The Windows Support scam - friend hit, need answer fast!

An elderly friend has fallen victim to this scam. They remotely connected to her PC somehow - I have no details yet. She’s been scammed out of some money. She’s spoken to the police and they’ve advised her to not use her PC until someone knowledgeable looks it over, and I am visiting tomorrow.

So what’s the latest on this scam? What other nasties am I likely to find? Anything in particular to check? I’ll be taking along the usual utilities, and the Mk 1 eyeball often works wonders, but forewarned is forearmed.

First, contact her credit card company to get the charges taken off her bill.

Second do a scan with Malwarebytes. It should pick up anything that’s installed.

Note that there might not be anything. It all depends on how far along in the process she got. Usually, they connect to you computer and spend time trying to convince you that you’re infected. If you cut off early on, then they haven’t installed anything (note that the scam works pretty well even if they don’t install anything).

You might want to install a firewall to check if anything untoward is accessing the Internet. But there’s a good chance they never installed anything.

This is definitely a scam. I actually got suckered into it, realized in the first 2 minutes on the phone it was NOT an official Microsoft service, and then stayed on to understand the scan.

These folks do a great job of implying that they are Microsoft, but they aren’t. They started the whole sucker pitch on my daughter and backed off once they learned she was 15.

What they do is take remote control of your PC, install software that then showcases all sorts of malware and virus and risks (which is made up). Here’s a Wired articlefrom a few years ago.

I’m no expert on this but I would

  1. restore to an earlier point
  2. run Defender, Malware Bytes and all the anti spyware that some excellent stickies on SDMB have highlighted.
  3. Remove programs and delete anything dodgy (and your elderly friend probably has a bunch of crapware on there that you might as well clean up)
  4. Lock down the browser settings to “safe mode”

An elderly friend of mine fell for this scam a few months ago. She demanded that I come over and help her, which I reluctantly did. I ended up talking to what ever company rep she was talking to, and I insisted that she did not want their services, and that they were to release her from whatever she signed up for. This took a good half an hour of fighting on the phone, while I listened to my friend alternately shrieking and crying behind me.

Once that was done, I had her call her credit card company, and have them close the account. I did this just to be sure they couldn’t charge her for any sort of subscription in the future. Her credit issuer had already denied the initial charge, according to what that rep told her on on the phone, so I believe she was never charged.

I removed the remote software they had installed, and ran Malwarebytes to make sure there wasn’t anything else lurking about. There weren’t any problems after that.

That is, of course, until last month, when she click on a link in an email she received from “a friend,” which of course didn’t come from her friend, and she had a lengthy email conversation with some scammer about the legitimacy of the original email, which they assured her perfectly safe, and she provided them with her email password. :smack:

I always have a laugh when they say, “I’m from the service department of your computer.”

Not only do they not give an actual company name, but “my computer” was scratch-built and doesn’t have a service department.

Evil bastards.

The only truly safe thing is to do a clean install on a new drive. They had full access to her computer and could install just about anything they wanted. They could have installed root kits or boot loader viruses. If you’re not an expert on cleaning drives, it would be easy to miss things. Boot loader viruses can be especially difficult to remove as they reinstall themselves every time the computer boots.

A new hard drive shouldn’t be too expensive. Get a new hard drive and an external enclosure for the old drive. Do a clean install on the new drive and then copy over whatever files she needs from the old drive.

They don’t connect through the browser. They have you download a screen sharing program and then they are literally able to access your computer just like you do. They have full access. It’s like they are sitting at your keyboard. That’s why you have no idea what they could have done. They could have downloaded anything and made whatever modifications they wanted.

Yeah, I had one who claimed to be from “The Department of Fixing Computers, with Windows”

I got a call from these assholes today, and just let loose on them, asking the caller if his mother knew what he did for a living and suggesting that she’d be a lot happier if he working in some more honorable profession like sucking cocks for a living.

I suspect they’ve bought the AARP database because they seem to call people over 50 primarily.

I usually say “which one?”, and if that doesn’t floor them, and they start going on about opening Windows, I try “OK, I’ve opened all the windows, now what? Only can you hurry up, it’s a bit cold outside”, and when they talk about Windows on the computer, I try “What windows, there’s only the ordinary screen on my computer”.

Hours of fun for all the family.

Guys, I’m well aware this is a scam. I’m going to run the usual checks. I’ve asked her to bring along installation DVDs etc. It’s just the new wrinkles I’d like to know. I’ve just been on the phone to her and she’s in a bit of a state at the moment and is going to be visiting later today. Apparently they had her on the phone for several hours, so as she’s got a fibre line, I’m assuming they grabbed everything.

That’s funny. I always ask them if their mother knows they’re a crook. That gets a quick hangup. And no, I am not an AARP member and not in the US anyway.

If I get an email asking me to click a link, there had better be a personal message attached (that is obviously meant for me) or I will email the sender asking if it is legitimate. If I don’t know the sender, it goes directly to the spam directory without passing Go.

Even so I once acquired a virus. What I did was download a program that I install on every computer I own. Until it was too late, I didn’t notice the download came from a third party, not the home site of the program. What I did then was use the recovery program to start over (it was a new computer). It still irritates me that the home site of that program did not even show up (on the first page anyway) in a google search. I got it from the Wiki article on the program.

I had one going for about a half an hour looking for the any key.

then they got the supervisor on the line.

I would read this and then ask the forum gurus to check your logs and follow their advice:

If you have some technical knowledge you could run DBAN which will erase the entire hard drive, then you can reinstall windows using the installation disks and be assured that any malware is gone.

I have received a few of these calls. I let them go on for awhile then I tell them that its funny they are receiving a notice about my Windows computer because I am running Linux. That’s when they usually hang up.

I did that once. When the supervisor got on, I start using a Mr. Rogers soundboard for all my answers:

“Oh, I’m glad you called!”

“Oh, yes, I’ve read about that in the Bible!”

“Have you ever had a checkup?”

She’s just left. She didn’t have the installation DVDs, nor did she bring the charger for her laptop, so a re-installation was out of the question. The technician she contacted at BT when she realised what had happened had done an excellent job of removing all the malware that had been installed. But he’d missed one little thing… After that was resolved, which mainly took an hour of waiting for the scans to finish, we went through resetting all her passwords and changed them and synchronised them across her devices.

Once she’s again confident, in a month or two, I’ll introduce her to Windows 10 and two factor authentication.

What is BT?

I would be cautious about saying the tech removed all the malware. There’s no way to be certain of that. He removed all the malware his software recognized, but that doesn’t mean he could identify everything that was done to the laptop.

You can’t look at a random file and say if it’s malicious or not. What they do is look for patterns which match known malicious files. But if a file doesn’t match a known pattern, it won’t be flagged.

You’re getting a false sense of security from the tech and the cleanup software. It only cleans up the things it knows about. The things it doesn’t know about are still on the drive. The only safe thing is to reinstall to a clean hard drive.

BT are British Telecom, the U.K.'s biggest and foremost telephone and data supplier.

As I said, there was ‘one little thing…’ :slight_smile:

Otherwise you are entirely correct and I so advised her. But I did my job and it looked clean to me afterwards. I have advised her to be vigilant.

Hari Seldon:

Let me guess…Adobe Flash Player?

Or a completely reformatted drive. There’s no reason to go out and spend money.