#31
Sophisticated scam about windows certificate?
Terry Pinnell wrote:
Still no idea how they got in initially. Does your browser download history show anything? How they displayed the initial pop-up window that grabbed my attention is beyond my technical grasp. Pop-up within the browser designed to look like an actual Windows dialogue?
#32
Sophisticated scam about windows certificate?
Terry Pinnell wrote:
Paul wrote:
Terry Pinnell wrote:
Andy Burns wrote:
Terry Pinnell wrote:
He was using a service called TeamViewer

You are 100% certainly being targeted by scammers, do not even speak to them if they call back.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
Entry = \Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

Looks like someone (could be you previously legitimately, or someone tricked you or exploited a remote execution) *HAS* run teamviewer on the PC. Search that users\terry\appdata folder for teamviewer.exe; if you find it, delete it ... Download "autoruns" directly from Microsoft (not from anywhere else) https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns select the "everything" tab and filter for "team", do you see anything?

Thanks Andy. You're right. On my entire PC (all internal and external drives) there's just that one copy, namely C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe I'd say it must have got installed during the call, except for that apparent TeamViewer window appearing at its very start. There are many files in that folder. Although it presumably gets deleted automatically (when?) maybe I should go ahead and do so straight away? No entries in Autoruns. I'm also about to delete the six registry entries I listed earlier. Any idea how to decode that Start and Stop number, as I'm guessing it's a Date/Time, and during the call, but would like to pin it down. Here it is again: Start 0x 1d57e80e49c7d73 (132150856133672307) Stop is strangely identical. I'd have expected a small difference if I'm right about it being a date/time. Terry

https://support.microsoft.com/en-ca/...rating-systems S-1-5-21 is the start of an Administrator account 500 key like S-1-5-21-xxxxxxxxx-yyyyyyyyy-zzzzzzzzzz-500 ******* 0x 1d57e80e49c7d73 (132150856133672307) I can use filetime.exe on that. There's probably an assumption of an NTFS-style timestamp in this. 1D57E80 E49C7D73 10/09/2019 05:06:53.367 snip

Thanks Paul. I'll leave those registry entries then. Neat forensics with that code! Assuming 10/09/2019 is US format (9th Oct, not 10th Sep) that's definitely today then. Without a timezone it's not possible to pin down the time. I'm guessing it was some point during the call which I think was roughly 10:00 to 11:15 UK BST. India would be about 4 hours *ahead*, but 05:06 implies USA, say 6 hours behind. Puzzling, as both guys on the call were Indian. (The first claimed to be in Texas, but I assumed that was to support his claim to be working for 'Google Security Services'!) Terry

The time is likely to be five hours difference, or 1D57E80 E49C7D73 10/09/2019 10:06:53.367 BST which would be early in your call (seven minutes into the call). I took a look at how difficult it would be to add timezone juggling to my little program, and it's a bit too hard to do in C code. I would have to change languages to make it look easy to do. One other thing you could try, for fun, is to use Agent Ransack to do a file search of C: , enter nothing in the filename box or the "containing text" box, then do a search, then sort by date when it finishes. Then, scroll down to the time in question, to see what file(s) were getting updated at that time. Paul
#33
Sophisticated scam about windows certificate?
Terry Pinnell wrote:
Andy Burns wrote:
Terry Pinnell wrote:
Andy Burns wrote:
Did they ask you to visit a web page? or send you an email with a link?

Yes, "their company" site

What browser did you use?

Waterfox

How up to date are you with Windows updates?

Fully, according to Settings. Currently Version 1903 (OS Build 18362.388) And after the WU that ran this morning: 1903 (OS Build 18362.418)
#34
Sophisticated scam about windows certificate?
Paul wrote:
Terry Pinnell wrote:
Paul wrote:
Terry Pinnell wrote:
Andy Burns wrote:
Terry Pinnell wrote:
He was using a service called TeamViewer

You are 100% certainly being targeted by scammers, do not even speak to them if they call back.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
Entry = \Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

Looks like someone (could be you previously legitimately, or someone tricked you or exploited a remote execution) *HAS* run teamviewer on the PC. Search that users\terry\appdata folder for teamviewer.exe; if you find it, delete it ... Download "autoruns" directly from Microsoft (not from anywhere else) https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns select the "everything" tab and filter for "team", do you see anything?

Thanks Andy. You're right. On my entire PC (all internal and external drives) there's just that one copy, namely C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe I'd say it must have got installed during the call, except for that apparent TeamViewer window appearing at its very start. There are many files in that folder. Although it presumably gets deleted automatically (when?) maybe I should go ahead and do so straight away? No entries in Autoruns. I'm also about to delete the six registry entries I listed earlier. Any idea how to decode that Start and Stop number, as I'm guessing it's a Date/Time, and during the call, but would like to pin it down. Here it is again: Start 0x 1d57e80e49c7d73 (132150856133672307) Stop is strangely identical. I'd have expected a small difference if I'm right about it being a date/time. Terry

https://support.microsoft.com/en-ca/...rating-systems S-1-5-21 is the start of an Administrator account 500 key like S-1-5-21-xxxxxxxxx-yyyyyyyyy-zzzzzzzzzz-500 ******* 0x 1d57e80e49c7d73 (132150856133672307) I can use filetime.exe on that. There's probably an assumption of an NTFS-style timestamp in this. 1D57E80 E49C7D73 10/09/2019 05:06:53.367 snip

Thanks Paul. I'll leave those registry entries then. Neat forensics with that code! Assuming 10/09/2019 is US format (9th Oct, not 10th Sep) that's definitely today then. Without a timezone it's not possible to pin down the time. I'm guessing it was some point during the call which I think was roughly 10:00 to 11:15 UK BST. India would be about 4 hours *ahead*, but 05:06 implies USA, say 6 hours behind. Puzzling, as both guys on the call were Indian. (The first claimed to be in Texas, but I assumed that was to support his claim to be working for 'Google Security Services'!) Terry

The time is likely to be five hours difference, or 1D57E80 E49C7D73 10/09/2019 10:06:53.367 BST which would be early in your call (seven minutes into the call). I took a look at how difficult it would be to add timezone juggling to my little program, and it's a bit too hard to do in C code. I would have to change languages to make it look easy to do. One other thing you could try, for fun, is to use Agent Ransack to do a file search of C: , enter nothing in the filename box or the "containing text" box, then do a search, then sort by date when it finishes. Then, scroll down to the time in question, to see what file(s) were getting updated at that time. Paul

I was thinking of trying something similar with Everything but your Ransack did a great job, thanks a bunch Paul. Not 'fun' though ;-) I got nearly 818k hits (restricted to C much faster than I'd expected. (BTW, assuming you use both tools, do you have a preference?) Here's an overview: https://www.dropbox.com/s/qgb41t917y...kHits.jpg?dl=0

Here's that web page they pulled up. In which I regrettably then allowed the session to continue ;-( are the two obviously relevant files. https://gs29.weebly.com/

And here's the all important TeamViewer log. https://www.dropbox.com/s/cvzrgdy80u...gfile.log?dl=0

But most of the 300 or so hits within the phone call period of approx 10:00-11:15 on 9th October were binaries. The snippets of readable text I could see with my hex editor meant little to me. Some are surely relevant but they are so inaccessible. I have uploaded one arbitrary example and if you think it worthwhile after a cursory look I could upload others. https://www.dropbox.com/s/3x4wvqmcpm...B0312459A?dl=0

Perhaps I'm being over-optimistic. But from the email reply I had this morning (posted here earlier) plus the phone call, I have a feeling that no malicious further hacking was done during the session. The focus was on getting me to buy. That log seems to include a couple of screen grabs but I can't interpret much of the rest. If my optimism about the scammer is justified, it still leaves the question of just how badly hacked my PC is. That was the basis of their attempted scam. I also looked at Event Viewer but that was so daunting I closed it again fairly quickly! Terry
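Paul's decode of the BAM timestamp in posts #32 and #34 (the value 0x1d57e80e49c7d73 / 132150856133672307 rendering as 05:06:53 in his zone and 10:06:53 BST) is a plain Windows FILETIME conversion, and the "timezone juggling" he found awkward in C is a few lines in Python. The block below is an added example, not Paul's filetime.exe and not code from the thread: it parses the value in the three spellings the thread uses, decodes it to UTC, shows the same instant in fixed-offset BST and US Eastern daylight time (an assumption for illustration; it does not consult DST rules), and checks whether the instant falls inside the 10:00-11:15 BST call window Terry describes. It also reads a FILETIME from the first 8 bytes of a little-endian binary blob, which is an assumption about how such a registry value is stored rather than something the thread states; the blob is constructed here.

```python
"""Decode Windows FILETIME values into readable timestamps in several
zones and test them against a known activity window (forensic triage)."""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Fixed offsets for illustration only (assumption: no DST rule lookup).
# BST is UTC+1; US Eastern daylight time is UTC-4 on the date in question.
ZONES = {
    "UTC": timezone.utc,
    "BST": timezone(timedelta(hours=1), "BST"),
    "EDT": timezone(timedelta(hours=-4), "EDT"),
}


def parse_filetime(text):
    """Accept '0x 1d57e80e49c7d73', '132150856133672307' or the
    'HIGH LOW' hex split form '1D57E80 E49C7D73'; return an int."""
    s = text.strip().replace(" ", "")
    if s.lower().startswith("0x"):
        return int(s[2:], 16)
    if s.isdigit():
        return int(s, 10)
    return int(s, 16)


def filetime_from_le_bytes(blob):
    """First 8 bytes of a little-endian binary value -> FILETIME int.
    (Assumed layout for a REG_BINARY value that starts with a FILETIME.)"""
    if len(blob) < 8:
        raise ValueError("need at least 8 bytes")
    return struct.unpack("<Q", blob[:8])[0]


def filetime_to_utc(ft):
    """Ticks are 100 ns, so integer-divide by 10 to get microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_zone(ft, zone):
    return filetime_to_utc(ft).astimezone(ZONES[zone])


def render(ft):
    """Hex split into high/low 32-bit words, then the instant per zone."""
    hi, lo = ft >> 32, ft & 0xFFFFFFFF
    lines = [f"{hi:X} {lo:08X}  ({ft})"]
    for name in ZONES:
        lines.append(f"  {name}: {filetime_to_zone(ft, name):%Y-%m-%d %H:%M:%S.%f}")
    return "\n".join(lines)


def offset_into_window(ft, window_start, window_end):
    """How far into [window_start, window_end] the instant falls, or None
    if outside. Bounds must be timezone-aware so zones compare correctly."""
    t = filetime_to_utc(ft)
    if window_start <= t <= window_end:
        return t - window_start
    return None


# Constructed sample input: the value quoted in the thread, plus the same
# value packed as it would sit at the start of a little-endian blob.
SAMPLE_TEXT = "0x 1d57e80e49c7d73"
SAMPLE_BLOB = struct.pack("<Q", 0x1D57E80E49C7D73) + bytes(16)
CALL_START = datetime(2019, 10, 9, 10, 0, tzinfo=ZONES["BST"])
CALL_END = datetime(2019, 10, 9, 11, 15, tzinfo=ZONES["BST"])

if __name__ == "__main__":
    ft = parse_filetime(SAMPLE_TEXT)
    print(render(ft))
    print("same value from blob:", filetime_from_le_bytes(SAMPLE_BLOB) == ft)
    print("time into call window:", offset_into_window(ft, CALL_START, CALL_END))
```

Because the comparison in offset_into_window is done on aware datetimes, the call window can be given in local time while the FILETIME is decoded in UTC; that is exactly the ambiguity Terry ran into when reading an unlabelled 05:06 timestamp.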
#35
Sophisticated scam about windows certificate?
Terry Pinnell wrote:
Here's that web page they pulled up. In which I regrettably then allowed the session to continue ;-(

Yes, that would explain it. It's not my job to "tell you off" as such, and you've probably wised-up a bit but really you need to see the signs more clearly ... Why would Google care whether your machine had been hacked? Why would they call you from Texas then ask you to speak to India? Have you ever had to pay for a certificate before? No, so why would you need to renew it all of a sudden? Would Google use a free Weebly hosted website with a dodgy hostname? Would you trust such an amateurish looking website? You know not to download and run random .exe files, surely? Luckily you stopped short of paying them, the short advice is it's ALWAYS a scam, never stop to consider whether it might be valid, just shout "**** off" at them and hang up ...
#36
Sophisticated scam about windows certificate?
"Terry Pinnell" wrote
| Looks like the scam hasn't changed much in three years:
|
| https://community.teamviewer.com/t5/...mmers/td-p/682
|

Yes, but I think there are two issues there. One is the phone call. That happened to the woman I live with, where she saw a convincing popup on a webpage that told her she was infected and gave a phone number to call. My brother was called cold and asked to download a fix, which he did, and that was a remote control program. The caller was telling him he was behind on payments for his Windows license. They moved things around on the Desktop to show him that they were really Microsoft and had control.

But you said a TeamViewer window popped up. If that's really true, and not just a facsimile created through your browser, then it's possible there was a hack. (Look up TeamViewer hacks.) Maybe they somehow got your credentials, for instance. And how did you get TeamViewer? You didn't seem to know. Is it possible they tricked you into installing it? There have also been problems in the past with corrupt TeamViewer installers.

After looking around I'm not so sure that TV uses Remote Desktop Protocol (RDP). So it may be something like a browser type of program that uses its own remote server connection. Whatever it is, if you don't actually need it there's no reason to have it. People don't realize how risky it is to use these things. If you do need it you should use it on something like a laptop that you only use for that purpose. Anyone who wants to be able to use their home computer from a hotel room is basically missing the concept. Any tech support person who tells you that you have to install it is basically putting you at risk so they can avoid house calls.

So for safety, remove any such software. Avoid similar things like Skype, if possible. Disable most services that start with "Remote". (But not Remote Procedure Call. Disabling that will break everything. Microsoft have, unfortunately, linked it into the system.) If you're not on a home network you should be able to disable services like Server, Workstation, Remote Desktop Helper, Remote Registry (!), NetMeeting, COM+, SSDP Discovery, and so on. Those services are designed for use within a safe network. Running them on standalone machines is mixing oil and water. Ideally you should also have a firewall that blocks anything in or out that you didn't specifically enable. Though I don't know if Win10 will allow you to do that.

In short, it shouldn't be possible for anything to access your system remotely and it shouldn't be possible for anything not explicitly approved to call out. It's bad enough that people allow script in the browser, but at least those hacks are running on your system and any attack is related to weaknesses like cross-site scripting. In a sense you voluntarily download and run the malware. With remote services you're dealing with another kind of risk: living in a slum with no lock on your door.

Something else you might find interesting: https://www.grc.com/shieldsup I haven't used it for years but it used to have a method to test exposed ports. You should not have anything listening on any port that will respond to an incoming request. That's partly why things like TeamViewer are so risky. It's intranet design on the public Internet. If you "answer the door" then they only need to find a weakness.
#37
Sophisticated scam about windows certificate?
On 10/10/2019 12:57, Terry Pinnell wrote:
https://gs29.weebly.com/

CAN YOU TAKE THIS CRAP TO LINUX NEWSGROUP. WE DON'T DEAL WITH NUTTERS ON WINDOWS 10 NEWSGROUP. IN FUTURE PLEASE POST ALL YOUR QUERIES TO LINUX NEWSGROUP AS THEY ARE BETTER PLACED TO ADVISE YOU ON YOUR MENTAL PROBLEMS. YOU POST A GMAIL EMAIL ADDRESS AND NOW YOU ARE POSTING A WEEBLY WEBSITE ADDRESS. CLEARLY, YOU NEED YOUR BRAIN EXAMINED BY YOUR MEDICAL DOCTOR. HAVE YOU STOPPED TAKING YOUR PRESCRIPTION DRUGS?

-- With over 1,000,000 million devices now running Windows 10, customer satisfaction is higher than any previous version of Windows.
#38
Sophisticated scam about windows certificate?
π Good Guy π wrote:
On 10/10/2019 12:57, Terry Pinnell wrote:
https://gs29.weebly.com/

CAN YOU TAKE THIS CRAP TO LINUX NEWSGROUP. WE DON'T DEAL WITH NUTTERS ON WINDOWS 10 NEWSGROUP. IN FUTURE PLEASE POST ALL YOUR QUERIES TO LINUX NEWSGROUP AS THEY ARE BETTER PLACED TO ADVISE YOU ON YOUR MENTAL PROBLEMS. YOU POST A GMAIL EMAIL ADDRESS AND NOW YOU ARE POSTING A WEEBLY WEBSITE ADDRESS. CLEARLY, YOU NEED YOUR BRAIN EXAMINED BY YOUR MEDICAL DOCTOR. HAVE YOU STOPPED TAKING YOUR PRESCRIPTION DRUGS?

Translation: "Good" Guy is too stupid to use Linux.
#39
Sophisticated scam about windows certificate?
On Thu, 10 Oct 2019 08:22:45 +0100, Terry Pinnell
wrote:
They're certainly persistent! This morning I received the following reply, followed by yet another phone call for a last ditch attempt to clinch the sale.
--------------------
"Good Morning Mr. Pinnel, I just like to inform you that we are a legitimate company. Without your permission we cannot control your device because if we need to control your computer, we have to call you to run TeamViewer software, when you will share your Teamviewer ID & Password with us, then only it is possible for us to control your device with your permission. This is the way of a genuine company. But the trouble is those hackers, they don't need your permission to control your device. Any time they can control it, even without your knowledge. As we installed Security, Software & Services yesterday on your Network through your device, those hackers they cannot stop your device now. But the trouble is, they can access your all of the devices including your iPad & iPhone and all of your personal accounts and all the password also.
SNIP

Here's the line from above that jumps out at me: "As we installed Security, Software & Services yesterday on your Network through your device..." They installed software on your PC? That would be a red flag to me. I don't think I would trust that PC at this point.
#40
Sophisticated scam about windows certificate?
On Thu, 10 Oct 2019 12:57:24 +0100, Terry Pinnell
wrote:
Perhaps I'm being over-optimistic. But from the email reply I had this morning (posted here earlier) plus the phone call, I have a feeling that no malicious further hacking was done during the session.

Well, they claimed to have installed something on your PC, so there's that.
#41
Sophisticated scam about windows certificate?
On 2019-10-10 9:51 a.m., Char Jackson wrote:
On Thu, 10 Oct 2019 08:22:45 +0100, Terry Pinnell wrote:
They're certainly persistent! This morning I received the following reply, followed by yet another phone call for a last ditch attempt to clinch the sale.
--------------------
"Good Morning Mr. Pinnel, I just like to inform you that we are a legitimate company. Without your permission we cannot control your device because if we need to control your computer, we have to call you to run TeamViewer software, when you will share your Teamviewer ID & Password with us, then only it is possible for us to control your device with your permission. This is the way of a genuine company. But the trouble is those hackers, they don't need your permission to control your device. Any time they can control it, even without your knowledge. As we installed Security, Software & Services yesterday on your Network through your device, those hackers they cannot stop your device now. But the trouble is, they can access your all of the devices including your iPad & iPhone and all of your personal accounts and all the password also.
SNIP

Here's the line from above that jumps out at me: "As we installed Security, Software & Services yesterday on your Network through your device..." They installed software on your PC? That would be a red flag to me. I don't think I would trust that PC at this point.

I'm not paranoid, but if that was my machine it would be wiped clean in a minute and a new bare metal installation of Windows would be done with all new passwords and all. Rene
#42
Sophisticated scam about windows certificate?
On 10/10/2019 16:06, Rene Lamontagne, known old geezer, wrote:
I'm not paranoid,

You might not be paranoid but you could be very stupid. The OP decided to make fun of everybody here by posting something that may not have happened or something he might have read or viewed on TV. Nobody can be that stupid in 2019 to allow any Tom, Dick, and Harry to install something on their machine remotely. Not even a 90 year old geriatric from NHS hospital. In fact you just proved my point. You are very old and in your last few months alive and yet you won't allow anything to remain on the machine. This guy, Terry Pinnell, is a known troll who posts rubbish from time to time to waste everybody's time here.

-- With over 1,000,000 million devices now running Windows 10, customer satisfaction is higher than any previous version of Windows.
#43
Sophisticated scam about windows certificate?
Terry Pinnell wrote:
I also meant to include the Skype log which I believe is implicated. https://www.dropbox.com/s/mkettfkjzv...ack-1.txt?dl=0 Terry, East Grinstead, UK
#44
Sophisticated scam about windows certificate?
On 09/10/2019 22.22, Ken Blake wrote:
On Wed, 09 Oct 2019 20:09:03 +0100, Terry Pinnell wrote:
....

Two points:
1. You should never *delete* a program. You should uninstall it.
2. There's no reason to get rid of TeamViewer. It's an excellent program to have. It lets you help other people and it lets you get help from people you know and trust. Just don't give access to it on your computer to scammers who telephone you.

But this installation is suspect.

-- Cheers, Carlos.
#45
Sophisticated scam about windows certificate?
On 10/10/2019 17.06, Rene Lamontagne wrote:
On 2019-10-10 9:51 a.m., Char Jackson wrote:
On Thu, 10 Oct 2019 08:22:45 +0100, Terry Pinnell wrote:
They're certainly persistent! This morning I received the following reply, followed by yet another phone call for a last ditch attempt to clinch the sale.
--------------------
"Good Morning Mr. Pinnel, I just like to inform you that we are a legitimate company. Without your permission we cannot control your device because if we need to control your computer, we have to call you to run TeamViewer software, when you will share your Teamviewer ID & Password with us, then only it is possible for us to control your device with your permission. This is the way of a genuine company. But the trouble is those hackers, they don't need your permission to control your device. Any time they can control it, even without your knowledge. As we installed Security, Software & Services yesterday on your Network through your device, those hackers they cannot stop your device now. But the trouble is, they can access your all of the devices including your iPad & iPhone and all of your personal accounts and all the password also.
SNIP

Here's the line from above that jumps out at me: "As we installed Security, Software & Services yesterday on your Network through your device..." They installed software on your PC? That would be a red flag to me. I don't think I would trust that PC at this point.

I'm not paranoid, but if that was my machine it would be wiped clean in a minute and a new bare metal installation of Windows would be done with all new passwords and all.

Certainly.

-- Cheers, Carlos.