Sophisticated scam about windows certificate?



 
 
  #16  
Old October 9th 19, 05:29 PM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]
external usenet poster
 
Posts: 732
Default Sophisticated scam about windows certificate?

wrote:

On Wed, 09 Oct 2019 13:19:40 +0100, Terry Pinnell
wrote:

He was using a service called TeamViewer, whose details he popped up
on my screen. (I've since called that company and they point out that anyone can use
their software.)


It is a scam.

To see stuff on your computer is one thing. To be able to enter
commands is different.

I worked with Teamviewer some years ago and they shut down a licensed
user in that area (Asia/India/Pak) as a result.

Teamviewer remote access software is free for client use. It requires
one side (your side) to grant permission for the other side to access
your computer with Teamviewer software over the Internet. You must
both be running the Teamviewer client software. You give them the
temporary code the Teamviewer software gives you and they can gain
access to your computer. This code is generated by the Teamviewer server,
not the client software you and they run. Key point: They also have a
temporary code that the Teamviewer server gave them. You need *their*
Teamviewer license number--then they can be shut down. Simply tell
them your Teamviewer client software requires *their* license number
to allow them to be able to access your computer. Of course, you say
this is a security feature by Teamviewer to catch and stop scammers
<g>. Invalid license = no access. Thus, you need their license number
in order to enter it into the Teamviewer security software system. Key
point: You are NOT accessing their computer, so they do not need your
license number. Also, give them a made-up code and not the real
Teamviewer temporary pass code from the Teamviewer server. Of course,
you never give them your Teamview license number.


Thanks Jerry, that's helpful background info.

Still baffled how they popped up an apparent TeamViewer window or dialog bottom
right corner *before* I'd done anything. That's what held my attention.

But I may well have then made matters worse, hard to say. Most of the time was
used by the caller to convince me of his legitimacy and that of Ridhima Enterprise.
But obviously I wonder if he or his background software could have been scanning and
recording stuff which right now is being sifted through for nefarious purposes!

Is there any forensic work you or others can suggest other than the more obvious
stuff please? Neither Defender, Malwarebytes nor CCleaner reports anything of
interest. I found no *obvious* trace of TeamViewer being installed (not in list of
installed progs; no C:\Program Files\ or C:\Program Files (x86)\ folder or entry in
Services). BUT intriguingly Regedit gave these six hits:

1. Key = HKEY_CURRENT_USER\Software\TeamViewer
Entry = Default (value not set)

2. Key =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Users#terry#AppData#Local#Temp#TeamViewer#TeamViewer.exe
Entry = Start 0x1d57e80e49c7d73 (132150856133672307)
(Second entry Stop is identical)
If that's a date/time, I couldn't decode it with Excel for instance.

3. Key = HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer
Entry = SRPPasswordMachineIdentifier with a 'REG_BINARY' entry and a string of pairs

4. Key =
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
Entry =
\Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

5. Key =
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
Entry = Same as #4

6. Key =
HKEY_USERS\S-1-5-21-1643601740-1098315019-3821599572-1004\Software\TeamViewer
Entry = Default (value not set)

Terry
  #17  
Old October 9th 19, 05:33 PM posted to alt.comp.os.windows-10
nospam

In article , Terry Pinnell
wrote:

Still baffled how they popped up an apparent TeamViewer window or dialog bottom
right corner *before* I'd done anything. That's what held my attention.


because you have team viewer installed.

all they need to do is hack teamviewer and they have access to millions
of people.
  #18  
Old October 9th 19, 06:03 PM posted to alt.comp.os.windows-10
Mayayana

"Terry Pinnell" wrote
| A couple of hours ago I was contacted by someone claiming to be from Google Security
| Services. Texas based, he said. I get several scam calls a week and handled this in
| my usual fashion with a "Not interested, don't call me again" and ended the call.
| But unusually this one called straight back and got me listening for a while. At my
| insistence he gave me a phone number of 18005321200, which I've not yet tried. He
| claimed that my PC had been hacked and he proceeded to demonstrate evidence that he
| had access etc. He was using a service called TeamViewer, whose details he popped up
| on my screen. (I've since called that company and they point out that anyone can use
| their software.)
|

That's a classic scam. I have a brother who fell for it.
Luckily for him, he's a starving artist and doesn't have
a charge card.

But there is a valuable lesson here: Remote desktop has
been hacked in the past and is high-risk. If you don't log
into your computer from elsewhere you should disable
the service. Also disable other remote-functionality services.
They're designed mainly for use on a safe, corporate
intranet.

If the caller had access to your desktop then you might
want to also run some scans. Though usually these scammers
are not interested in installing trojans or the like. They just want
you to pay them money and for you to believe it was legit, so
you won't cancel the payment.



  #19  
Old October 9th 19, 06:47 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]

Terry Pinnell wrote:

He was using a service called TeamViewer


You are 100% certainly being targeted by scammers, do not even speak to
them if they call back.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
Entry =
\Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe


Looks like someone (could be you previously legitimately, or someone
tricked you or exploited a remote execution) *HAS* run teamviewer on the PC.

search that users\terry\appdata folder for teamviewer.exe

if you find it, delete it ...

download "autoruns" directly from microsoft (not from anywhere else)

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

select the "everything" tab and filter for "team", do you see anything?




  #20  
Old October 9th 19, 07:44 PM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]

Andy Burns wrote:

Terry Pinnell wrote:

He was using a service called TeamViewer


You are 100% certainly being targeted by scammers, do not even speak to
them if they call back.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
Entry =
\Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe


Looks like someone (could be you previously legitimately, or someone
tricked you or exploited a remote execution) *HAS* run teamviewer on the PC.

search that users\terry\appdata folder for teamviewer.exe

if you find it, delete it ...

download "autoruns" directly from microsoft (not from anywhere else)

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

select the "everything" tab and filter for "team", do you see anything?



Thanks Andy. You're right. On my entire PC (all internal and external drives)
there's just that one copy, namely
C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

I'd say it must have got installed during the call, except for that apparent
TeamViewer window appearing at its very start.

There are many files in that folder. Although it presumably gets deleted
automatically (when?) maybe I should go ahead and do so straight away?

No entries in Autoruns.

I'm also about to delete the six registry entries I listed earlier. Any idea how to
decode that Start and Stop number, as I'm guessing it's a Date/Time, and during the
call, but would like to pin it down. Here it is again:
Start 0x1d57e80e49c7d73 (132150856133672307)
Stop is strangely identical. I'd have expected a small difference if I'm right about
it being a date/time.


Terry
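Decoding that Start/Stop value, as an added example that is not part of this thread: a Regedit QWORD of this size is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), the same encoding BAM uses for the last-run time of an executable, so one decoder covers both the ConsentStore value and the bam\State\UserSettings entries. The function names, the constructed BAM blob and the fixed UTC offsets used for the clock comparisons (BST +1, US Eastern daylight time -4, India +5:30) are the example's own assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The value as Regedit showed it in the thread (hex, then decimal in brackets).
REGEDIT_DISPLAY = "0x 1d57e80e49c7d73 (132150856133672307)"


def parse_regedit_qword(display: str) -> int:
    """Parse Regedit's QWORD display string into an integer.

    Both the hex and the decimal form are read and cross-checked, so a digit
    lost or a space inserted while the value was copied into a post is caught
    instead of silently producing a wrong timestamp.
    """
    text = display.strip().replace("0x ", "0x")
    hex_part, _, rest = text.partition(" ")
    ticks = int(hex_part, 16)
    if rest:
        decimal = int(rest.strip("() "))
        if decimal != ticks:
            raise ValueError(f"hex {hex_part} and decimal {decimal} disagree")
    return ticks


def filetime_to_utc(ticks: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    if not 0 <= ticks < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    # timedelta resolves to microseconds, so the last (100 ns) digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_bam_value(data: bytes) -> datetime:
    """Decode a BAM UserSettings value (under Services\\bam\\State\\UserSettings\\<SID>).

    The value data is a 24-byte blob whose first 8 bytes are a little-endian
    FILETIME recording when the executable named by the value was last run.
    """
    if len(data) < 8:
        raise ValueError("BAM value too short to hold a FILETIME")
    (ticks,) = struct.unpack_from("<Q", data, 0)
    return filetime_to_utc(ticks)


def local_clock(utc_dt: datetime, offset_hours: float) -> str:
    """Render a UTC timestamp in a fixed-offset zone, e.g. 1 for BST, -4 for EDT."""
    zone = timezone(timedelta(hours=offset_hours))
    return utc_dt.astimezone(zone).strftime("%Y-%m-%d %H:%M:%S UTC%z")


# Constructed sample blob (not captured from the poster's machine): the thread's
# FILETIME packed little-endian, padded to the 24 bytes BAM stores.
SAMPLE_BAM_VALUE = struct.pack("<Q", 132150856133672307) + bytes(16)

if __name__ == "__main__":
    when = filetime_to_utc(parse_regedit_qword(REGEDIT_DISPLAY))
    print("UTC          :", when.isoformat())
    print("UK (BST, +1) :", local_clock(when, 1))    # inside the reported call window
    print("US East (-4) :", local_clock(when, -4))   # the 05:06 quoted later in the thread
    print("India (+5:30):", local_clock(when, 5.5))
    assert decode_bam_value(SAMPLE_BAM_VALUE) == when
```

Identical Start and Stop values are consistent with a single recorded use rather than a decoding error: the stop timestamp simply has not advanced past the start.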

  #21  
Old October 9th 19, 07:52 PM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]

"Mayayana" wrote:

"Terry Pinnell" wrote
| A couple of hours ago I was contacted by someone claiming to be from Google Security
| Services. Texas based, he said. I get several scam calls a week and handled this in
| my usual fashion with a "Not interested, don't call me again" and ended the call.
| But unusually this one called straight back and got me listening for a while. At my
| insistence he gave me a phone number of 18005321200, which I've not yet tried. He
| claimed that my PC had been hacked and he proceeded to demonstrate evidence that he
| had access etc. He was using a service called TeamViewer, whose details he popped up
| on my screen. (I've since called that company and they point out that anyone can use
| their software.)
|

That's a classic scam. I have a brother who fell for it.
Luckily for him, he's a starving artist and doesn't have
a charge card.

But there is a valuable lesson here: Remote desktop has
been hacked in the past and is high-risk. If you don't log
into your computer from elsewhere you should disable
the service. Also disable other remote-functionality services.
They're designed mainly for use on a safe, corporate
intranet.

If the caller had access to your desktop then you might
want to also run some scans. Though usually these scammers
are not interested in installing trojans or the like. They just want
you to pay them money and for you to believe it was legit, so
you won't cancel the payment.

Thanks, I'm thirsty for slightly reassuring messages like that!

In a similar vein, Malwarebytes, CCleaner and my permanently installed Defender
reported nothing bad.

Meanwhile I've requested a Mastercard change, which is a PITA as so much else
depends on it.

Terry
  #22  
Old October 9th 19, 08:03 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]

Terry Pinnell wrote:

On my entire PC (all internal and external drives)
there's just that one copy, namely
C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

I'd say it must have got installed during the call


Did they ask you to visit a web page? or send you an email with a link?

I don't have anything under the consentstore registry section (I have
most permissions like microphone, camera etc turned off under
settings/privacy/permissions) I'd just ignore or delete it.


  #23  
Old October 9th 19, 08:09 PM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]

Andy Burns wrote:

Terry Pinnell wrote:

On my entire PC (all internal and external drives)
there's just that one copy, namely
C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

I'd say it must have got installed during the call


Did they ask you to visit a web page? or send you an email with a link?

I don't have anything under the consentstore registry section (I have
most permissions like microphone, camera etc turned off under
settings/privacy/permissions) I'd just ignore or delete it.


Yes, "their company" site, which looks legit but plainly not theirs!

I've deleted that entire TeamViewer folder.

But I couldn't delete these two registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004

Both give the message:
"Cannot delete 5-1-5-21-1643601740-1098315019-3821599572-1004: Error while deleting
key."

Any suggestions on how to zap those please?

Terry
  #24  
Old October 9th 19, 09:18 PM posted to alt.comp.os.windows-10
Ken Blake[_5_]

On Wed, 09 Oct 2019 20:09:03 +0100, Terry Pinnell
wrote:

Andy Burns wrote:

Terry Pinnell wrote:

On my entire PC (all internal and external drives)
there's just that one copy, namely
C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

I'd say it must have got installed during the call


Did they ask you to visit a web page? or send you an email with a link?

I don't have anything under the consentstore registry section (I have
most permissions like microphone, camera etc turned off under
settings/privacy/permissions) I'd just ignore or delete it.


Yes, "their company" site, which looks legit but plainly not theirs!

I've deleted that entire TeamViewer folder.

But I couldn't delete these two registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004

Both give the message:
"Cannot delete 5-1-5-21-1643601740-1098315019-3821599572-1004: Error while deleting
key."

Any suggestions on how to zap those please?

Terry

  #25  
Old October 9th 19, 09:22 PM posted to alt.comp.os.windows-10
Ken Blake[_5_]

On Wed, 09 Oct 2019 20:09:03 +0100, Terry Pinnell
wrote:

Andy Burns wrote:

Terry Pinnell wrote:

On my entire PC (all internal and external drives)
there's just that one copy, namely
C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

I'd say it must have got installed during the call


Did they ask you to visit a web page? or send you an email with a link?

I don't have anything under the consentstore registry section (I have
most permissions like microphone, camera etc turned off under
settings/privacy/permissions) I'd just ignore or delete it.


Yes, "their company" site, which looks legit but plainly not theirs!

I've deleted that entire TeamViewer folder.

But I couldn't delete these two registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1643601740-1098315019-3821599572-1004

Both give the message:
"Cannot delete 5-1-5-21-1643601740-1098315019-3821599572-1004: Error while deleting
key."

Any suggestions on how to zap those please?




Two points:

1. You should never *delete* a program. You should uninstall it.

2. There's no reason to get rid of TeamViewer. It's an excellent
program to have. It lets you help other people and it lets you get
help from people you know and trust. Just don't give access to it on
your computer to scammers who telephone you.

I often use TeamViewer to help friends and relatives.
  #26  
Old October 9th 19, 11:09 PM posted to alt.comp.os.windows-10
Char Jackson

On Wed, 09 Oct 2019 21:09:24 +0100, Terry Pinnell
wrote:

Neat forensics with that code! Assuming 10/09/2019 is US format (9th Oct, not 10th
Sep) that's definitely today then. Without a timezone it's not possible to pin down
the time. I'm guessing it was some point during the call which I think was roughly
10:00 to 11:15 UK BST. India would be about 4 hours *ahead*, but 05:06 implies USA,
say 6 hours behind. Puzzling, as both guys on the call were Indian. (The first
claimed to be in Texas, but I assumed that was to support his claim to be working
for 'Google Security Services'!)


Does 'Google Security Services' have a presence in Texas? If so, where? To
me, if they had volunteered that bit of info, it probably wouldn't have
helped them.

  #27  
Old October 9th 19, 11:45 PM posted to alt.comp.os.windows-10
Roger Blake[_2_]

On 2019-10-09, Apd wrote:
It was extremely foolish of you to allow access.


I keep an old XP virtual machine for those scammers to waste their
time and knock around in. It's even better if they're using TeamViewer
since that'll run in a Linux VM - watching them stumble around not
being able to make anything work is priceless.

I figure it's a job well done when they finally realize they've
been had and start shouting Indian curses over the phone.

--
-----------------------------------------------------------------------------
Roger Blake (Posts from Google Groups killfiled due to excess spam.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
Don't talk to cops! -- http://www.DontTalkToCops.com
Badges don't grant extra rights -- http://www.CopBlock.org
-----------------------------------------------------------------------------
  #28  
Old October 10th 19, 07:26 AM posted to alt.comp.os.windows-10
Andy Burns[_6_]

Terry Pinnell wrote:

Andy Burns wrote:

Did they ask you to visit a web page? or send you an email with a link?


Yes, "their company" site


what browser did you use?

How up to date are you with windows updates?

  #29  
Old October 10th 19, 08:11 AM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]

Andy Burns wrote:

Terry Pinnell wrote:

Andy Burns wrote:

Did they ask you to visit a web page? or send you an email with a link?


Yes, "their company" site


what browser did you use?


Waterfox

How up to date are you with windows updates?


Fully, according to Settings. Currently Version 1903 (OS Build 18362.388)
  #30  
Old October 10th 19, 08:25 AM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]

"Mayayana" wrote:

"Terry Pinnell" wrote
| A couple of hours ago I was contacted by someone claiming to be from Google Security
| Services. Texas based, he said. I get several scam calls a week and handled this in
| my usual fashion with a "Not interested, don't call me again" and ended the call.
| But unusually this one called straight back and got me listening for a while. At my
| insistence he gave me a phone number of 18005321200, which I've not yet tried. He
| claimed that my PC had been hacked and he proceeded to demonstrate evidence that he
| had access etc. He was using a service called TeamViewer, whose details he popped up
| on my screen. (I've since called that company and they point out that anyone can use
| their software.)
|

That's a classic scam. I have a brother who fell for it.
Luckily for him, he's a starving artist and doesn't have
a charge card.

But there is a valuable lesson here: Remote desktop has
been hacked in the past and is high-risk. If you don't log
into your computer from elsewhere you should disable
the service. Also disable other remote-functionality services.
They're designed mainly for use on a safe, corporate
intranet.

If the caller had access to your desktop then you might
want to also run some scans. Though usually these scammers
are not interested in installing trojans or the like. They just want
you to pay them money and for you to believe it was legit, so
you won't cancel the payment.


Looks like the scam hasn't changed much in three years:

https://community.teamviewer.com/t5/...mmers/td-p/682

Terry

 



