Ask HN: Grandma's computer compromised by scammer, how to assess risk?

28 points by vonklaus ↗ HN
EDIT: I apologize for removing initial desc., I uploaded a document I sent to her son which explains, what i could grok about what happened. I edited the markdown file quickly and uploaded it to gdocs. I put bullets of major stuff. the public link for more info with some pics is here:

https://drive.google.com/file/d/0B3-pXTFbLBkHUldDQ1JVSnNvd00/view?usp=sharing

I apologize for adding link but this is a quicker explanation with a few images rather than max the char limit. Notable things:

* probably pop-up initiated 200+ redirects broke back button.

* she called scammers(decent/good job copying look of chrome maliscious warning except with phone number and login)

* there are 3 hours before i arived where she was speaking with them intermittenly and she downloaded logmein.com, citrix software and gave them full access to computer.

* phone num lead me to website which is now 100% gone and "alex smith" had a seriously thick foreign accent as she described it.

EDIT [2.1]

There was a dir called [sons name] on the desktop (she thinks it might have been there always but not sure) with:

* 5 year old full Experian credit report

* some old job applications(a super quick look didn't show his full SS but I only looked very quickly, did see last 4)

* info about a p&s of some land he sold.

and he got the job 4 years ago now. Is branch manager of a financial companies office. He is concerned his information could have been downloaded and he is at risk. Trying to assess what I should tell him. Downplayed risk a bit short term so he doesn't flip on his mom, but understandably he is concerned about professional & personal ramifications.

edit 3:

I called te non-emg police line(haha first time ever) and asked if it was worth reporting in case needed to build narrative for ID theft in future. They said to do ic3.gov. I am more concerned with getting the paperwork incase i neeed to build narrative, than actually expecting them to find the people.

44 comments

[ 4.7 ms ] story [ 103 ms ] thread
It seems that it would be safer to block that credit card entirely and request a new number.

The OS should also be reinstalled from scratch, after backing up any pictures or documents and reformatting the disk.

I cancelled all cards and did what i could for the finance company. putting a freeze or security on her investment account required her to have to go to a bank(or other official notary accepted by the firm) and verify her identity and then mail a letter to the company to authorize transfer. so all the accounts were cancelled/cards reordered but freezing her account would be a huge impediment as she makes transfers every few weeks to live. the cards/ect from initial breach i am not particularly worried about. but to your second point:

> The OS should also be reinstalled from scratch, after backing up any pictures or documents and reformatting the disk.

I removed both ram cahces and replaced them as well as the harddrive with another entirely reset windows 10 install i had laying around.

HOWEVER, she is reasonably tech savvy for 80 uses computer everyday, ect, but she was having trouble adapting and begged me to put win7 back on. I simply swapped hard drives back, so there has been 0 diagnostics run on the current drive except a single full system scan done by the microsoft virus program, although, again, she said they installed it (it does look like real MS) but maybe they just added an exception. I figured I would do damage control, and let her use current OS for now(told her not to do online shopping haha) while I try to assess full risk.

good idea. is lifelock worth getting? also, the random 888 number likeky is disconnected, their website is just nginx which i think dynamically creates temp sites for whoever they are scamming ect, and then disappears, the payment was made to a canadian acct. is it worth trying to report this? there isn't real data to hand off to identitytheft.gov.
This is a terrible thing to do; there's no way she won't be back in their system at some point. Seriously. If need be, buy her a chromebook and walk her through what she needs to learn. But, Windows 7, and previously compromised together is not any kindness.
thanks. This was my concern. I have mitigated short term risk (next 2 weeks ish) so I am just trying to assess whether it is worth freaking her out and dumping the whole system. i already did but as an 80 y/o she didn't adjsut super well to having hackers breach her PC, have all new passwords for her stuff, and trying to use a new OS. So i removed the HD with windows 10, and put the old original HD back in with win7. wanted to know how serious others thought risk was before I escalated.
So, I'd at least do a clean install of Windows 7 on that spare HD.
Just re install the OS if the goal is to get it back to a safe state.
I could never, myself, be comfortable not doing that as someone who was at best a total scammer and at worst a hacker/affiliated with hackers and carders, had full system and admin access for several hours. However, i did what I could because she didn't like the clean win 10 frsh install, but my chief concern is not the computer right now as I can fix it.

My chief concern is more the shape of the attack/this sort of scam. I don't know what a "typical" attack is, a scam or they follow on by bundling up the data and selling it to the more specialized identity theft/hackers online.

I am not super familiar with windows (mac/linux) so I wouldn't be as comfortable using powershell to look at internal processes. I didn't want to freak her out, but I do want to know if it would be "normal" for this type of scam to include downloading the hard drive data and selling it/using it to commit ID theft ect.

(comment deleted)
There is a reason windows experts recommend full wipes: They know there are lots of places for nasty stuff to hide and it is not worth the time to try and find it all. Set your ego aside and wipe it.
Yeah, it is probably possible to recover, but it just doesn't make sense to spend the kind of time it would take to be sure.
I have 2 clean compatible ddr3 ram caches and a new HD which I originally installed post breach (what I would do if my system) but I swapped back to orig hardware short term as she couldn't figure out new OS. Do you think it is likely that they installed backdoor(maliscious code)? I am not super familiar with PC but i would want to run the tcpdump equiv for powershell ect. I am just not familiar enough to know wheere files/daemons/ect are and how to diagnose it. Even if I would never reuse this HD, I would like to verify what happened. For me it would be i guess the same result but it would be better to know: if the computer was likely running malware or certainly running malware.

in terms of actual actionable steps, they would really be the same fix. however, if i found active system processes sending data to random IPs, i would obviously excalate my concerns.

Who knows, man? If you aren't a Windows system administration/Windows internals wizard you can't really hope to untangle it all.
thanks. i am capable, but i don't want to "untangle" it. I would always treat that system as maliscious. I just want to know if i should confirm it was maliscious. I could, in fact, run some program diagnostics. The impediment is less technical skill than a cost/benefit of me taking her computer back and freaking her out more.
I don't understand the distinction you are making. If you are capable of identifying all the malicious software that's most of the way toward removing it.
I want to clarify, securing a system from this caliber of attack is fairly trivial:

* replace/reformat hardrive

* replace RAM sticks for good measure, as I have them already.

* config firewall

* put on standard windows security settings, remove remote access to computer, ect. lock it down.

* shes a grandmother. so essentially, just put a fuckton of addons on chrome and delete/hide other browsers. highest chrome security settings, httpseverywhere, adblock plus(not putting uBlock on, consider target user), ghostery, ect.

* explain some high level steps to her about protecting herself, all popups are scams ect

* if possible block incoming calls from 800, 900, international, and business numbers. Possible, but could impact her UX of life.

* tell her to call me if she has questions first before doing anything.

HOWEVER. A confirmation of malware would mean that the attack vector changes significantly. If a confirmation they actually actively did data harvesting or otherwise intend to go after her and her son's IDs or financials. I would escalate. I have already:

* changed all card numbers, the router and ISPs passwords,

* placed notes of breach in all accounts, ect.

* confirmed no suspiscious activity on investments and also secured them to the best I could via that companies policy without needing a 3day verified letter to execute a transfer or change in postion of the portfolio.

* replaced debit cards

* reset investments login.

[ I am aware that allowing her to use the likely compromised hard drive is a risk. but, I believe that between the security measures I have taken and the holiday weekend, I have some time to consider how I fix the issue technically ]

But if I actually found proof of maliscious code, it wouldn't be likely they were going to continue scamming: it would be a near certainty.

if the attack vector becomes securing any hole in America's horrible financial system, I would have to also set up account/credit monitoring, consider a credit freeze and take further measures. These are things I would possibly do to some extent for myself if this was my own system/life.

however I am a technical user with a background in finance and tech, and I worked at a fintech startup where we were trying to sell to banks. So i am not an expert, but have MUCH more knowledge about the industry than the victim here. So I am doing cost/ben on how much I need to do here (also of my own time to some extent) to secure everything while still allowing her not to need to do 2 factor authentication and call her bank everytime she needs to buy groceries. She is 80, so for her demographic she is highly technical. Compared to even a 65 year old, she is certainly not and does not have the technical or peripheral knowledge to execute/do tasks we would consider basic:

* make a change from win 7 - win 10

* use a password manager not already set up in chrome

* understand seperation of technological concerns. for example, she didn't want to change to win 10 because her passwords are prefilled for her in Google Chrome, and the new operating system would require her to not have them. I am aware of how chrome accounts work, this is an example.

I don't think it is currently possible for a stick of ram to hold a virus. Where are you getting this info?
i am not a security professional and i am recalling what i have read before. as mentioned some malware targets the bootloader and is persistantly loaded at startup. i am not sure what is technically correct, so maybe someone will chime in, but i don't believe ram is typically cleared after shutdown. i think it is called memory only malware. either way, i have 2 comparible 4gb ram sticks and there is only one on the pc now. so i would simply swap it for newer sticks i have to get more ram if simply performance as the storage is HDD.
The bootloader resides in the hard drive so if the bootloader is infected, it will get transferred to ram at boot. Ram cannot contain a virus, you are wasting your time by replacing it.
If you don't do a complete wipe then this isn't fixing a one time security problem, it's fixing constant problems. Everything she ever does on that computer is now public for all intents and purposes. Unless she literally never does anything that you wouldn't feel comfortable doing in front of a malicious stranger then you HAVE to wipe it.
I feel really bad for you, and for her. Is there any chance she had a document (government application, tax forms etc) with social on there? Did she store anything online in dropbox and google drive and were those passwords stored?

I would do the following:

-- Cancel all credit cards

-- Change all bank accounts

-- Put a credit lock on her social security number

-- Change all passwords, prioritizing any kind of banking software or software with access to wires and accounts

-- Change all the email and online files

After doing that you can file a few forms with the local police and this federal ID theft site.

Then when the credit people start calling in a few months (hopefully the credit lock will prevent this), you can present the information.

yes. She is not my grandma, very close family friend. Her son is my fathers very good friend. I edited above, but there is a folder called [ his name ] which was on desktop. she can't recall if it is usually there but had full credit report and also several job apps, sales agreements, and other fin data. he now runs branch of a financial firm, so he is concerned. Some files were in formats I didn't have ability to read(not nefarious just some older microsoft format or something) and I didn't want to go his full private data, but needless to say, I personally would be super uncomfortable if I knew they took this data, if it was my data, i would be concerned.

edit: also, thanks for the compassion, cheers. ;)

After doing this, on the technical side:

1. Disconnect the hard disk, and image it using a clean host machine. Since the attackers had full admin-access, you'll want an image in case they deleted anything (and to perform forensics if you care).

2. Wipe the hard disk and re-install Windows 10, there is no other best practice here. As others have said, there are too many places to hide trojans and malware, and all bets are off now that the machine was compromised.

hahah thanks. It's funny, i look at it the same way. I am fairly technical. I feel confident I could fix the issue technically(install new reformatted HD & RAM, security programs, ect) but I am more concerned with:

* Was this the whole attack? Or was this stage 1, and they are going to sell/use data for identity theft.

* Use contacts info to try and scam friends/family

* Worth reporting to build narrative for the future if needed to prove identity theft leter?

* What a 'typical' scammer business model is

* If there is a simple way to check if they have active malware installed.

I could never be comfortable with the old hardware, but I would suggest credit monitoring ect if I could verify 100% they either downloaded all the data or backdoored it. I could do this on mac/linux and probably figure it out on windows, i just don't want to freak her out. Do you think it is worth trying to tcpdump and look at the sys logs and stuff and trying to diagnose that they did more than just scam? If I knew they did, I would get lifelock for her or something, but when the friendly support rep(the hacker) told her there were 26 hackers currently on her computer and he was fixing it for her, she was obviously super concerned.

You can always re-use the hard-drive after you've created an image of it - but the image gives everyone peace of mind if you ever need to recover/investigate something after the hard-drive is wiped.

This way you can also put the image on a flash drive or Blu-Ray so you don't have to keep physical possession of hard drive/data which sounds like it is important.

I believe tcpdump only helps you if the attack is ongoing, since this is after-the-fact, having an image you can analyze later is probably your best bet.

yeah that was my thought. I don't have a sata, but I do have a compatible HD with a windows install laying around, so I put as much of her data as I could into the cloud and maxed out a MS OneCloud 5gb for backup, then swapped drives. she couldn't handles the windows 10 upgrade, so I had to swap back, but I was thinking that keeping the drive as a backup/diagnostics would be best bet.

Also, I wanted to replace the ram chips incase they persisted malware to them, but I was holding off to see how serious everyone on here thought it was. What is the windows equiv of stuff like:

    $ tcpdump
    $ ps aux
ect. and the system level process directories like

    /Library/PrivilegedHelperTools
    /Library/LaunchDaemons
ect. I guess, i'll just take a peak now. It would be worth spending an hour or so if I could know without a reasonable doubt that they did install malware. If I can't find something obvious, I'll still do clean install.
Definitely no need to replace RAM. Reading cold RAM chips is a valid attack, but it doesn't apply in your case. :)
Oh yeah, and email her friends and family asking them not to wire money to her in Ireland when the scammer claims she has gone on a trip there and has fallen ill in a few months.
Typo in title: assess :)
Some links, from HN. None were particuarly helpful. But if anyone finds this later in the same situation, I will try and make it a bit easier for them as this sucks.

1. What to do about ID theft (2 comments / 2009) 2. MS Phone scam(1c, 2014, not very useful) 3. Phone Scammers(3c, 2013) 4. Guardian link about Indian callcenters/phone scamming(0c, article)

1. https://news.ycombinator.com/item?id=695415 2. https://news.ycombinator.com/item?id=9241168 3. https://news.ycombinator.com/item?id=8136782 4. http://www.guardian.co.uk/world/2010/jul/18/phone-scam-india...

edit: will add more useful info, as I find them

https://news.ycombinator.com/item?id=7868166

A link to a BBC Radio programme that contains a bit about a woman who responded to telephone scammers. She lost £15,000.

oh man. That is terrible but helpful. That is similar to what happened and it was ($260 CAD, but we are US based), so it sounds like this is ongoing, and exactly what i wanted to know. They will likely call again to retarget her as it was successful the first time.
Get Grandma a Chromebook.

It won't stop 100% of all scams, but it does eliminate a whole class of malware.

I converted my 88-year-old father to Chromebooks 3 years ago. He loves it, and my support calls have tapered off :-)

Wiping the hard drive is pretty good, but I wouldn't even trust that. It's possible to hide malicious code in many other places which would survive a wipe of the HDD. I've heard of malware which can be installed into the graphics card firmware, or the BIOS, and I imagine that anywhere else which can be written to is a possible location to hide.

Personally, I'd chuck the computer away and buy a new one, but I'm paranoid.

Back in Win XP days, I caught a nasty virus that installed itself in the master boot record of the hard drive. I formatted the partition, reinstalled everything, and the damn thing kept coming back. Paranoia made me switch to Linux for a while after that.
Is it possible that an OS could be the one loading Linux, and thus would effect your Linux instance?

edit: I used to get really paranoid after using Windows for an extended period of time. Still do sometimes, but learned to live with it. I feel like I have no control over what services are listening on 0.0.0.0, the firewall is completely unusable compared to iptables.

Vonklaus - the link you posted with the details is coming up with errors in viewing for me, FYI.

Technically, you've clearly got an understanding of the fix, so I won't waste a lot of time on that. I wanted to speak to the rest though, as I've had personal experience with identity theft in the past few years. Really, anyone should just operate from the assumption that their SSN is compromised. Too many places have used them and too many places either don't even realize when they've been hacked or hide that fact when it's discovered. Her son should do the stuff written below whether they actually got his info from that folder or not. (Also, they did freeze the payment they made to the scammers, right?)

First off, do check if your local police have a place to file a report online. My local police dept. has a website where you can report identity theft and immediately get a report number and printout. If someone uses their information to file a fraudulent tax return, they'll need that report as part of their package to substantiate the issue to the IRS. If you want to do IC3, too, that's fine--but get the traditional police report (and don't wait until some problem comes up as a result of the breach). It is a good idea to build a narrative with corroborating evidence--the IRS was apologetic to me, but having a evidence of a reported incident and efforts to follow up is a nice preventive to potential pushback at a later date from a private entity that wasn't careful.

I'd also recommend filing a tax return early, as soon as they receive their W2. Fraudsters try to get their fake returns in before the legitimate one, because the IRS will issue their refund without questions unless you've already filed.

Getting access changed for all of their accounts is a first step, but I would recommend also getting 2-factor set up for any account it's available for. 2-factor makes any future breaches that much easier to mitigate. Additionally, they should check any account settings for additional recovery emails or in email accounts settings for any forwarding addresses added to the account. All the remediations in the world don't help much if they can still trigger a change in a few months by getting the password reset sent to fuckingscammers@dickheads.com. This should additionally include making sure that anyone they have an account with has a fraud notice and ID check that doesn't rely on information in their credit report. For instance, my security question answer to "What is your mother's maiden name?" is to the effect of "a(DH?BMBNOrcumb#72tT". Use a password manager to keep those straight (I just keep them in the Notes field and cut and paste as necessary).

The son should have a fraud freeze with the credit agencies, so that they can't use the experian report to create new accounts, and he should make sure he's changed his passwords (if there was a folder of his on the computer with his job search files, it is also likely he's used it for browsing and there could have been passwords saved somewhere). I'm not sure what his concern is professionally, but he could contact his company's information security office about potential safeguards.

I've had no other identity theft issues from my information being out there aside from the fraudulent tax return, which makes sense. The IRS cut the douches a check for $8582, which, had they not fat-fingered the 16-digit prepaid Visa card number they tried to have it deposited onto, would have been a much more lucrative payoff than trying to run a couple of fraudulent credit card charges that Visa would quickly flag. Once you've triaged actual account access, keeping the credit agencies locked down is really the main thing to keep an eye on, since that would flag any attempt to use the information further. They should be reasonably vigilant, but my experience has not been that this was an apocalyptic meltdown of my financial identit...

thank you for posting this.

i realized this earlier in the day, your comment only became visible to me in the last 10 mins pr so. i noticed replies ceased several hours ago and emailed HN support.

the link had been flagged by several users and was restored by dang a few minutes ago. i dont have infor but i assume it was the horrible title which i submitted after charring out on mobile 3 or 4 times, amd i didnt want to rewrite/lost the original post which has since been restrictured.

thanks again dang, and also i appreciate this write up as there wasn't much on HN about dealing with this. it ia clearly written up exatensively in the media but there is so much spam and incorrect info i looked here for better reaources and experiences like yours as there are technical, financial and privacy considerations and as any good security professional knows, missing even one thing can have huge consequences.

You're definitely welcome. My folks have been through this recently, as well. Smart practices like using a password manager to segregate all accounts with different passwords can help to protect ourselves from poor security practices by other parties, like banks or vendors, and making sure they never link a bank account directly to a pay vendor rather than a credit or debit card (looking at you, Venmo). The main thing for the folks you're working with (aside from dipping that hard drive in bleach) is to protect access to their existing asset accounts and then keep a fraud alert on their credit. I think leaving those avenues of attack open is where the identity theft horror stories come from (or just basic overtrustfulness from people like the women in the BCC article below), so closing those off is a good idea even if you don't know there has specifically been a breach.

On a side note, the amusing part about having my identity stolen is that identity management at the enterprise level is what I do professionally, so I am well aware of the flaws in identity management that make id theft exploitable and now have a really good story to drag out when someone gives me pushback. Also, when the IRS guy was apologizing to me about all the inconvenience, I stopped him and said "don't apologize, I think this is hilarious. I have his refund check, he'll never get it, and I know he's trying to find out what happened because every time he pretends to be me and files an inquiry with you guys, the IRS response letter gets sent to my address since that's what's on the return. I'm probably the only person in America who laughs maniacally when I see a letter from the IRS in my mailbox."

For those who are so inclined, I found the approach the guy in this article took to be pretty intriguing, and have a to-do project of figuring out how to do this in a virtual machine:

http://www.computerworld.com/article/3030216/windows-pcs/fed...

For incident analysis, I would clone the drive and obtain a list of files created or modified in 24 hours. I would do this under my Linux recovery environment. I would also undelete all files. One of those files will likely be the log of file transfers that happened using commercially available remote support software. Logmein and Citrix may have additional logs available if you are ever able to find the right person.

Cached website is likely recoverable from the disk image. I used that technique a few times to get into some clients' accounts with their consent.

Anyway, assume total compromise and apply nuclear option. It is possible to track down the perpetrators because they use toll free numbers.

this is helpful. there was a total dump of Chrome on the desktop, which I thought was pretty bad, but if i understand correctly what youve said, that would indicate an attempt to get the accounts right there.

Either way, for sure has to be totally reformatted, super shitty thing to do to someone. there is being a skilled hacker and social engineer and then there is scamming an old lady. thanks for info.

This is the reason I feel chromebooks are the way to go.