Ask HN: Grandma's computer compromised by scammer, how to assess risk?
https://drive.google.com/file/d/0B3-pXTFbLBkHUldDQ1JVSnNvd00/view?usp=sharing
I apologize for adding link but this is a quicker explanation with a few images rather than max the char limit. Notable things:
* probably pop-up initiated 200+ redirects broke back button.
* she called scammers(decent/good job copying look of chrome maliscious warning except with phone number and login)
* there are 3 hours before i arived where she was speaking with them intermittenly and she downloaded logmein.com, citrix software and gave them full access to computer.
* phone num lead me to website which is now 100% gone and "alex smith" had a seriously thick foreign accent as she described it.
EDIT [2.1]
There was a dir called [sons name] on the desktop (she thinks it might have been there always but not sure) with:
* 5 year old full Experian credit report
* some old job applications(a super quick look didn't show his full SS but I only looked very quickly, did see last 4)
* info about a p&s of some land he sold.
and he got the job 4 years ago now. Is branch manager of a financial companies office. He is concerned his information could have been downloaded and he is at risk. Trying to assess what I should tell him. Downplayed risk a bit short term so he doesn't flip on his mom, but understandably he is concerned about professional & personal ramifications.
edit 3:
I called te non-emg police line(haha first time ever) and asked if it was worth reporting in case needed to build narrative for ID theft in future. They said to do ic3.gov. I am more concerned with getting the paperwork incase i neeed to build narrative, than actually expecting them to find the people.
44 comments
[ 4.7 ms ] story [ 103 ms ] threadThe OS should also be reinstalled from scratch, after backing up any pictures or documents and reformatting the disk.
> The OS should also be reinstalled from scratch, after backing up any pictures or documents and reformatting the disk.
I removed both ram cahces and replaced them as well as the harddrive with another entirely reset windows 10 install i had laying around.
HOWEVER, she is reasonably tech savvy for 80 uses computer everyday, ect, but she was having trouble adapting and begged me to put win7 back on. I simply swapped hard drives back, so there has been 0 diagnostics run on the current drive except a single full system scan done by the microsoft virus program, although, again, she said they installed it (it does look like real MS) but maybe they just added an exception. I figured I would do damage control, and let her use current OS for now(told her not to do online shopping haha) while I try to assess full risk.
My chief concern is more the shape of the attack/this sort of scam. I don't know what a "typical" attack is, a scam or they follow on by bundling up the data and selling it to the more specialized identity theft/hackers online.
I am not super familiar with windows (mac/linux) so I wouldn't be as comfortable using powershell to look at internal processes. I didn't want to freak her out, but I do want to know if it would be "normal" for this type of scam to include downloading the hard drive data and selling it/using it to commit ID theft ect.
in terms of actual actionable steps, they would really be the same fix. however, if i found active system processes sending data to random IPs, i would obviously excalate my concerns.
* replace/reformat hardrive
* replace RAM sticks for good measure, as I have them already.
* config firewall
* put on standard windows security settings, remove remote access to computer, ect. lock it down.
* shes a grandmother. so essentially, just put a fuckton of addons on chrome and delete/hide other browsers. highest chrome security settings, httpseverywhere, adblock plus(not putting uBlock on, consider target user), ghostery, ect.
* explain some high level steps to her about protecting herself, all popups are scams ect
* if possible block incoming calls from 800, 900, international, and business numbers. Possible, but could impact her UX of life.
* tell her to call me if she has questions first before doing anything.
HOWEVER. A confirmation of malware would mean that the attack vector changes significantly. If a confirmation they actually actively did data harvesting or otherwise intend to go after her and her son's IDs or financials. I would escalate. I have already:
* changed all card numbers, the router and ISPs passwords,
* placed notes of breach in all accounts, ect.
* confirmed no suspiscious activity on investments and also secured them to the best I could via that companies policy without needing a 3day verified letter to execute a transfer or change in postion of the portfolio.
* replaced debit cards
* reset investments login.
[ I am aware that allowing her to use the likely compromised hard drive is a risk. but, I believe that between the security measures I have taken and the holiday weekend, I have some time to consider how I fix the issue technically ]
But if I actually found proof of maliscious code, it wouldn't be likely they were going to continue scamming: it would be a near certainty.
if the attack vector becomes securing any hole in America's horrible financial system, I would have to also set up account/credit monitoring, consider a credit freeze and take further measures. These are things I would possibly do to some extent for myself if this was my own system/life.
however I am a technical user with a background in finance and tech, and I worked at a fintech startup where we were trying to sell to banks. So i am not an expert, but have MUCH more knowledge about the industry than the victim here. So I am doing cost/ben on how much I need to do here (also of my own time to some extent) to secure everything while still allowing her not to need to do 2 factor authentication and call her bank everytime she needs to buy groceries. She is 80, so for her demographic she is highly technical. Compared to even a 65 year old, she is certainly not and does not have the technical or peripheral knowledge to execute/do tasks we would consider basic:
* make a change from win 7 - win 10
* use a password manager not already set up in chrome
* understand seperation of technological concerns. for example, she didn't want to change to win 10 because her passwords are prefilled for her in Google Chrome, and the new operating system would require her to not have them. I am aware of how chrome accounts work, this is an example.
I would do the following:
-- Cancel all credit cards
-- Change all bank accounts
-- Put a credit lock on her social security number
-- Change all passwords, prioritizing any kind of banking software or software with access to wires and accounts
-- Change all the email and online files
After doing that you can file a few forms with the local police and this federal ID theft site.
Then when the credit people start calling in a few months (hopefully the credit lock will prevent this), you can present the information.
edit: also, thanks for the compassion, cheers. ;)
1. Disconnect the hard disk, and image it using a clean host machine. Since the attackers had full admin-access, you'll want an image in case they deleted anything (and to perform forensics if you care).
2. Wipe the hard disk and re-install Windows 10, there is no other best practice here. As others have said, there are too many places to hide trojans and malware, and all bets are off now that the machine was compromised.
* Was this the whole attack? Or was this stage 1, and they are going to sell/use data for identity theft.
* Use contacts info to try and scam friends/family
* Worth reporting to build narrative for the future if needed to prove identity theft leter?
* What a 'typical' scammer business model is
* If there is a simple way to check if they have active malware installed.
I could never be comfortable with the old hardware, but I would suggest credit monitoring ect if I could verify 100% they either downloaded all the data or backdoored it. I could do this on mac/linux and probably figure it out on windows, i just don't want to freak her out. Do you think it is worth trying to tcpdump and look at the sys logs and stuff and trying to diagnose that they did more than just scam? If I knew they did, I would get lifelock for her or something, but when the friendly support rep(the hacker) told her there were 26 hackers currently on her computer and he was fixing it for her, she was obviously super concerned.
This way you can also put the image on a flash drive or Blu-Ray so you don't have to keep physical possession of hard drive/data which sounds like it is important.
I believe tcpdump only helps you if the attack is ongoing, since this is after-the-fact, having an image you can analyze later is probably your best bet.
Also, I wanted to replace the ram chips incase they persisted malware to them, but I was holding off to see how serious everyone on here thought it was. What is the windows equiv of stuff like:
ect. and the system level process directories like ect. I guess, i'll just take a peak now. It would be worth spending an hour or so if I could know without a reasonable doubt that they did install malware. If I can't find something obvious, I'll still do clean install.1. What to do about ID theft (2 comments / 2009) 2. MS Phone scam(1c, 2014, not very useful) 3. Phone Scammers(3c, 2013) 4. Guardian link about Indian callcenters/phone scamming(0c, article)
1. https://news.ycombinator.com/item?id=695415 2. https://news.ycombinator.com/item?id=9241168 3. https://news.ycombinator.com/item?id=8136782 4. http://www.guardian.co.uk/world/2010/jul/18/phone-scam-india...
edit: will add more useful info, as I find them
A link to a BBC Radio programme that contains a bit about a woman who responded to telephone scammers. She lost £15,000.
It won't stop 100% of all scams, but it does eliminate a whole class of malware.
I converted my 88-year-old father to Chromebooks 3 years ago. He loves it, and my support calls have tapered off :-)
Personally, I'd chuck the computer away and buy a new one, but I'm paranoid.
edit: I used to get really paranoid after using Windows for an extended period of time. Still do sometimes, but learned to live with it. I feel like I have no control over what services are listening on 0.0.0.0, the firewall is completely unusable compared to iptables.
Technically, you've clearly got an understanding of the fix, so I won't waste a lot of time on that. I wanted to speak to the rest though, as I've had personal experience with identity theft in the past few years. Really, anyone should just operate from the assumption that their SSN is compromised. Too many places have used them and too many places either don't even realize when they've been hacked or hide that fact when it's discovered. Her son should do the stuff written below whether they actually got his info from that folder or not. (Also, they did freeze the payment they made to the scammers, right?)
First off, do check if your local police have a place to file a report online. My local police dept. has a website where you can report identity theft and immediately get a report number and printout. If someone uses their information to file a fraudulent tax return, they'll need that report as part of their package to substantiate the issue to the IRS. If you want to do IC3, too, that's fine--but get the traditional police report (and don't wait until some problem comes up as a result of the breach). It is a good idea to build a narrative with corroborating evidence--the IRS was apologetic to me, but having a evidence of a reported incident and efforts to follow up is a nice preventive to potential pushback at a later date from a private entity that wasn't careful.
I'd also recommend filing a tax return early, as soon as they receive their W2. Fraudsters try to get their fake returns in before the legitimate one, because the IRS will issue their refund without questions unless you've already filed.
Getting access changed for all of their accounts is a first step, but I would recommend also getting 2-factor set up for any account it's available for. 2-factor makes any future breaches that much easier to mitigate. Additionally, they should check any account settings for additional recovery emails or in email accounts settings for any forwarding addresses added to the account. All the remediations in the world don't help much if they can still trigger a change in a few months by getting the password reset sent to fuckingscammers@dickheads.com. This should additionally include making sure that anyone they have an account with has a fraud notice and ID check that doesn't rely on information in their credit report. For instance, my security question answer to "What is your mother's maiden name?" is to the effect of "a(DH?BMBNOrcumb#72tT". Use a password manager to keep those straight (I just keep them in the Notes field and cut and paste as necessary).
The son should have a fraud freeze with the credit agencies, so that they can't use the experian report to create new accounts, and he should make sure he's changed his passwords (if there was a folder of his on the computer with his job search files, it is also likely he's used it for browsing and there could have been passwords saved somewhere). I'm not sure what his concern is professionally, but he could contact his company's information security office about potential safeguards.
I've had no other identity theft issues from my information being out there aside from the fraudulent tax return, which makes sense. The IRS cut the douches a check for $8582, which, had they not fat-fingered the 16-digit prepaid Visa card number they tried to have it deposited onto, would have been a much more lucrative payoff than trying to run a couple of fraudulent credit card charges that Visa would quickly flag. Once you've triaged actual account access, keeping the credit agencies locked down is really the main thing to keep an eye on, since that would flag any attempt to use the information further. They should be reasonably vigilant, but my experience has not been that this was an apocalyptic meltdown of my financial identit...
i realized this earlier in the day, your comment only became visible to me in the last 10 mins pr so. i noticed replies ceased several hours ago and emailed HN support.
the link had been flagged by several users and was restored by dang a few minutes ago. i dont have infor but i assume it was the horrible title which i submitted after charring out on mobile 3 or 4 times, amd i didnt want to rewrite/lost the original post which has since been restrictured.
thanks again dang, and also i appreciate this write up as there wasn't much on HN about dealing with this. it ia clearly written up exatensively in the media but there is so much spam and incorrect info i looked here for better reaources and experiences like yours as there are technical, financial and privacy considerations and as any good security professional knows, missing even one thing can have huge consequences.
On a side note, the amusing part about having my identity stolen is that identity management at the enterprise level is what I do professionally, so I am well aware of the flaws in identity management that make id theft exploitable and now have a really good story to drag out when someone gives me pushback. Also, when the IRS guy was apologizing to me about all the inconvenience, I stopped him and said "don't apologize, I think this is hilarious. I have his refund check, he'll never get it, and I know he's trying to find out what happened because every time he pretends to be me and files an inquiry with you guys, the IRS response letter gets sent to my address since that's what's on the return. I'm probably the only person in America who laughs maniacally when I see a letter from the IRS in my mailbox."
For those who are so inclined, I found the approach the guy in this article took to be pretty intriguing, and have a to-do project of figuring out how to do this in a virtual machine:
http://www.computerworld.com/article/3030216/windows-pcs/fed...
Cached website is likely recoverable from the disk image. I used that technique a few times to get into some clients' accounts with their consent.
Anyway, assume total compromise and apply nuclear option. It is possible to track down the perpetrators because they use toll free numbers.
Either way, for sure has to be totally reformatted, super shitty thing to do to someone. there is being a skilled hacker and social engineer and then there is scamming an old lady. thanks for info.