Scammer logged into machine unassisted

mwc104

Prominent
Mar 27, 2017
4
0
510
0
I have an elderly client who has had someone hi-jack her PC twice now. They will call her saying they are from MS and then begin messing around on her PC. I asked her if they call first and then walk her through a process to get them connected? She said she did not do that either time.

After the first incident roughly 2 months ago, I had her bring me the laptop and I scanned and cleaned it with everything available (hitman, malwarebytes, avg on boot, combofix, adwcleaner, etc....). The machine worked great and no signs of lingering infections. Well, she calls me a couple days ago saying she got hi-jacked again! I asked what happened and apparently said they were from MS again and they were right back on her PC without any assistance from her. I'm not quite sure how they are getting on without her assistance and even after I cleaned everything up. That's how the scams usually work is they call saying they are from MS and the machine is infected and they need the customer to help connect them.

Does anyone know if it's possible that they could have changed something in the router or modem to allow them access to machines on their network? I have not had a chance to go to the woman's house, but after having cleaned that machine and finding no traces anywhere where they could use to remote into her machine, I'm kind of lost. I was going to do a file backup and factory restore but I'm afraid it will keep happening. I kind of feel like I'm not getting the whole story from her...

*The only other thing I can think of is possibly she is typing in a wrong address to a website and it runs a script that connects the scammer. She has said she broke her wrist a long time ago and has troubles carrying things...maybe it affects her typing too...?? It's just strange that they can connect without her help and then call her as soon as they get on...
 

James Mason

Honorable
Jan 2, 2014
106
0
10,710
25
Ehhh, If you can, I would backup any pictures/documents she has on there, and just wipe the hard drive and reinstall windows.
Get her a good AV, turn on the firewall, get her an adblocker (and maybe install FF and Chrome and install adblockers onto it already), disable the Microsoft Remote Assistance thing (which could be how they get in), disable remote desktop as well. Also disable any built in admin/guest accounts.

If you REALLY want to be sure, get a new HDD as well.

If she doesn't have a password to login to windows, that might make it easy for them to get in.
Grandma emails are a deadly thing, and those ISP email boxes (that she probably uses) aren't protected at all really.
 

mwc104

Prominent
Mar 27, 2017
4
0
510
0


I have it installed on her Chrome browser. That is her default browser she likes to use. I told her after the first time if they did it again, to go over to the router and remove the power cord and bring me the laptop so I can see what they were in the middle of doing, but she didn't listen apparently XD
 

mwc104

Prominent
Mar 27, 2017
4
0
510
0


Disabling all the remote assistance features was the first thing I did when I worked on it last time. Also, her account is the only account on the machine. Nothing listed under computer management Local Users other than the Administrator account which is hidden/inactive and her account. Her firewall didn't have anything out of the ordinary allowed. No special DNS addresses on the TCP/IPv4 or 6....

It's just strange to me how they are getting in. It's like, she has to be doing something to get them on and either doesn't realize it or isn't telling me. I was just curious if it were possible to put something into the router to allow them on. She said she has a buffalo router.

It's also a bit weird that they connect and then call vs call and try to get her to connect them. It's like they have her IP and telephone recorded down and are going to keep trying to get money out of her.
 

jaslion

Honorable
Dec 17, 2012
529
1
11,210
114


One thing that may be happening is that they are hard bashing the router to get in. Does she have adsl or vdsl internet? If so a scammer can connect through a call to the router. Then discover this and try to forcefully get through it.
 

mwc104

Prominent
Mar 27, 2017
4
0
510
0


Actually, yes. They are on a local telephone companies DSL service...

What's the solution to preventing this? I thought about calling the provider and asking them to give her a new IP (if they can) and then resetting her modem and router and then setting up all the security with different passwords.
 

mdd1963

Distinguished
folks will very rarely ever admit to allowing access to scammers...

As though it's believable that they just magically connected while talking to said scammer on the phone....

CLient is 'mistaken'; they darn well granted full access...

Nuke and pave, and be done with it....
 
Thread starter Similar threads Forum Replies Date
SHIRO-XIV Antivirus / Security / Privacy 1
G Antivirus / Security / Privacy 3
C Antivirus / Security / Privacy 3
F Antivirus / Security / Privacy 1
C Antivirus / Security / Privacy 1
C Antivirus / Security / Privacy 5
G Antivirus / Security / Privacy 1
F Antivirus / Security / Privacy 2
D Antivirus / Security / Privacy 2
H Antivirus / Security / Privacy 3
D Antivirus / Security / Privacy 4
C Antivirus / Security / Privacy 3
G Antivirus / Security / Privacy 8
sfootie Antivirus / Security / Privacy 1
M Antivirus / Security / Privacy 6
T Antivirus / Security / Privacy 3
Gamersam2012 Antivirus / Security / Privacy 4
T Antivirus / Security / Privacy 1
H Antivirus / Security / Privacy 10
A Antivirus / Security / Privacy 4

ASK THE COMMUNITY