#16
Sophisticated scam about windows certificate?
#17
Terry Pinnell wrote:
> Still baffled how they popped up an apparent TeamViewer window or dialog
> bottom right corner *before* I'd done anything. That's what held my attention.

Because you have TeamViewer installed. All they need to do is hack TeamViewer and they have access to millions of people.
#18
"Terry Pinnell" wrote:
> A couple of hours ago I was contacted by someone claiming to be from Google Security
> Services. Texas based, he said. I get several scam calls a week and handled this in
> my usual fashion with a "Not interested, don't call me again" and ended the call.
> But unusually this one called straight back and got me listening for a while. At my
> insistence he gave me a phone number of 18005321200, which I've not yet tried. He
> claimed that my PC had been hacked and he proceeded to demonstrate evidence that he
> had access etc. He was using a service called TeamViewer, whose details he popped up
> on my screen. (I've since called that company and they point out that anyone can use
> their software.)

That's a classic scam. I have a brother who fell for it. Luckily for him, he's a starving artist and doesn't have a charge card. But there is a valuable lesson he

Remote desktop has been hacked in the past and is high-risk. If you don't log into your computer from elsewhere you should disable the service. Also disable other remote-functionality services. They're designed mainly for use on a safe, corporate intranet.

If the caller had access to your desktop then you might want to also run some scans. Though usually these scammers are not interested in installing trojans or the like. They just want you to pay them money and for you to believe it was legit, so you won't cancel the payment.
#19
Terry Pinnell wrote:
> He was using a service called TeamViewer

You are 100% certainly being targeted by scammers, do not even speak to them if they call back.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
Entry = \Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

Looks like someone (could be you previously legitimately, or someone tricked you or exploited a remote execution) *HAS* run TeamViewer on the PC.

Search that users\terry\appdata folder for teamviewer.exe; if you find it, delete it ...

Download "autoruns" directly from Microsoft (not from anywhere else):
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Select the "everything" tab and filter for "team". Do you see anything?
#20
Andy Burns wrote:
> Terry Pinnell wrote:
>> He was using a service called TeamViewer
>
> You are 100% certainly being targeted by scammers, do not even speak to them if they call back.
>
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
> Entry = \Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
>
> Looks like someone (could be you previously legitimately, or someone tricked you or exploited a remote execution) *HAS* run TeamViewer on the PC.
>
> Search that users\terry\appdata folder for teamviewer.exe; if you find it, delete it ...
>
> Download "autoruns" directly from Microsoft (not from anywhere else):
> https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
> Select the "everything" tab and filter for "team". Do you see anything?

Thanks Andy. You're right. On my entire PC (all internal and external drives) there's just that one copy, namely
C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

I'd say it must have got installed during the call, except for that apparent TeamViewer window appearing at its very start.

There are many files in that folder. Although it presumably gets deleted automatically (when?), maybe I should go ahead and do so straight away?

No entries in Autoruns.

I'm also about to delete the six registry entries I listed earlier.

Any idea how to decode that Start and Stop number? I'm guessing it's a date/time, and during the call, but would like to pin it down. Here it is again:
Start 0x1d57e80e49c7d73 (132150856133672307)
Stop is strangely identical. I'd have expected a small difference if I'm right about it being a date/time.

Terry
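The number Terry quotes is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and the BAM key Andy pointed at stores the same kind of stamp for each executable the user has run. The script below is an added example for this page, not code posted by anyone in the thread. It decodes a bare FILETIME, parses a BAM UserSettings value and scans a set of BAM entries for a given executable name. It assumes the Windows 10 BAM value layout (a 24-byte REG_BINARY whose first 8 bytes are a little-endian FILETIME), and the registry snapshot it scans is constructed for the demo: the TeamViewer path and the 0x1d57e80e49c7d73 stamp are the ones from the thread, the other two entries are made up for contrast.

```python
"""
Decode Windows FILETIME stamps and BAM (Background Activity Moderator)
execution records.

Added example for this page; not code from the thread. Assumes the
Windows 10 BAM value layout (24 bytes, first 8 = little-endian FILETIME).
SAMPLE_BAM below is constructed test data, not a real registry dump.
"""
from datetime import datetime, timedelta, timezone
import struct

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to an aware UTC datetime.
    The last tick digit (sub-microsecond) is dropped, since datetime
    only carries microseconds."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_bam_value(blob: bytes) -> datetime:
    """Decode the last-execution time stored in a BAM UserSettings value:
    a little-endian u64 FILETIME at offset 0 of the 24-byte blob."""
    if len(blob) < 8:
        raise ValueError(f"BAM value too short: {len(blob)} bytes")
    (ft,) = struct.unpack_from("<Q", blob, 0)
    return filetime_to_datetime(ft)


def find_executions(bam_values: dict, needle: str) -> list:
    """Return (path, utc_datetime) for every BAM entry whose value name
    (the NT device path of the executable) contains needle, oldest first.
    bam_values maps value name -> raw bytes, i.e. what winreg would give
    you for each value under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\<SID>."""
    hits = [(path, parse_bam_value(blob))
            for path, blob in bam_values.items()
            if needle.lower() in path.lower()]
    return sorted(hits, key=lambda hit: hit[1])


def make_bam_blob(ft: int) -> bytes:
    """Build a 24-byte BAM value from a FILETIME (used to construct test data)."""
    return struct.pack("<Q", ft) + b"\x00" * 16


# Constructed snapshot of one user's BAM key. The TeamViewer path and the
# Start value 0x1d57e80e49c7d73 are the ones quoted in the thread; the other
# two entries and their timestamps are invented for contrast.
SAMPLE_BAM = {
    r"\Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe":
        make_bam_blob(0x1D57E80E49C7D73),
    r"\Device\HarddiskVolume6\Windows\explorer.exe":
        make_bam_blob(0x1D57E7A00000000),
    r"\Device\HarddiskVolume6\Program Files\Waterfox\waterfox.exe":
        make_bam_blob(0x1D57E80A0000000),
}


if __name__ == "__main__":
    # Decode the bare stamp Terry posted, then scan the snapshot for TeamViewer.
    print(filetime_to_datetime(0x1D57E80E49C7D73).isoformat())
    for path, when in find_executions(SAMPLE_BAM, "teamviewer"):
        print(when.isoformat(), path)
```

The stamp decodes to 2019-10-09 09:06:53 UTC, which is 10:06:53 UK BST (UTC+1). The same decoder applies to any QWORD FILETIME registry value, so it handles the Start/Stop pair as well as BAM entries; on a live system the bytes come from `winreg.QueryValueEx` (or `Get-ItemProperty` in PowerShell) rather than the constructed dictionary used here.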
#21
"Mayayana" wrote:
> "Terry Pinnell" wrote:
>> A couple of hours ago I was contacted by someone claiming to be from Google Security
>> Services. Texas based, he said. I get several scam calls a week and handled this in
>> my usual fashion with a "Not interested, don't call me again" and ended the call.
>> But unusually this one called straight back and got me listening for a while. At my
>> insistence he gave me a phone number of 18005321200, which I've not yet tried. He
>> claimed that my PC had been hacked and he proceeded to demonstrate evidence that he
>> had access etc. He was using a service called TeamViewer, whose details he popped up
>> on my screen. (I've since called that company and they point out that anyone can use
>> their software.)
>
> That's a classic scam. I have a brother who fell for it. Luckily for him, he's a starving artist and doesn't have a charge card. But there is a valuable lesson he
>
> Remote desktop has been hacked in the past and is high-risk. If you don't log into your computer from elsewhere you should disable the service. Also disable other remote-functionality services. They're designed mainly for use on a safe, corporate intranet.
>
> If the caller had access to your desktop then you might want to also run some scans. Though usually these scammers are not interested in installing trojans or the like. They just want you to pay them money and for you to believe it was legit, so you won't cancel the payment.

Thanks, I'm thirsty for slightly reassuring messages like that! In a similar vein, Malwarebytes, CCleaner and my permanently installed Defender reported nothing bad.

Meanwhile I've requested a Mastercard change, which is a PITA as so much else depends on it.

Terry
#22
Terry Pinnell wrote:
> On my entire PC (all internal and external drives) there's just that one copy, namely
> C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
>
> I'd say it must have got installed during the call

Did they ask you to visit a web page? Or send you an email with a link?

I don't have anything under the consentstore registry section (I have most permissions like microphone, camera etc turned off under settings/privacy/permissions). I'd just ignore or delete it.
#23
Andy Burns wrote:
> Terry Pinnell wrote:
>> On my entire PC (all internal and external drives) there's just that one copy, namely
>> C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
>>
>> I'd say it must have got installed during the call
>
> Did they ask you to visit a web page? Or send you an email with a link?

Yes, "their company" site, which looks legit but plainly not theirs!

> I don't have anything under the consentstore registry section (I have most permissions like microphone, camera etc turned off under settings/privacy/permissions). I'd just ignore or delete it.

I've deleted that entire TeamViewer folder. But I couldn't delete these two registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004

Both give the message:
"Cannot delete 5-1-5-21-1643601740-1098315019-3821599572-1004: Error while deleting key."

Any suggestions on how to zap those please?

Terry
#24
On Wed, 09 Oct 2019 20:09:03 +0100, Terry Pinnell wrote:
> Andy Burns wrote:
>> Terry Pinnell wrote:
>>> On my entire PC (all internal and external drives) there's just that one copy, namely
>>> C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
>>>
>>> I'd say it must have got installed during the call
>>
>> Did they ask you to visit a web page? Or send you an email with a link?
>
> Yes, "their company" site, which looks legit but plainly not theirs!
>
>> I don't have anything under the consentstore registry section (I have most permissions like microphone, camera etc turned off under settings/privacy/permissions). I'd just ignore or delete it.
>
> I've deleted that entire TeamViewer folder. But I couldn't delete these two registry keys:
>
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
>
> Both give the message:
> "Cannot delete 5-1-5-21-1643601740-1098315019-3821599572-1004: Error while deleting key."
>
> Any suggestions on how to zap those please?
>
> Terry
#25
On Wed, 09 Oct 2019 20:09:03 +0100, Terry Pinnell wrote:
> Andy Burns wrote:
>> Terry Pinnell wrote:
>>> On my entire PC (all internal and external drives) there's just that one copy, namely
>>> C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
>>>
>>> I'd say it must have got installed during the call
>>
>> Did they ask you to visit a web page? Or send you an email with a link?
>
> Yes, "their company" site, which looks legit but plainly not theirs!
>
>> I don't have anything under the consentstore registry section (I have most permissions like microphone, camera etc turned off under settings/privacy/permissions). I'd just ignore or delete it.
>
> I've deleted that entire TeamViewer folder. But I couldn't delete these two registry keys:
>
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
>
> Both give the message:
> "Cannot delete 5-1-5-21-1643601740-1098315019-3821599572-1004: Error while deleting key."
>
> Any suggestions on how to zap those please?

Two points:

1. You should never *delete* a program. You should uninstall it.

2. There's no reason to get rid of TeamViewer. It's an excellent program to have. It lets you help other people and it lets you get help from people you know and trust. Just don't give access to it on your computer to scammers who telephone you.

I often use TeamViewer to help friends and relatives.
#26
On Wed, 09 Oct 2019 21:09:24 +0100, Terry Pinnell wrote:
> Neat forensics with that code! Assuming 10/09/2019 is US format (9th Oct, not 10th Sep) that's definitely today then. Without a timezone it's not possible to pin down the time. I'm guessing it was some point during the call which I think was roughly 10:00 to 11:15 UK BST. India would be about 4 hours *ahead*, but 05:06 implies USA, say 6 hours behind. Puzzling, as both guys on the call were Indian. (The first claimed to be in Texas, but I assumed that was to support his claim to be working for 'Google Security Services'!)

Does 'Google Security Services' have a presence in Texas? If so, where? To me, if they had volunteered that bit of info, it probably wouldn't have helped them.
#27
On 2019-10-09, Apd wrote:
> It was extremely foolish of you to allow access.

I keep an old XP virtual machine for those scammers to waste their time and knock around in. It's even better if they're using TeamViewer since that'll run in a Linux VM - watching them stumble around not being able to make anything work is priceless. I figure it's a job well done when they finally realize they've been had and start shouting Indian curses over the phone.

--
Roger Blake (Posts from Google Groups killfiled due to excess spam.)
NSA sedition and treason -- http://www.DeathToNSAthugs.com
Don't talk to cops! -- http://www.DontTalkToCops.com
Badges don't grant extra rights -- http://www.CopBlock.org
#28
Terry Pinnell wrote:
> Andy Burns wrote:
>> Did they ask you to visit a web page? Or send you an email with a link?
>
> Yes, "their company" site

What browser did you use?

How up to date are you with Windows updates?
#29
Andy Burns wrote:
> Terry Pinnell wrote:
>> Andy Burns wrote:
>>> Did they ask you to visit a web page? Or send you an email with a link?
>>
>> Yes, "their company" site
>
> What browser did you use?

Waterfox

> How up to date are you with Windows updates?

Fully, according to Settings. Currently Version 1903 (OS Build 18362.388)
#30
"Mayayana" wrote:
> "Terry Pinnell" wrote:
>> A couple of hours ago I was contacted by someone claiming to be from Google Security
>> Services. Texas based, he said. I get several scam calls a week and handled this in
>> my usual fashion with a "Not interested, don't call me again" and ended the call.
>> But unusually this one called straight back and got me listening for a while. At my
>> insistence he gave me a phone number of 18005321200, which I've not yet tried. He
>> claimed that my PC had been hacked and he proceeded to demonstrate evidence that he
>> had access etc. He was using a service called TeamViewer, whose details he popped up
>> on my screen. (I've since called that company and they point out that anyone can use
>> their software.)
>
> That's a classic scam. I have a brother who fell for it. Luckily for him, he's a starving artist and doesn't have a charge card. But there is a valuable lesson he
>
> Remote desktop has been hacked in the past and is high-risk. If you don't log into your computer from elsewhere you should disable the service. Also disable other remote-functionality services. They're designed mainly for use on a safe, corporate intranet.
>
> If the caller had access to your desktop then you might want to also run some scans. Though usually these scammers are not interested in installing trojans or the like. They just want you to pay them money and for you to believe it was legit, so you won't cancel the payment.

Looks like the scam hasn't changed much in three years:
https://community.teamviewer.com/t5/...mmers/td-p/682

Terry