A Windows XP help forum. PCbanter

Sophisticated scam about windows certificate?

  #46  
Old October 11th 19, 03:07 AM posted to alt.comp.os.windows-10
Carlos E.R.[_3_]

On 10/10/2019 21.59, Terry Pinnell wrote:
Terry Pinnell wrote:
I also meant to include the Skype log which I believe is implicated.
https://www.dropbox.com/s/mkettfkjzv...ack-1.txt?dl=0



Skype? Well, that's how they got your IP address.

--
Cheers, Carlos.
  #47  
Old October 11th 19, 03:09 AM posted to alt.comp.os.windows-10
Carlos E.R.[_3_]

On 09/10/2019 20.52, Terry Pinnell wrote:
Meanwhile I've requested a Mastercard change, which is a PITA as so much else
depends on it.


Why, did you give its number to them?

--
Cheers, Carlos.
  #48  
Old October 12th 19, 08:57 AM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]

Terry Pinnell wrote:

Paul wrote:

Terry Pinnell wrote:
Paul wrote:

Terry Pinnell wrote:
Andy Burns wrote:

Terry Pinnell wrote:

He was using a service called TeamViewer
You are 100% certainly being targeted by scammers, do not even speak to
them if they call back.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-xxxxxxxxxxxxxxxxx
Entry =
\Device\HarddiskVolume6\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe
Looks like someone (could be you previously legitimately, or someone
tricked you or exploited a remote execution) *HAS* run teamviewer on the PC.

search that users\terry\appdata folder for teamviewer.exe

if you find it, delete it ...

download "autoruns" directly from microsoft (not from anywhere else)

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

select the "everything" tab and filter for "team", do you see anything?



Thanks Andy. You're right. On my entire PC (all internal and external drives)
there's just that one copy, namely
C:\Users\terry\AppData\Local\Temp\TeamViewer\TeamViewer.exe

I'd say it must have got installed during the call, except for that apparent
TeamViewer window appearing at its very start.

There are many files in that folder. Although it presumably gets deleted
automatically (when?) maybe I should go ahead and do so straight away?

No entries in Autoruns.

I'm also about to delete the six registry entries I listed earlier. Any idea how to
decode that Start and Stop number, as I'm guessing it's a Date/Time, and during the
call, but would like to pin it down. Here it is again:
Start 0x 1d57e80e49c7d73 (132150856133672307)
Stop is strangely identical. I'd have expected a small difference if I'm right about
it being a date/time.


Terry

https://support.microsoft.com/en-ca/...rating-systems

S-1-5-21 is the start of an Administrator account 500 key

like S-1-5-21-xxxxxxxxx-yyyyyyyyy-zzzzzzzzzz-500

*******

0x 1d57e80e49c7d73 (132150856133672307)

I can use filetime.exe on that. There's probably an
assumption of an NTFS-style timestamp in this.

1D57E80 E49C7D73
10/09/2019 05:06:53.367

snip

Thanks Paul.

I'll leave those registry entries then.

Neat forensics with that code! Assuming 10/09/2019 is US format (9th Oct, not 10th
Sep) that's definitely today then. Without a timezone it's not possible to pin down
the time. I'm guessing it was some point during the call which I think was roughly
10:00 to 11:15 UK BST. India would be about 4 hours *ahead*, but 05:06 implies USA,
say 6 hours behind. Puzzling, as both guys on the call were Indian. (The first
claimed to be in Texas, but I assumed that was to support his claim to be working
for 'Google Security Services'!)

Terry


The time is likely to be five hours difference, or

1D57E80 E49C7D73
10/09/2019 10:06:53.367 BST

which would be early in your call (seven minutes into the call).

I took a look at how difficult it would be to add timezone
juggling to my little program, and it's a bit too hard to
do in C code. I would have to change languages to make
it look easy to do.

One other thing you could try, for fun, is to use
Agent Ransack to do a file search of C: , enter nothing in
the filename box or the "containing text" box, then
do a search, then sort by date when it finishes.
Then, scroll down to the time in question, to see
what file(s) were getting updated at that time.

Paul



I was thinking of trying something similar with Everything but your Ransack did a
great job, thanks a bunch Paul. Not 'fun' though ;-)
I got nearly 818k hits (restricted to C:), much faster than I'd expected.
(BTW, assuming you use both tools, do you have a preference?)

Here's an overview:
https://www.dropbox.com/s/qgb41t917y...kHits.jpg?dl=0

Here's that web page they pulled up. In which I regrettably then allowed the session
to continue ;-(
are the two obviously relevant files.
https://gs29.weebly.com/

And here's the all important TeamViewer log.
https://www.dropbox.com/s/cvzrgdy80u...gfile.log?dl=0

But most of the 300 or so hits within the phone call period of approx 10:00-11:15 on
9th October were binaries. The snippets of readable text I could see with my hex
editor meant little to me. Some are surely relevant but they are so inaccessible. I
have uploaded one arbitrary example and if you think it worthwhile after a cursory
look I could upload others.
https://www.dropbox.com/s/3x4wvqmcpm...B0312459A?dl=0

Perhaps I'm being over-optimistic. But from the email reply I had this morning
(posted here earlier) plus the phone call, I have a feeling that no malicious
further hacking was done during the session. The focus was on getting me to buy.
That log seems to include a couple of screen grabs but I can't interpret much of the
rest.

If my optimism about the scammer is justified, it still leaves the question of just
how badly hacked my PC is. That was the basis of their attempted scam.

I also looked at Event Viewer but that was so daunting I closed it again fairly
quickly!

Terry


Paul,

Did you take a look at my carefully prepared feedback after following up your
helpful suggestion please?

I was hoping to get some insight into two things:

1. Does Skype appear to be the means by which the scammer gained access and
displayed an attention-grabbing window on my screen from the outset?

2. From the TeamViewer log, is it possible to reach any conclusions on what, if any,
damage might have been done during that TeamViewer session? Based on objective
forensics rather than worst-case speculation.

Terry
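Paul's filetime.exe decode and his Agent Ransack "sort by date" suggestion, worked through as an added example in Python. This is not code from the thread or from any of the posters: the value quoted from the bam registry key is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 00:00 UTC), so the decode is a fixed-epoch conversion, and the timezone juggling Paul found awkward in C is just an offset applied to the UTC result. The second half does the "which files changed around that time" search, but over a constructed temporary directory with made-up file stamps rather than a real C: drive. The UTC offsets are assumptions supplied by the caller (+1 for BST; -4 is my guess at the local zone behind Paul's 05:06:53 output).

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks from this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_filetime(text):
    """Accept the forms seen in the thread: '0x 1d57e80e49c7d73',
    '1D57E80 E49C7D73' (filetime.exe style, spaces inside) or the
    decimal '132150856133672307'. Assumption: a digits-only string is
    decimal; anything else is hex."""
    s = text.strip().replace(" ", "")
    if s.lower().startswith("0x"):
        return int(s[2:], 16)
    if re.fullmatch(r"[0-9]+", s):
        return int(s, 10)
    return int(s, 16)


def filetime_to_utc(ticks):
    """FILETIME ticks -> timezone-aware UTC datetime.
    timedelta works in microseconds, so the 100 ns digit is dropped."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_local(ticks, utc_offset_hours):
    """Same instant rendered in a fixed-offset zone (e.g. +1 for BST)."""
    return filetime_to_utc(ticks).astimezone(
        timezone(timedelta(hours=utc_offset_hours)))


def files_modified_between(root, start, end):
    """Walk a directory tree and return (mtime_utc, path) for every file
    whose modification time falls inside [start, end], oldest first.
    This is the script equivalent of Paul's 'search, then sort by date'."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.stat(path).st_mtime,
                                               tz=timezone.utc)
            except OSError:
                continue  # file vanished or unreadable; skip it
            if start <= mtime <= end:
                hits.append((mtime, path))
    hits.sort()
    return hits


def demo(window_minutes=60):
    """Decode the value quoted in the thread, then look for files touched
    within +/- window_minutes of it. The files are constructed here with
    os.utime; they are not real artefacts from anyone's machine."""
    ticks = parse_filetime("0x 1d57e80e49c7d73")
    when = filetime_to_utc(ticks)
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "inside.log": when + timedelta(minutes=3),   # in the window
            "outside.dll": when - timedelta(hours=2),    # well before it
        }
        for name, stamp in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample file\n")
            os.utime(path, (stamp.timestamp(), stamp.timestamp()))
        hits = files_modified_between(root,
                                      when - timedelta(minutes=window_minutes),
                                      when + timedelta(minutes=window_minutes))
        return {
            "utc": when.strftime("%Y-%m-%d %H:%M:%S.%f %Z"),
            "bst": filetime_to_local(ticks, 1).strftime("%Y-%m-%d %H:%M:%S %z"),
            "hits": [os.path.basename(p) for _, p in hits],
        }


if __name__ == "__main__":
    result = demo()
    print("UTC :", result["utc"])
    print("BST :", result["bst"])
    print("files modified near that time:", result["hits"])
```

Run it on a real tree by calling `files_modified_between("C:\\", start, end)` with the window you care about; expect a lot of noise from Windows' own housekeeping, which is why the sort by time and a narrow window matter more than the search itself.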
  #49  
Old October 12th 19, 09:35 AM posted to alt.comp.os.windows-10
Paul[_32_]

Terry Pinnell wrote:
snip

Paul,

Did you take a look at my carefully prepared feedback after following up your
helpful suggestion please?

I was hoping to get some insight into two things:

1. Does Skype appear to be the means by which the scammer gained access and
displayed an attention-grabbing window on my screen from the outset?

2. From the TeamViewer log, is it possible to reach any conclusions on what, if any,
damage might have been done during that TeamViewer session? Based on objective
forensics rather than worst-case speculation.

Terry


I looked at the Skype log, and did not see anything suspicious.

You expect to see Skype activity, every time the computer is
booted. In that sense, these logs contain a "lot of noise"
and not a lot of signal.

As for the TeamViewer, either it was a legit copy of TeamViewer,
or it was a fake of some sort. Or, it's covering for the
real attack mechanism. But I can't tell from here, whether
or how that TeamViewer got on the machine. They did manage to
pop up a browser window. But we don't know what else they
did.

There's no way to guess at their capability level.

(Which is why some respondents gave a "nuke and pave" answer.)

While we suspect the scammers weren't interested
in making a nuisance of themselves, and were only
after "easy money" via the certificate scam, can we
sleep comfortably not really knowing their
whole motivation ? Normally, these people are employees
in a larger operation, and just earn a salary doing
this stuff. It wouldn't be normal for two guys in
their mom's basement, to be idly hacking people like
yourself, and those kinds of people would be much
more of a worry.

The only time the salaried employees cause a
problem, is if you get into a cursing match
with them. That's when you find out what
capabilities they've got...

Paul
  #50  
Old October 12th 19, 01:38 PM posted to alt.comp.os.windows-10
Carlos E.R.[_3_]

On 12/10/2019 09.57, Terry Pinnell wrote:
Terry Pinnell wrote:

Paul wrote:


....


Paul,

Did you take a look at my carefully prepared feedback after following up your
helpful suggestion please?

I was hoping to get some insight into two things:

1. Does Skype appear to be the means by which the scammer gained access and
displayed an attention-grabbing window on my screen from the outset?


I said that Skype could be a means to get your IP address. They have a
"phone" connection and they know (I believe) the IP of the machine.

But later I thought that they could also get your IP when you accessed
the web page they told you to use. Being under their control, it is
trivial to find out the IP from the logs of the server.

2. From the TeamViewer log, is it possible to reach any conclusions on what, if any,
damage might have been done during that TeamViewer session? Based on objective
forensics rather than worst-case speculation.


If I were you, or if I were the person maintaining your computer, I
would nuke the machine. Format and reinstall. In fact, I would propose,
if I were the maintenance guy, to switch to Linux at this point. But I'm
not that guy, so it is up to you.


--
Cheers, Carlos.
  #51  
Old October 12th 19, 01:49 PM posted to alt.comp.os.windows-10
Frank Slootweg

Terry Pinnell wrote:
[...]
Thanks, I'm thirsty for slightly reassuring messages like that!

In a similar vein, Malwarebytes, CCleaner and my permanently installed
Defender reported nothing bad.


CCleaner should have found the TeamViewer registry entries which you
found, but couldn't delete, assuming that you *did* tick the 'Obsolete
Software' category in the 'Registry Cleaner' section. (Of course you
should also tick most if not all other categories, especially
'Applications', 'Application Paths' and 'Installer'. After all, you
first do a 'Scan for Issues' and then an *interactive* 'Fix selected
issues...'.)

And the TeamViewer .exe (and stuff) was in an uncommon location
(unless you have the habit of only installing stuff for yourself and
not system-wide).
  #52  
Old October 13th 19, 05:46 PM posted to alt.comp.os.windows-10
John[_92_]

On Fri, 11 Oct 2019 04:09:18 +0200, "Carlos E.R."
wrote:

On 09/10/2019 20.52, Terry Pinnell wrote:
Meanwhile I've requested a Mastercard change, which is a PITA as so much else
depends on it.


Why, did you give its number to them?


He doesn't need to. The card details are possibly in his browser
auto-complete database. If not there, they may be in any of several
other places including licences for software he's bought or iTunes or
Microsoft, Google or Apple store type purchases.

Having an hour to look around your computer, I could find *anything*
interesting on it and the Indian tech guy could have had pals
beavering away in the background.

Your Nuke-and-Pave suggestion sounds more and more appealing with
every message.

But the *FIRST* thing I would have done in that type of situation is
something obvious that so far hasn't been suggested in the thread:
kill the connection to the Internet from that PC. Disconnect it from
the home network, also.

Once that's done, Mr. Pinnell might like to think of trying
msconfig.exe and looking for rogue processes in the start-up panel.
Also SysInternal's Process Explorer, or even just Taskmaster.exe for
running services and processes that look odd.

It's a long shot as most malware is better written than to betray
itself here, but looking in the list of installed programs *might*
show something that can be uninstalled. It sometimes does. Not all
malware writers are of genius level.

I know those are stupid, old-fashioned and obvious tools to use but
they just *might* help.

Running the "TeamViewer.exe" file through the scanner in VirusTotal
just may show something even though MalwareBytes ignores it. The
writer may not have blocked it from *every* scanner.

Note: just because a running service says it is owned by Google,
Apple, the F.B.I. or Microsoft itself does not mean it truly *is*, if
it looks peculiar, it might be worth VirusTotalling it and asking
about it here.

Note 2: my "security" stuff kills the new VirusTotal.com website. It
lets me use the older version but I can't get the new one to run no
matter what I unset. Methinks I'm a little *too* paranoid.


J.


  #53  
Old October 13th 19, 06:08 PM posted to alt.comp.os.windows-10
John[_92_]

On Thu, 10 Oct 2019 08:25:45 +0100, Terry Pinnell
wrote:

"Mayayana" wrote:

"Terry Pinnell" wrote
| A couple of hours ago I was contacted by someone claiming to be from Google
| Security Services. Texas based, he said. I get several scam calls a week and
| handled this in my usual fashion with a "Not interested, don't call me again"
| and ended the call. But unusually this one called straight back and got me
| listening for a while. At my insistence he gave me a phone number of
| 18005321200, which I've not yet tried. He claimed that my PC had been hacked
| and he proceeded to demonstrate evidence that he had access etc. He was using
| a service called TeamViewer, whose details he popped up on my screen. (I've
| since called that company and they point out that anyone can use their
| software.)
|

That's a classic scam. I have a brother who fell for it.
Luckily for him, he's a starving artist and doesn't have
a charge card.

But there is a valuable lesson here. Remote desktop has
been hacked in the past and is high-risk. If you don't log
into your computer from elsewhere you should disable
the service. Also disable other remote-functionality services.
They're designed mainly for use on a safe, corporate
intranet.

If the caller had access to your desktop then you might
want to also run some scans. Though usually these scammers
are not interested in installing trojans or the like. They just want
you to pay them money and for you to believe it was legit, so
you won't cancel the payment.


Looks like the scam hasn't changed much in three years:

https://community.teamviewer.com/t5/...mmers/td-p/682

Terry



Good job finding that. I think we should strongly endorse
TeamViewer's advice:

"We strongly recommend that affected victims contact their bank, a
consumer protection organization and a trustworthy IT support company.
In most cases, the payments that have been made can be refunded by the
bank, and any malicious software installed by the callers can be
removed by the IT support company. We can also determine and block the
TeamViewer ID used by the scammers if we are provided with the
victim's ID.

To ensure that it is safe to use your computer again (for example, for
online banking), we recommend having it checked by a local IT support
company or a person you can trust."

Having a trusted company or expert friend go over your machine is not
the worst idea in the world, though a nuke-and-pave does look like a
far easier proposition.

"Trusted company" does exclude folks like "Microsoft Windows
Technical Support" guys based in Goa, obviously.

If you do do a NAP, it may be a good idea to run a malware scanner or
two, or more, over any physically connected external drives and
networked devices that have talked to your PC recently. It may be a
good notion to do that anyway, just for peace of mind.

J.
  #54  
Old October 13th 19, 07:42 PM posted to alt.comp.os.windows-10
Carlos E.R.[_3_]

On 13/10/2019 18.46, John wrote:
On Fri, 11 Oct 2019 04:09:18 +0200, "Carlos E.R."
wrote:

On 09/10/2019 20.52, Terry Pinnell wrote:
Meanwhile I've requested a Mastercard change, which is a PITA as so much else
depends on it.


Why, did you give its number to them?


He doesn't need to. The card details are possibly in his browser
auto-complete database.


Huh. FF at least knows not to keep them.

If not there, they may be in any of several
other places including licences for software he's bought or iTunes or
Microsoft, Google or Apple store type purchases.


:-/

Having an hour to look around your computer, I could find *anything*
interesting on it and the Indian tech guy could have had pals
beavering away in the background.

Your Nuke-and-Pave suggestion sounds more and more appealing with
every message.


Yes... :-(


But the *FIRST* thing I would have done in that type of situation is
something obvious that so far hasn't been suggested in the thread:
kill the connection to the Internet from that PC. Disconnect it from
the home network, also.


That too.


--
Cheers, Carlos.