#46
Sophisticated scam about windows certificate?
On 10/10/2019 21.59, Terry Pinnell wrote:
> Terry Pinnell wrote:
>
> I also meant to include the Skype log which I believe is implicated.
> https://www.dropbox.com/s/mkettfkjzv...ack-1.txt?dl=0

Skype? Well, that's how they got your IP address.

-- 
Cheers, Carlos.
#47
Sophisticated scam about windows certificate?
On 09/10/2019 20.52, Terry Pinnell wrote:
> Meanwhile I've requested a Mastercard change, which is a PITA as so much else depends on it.

Why, did you give its number to them?

-- 
Cheers, Carlos.
#48
Sophisticated scam about windows certificate?
Terry Pinnell wrote:
> Paul wrote:
>> Terry Pinnell wrote:
>>> Paul wrote:
>>>> Terry Pinnell wrote:
>>>>> Andy Burns wrote:
>>>>>> Terry Pinnell wrote:
>>>>>>> He was using a service called TeamViewer
>>>>>>
>>>>>> You are 100% certainly being targeted by scammers, do not even speak to them if they call back.
>>>>>>
>>>>>> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
>>>>>> Entry = \Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
>>>>>>
>>>>>> Looks like someone (could be you previously legitimately, or someone tricked you or exploited a remote execution) *HAS* run teamviewer on the PC.
>>>>>>
>>>>>> search that users\terry\appdata folder for teamviewer.exe
>>>>>> if you find it, delete it ...
>>>>>> download "autoruns" directly from microsoft (not from anywhere else)
>>>>>> https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
>>>>>> select the "everything" tab and filter for "team", do you see anything?
>>>>>
>>>>> Thanks Andy. You're right. On my entire PC (all internal and external drives) there's just that one copy, namely
>>>>> C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
>>>>>
>>>>> I'd say it must have got installed during the call, except for that apparent TeamViewer window appearing at its very start. There are many files in that folder. Although it presumably gets deleted automatically (when?) maybe I should go ahead and do so straight away?
>>>>>
>>>>> No entries in Autoruns.
>>>>>
>>>>> I'm also about to delete the six registry entries I listed earlier.
>>>>>
>>>>> Any idea how to decode that Start and Stop number, as I'm guessing it's a Date/Time, and during the call, but would like to pin it down. Here it is again:
>>>>> Start 0x 1d57e80e49c7d73 (132150856133672307)
>>>>> Stop is strangely identical. I'd have expected a small difference if I'm right about it being a date/time.
>>>>>
>>>>> Terry
>>>>
>>>> https://support.microsoft.com/en-ca/...rating-systems
>>>>
>>>> S-1-5-21 is the start of an Administrator account 500 key like
>>>> S-1-5-21-xxxxxxxxx-yyyyyyyyy-zzzzzzzzzz-500
>>>>
>>>> *******
>>>>
>>>> 0x 1d57e80e49c7d73 (132150856133672307)
>>>>
>>>> I can use filetime.exe on that. There's probably an assumption of an NTFS-style timestamp in this.
>>>>
>>>> 1D57E80 E49C7D73 10/09/2019 05:06:53.367
>>>>
>>>> snip
>>>
>>> Thanks Paul. I'll leave those registry entries then. Neat forensics with that code!
>>>
>>> Assuming 10/09/2019 is US format (9th Oct, not 10th Sep) that's definitely today then. Without a timezone it's not possible to pin down the time. I'm guessing it was some point during the call which I think was roughly 10:00 to 11:15 UK BST. India would be about 4 hours *ahead*, but 05:06 implies USA, say 6 hours behind. Puzzling, as both guys on the call were Indian. (The first claimed to be in Texas, but I assumed that was to support his claim to be working for 'Google Security Services'!)
>>>
>>> Terry
>>
>> The time is likely to be five hours difference, or
>> 1D57E80 E49C7D73 10/09/2019 10:06:53.367 BST
>> which would be early in your call (seven minutes into the call).
>>
>> I took a look at how difficult it would be to add timezone juggling to my little program, and it's a bit too hard to do in C code. I would have to change languages to make it look easy to do.
>>
>> One other thing you could try, for fun, is to use Agent Ransack to do a file search of C: , enter nothing in the filename box or the "containing text" box, then do a search, then sort by date when it finishes. Then, scroll down to the time in question, to see what file(s) were getting updated at that time.
>>
>> Paul
>
> I was thinking of trying something similar with Everything but your Ransack did a great job, thanks a bunch Paul. Not 'fun' though ;-)
>
> I got nearly 818k hits (restricted to C:) much faster than I'd expected. (BTW, assuming you use both tools, do you have a preference?)
>
> Here's an overview:
> https://www.dropbox.com/s/qgb41t917y...kHits.jpg?dl=0
>
> Here's that web page they pulled up. In which I regrettably then allowed the session to continue ;-( are the two obviously relevant files.
> https://gs29.weebly.com/
>
> And here's the all important TeamViewer log.
> https://www.dropbox.com/s/cvzrgdy80u...gfile.log?dl=0
>
> But most of the 300 or so hits within the phone call period of approx 10:00-11:15 on 9th October were binaries. The snippets of readable text I could see with my hex editor meant little to me. Some are surely relevant but they are so inaccessible. I have uploaded one arbitrary example and if you think it worthwhile after a cursory look I could upload others.
> https://www.dropbox.com/s/3x4wvqmcpm...B0312459A?dl=0
>
> Perhaps I'm being over-optimistic. But from the email reply I had this morning (posted here earlier) plus the phone call, I have a feeling that no malicious further hacking was done during the session. The focus was on getting me to buy. That log seems to include a couple of screen grabs but I can't interpret much of the rest.
>
> If my optimism about the scammer is justified, it still leaves the question of just how badly hacked my PC is. That was the basis of their attempted scam.
>
> I also looked at Event Viewer but that was so daunting I closed it again fairly quickly!
>
> Terry

Paul,

Did you take a look at my carefully prepared feedback after following up your helpful suggestion please? I was hoping to get some insight into two things:

1. Does Skype appear to be the means by which the scammer gained access and displayed an attention-grabbing window on my screen from the outset?

2. From the TeamViewer log, is it possible to reach any conclusions on what, if any, damage might have been done during that TeamViewer session? Based on objective forensics rather than worst-case speculation..

Terry
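The BAM record and the 0x1d57e80e49c7d73 value quoted above are decoded in the thread with Paul's filetime.exe, which he says cannot easily juggle time zones in C. The following is an added example, not code from the thread and not Paul's program: it decodes that same FILETIME in Python, prints it in the zones the thread argues about (UTC, BST, the UTC-4 reading Paul's tool gave, and India), and pulls the account RID out of the BAM key path. The SID and the raw value bytes are constructed for illustration because the real SID is masked in the thread; the FILETIME is the one Terry posted. Treating the first 8 bytes of the BAM value as a single last-execution FILETIME is also why a viewer labelling that one number "Start" and "Stop" shows them identical.

```python
"""Decode a Windows BAM (Background Activity Moderator) record.
Added example: the FILETIME is the one quoted in the thread; the SID and the
raw value bytes below are constructed for illustration."""
import re
import struct
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Fixed offsets for the zones discussed in the thread. No DST rules are applied:
# on 9 Oct 2019 the UK was on BST (UTC+1); the "05:06:53" reading in the thread
# is UTC-4 (EDT); India is UTC+5:30 all year.
ZONES = {
    "UTC": timezone.utc,
    "BST": timezone(timedelta(hours=1), "BST"),
    "EDT": timezone(timedelta(hours=-4), "EDT"),
    "IST": timezone(timedelta(hours=5, minutes=30), "IST"),
}


def filetime_to_utc(ft: int) -> datetime:
    """Convert an unsigned 64-bit FILETIME to an aware UTC datetime."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME must fit in 64 bits")
    # Integer division by 10 turns 100 ns ticks into microseconds without float loss.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_in(ft: int, zone: str) -> datetime:
    """The same instant expressed in one of the zones above."""
    return filetime_to_utc(ft).astimezone(ZONES[zone])


# Domain/local account SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; the trailing RID
# names the account (500 = built-in Administrator, 1000 and up = created users).
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")


def parse_bam_entry(key_path: str, value_name: str, value_data: bytes) -> dict:
    """
    key_path   - registry key whose last component is the user's SID
    value_name - executable path as BAM stores it (\\Device\\HarddiskVolumeN\\...)
    value_data - raw REG_BINARY data; the first 8 bytes are a little-endian
                 FILETIME of the program's last execution
    """
    sid = key_path.rsplit("\\", 1)[-1]
    m = SID_RE.fullmatch(sid)
    if not m:
        raise ValueError(f"not a local/domain account SID: {sid!r}")
    if len(value_data) < 8:
        raise ValueError("BAM value data too short to hold a FILETIME")
    (ft,) = struct.unpack_from("<Q", value_data, 0)
    rid = int(m.group(1))
    return {
        "sid": sid,
        "rid": rid,
        "is_builtin_admin": rid == 500,
        "path": value_name,
        "last_run_filetime": ft,
        "last_run_utc": filetime_to_utc(ft),
        "last_run_bst": filetime_in(ft, "BST"),
    }


# --- constructed sample (the real SID is masked in the thread) ---
SAMPLE_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State"
              r"\UserSettings\S-1-5-21-1111111111-2222222222-3333333333-1001")
SAMPLE_VALUE_NAME = r"\Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe"
SAMPLE_FILETIME = 0x01D57E80E49C7D73                         # value quoted in the thread
SAMPLE_DATA = struct.pack("<Q", SAMPLE_FILETIME) + bytes(16)  # FILETIME followed by padding

if __name__ == "__main__":
    entry = parse_bam_entry(SAMPLE_KEY, SAMPLE_VALUE_NAME, SAMPLE_DATA)
    print(f"{entry['path']}  (RID {entry['rid']}, builtin admin: {entry['is_builtin_admin']})")
    for zone in ("UTC", "BST", "EDT", "IST"):
        print(f"  last run {zone}: {filetime_in(SAMPLE_FILETIME, zone):%Y-%m-%d %H:%M:%S.%f}")
```

Run as a script it prints 09:06:53.367230 UTC, 10:06:53 BST, 05:06:53 EDT and 14:36:53 IST, which settles the puzzle in the thread: the 05:06 figure is the same instant rendered in a North American zone, and in UK time the program last ran about seven minutes into the 10:00 call.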
#49
Sophisticated scam about windows certificate?
Terry Pinnell wrote:
> [...]
>
> Paul,
>
> Did you take a look at my carefully prepared feedback after following up your helpful suggestion please? I was hoping to get some insight into two things:
>
> 1. Does Skype appear to be the means by which the scammer gained access and displayed an attention-grabbing window on my screen from the outset?
>
> 2. From the TeamViewer log, is it possible to reach any conclusions on what, if any, damage might have been done during that TeamViewer session? Based on objective forensics rather than worst-case speculation..
>
> Terry

I looked at the Skype log, and did not see anything suspicious. You expect to see Skype activity, every time the computer is booted. In that sense, these logs contain a "lot of noise" and not a lot of signal.

As for the TeamViewer, either it was a legit copy of TeamViewer, or it was a fake of some sort. Or, it's covering for the real attack mechanism. But I can't tell from here, whether or how that TeamViewer got on the machine. They did manage to pop up a browser window. But we don't know what else they did. There's no way to guess at their capability level. (Which is why some respondents gave a "nuke and pave" answer.)

While we suspect the scammers weren't interested in making a nuisance of themselves, and were only after "easy money" via the certificate scam, can we sleep comfortably not really knowing their whole motivation ?

Normally, these people are employees in a larger operation, and just earn a salary doing this stuff. It wouldn't be normal for two guys in their mom's basement, to be idly hacking people like yourself, and those kinds of people would be much more of a worry. The only time the salaried employees cause a problem, is if you get into a cursing match with them. That's when you find out what capabilities they've got...

Paul
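Paul's Agent Ransack suggestion, quoted in the two posts above (search C: with nothing in the boxes, sort by date, scroll to the call window), is a filesystem timeline by modification time. The following is an added example, not code from the thread and not Agent Ransack or Everything: it walks a directory tree and returns the files whose modification time falls inside a window given in BST, sorted oldest first, which is the programmatic form of "scroll down to the time in question". The sample tree, its file names and its timestamps are constructed in a temporary directory for the demo; nothing here comes from Terry's machine.

```python
"""Filesystem timeline for a time window. Added example; the tree built by
build_demo_tree() is constructed in a temporary directory for illustration."""
import os
import tempfile
from datetime import datetime, timedelta, timezone

BST = timezone(timedelta(hours=1), "BST")

# Call window Terry gives in the thread: roughly 10:00-11:15 UK BST on 9 Oct 2019.
CALL_START = datetime(2019, 10, 9, 10, 0, tzinfo=BST)
CALL_END = datetime(2019, 10, 9, 11, 15, tzinfo=BST)


def files_modified_between(root: str, start: datetime, end: datetime):
    """Return [(mtime_utc, path)] for files under root whose modification time
    lies in [start, end], oldest first. Bounds must be timezone-aware so that a
    window typed in local time is compared correctly against epoch mtimes."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("window bounds must be timezone-aware")
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:          # vanished or unreadable: skip, do not abort the walk
                continue
            if lo <= st.st_mtime <= hi:
                hits.append((datetime.fromtimestamp(st.st_mtime, timezone.utc), path))
    hits.sort()
    return hits


def build_demo_tree() -> str:
    """Create a constructed tree with files stamped inside and outside the call window."""
    root = tempfile.mkdtemp(prefix="timeline_demo_")
    samples = {
        # inside the window: the BAM time decoded in the thread, and a later file
        "Users/terry/AppData/Local/Temp/TeamViewer/TeamViewer.exe": datetime(2019, 10, 9, 10, 6, 53, tzinfo=BST),
        "Users/terry/AppData/Local/Temp/session.log": datetime(2019, 10, 9, 11, 10, tzinfo=BST),
        # outside the window: the day before, and after the call ended
        "Users/terry/Documents/old.txt": datetime(2019, 10, 8, 17, 0, tzinfo=BST),
        "Windows/Temp/later.tmp": datetime(2019, 10, 9, 12, 30, tzinfo=BST),
    }
    for rel, when in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        ts = when.timestamp()
        os.utime(path, (ts, ts))     # set atime and mtime to the sample instant
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for mtime_utc, path in files_modified_between(demo_root, CALL_START, CALL_END):
        print(f"{mtime_utc:%Y-%m-%d %H:%M:%S} UTC  {os.path.relpath(path, demo_root)}")
```

Two caveats a practitioner would attach to such a list: a modification time is under the control of whoever had the session, so its absence proves nothing, and the hits are only a lead to be cross-checked against sources that are harder to alter from a user session (the BAM record, Prefetch, the event logs Terry found daunting). A real run over C: will return the hundreds of hits Terry saw, most of them binaries; the point of sorting is to read the few minutes around the known BAM time, not the whole day.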
#50
Sophisticated scam about windows certificate?
On 12/10/2019 09.57, Terry Pinnell wrote:
> Terry Pinnell wrote:
>> Paul wrote:
> ....
> Paul,
>
> Did you take a look at my carefully prepared feedback after following up your helpful suggestion please? I was hoping to get some insight into two things:
>
> 1. Does Skype appear to be the means by which the scammer gained access and displayed an attention-grabbing window on my screen from the outset?

I said that Skype could be a means to get your IP address. They have a "phone" connection and they know (I believe) the IP of the machine.

But later I thought that they could also get your IP when you accessed the web page they told you to use. Being under their control, it is trivial to find out the IP from the logs of the server.

> 2. From the TeamViewer log, is it possible to reach any conclusions on what, if any, damage might have been done during that TeamViewer session? Based on objective forensics rather than worst-case speculation..

If I were you, or if I were the person maintaining your computer, I would nuke the machine. Format and reinstall.

In fact, I would propose, if I were the maintenance guy, to switch to Linux at this point. But I'm not that guy, so it is up to you.

-- 
Cheers, Carlos.
#51
Sophisticated scam about windows certificate?
Terry Pinnell wrote:
> [...]
> Thanks, I'm thirsty for slightly reassuring messages like that! In a similar vein, Malwarebytes, CCleaner and my permanently installed Defender reported nothing bad.

CCleaner should have found the TeamViewer registry entries which you found, but couldn't delete, assuming that you *did* tick the 'Obsolete Software' category in the 'Registry Cleaner' section. (Of course you should also tick most if not all other categories, especially 'Applications', 'Application Paths' and 'Installer'. After all, you first do a 'Scan for Issues' and then an *interactive* 'Fix selected issues...'.)

And the TeamViewer .exe (and stuff) was in an uncommon location (unless you have the habit of only installing stuff for yourself and not system-wide).
#52
Sophisticated scam about windows certificate?
On Fri, 11 Oct 2019 04:09:18 +0200, "Carlos E.R." wrote:
> On 09/10/2019 20.52, Terry Pinnell wrote:
>> Meanwhile I've requested a Mastercard change, which is a PITA as so much else depends on it.
>
> Why, did you give its number to them?

He doesn't need to. The card details are possibly in his browser auto-complete database. If not there, they may be in any of several other places including licences for software he's bought or iTunes or Microsoft, Google or Apple store type purchases. Having an hour to look around your computer, I could find *anything* interesting on it and the Indian tech guy could have had pals beavering away in the background. Your Nuke-and-Pave suggestion sounds more and more appealing with every message.

But the *FIRST* thing I would have done in that type of situation is something obvious that so far hasn't been suggested in the thread: kill the connection to the Internet from that PC. Disconnect it from the home network, also.

Once that's done, Mr. Pinnell might like to think of trying msconfig.exe and looking for rogue processes in the start-up panel. Also SysInternal's Process Explorer, or even just Taskmaster.exe for running services and processes that look odd. It's a long shot as most malware is better written than to betray itself here, but looking in the list of installed programs *might* show something that can be uninstalled. It sometimes does. Not all malware writers are of genius level. I know those are stupid, old-fashioned and obvious tools to use but they just *might* help.

Running the "TeamViewer.exe" file through the scanner in VirusTotal just may show something even though MalwareBytes ignores it. The writer may not have blocked it from *every* scanner.

Note: just because a running service says it is owned by Google, Apple, the F.B.I. or Microsoft itself does not mean it truly *is*; if it looks peculiar, it might be worth VirusTotalling it and asking about it here.

Note 2: my "security" stuff kills the new VirusTotal.com website. It lets me use the older version but I can't get the new one to run no matter what I unset. Methinks I'm a little *too* paranoid.

J.
#53
Sophisticated scam about windows certificate?
On Thu, 10 Oct 2019 08:25:45 +0100, Terry Pinnell wrote:
> "Mayayana" wrote:
>> "Terry Pinnell" wrote
>> | A couple of hours ago I was contacted by someone claiming to be from Google Security
>> | Services. Texas based, he said. I get several scam calls a week and handled this in
>> | my usual fashion with a "Not interested, don't call me again" and ended the call.
>> | But unusually this one called straight back and got me listening for a while. At my
>> | insistence he gave me a phone number of 18005321200, which I've not yet tried. He
>> | claimed that my PC had been hacked and he proceeded to demonstrate evidence that he
>> | had access etc. He was using a service called TeamViewer, whose details he popped up
>> | on my screen. (I've since called that company and they point out that anyone can use
>> | their software.)
>>
>> That's a classic scam. I have a brother who fell for it. Luckily for him, he's a starving artist and doesn't have a charge card. But there is a valuable lesson he
>>
>> Remote desktop has been hacked in the past and is high-risk. If you don't log into your computer from elsewhere you should disable the service. Also disable other remote-functionality services. They're designed mainly for use on a safe, corporate intranet. If the caller had access to your desktop then you might want to also run some scans. Though usually these scammers are not interested in installing trojans or the like. They just want you to pay them money and for you to believe it was legit, so you won't cancel the payment.
>
> Looks like the scam hasn't changed much in three years:
> https://community.teamviewer.com/t5/...mmers/td-p/682
>
> Terry

Good job finding that. I think we should strongly endorse TeamViewer's advice:

"We strongly recommend that affected victims contact their bank, a consumer protection organization and a trustworthy IT support company. In most cases, the payments that have been made can be refunded by the bank, and any malicious software installed by the callers can be removed by the IT support company. We can also determine and block the TeamViewer ID used by the scammers if we are provided with the victim's ID. To ensure that it is safe to use your computer again (for example, for online banking), we recommend having it checked by a local IT support company or a person you can trust."

Having a trusted company or expert friend go over your machine is not the worst idea in the world, though a nuke-and-pave does look like a far easier proposition. "Trusted company" does exclude folks like "Microsoft Windows Technical Support" guys based in Goa, obviously.

If you do do a NAP, it may be a good idea to run a malware scanner or two, or more, over any physically connected external drives and networked devices that have talked to your PC recently. It may be a good notion to do that anyway, just for peace of mind.

J.
#54
Sophisticated scam about windows certificate?
On 13/10/2019 18.46, John wrote:
> On Fri, 11 Oct 2019 04:09:18 +0200, "Carlos E.R." wrote:
>> On 09/10/2019 20.52, Terry Pinnell wrote:
>>> Meanwhile I've requested a Mastercard change, which is a PITA as so much else depends on it.
>>
>> Why, did you give its number to them?
>
> He doesn't need to. The card details are possibly in his browser auto-complete database.

Huh. FF at least knows not to keep them.

> If not there, they may be in any of several other places including licences for software he's bought or iTunes or Microsoft, Google or Apple store type purchases.

:-/

> Having an hour to look around your computer, I could find *anything* interesting on it and the Indian tech guy could have had pals beavering away in the background. Your Nuke-and-Pave suggestion sounds more and more appealing with every message.

Yes... :-(

> But the *FIRST* thing I would have done in that type of situation is something obvious that so far hasn't been suggested in the thread: kill the connection to the Internet from that PC. Disconnect it from the home network, also.

That too.

-- 
Cheers, Carlos.