
robman50

join:2010-12-14
Beamsville, ON

[INTERNET] fell for Microsoft phone scam (on the phone)

I was just told that my mom's boyfriend got a call from Microsoft telling him his computer sent out a report that he has security problems coming from his IP address, and he allowed them to come in to his system.
What are the steps to correct this problem?
He does his banking online. Also he uses Cogeco HSI (think it is Express 6 now) if any techs want to jump on in I could PM you guys (account info and/or MAC addy) so you can make sure his security is safe.


Gone
Premium
join:2011-01-24
Fort Erie, ON
kudos:4
This isn't Cogeco's problem, it's yours.

Disconnect the computer from the Internet ASAP and do not reconnect. If that means unplugging the Ethernet cable or disconnecting your wireless router, do it. Back up your personal data to an external hard drive. Disconnect the backup drive and then format the hard drive containing Windows. Reinstall Windows from scratch. Connect back to the Internet and run Windows Update. Reinstall your applications. Restore your personal data from the external hard drive. In that order. If you or someone you know is incapable of doing this, pay someone to do it.

From another computer that hasn't been compromised, immediately change all your online banking passwords and passwords to anything else that contains sensitive information (e.g. Facebook, PayPal, etc.).

Consider the annoyance you're going to have to deal with and the possible money spent a lesson learnt.


coaxguy

join:2009-07-29
kudos:1
Reviews:
·Bell Fibe
·Start Communicat..

2 edits
reply to robman50
The scam nowadays is they take the victim to a site to download an antivirus, and the victim inputs their credit card information, and because it's session shared, the thieves see them enter the credit card number, digit for digit.

Gone is correct that this has nothing to do with Cogeco. The "Cogeco security software" has to do with virus protection and firewall protection. Your mother's boyfriend willingly opened the computer to someone else by opening the software they told him to download and use so they could "look into the system". The software they used is not illegal or malware in any way either; it is a session sharing software that many businesses use nowadays.

»www.youtube.com/watch?v=1hsEHRIMeZo


I myself have toyed with these scammers a number of times for fun. I once told them "how long until you try to steal my identity and open credit cards in my name", they then accused ME of being a scammer.


Gone
Premium
join:2011-01-24
Fort Erie, ON
kudos:4
In that case, it should be obvious what also needs to be done.

robman50

join:2010-12-14
Beamsville, ON
reply to robman50
Well being a repair person I did have a system image backed up so I brought the system right back to its clean state.
I have sent him off to contact his bank anyway while I cleaned up the system.
Some key words that grabbed my attention as being a scam were that they want you to subscribe to the MS security program (which is free via Windows updates).
I checked the logs and it did have a virus but the temp internet files folder is loaded with porn and the system is sluggish.
So yeah that was the key right there.
I knew it's not a Cogeco problem, thought I'd 'call for help' and ask for some guidance.

rudeboy24

join:2002-10-14
Welland, ON
Reviews:
·voip.ms
·Start Communicat..
First thing that tells you it's a scam: Microsoft never calls you if you have a virus. Just think, there are over 1 billion Windows computers out there, Microsoft would never be able to keep up. It's not possible for them to be doing that.

Just remember this: "Microsoft will never call you for a virus".

robman50

join:2010-12-14
Beamsville, ON
reply to Gone
Change the email passwords too?

rudeboy24

join:2002-10-14
Welland, ON
I would say change any password for any accounts used on the computer. If the web browser saves logins & passwords (which I don't recommend ever doing with important accounts), change those too.

robman50

join:2010-12-14
Beamsville, ON
reply to robman50
ok, where does he go to change his Cogeco email password?

thingfish

join:2012-09-14
St Catharines, ON
kudos:1


coaxguy

join:2009-07-29
kudos:1
Reviews:
·Bell Fibe
·Start Communicat..
reply to robman50
They are really bold when they pull this crap. They show you log files that contain errors that happen every day and tell you you have a virus.

Then they take you to Microsoft's homepage and click on the Windows security essential link, then they quickly paste something in the address bar that takes you to a 3rd party site and watch as you enter your CC or bank account info.

One of the times I played along I asked why they took me from Microsoft.com to www.whateveritwas.com and I pointed out there was no security certificate for the site. The nice Indian man told me I was a thief and trying to hack THEM, and I was a scammer.

I love loading up a virtual machine on my old beat up work laptop and mess with they call.


Davesnothere
No-BHELL-ity DOES have its Advantages
Premium
join:2009-06-15
START Today!
kudos:7
said by coaxguy:

....I love loading up a virtual machine on my old beat up work laptop and mess with their call.

 
Or string them along up until when they ask you to give them your credit card number (most these days DO ask, as it's easier than installing a piece of malware to instead just ASK the person for their CC number over the phone), and at that point tell them "Oh BTW, I have a MAC and not a PC, so you cannot POSSIBLY be calling me from 'WINDOWS SUPPORT CENTRE' !"

--

We have only 2 things about which to worry :
(1) That things may never get back to normal
(2) That they already HAVE !
-
START Forum »Start Communications
Or you can still use Canadian Broadband.


robman50

join:2010-12-14
Beamsville, ON
said by Davesnothere:

said by coaxguy:

....I love loading up a virtual machine on my old beat up work laptop and mess with their call.

 
"Oh BTW, I have a MAC and not a PC, so you cannot POSSIBLY be calling me from 'WINDOWS SUPPORT CENTRE' !"

Or to really throw them off, all my PC's run Linux (ubuntu, fedora, etc.) :P

robman50

join:2010-12-14
Beamsville, ON
reply to robman50
This is what really gets me, how the heck did the person get my mom's boyfriend's phone number? OK, so he gets the virus into the system and it sends out a 'report', so did the spammer trace his IP address back to Cogeco and ask Cogeco for his phone number? This part actually gives me the creeps.

diskdocx

join:2005-09-26
Burlington, ON
Um, no. These are cold calls. He doesn't have a virus.

It's just a telemarketing scam. Unless the phone number is completely unlisted, they just pulled it out of a directory.


coaxguy

join:2009-07-29
kudos:1
Reviews:
·Bell Fibe
·Start Communicat..
reply to robman50
said by robman50:

This is what really gets me, how the heck did the person get my mom's boyfriend's phone number? OK, so he gets the virus into the system and it sends out a 'report', so did the spammer trace his IP address back to Cogeco and ask Cogeco for his phone number? This part actually gives me the creeps.

No, not at all. It works just like telemarketing. They get your number from a sales list and an auto dialer calls you.

No ISP would ever give out your information to a 3rd party based on a cold call saying "your customer has a virus, I need to call them, please give me their phone number".

thingfish

join:2012-09-14
St Catharines, ON
kudos:1
reply to robman50
As others have said, it's nothing to do with an actual virus.

My mother got a call from these scammers. She doesn't even own a computer...

robman50

join:2010-12-14
Beamsville, ON
reply to robman50
Well, for extra security I enabled the 'Discard ping from WAN side' and I disabled UPnP in his router, which is my old DI-604.

Also he changed the My Account password and the email passwords.


Davesnothere
No-BHELL-ity DOES have its Advantages
Premium
join:2009-06-15
START Today!
kudos:7

3 edits
reply to diskdocx
said by diskdocx:

These are COLD CALLS.

His PC doesn't have a virus.

It's just a telemarketing scam.

Unless the phone number is completely unlisted, they just pulled it out of a directory.

 
This needs to be repeated, and bolded.

There WAS no virus/malware in the computer to begin with, and there may well be none in it afterwards either.

This is mainly a new TM scam, and even unlisted numbers can be reached by autodialers.

As a tech, I have encountered this scenario only last month with someone local to me and their PC.

Still best to cancel any credit cards which may have been used, if things went that far.

But wiping and reloading the PC's hard drive can be a bit heavy-handed, IMNSHO.

After doing a forensic exam and some screenshots of folder trees for their dates, I rolled back Windows System Restore to a few days before they got the call, and did my usual security tests from there, as well as resolving some other minor unrelated issues which the owner mentioned to me.

At the end, I cleared all system restore points and made a single new one.


Davesnothere
No-BHELL-ity DOES have its Advantages
Premium
join:2009-06-15
START Today!
kudos:7
 
BTW, I should mention that the caller had only gotten into the computer by talking the owner into installing a 3rd party Remote Access app, so that they could log into it.


mr_slick

join:2003-05-22
Lynnwood, WA
reply to coaxguy

I am jealous!

they have never called me! that would be fun to string them along

and just the other day the nice "american" man from chase asked me why i have not taken advantage of my credit card check offers (when i called to activate a card). i told him because you charge a fee and it is not free... he was dumbfounded as to why i would not pay money to get money that i did not need....

robman50

join:2010-12-14
Beamsville, ON
reply to Davesnothere

OK then, if it is not related to a virus, then why, at the same time when the person was in the computer, did the real anti virus program that I put on there detect a virus that was severe but removed, and during the time that person was connected to the system, in the same time frame, how and why did 2,000+ porn items come in to the temp internet files folder even though this person never ever looks at porn? That sounds like a virus to me.

robman50

join:2010-12-14
Beamsville, ON
reply to Davesnothere
said by Davesnothere:

 
BTW, I should mention that the caller had only gotten into the computer by talking the owner into installing a 3rd party Remote Access app, so that they could log into it.

Yes, the program called 'TeamViewer' was installed.


coaxguy

join:2009-07-29
kudos:1
Reviews:
·Bell Fibe
·Start Communicat..
reply to robman50
said by robman50:

OK then, if it is not related to a virus, then why, at the same time when the person was in the computer, did the real anti virus program that I put on there detect a virus that was severe but removed, and during the time that person was connected to the system, in the same time frame, how and why did 2,000+ porn items come in to the temp internet files folder even though this person never ever looks at porn? That sounds like a virus to me.

Yes a completely unrelated virus, nothing to do with the cold call scam. As far as the porn goes, hate to break it to you but if there were temp Internet files for porn sites, then a) they could have been pop ups or b) someone on the computer was looking at porn.

The scammer has no reason to try to steal credit card info and then plant porn cookies.

Did you even watch the video I posted? It is exactly what they do, nothing more, nothing less.

No one pre-planted a virus to get your IP
No one called Cogeco in an attempt to get your personal info
No one planted evidence of porn on the computer

Someone did use an autodialler program to call the house
Someone did get a resident of the home to install a remote access program to gain control of the computer
Someone did show the resident of the home common error files and told them to enter their credit card # to pay for their "removal"

You're thinking way too much into this. Sadly it happens every day, and for every 1 person who tells them to drop dead, 5 probably fall for the trap.

1. Delete all cookies and temp files for the browser used
2. Change any email passwords stored on the computer
3. Change any online banking passwords if online banking is done on that computer
4. If a credit card number was typed in during the screen sharing session cancel it

That's all you need to do.

rudeboy24

join:2002-10-14
Welland, ON
Reviews:
·voip.ms
·Start Communicat..
reply to robman50
Changing passwords to accounts that have saved passwords in the computer is a precautionary measure, just in case the scammer is tech savvy enough to know what files to steal from the computer in the background while they are connected to the victim, and there's also a small chance they did that... but it's better safe than sorry.

For the virus popup, the scammer possibly uploaded something in the background to cause a virus popup.

Maybe an EICAR test file.
»www.eicar.org/86-0-Intended-use.html

diskdocx

join:2005-09-26
Burlington, ON
reply to robman50
said by robman50:

OK then, if it is not related to a virus, then why, at the same time when the person was in the computer, did the real anti virus program that I put on there detect a virus that was severe but removed, and during the time that person was connected to the system, in the same time frame, how and why did 2,000+ porn items come in to the temp internet files folder even though this person never ever looks at porn? That sounds like a virus to me.

I think you've answered your own question.

"when the person was in the computer"

In other words, not before. Once they were given access to the computer, they could have uploaded/installed anything.

Bottom line, there was no problem with the computer prior to the cold call, and all would have been fine if access hadn't been granted to the computer.

That said, I'm sure the virus was a secondary objective. They wanted, and got, credit card data.


Davesnothere
No-BHELL-ity DOES have its Advantages
Premium
join:2009-06-15
START Today!
kudos:7
reply to robman50
said by robman50:

said by Davesnothere:

 
BTW, I should mention that the caller had only gotten into the computer by talking the owner into installing a 3rd party Remote Access app, so that they could log into it.

Yes, the program called 'TeamViewer' was installed.

 
The one added to the PC which came to me was called 'Show My PC'.


DataRiker
Premium
join:2002-05-19
00000
reply to coaxguy
said by coaxguy:

I love loading up a virtual machine on my old beat up work laptop and mess with they call.

This happens a lot?


coaxguy

join:2009-07-29
kudos:1
Reviews:
·Bell Fibe
·Start Communicat..
said by DataRiker:

said by coaxguy:

I love loading up a virtual machine on my old beat up work laptop and mess with they call.

This happens a lot?

Happened to me about 5x in total over the last 3 years. Closest timing was 2x in one month, that was about 3 months ago.


SimbaTLK1
Rawrrr

join:2001-09-07
Pittsburgh, PA
reply to robman50
said by robman50:

Well, for extra security I enabled the 'Discard ping from WAN side' and I disabled UPnP in his router, which is my old DI-604.

2002 just called, they want their router back.