A Windows XP help forum. PCbanter

Sophisticated scam about windows certificate?



 
 
  #31  
Old October 10th 19, 08:37 AM posted to alt.comp.os.windows-10
Andy Burns[_6_]
external usenet poster
 
Posts: 1,318
Default Sophisticated scam about windows certificate?

Terry Pinnell wrote:

Still no idea how they got in initially.


Does your browser download history show anything?

how they displayed the initial pop-up window that grabbed my
attention is beyond my technical grasp.


Pop-up within the browser designed to look like an actual windows dialogue?
  #32  
Old October 10th 19, 09:09 AM posted to alt.comp.os.windows-10
Paul[_32_]

Terry Pinnell wrote:
Paul wrote:

Terry Pinnell wrote:
Andy Burns wrote:

Terry Pinnell wrote:

He was using a service called TeamViewer
You are 100% certainly being targeted by scammers, do not even speak to
them if they call back.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
Entry =
\Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
Looks like someone (could be you previously legitimately, or someone
tricked you or exploited a remote execution) *HAS* run teamviewer on the PC.

search that users\terry\appdata folder for teamviewer.exe

if you find it, delete it ...

download "autoruns" directly from microsoft (not from anywhere else)

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

select the "everything" tab and filter for "team", do you see anything?



Thanks Andy. You're right. On my entire PC (all internal and external drives)
there's just that one copy, namely
C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

I'd say it must have got installed during the call, except for that apparent
TeamViewer window appearing at its very start.

There are many files in that folder. Although it presumably gets deleted
automatically (when?) maybe I should go ahead and do so straight away?

No entries in Autoruns.

I'm also about to delete the six registry entries I listed earlier. Any idea how to
decode that Start and Stop number, as I'm guessing it's a Date/Time, and during the
call, but would like to pin it down. Here it is again:
Start 0x 1d57e80e49c7d73 (132150856133672307)
Stop is strangely identical. I'd have expected a small difference if I'm right about
it being a date/time.


Terry

https://support.microsoft.com/en-ca/...rating-systems

S-1-5-21 is the start of an Administrator account 500 key

like S-1-5-21-xxxxxxxxx-yyyyyyyyy-zzzzzzzzzz-500

*******

0x 1d57e80e49c7d73 (132150856133672307)

I can use filetime.exe on that. There's probably an
assumption of an NTFS-style timestamp in this.

1D57E80 E49C7D73
10/09/2019 05:06:53.367

snip

Thanks Paul.

I'll leave those registry entries then.

Neat forensics with that code! Assuming 10/09/2019 is US format (9th Oct, not 10th
Sep) that's definitely today then. Without a timezone it's not possible to pin down
the time. I'm guessing it was some point during the call which I think was roughly
10:00 to 11:15 UK BST. India would be about 4 hours *ahead*, but 05:06 implies USA,
say 6 hours behind. Puzzling, as both guys on the call were Indian. (The first
claimed to be in Texas, but I assumed that was to support his claim to be working
for 'Google Security Services'!)

Terry


The time is likely to be five hours difference, or

1D57E80 E49C7D73
10/09/2019 10:06:53.367 BST

which would be early in your call (seven minutes into the call).

I took a look at how difficult it would be to add timezone
juggling to my little program, and it's a bit too hard to
do in C code. I would have to change languages to make
it look easy to do.

One other thing you could try, for fun, is to use
Agent Ransack to do a file search of C: , enter nothing in
the filename box or the "containing text" box, then
do a search, then sort by date when it finishes.
Then, scroll down to the time in question, to see
what file(s) were getting updated at that time.

Paul
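Paul's decoding of the BAM "Start" value above can be reproduced, timezone conversion included, in a few lines of Python. This is an added example for the thread, not Paul's filetime.exe and not anything posted by the participants; the function names, the fixed-offset fallback and the choice of Europe/London are mine. It accepts the value in the forms the thread prints (0x-prefixed hex, hex split by a space, or the decimal in brackets) and as a raw little-endian 8-byte registry blob, converts to UTC and to London time, and checks whether the timestamp lies inside the 10:00 to 11:15 call window Terry gives. The raw value decodes to 09:06:53.367 UTC on 9 October 2019, which is 10:06:53 BST, agreeing with Paul's corrected figure; the 05:06:53 in his first output is the same instant rendered four hours behind UTC, presumably the local zone filetime.exe was run in (an assumption on my part). That BAM stores the FILETIME in the leading 8 bytes of each UserSettings value is also my reading of the format rather than something the thread states.

```python
"""Decode a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) such as the
BAM 'Start' value quoted in the thread, and place it in a local call window.
Added example; function names and value handling are my own choices."""
from datetime import datetime, timedelta, timezone
import struct

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The value exactly as Terry pasted it from the registry.
THREAD_START_VALUE = "0x 1d57e80e49c7d73"


def london_tz():
    """Europe/London (BST = UTC+1 in October 2019). zoneinfo needs tz data on
    the host; if it is missing, fall back to a fixed +1 offset (assumption:
    the timestamps of interest fall inside British Summer Time)."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo("Europe/London")
    except Exception:
        return timezone(timedelta(hours=1), "BST")


def parse_filetime_text(text):
    """Accept the forms seen in the thread: '0x 1d57e80e49c7d73',
    '1D57E80 E49C7D73' (hex split by a space) or the decimal
    '132150856133672307'. A digit-only string is treated as decimal,
    matching how the bracketed value was posted."""
    s = "".join(text.split())
    if s.lower().startswith("0x"):
        return int(s[2:], 16)
    if s.isdigit():
        return int(s, 10)
    return int(s, 16)


def filetime_from_registry_bytes(blob):
    """Registry binary data is little-endian; the first 8 bytes of a BAM
    UserSettings value hold the FILETIME (assumption about the format)."""
    return struct.unpack_from("<Q", blob, 0)[0]


def filetime_to_utc(ft):
    """Convert ticks to an aware UTC datetime. Python keeps microseconds,
    so the last decimal digit (hundreds of nanoseconds) is dropped."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc for any timezone-aware datetime."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000
    return ticks + delta.microseconds * 10


def decode_local(text, tz=None):
    """Return (utc_datetime, local_datetime) for a pasted registry value."""
    utc = filetime_to_utc(parse_filetime_text(text))
    return utc, utc.astimezone(tz or london_tz())


def in_local_window(ft, start_hm, end_hm, date=(2019, 10, 9), tz=None):
    """True when the FILETIME lies inside [start, end] on the given local
    date. Defaults to the 9 October 2019 call; times are (hour, minute)."""
    tz = tz or london_tz()
    start = datetime(*date, *start_hm, tzinfo=tz)
    end = datetime(*date, *end_hm, tzinfo=tz)
    return utc_to_filetime(start) <= ft <= utc_to_filetime(end)


if __name__ == "__main__":
    ft = parse_filetime_text(THREAD_START_VALUE)
    utc, local = decode_local(THREAD_START_VALUE)
    print(f"{ft} -> {utc:%Y-%m-%d %H:%M:%S.%f} UTC"
          f" -> {local:%Y-%m-%d %H:%M:%S.%f %Z}")
    print("inside 10:00-11:15 call window:", in_local_window(ft, (10, 0), (11, 15)))
    # Constructed 24-byte blob of the shape BAM stores: FILETIME first, then padding.
    blob = struct.pack("<Q", ft) + bytes(16)
    print("round trip from registry bytes:", filetime_from_registry_bytes(blob) == ft)
```

The same arithmetic gives the FILETIME bounds of any window, so a timeline tool that exposes raw timestamps can be filtered to the call period directly rather than by scrolling to the right date after sorting.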
  #33  
Old October 10th 19, 09:15 AM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]

Terry Pinnell wrote:

Andy Burns wrote:

Terry Pinnell wrote:

Andy Burns wrote:

Did they ask you to visit a web page? or send you an email with a link?

Yes, "their company" site


what browser did you use?


Waterfox

How up to date are you with windows updates?


Fully, according to Settings. Currently Version 1903 (OS Build 18362.388)


And after the WU that ran this morning: 1903 (OS Build 18362.418)
  #34  
Old October 10th 19, 12:57 PM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]

Paul wrote:

Terry Pinnell wrote:
Paul wrote:

Terry Pinnell wrote:
Andy Burns wrote:

Terry Pinnell wrote:

He was using a service called TeamViewer
You are 100% certainly being targeted by scammers, do not even speak to
them if they call back.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
Entry =
\Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
Looks like someone (could be you previously legitimately, or someone
tricked you or exploited a remote execution) *HAS* run teamviewer on the PC.

search that users\terry\appdata folder for teamviewer.exe

if you find it, delete it ...

download "autoruns" directly from microsoft (not from anywhere else)

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

select the "everything" tab and filter for "team", do you see anything?



Thanks Andy. You're right. On my entire PC (all internal and external drives)
there's just that one copy, namely
C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

I'd say it must have got installed during the call, except for that apparent
TeamViewer window appearing at its very start.

There are many files in that folder. Although it presumably gets deleted
automatically (when?) maybe I should go ahead and do so straight away?

No entries in Autoruns.

I'm also about to delete the six registry entries I listed earlier. Any idea how to
decode that Start and Stop number, as I'm guessing it's a Date/Time, and during the
call, but would like to pin it down. Here it is again:
Start 0x 1d57e80e49c7d73 (132150856133672307)
Stop is strangely identical. I'd have expected a small difference if I'm right about
it being a date/time.


Terry

https://support.microsoft.com/en-ca/...rating-systems

S-1-5-21 is the start of an Administrator account 500 key

like S-1-5-21-xxxxxxxxx-yyyyyyyyy-zzzzzzzzzz-500

*******

0x 1d57e80e49c7d73 (132150856133672307)

I can use filetime.exe on that. There's probably an
assumption of an NTFS-style timestamp in this.

1D57E80 E49C7D73
10/09/2019 05:06:53.367

snip

Thanks Paul.

I'll leave those registry entries then.

Neat forensics with that code! Assuming 10/09/2019 is US format (9th Oct, not 10th
Sep) that's definitely today then. Without a timezone it's not possible to pin down
the time. I'm guessing it was some point during the call which I think was roughly
10:00 to 11:15 UK BST. India would be about 4 hours *ahead*, but 05:06 implies USA,
say 6 hours behind. Puzzling, as both guys on the call were Indian. (The first
claimed to be in Texas, but I assumed that was to support his claim to be working
for 'Google Security Services'!)

Terry


The time is likely to be five hours difference, or

1D57E80 E49C7D73
10/09/2019 10:06:53.367 BST

which would be early in your call (seven minutes into the call).

I took a look at how difficult it would be to add timezone
juggling to my little program, and it's a bit too hard to
do in C code. I would have to change languages to make
it look easy to do.

One other thing you could try, for fun, is to use
Agent Ransack to do a file search of C: , enter nothing in
the filename box or the "containing text" box, then
do a search, then sort by date when it finishes.
Then, scroll down to the time in question, to see
what file(s) were getting updated at that time.

Paul



I was thinking of trying something similar with Everything but your Ransack did a
great job, thanks a bunch Paul. Not 'fun' though ;-)
I got nearly 818k hits (restricted to C) much faster than I'd expected.
(BTW, assuming you use both tools, do you have a preference?)

Here's an overview:
https://www.dropbox.com/s/qgb41t917y...kHits.jpg?dl=0

Here's that web page they pulled up. In which I regrettably then allowed the session
to continue ;-(
are the two obviously relevant files.
https://gs29.weebly.com/

And here's the all important TeamViewer log.
https://www.dropbox.com/s/cvzrgdy80u...gfile.log?dl=0

But most of the 300 or so hits within the phone call period of approx 10:00-11:15 on
9th October were binaries. The snippets of readable text I could see with my hex
editor meant little to me. Some are surely relevant but they are so inaccessible. I
have uploaded one arbitrary example and if you think it worthwhile after a cursory
look I could upload others.
https://www.dropbox.com/s/3x4wvqmcpm...B0312459A?dl=0

Perhaps I'm being over-optimistic. But from the email reply I had this morning
(posted here earlier) plus the phone call, I have a feeling that no malicious
further hacking was done during the session. The focus was on getting me to buy.
That log seems to include a couple of screen grabs but I can't interpret much of the
rest.

If my optimism about the scammer is justified, it still leaves the question of just
how badly hacked my PC is. That was the basis of their attempted scam.

I also looked at Event Viewer but that was so daunting I closed it again fairly
quickly!

Terry
  #35  
Old October 10th 19, 01:33 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]

Terry Pinnell wrote:

Here's that web page they pulled up. In which I regrettably then allowed the session
to continue ;-(


Yes, that would explain it. It's not my job to "tell you off" as such,
and you've probably wised-up a bit but really you need to see the signs
more clearly ...

Why would google care whether your machine had been hacked?
why would they call you from texas then ask you to speak to india?
Have you ever had to pay for a certificate before? No, so why would you
need to renew it all of a sudden?
would google use a free weebly hosted website with a dodgy hostname?
would you trust such an amateurish looking website? You know not to
download and run random .exe files, surely?

Luckily you stopped short of paying them, the short advice is it's
ALWAYS a scam, never stop to consider whether it might be valid, just
shout "**** off" at them and hang up ...
  #36  
Old October 10th 19, 02:44 PM posted to alt.comp.os.windows-10
Mayayana

"Terry Pinnell" wrote


| Looks like the scam hasn't changed much in three years:
|
| https://community.teamviewer.com/t5/...mmers/td-p/682
|

Yes, but I think there are two issues there. One is the
phone call. That happened to the woman I live with, where
she saw a convincing popup on a webpage that told her
she was infected and gave a phone number to call. My
brother was called cold and asked to download a fix,
which he did, and that was a remote control program. The
caller was telling him he was behind on payments for his
Windows license. They moved things around on the Desktop
to show him that they were really Microsoft and had control.

But you said a teamviewer window popped up. If that's
really true, and not just a facsimile created through your
browser, then it's possible there was a hack. (Look up
teamviewer hacks.) Maybe they somehow got your
credentials, for instance. And how did you get TeamViewer?
You didn't seem to know. Is it possible they tricked you
into installing it? There have also been problems in the past
with corrupt TeamViewer installers.

After looking around I'm not so sure that TV uses Remote
Desktop Protocol (RDP). So it may be something like a
browser type of program that uses its own remote server
connection.

Whatever it is, if you don't actually need it there's no
reason to have it. People don't realize how risky it is to use
these things. If you do need it you should use it on something
like a laptop that you only use for that purpose. Anyone
who wants to be able to use their home computer from
a hotel room is basically missing the concept. Any tech support
person who tells you that you have to install it is basically
putting you at risk so they can avoid house calls.

So for safety, remove any such software. Avoid similar things
like Skype, if possible. Disable most services that start with "Remote".
(But not remote procedure call. Disabling that will break everything.
Microsoft have, unfortunately, linked it into the system.) If you're
not on a home network you should be able to disable services like Server,
Workstation, Remote Desktop Helper, Remote Registry (!), NetMeeting,
COM+, SSDP Discovery, and so on. Those services are designed
for use within a safe network. Running them on standalone machines
is mixing oil and water. Ideally you should also have a firewall that
blocks anything in or out that you didn't specifically enable. Though
I don't know if Win10 will allow you to do that.

In short, it shouldn't be possible for anything to access your system
remotely and it shouldn't be possible for anything not explicitly
approved to call out. It's bad enough that people allow script in the
browser, but
at least those hacks are running on your system and any attack is
related to weaknesses like cross-site scripting. In a sense you
voluntarily download and run the malware. With remote services
you're dealing with another kind of risk: living in a slum with no lock
on your door.

Something else you might find interesting:

https://www.grc.com/shieldsup

I haven't used it for years but it used to have a method to
test exposed ports. You should not have anything listening on
any port that will respond to an incoming request. That's partly
why things like TeamViewer are so risky. It's intranet design on
the public Internet. If you "answer the door" then they only
need to find a weakness.



  #37  
Old October 10th 19, 02:54 PM posted to alt.comp.os.windows-10
😉 Good Guy 😉

On 10/10/2019 12:57, Terry Pinnell wrote:
https://gs29.weebly.com/


CAN YOU TAKE THIS CRAP TO LINUX NEWSGROUP. WE DON'T DEAL WITH NUTTERS
ON WINDOWS 10 NEWSGROUP.

IN FUTURE PLEASE POST ALL YOUR QUERIES TO LINUX NEWSGROUP AS THEY ARE
BETTER PLACED TO ADVISE YOU ON YOUR MENTAL PROBLEMS.

YOU POST A GMAIL EMAIL ADDRESS AND NOW YOU ARE POSTING A WEEBLY WEBSITE
ADDRESS. CLEARLY, YOU NEED YOUR BRAIN EXAMINED BY YOUR MEDICAL DOCTOR.

HAVE YOU STOPPED TAKING YOUR PRESCRIPTION DRUGS?

--
With over 1,000,000 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.

  #38  
Old October 10th 19, 02:57 PM posted to alt.comp.os.windows-10
Weatherman

😉 Good Guy 😉 wrote:
On 10/10/2019 12:57, Terry Pinnell wrote:
https://gs29.weebly.com/


CAN YOU TAKE THIS CRAP TO LINUX NEWSGROUP. WE DON'T DEAL WITH NUTTERS
ON WINDOWS 10 NEWSGROUP.

IN FUTURE PLEASE POST ALL YOUR QUERIES TO LINUX NEWSGROUP AS THEY ARE
BETTER PLACED TO ADVISE YOU ON YOUR MENTAL PROBLEMS.

YOU POST A GMAIL EMAIL ADDRESS AND NOW YOU ARE POSTING A WEEBLY WEBSITE
ADDRESS. CLEARLY, YOU NEED YOUR BRAIN EXAMINED BY YOUR MEDICAL DOCTOR.

HAVE YOU STOPPED TAKING YOUR PRESCRIPTION DRUGS?

Translation: "Good" Guy is too stupid to use Linux.
  #39  
Old October 10th 19, 03:51 PM posted to alt.comp.os.windows-10
Char Jackson

On Thu, 10 Oct 2019 08:22:45 +0100, Terry Pinnell
wrote:

They're certainly persistent! This morning I received the following reply, followed
by yet another phone call for a last ditch attempt to clinch the sale.
--------------------
"Good Morning Mr. Pinnel,

I just like to inform you that we are a legitimate company. Without your
permission we cannot control your device because if we need to control your
computer, we have to call you to run TeamViewer software, when you will
share your Teamviewer ID & Password with us, then only it is possible for
us to control your device with your permission. This is the way of a
genuine company.
But the trouble is those hackers, they don't need your permission to
control your device. Any time they can control it, even without your
knowledge.

As we installed Security, Software & Services yesterday on your Network
through your device, those hackers they cannot stop your device now. But
the trouble is, they can access your all of the devices including your iPad
& iPhone and all of your personal accounts and all the password also.

SNIP

Here's the line from above that jumps out at me:
"As we installed Security, Software & Services yesterday on your Network
through your device..."


They installed software on your PC? That would be a red flag to me. I don't
think I would trust that PC at this point.


  #40  
Old October 10th 19, 04:02 PM posted to alt.comp.os.windows-10
Char Jackson

On Thu, 10 Oct 2019 12:57:24 +0100, Terry Pinnell
wrote:

Perhaps I'm being over-optimistic. But from the email reply I had this morning
(posted here earlier) plus the phone call, I have a feeling that no malicious
further hacking was done during the session.


Well, they claimed to have installed something on your PC, so there's that.

  #41  
Old October 10th 19, 04:06 PM posted to alt.comp.os.windows-10
Rene Lamontagne

On 2019-10-10 9:51 a.m., Char Jackson wrote:
On Thu, 10 Oct 2019 08:22:45 +0100, Terry Pinnell
wrote:

They're certainly persistent! This morning I received the following reply, followed
by yet another phone call for a last ditch attempt to clinch the sale.
--------------------
"Good Morning Mr. Pinnel,

I just like to inform you that we are a legitimate company. Without your
permission we cannot control your device because if we need to control your
computer, we have to call you to run TeamViewer software, when you will
share your Teamviewer ID & Password with us, then only it is possible for
us to control your device with your permission. This is the way of a
genuine company.
But the trouble is those hackers, they don't need your permission to
control your device. Any time they can control it, even without your
knowledge.

As we installed Security, Software & Services yesterday on your Network
through your device, those hackers they cannot stop your device now. But
the trouble is, they can access your all of the devices including your iPad
& iPhone and all of your personal accounts and all the password also.

SNIP

Here's the line from above that jumps out at me:
"As we installed Security, Software & Services yesterday on your Network
through your device..."


They installed software on your PC? That would be a red flag to me. I don't
think I would trust that PC at this point.



I'm not paranoid, But If that was my machine It would be wiped clean in
a minute and a new bare metal installation of Windows would be done
with all new passwords and all.

Rene



  #42  
Old October 10th 19, 04:25 PM posted to alt.comp.os.windows-10
😉 Good Guy 😉

On 10/10/2019 16:06, Rene Lamontagne, known old geezer, wrote:



I'm not paranoid,


You might not be paranoid but you could be very stupid. The OP decided
to make fun of everybody here by posting something that may not have
happened or something he might have read or viewed on TV. Nobody can be
that stupid in 2019 to allow any Tom, Dick, and Harry to install
something on their machine remotely. Not even a 90 year old geriatric
from NHS hospital. In fact you just proved my point. You are very old
and in your last few months alive and yet you won't allow anything to
remain on the machine.

This guy, Terry Pinnell, is a known troll who posts rubbish from time to
time to waste everybody's time here.

--
With over 1,000,000 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.

  #43  
Old October 10th 19, 08:59 PM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]

Terry Pinnell wrote:
I also meant to include the Skype log which I believe is implicated.
https://www.dropbox.com/s/mkettfkjzv...ack-1.txt?dl=0

Terry, East Grinstead, UK
  #44  
Old October 11th 19, 02:59 AM posted to alt.comp.os.windows-10
Carlos E.R.[_3_]

On 09/10/2019 22.22, Ken Blake wrote:
On Wed, 09 Oct 2019 20:09:03 +0100, Terry Pinnell
wrote:


....



Two points:

1. You should never *delete* a program. You should uninstall it.

2. There's no reason to get rid of TeamViewer. It's an excellent
program to have. It lets you help other people and it lets you get
help from people you know and trust. Just don't give access to it on
your computer to scammers who telephone you.


But this installation is suspect.

--
Cheers, Carlos.
  #45  
Old October 11th 19, 03:02 AM posted to alt.comp.os.windows-10
Carlos E.R.[_3_]

On 10/10/2019 17.06, Rene Lamontagne wrote:
On 2019-10-10 9:51 a.m., Char Jackson wrote:
On Thu, 10 Oct 2019 08:22:45 +0100, Terry Pinnell
wrote:

They're certainly persistent! This morning I received the following
reply, followed
by yet another phone call for a last ditch attempt to clinch the sale.
--------------------
"Good Morning Mr. Pinnel,

I just like to inform you that we are a legitimate company. Without your
permission we cannot control your device because if we need to
control your
computer, we have to call you to run TeamViewer software, when you will
share your Teamviewer ID & Password with us, then only it is possible
for
us to control your device with your permission. This is the way of a
genuine company.
But the trouble is those hackers, they don't need your permission to
control your device. Any time they can control it, even without your
knowledge.

As we installed Security, Software & Services yesterday on your Network
through your device, those hackers they cannot stop your device now. But
the trouble is, they can access your all of the devices including
your iPad
& iPhone and all of your personal accounts and all the password also.

SNIP

Here's the line from above that jumps out at me:
"As we installed Security, Software & Services yesterday on your Network
through your device..."


They installed software on your PC? That would be a red flag to me. I
don't
think I would trust that PC at this point.



I'm not paranoid, But If that was my machine It would be wiped clean in
a minute and a new bare metal installation of Windows would be done
with all new passwords and all.


Certainly.


--
Cheers, Carlos.
 




All times are GMT +1.
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.