip #2: Deleting unusual apps and extensions from your browser. If you find any unusual apps or programs on your device, especially ones you didn’t install. They’re likely infected bad.

Finally, I want to reiterate that Apple, Microsoft, or anyone else that prompts you to call a number to resolve some sort of virus or security issue. So if you see one of these pop ups, please take the advice that I have written above to protect yourself accordingly.