Ask Slashdot: Rescuing a PC That's Been Hit By Scammers?

New submitter malcus writes "My father was hit by scammers the other day and even though he has handed over all computer service tasks to me they were able to sweet-talk him into: (1) Running some 'checks' to confirm the 'grave situation' that his computer was heading for (bad). (2) Start some remote-control program (worse). (3) Giving them his social security number (terrible). When they asked him for his credit card information he stopped and is now probably expecting them to call again. Meanwhile I have told him to dump the computer in holy-water or aqua regis and cut the internet cable. I am heading over to his place later and wonder what measures I should take."

Wipe and reinstall.

[Gordonjcp]

Same as for any other compromised machine.

oddly enough

[alphatel]

I had a client do this to his machine. He called an 800 number thinking they were the Yahoo help desk and they performed a similar routine. Oddly enough, they left no traces of their activity and there is no reasonable way to tell if there is an inactive trojan waiting to be launched in the future. Best bet is to copy off the data, wipe, reinstall OS.

Re:Back it up and nuke it! Then scan the backup.

[vlm]

Given the price of drives and the rate of change, you're better off just buying a new $50 drive and upgrading him. Then take the old drive, stick it in an external enclosure, and play around with it on a linux host. Unless his old PC is so old it can't be easily upgraded. Can you still buy PATA from retail stores or is it all SATA now, for example?

Re:Just the obvious

[RivenAleem]

The 'hurt' caused by the loss of data might also shock him up enough to be more careful.

obvious

[slashmydots]

Combofix, believe it or not, specializes in removing all forms of remote control software. Most people don't know that. In fact, it will even destroy gotomeeting related files whether you want it to or not :-P Also, any system setting viewer like even the ancient HijackThis will list all LSP and protocol changes and all startup entries and all browser plugins. Just get rid of anything you can't identify or that google says is a remote control viewer. If malware scanners can't pick up anything bad, a system restore will definitely destroy any legitimate remote control software so between the two, you should disable any control they had.

So, reset all passwords for all significant accounts, add a fraud alert to his credit report or add a third party lockdown solution like Lifelock (even though I hate them) and you should be set.

Re:Just the obvious

[Lord+Lode]

Yes, but make sure you back up any photos and other irreplaceable bits of information first!

Do not back up anything that's executable though.

Re:Just the obvious

[RogueyWon]

That's definitely the first thing he needs to do, but there's more besides:

1) Change all passwords. Either do it from a different PC or from that PC AFTER it has been wiped and confirmed clean.

2) Get a few credit checks over the next few months. Depending on how much information the father has actually given away (and it may be more than he's willing to admit), he may have given the scammers enough to do a thorough identity theft job on him. Picking up any attempts at this as early as possible will be important.

3) Some urgent parental re-education. Using a stout stick if necessary.

Oh, and when going to do the disinfection, if you're taking a personal machine with you, make damned sure before you go that it is NOT set to automatically connect to wireless networks. I got stung with this one a few weeks ago when disinfecting an uncle's PC.

He'd picked up one of those ransomware fake-AV trojans that basically renders Windows unusable. I'd figured it was going to be a wipe-and-reinstall job (which indeed it was), but had taken an old laptop with me in case I needed a "clean" PC for anything. This laptop had been my secondary PC until I replaced it with an iPad and I was going to use my trip "up north" as an opportunity to hand it over to the parents, who would make more use of it than I would. It'd just been flattened itself and had a fresh (though updated) Vista install on it. It also has a network share on it, that I'd used to copy a few drivers and other files over from my desktop to save redownloading them.

Anyway, like a fool I boot the thing up as soon as I get in there, forgetting two important things:

1) The laptop will default to connecting to any wireless network it can find and get onto; and

2) My uncle, being a complete idiot, has an unsecured wireless network.

So the laptop connects immediately to his wireless network - and gets infected within seconds by the trojan on his PC via the open network share. Fortunately, I had the Vista disc with me to do an immediate wipe and reinstall on the laptop as well, but it was still frustrating.

Re:Just the obvious

[Adriax]

Yank the HD.
Slave it to another machine.
Save what you need to.
Format it.
Toss it back into the original machine.
If he can handle it, install your favorite flavor of linux. If not, reinstall windows.
Make sure his account lacks the privileges to get into that much trouble in the future.
Start researching identity theft countermeasures.

Victims are stuck cleaning up the mess.

What many of these scammers do is surf the hardrive for login information for financial institutions, bank and credti card numbers, and anything else they can get to commit financial fraud.

Call and write letters to the credit bureaus, your banks, and every other financial institution one does business with.

And keep a sharp eye out for shenanigans and don't pay any bill that's not yours.

File a police report. The cops won't do anything, but at least you'll have something to fax the debt collectors who may be calling.

It sucks but it's up to the victim to clear their name as best as they can.

The banks and other financial institutions just write off any losses and pass on the costs to the rest of us in the form of higher and more fees.

The other thing they do with the information is create phoney IDs for illegals, get medical care for folks who can't pay, and various other things that require an ID - all in the victim's name and SSN. Folks have been arrested in the past because of someone else using their identity to commit a crime, the warrant goes out, and then the victim gets their lciense plate scanned by a cop, pulled over and taken to jail.

Have fun with that.

Re:Just the obvious

[Joce640k]

Bow your head and type "Format C:" Amen.

Even better ... make him buy a new hard disk, that way you can be sure that:
a) He spends some money (more likely to pay attention in the future).
b) You didn't lose any data files - they're all on the old disk somewhere.

Re:Just the obvious

[ArsenneLupin]

Family members won't let family members use windows...

Re:Just the obvious

[RogueyWon]

The permissions on the share were read/write (though not for the whole of drive c). And it was basically a fresh Vista install that I'd run windows update on, but not been as thorough about as I should have been. My own fault, but that doesn't make it any less frustrating. Some of the ransomware stuff doing the rounds at the moment is absolutely vicious in how it will spread itself and protect itself from removal.

credit freeze

I can't believe no one has recommended a credit freeze:
http://en.wikipedia.org/wiki/Credit_freeze

gave them his ssn?

[v1]

really? And you're worried primarily about the state of his computer?

He should be spending some time on the phone with his credit card companies making sure any security features they offer are fully activated, such as enhanced (not easily guessed based on what was on his computer) security questions, subscribing to a few years of identity theft watch, schedule regular pulls of his credit report watching for new plastic, checking accounts, and loans in his name, etc. The ssn by itself has some limits on abuse, but combined with the information on the hard drive (mother's maiden name, address, workplace, etc) it greatly magnifies the risk because it's going to allow additional verification of identity that a lot of places require.

After that, get him a book or something on how to be less of a sucker on the internet and in the world in general, or he'll just do it to himself again.

This could hound him for years to come. Make sure he understands that. If someone DOES manage to take out say, a loan or a card on his ssn, he needs to deal with it swiftly and decisively. Banks and similar organizations are notorious for not wanting to be the fall guy in cases like this, and will often try very hard to stick your dad with some or all of the bill. Don't be terribly surprised if something requires a lawyer to fix or clear off his record.

MS says reinstall

[InvisiBill]

According to Microsoft's 10 Immutable Laws of Security, "it's not your computer anymore" and you need to revert to a known-good state. This generally translates into a complete restore from backups or a reinstall. If you have a spare drive, it's probably easiest to just save an entire image of the bad drive (just to make sure you don't lose anything) and do a complete wipe. You can recover any needed data from the backup image (just be careful not to actually run any apps from that backup). A current AV installed on the fresh rebuild may be able to help remove some of the junk from the backup image as well, just make sure it doesn't accidentally "clean up" anything important. That should fix the PC itself, but there are other things you may want to consider as well (as suggested by others here).

Your dad may need some training/assistance regarding finances and private info. You'll want to reset any accounts that were accessed via the tainted PC (and any others you think could have been compromised by the infected PC). If he doesn't specifically need Windows, changing to Ubuntu or similar can inherently stop Windows-specific malware (including crap from well-meaning but incompetent remote techs, e.g. unnecessary software from the ISP). I set a previous girlfriend up with a laptop running Ubuntu, and was able to find Linux versions of pretty much any app she needed for what she wanted to do (web browser, office suite, iPod software, etc.). Linux may not do everything he needs, and it won't stop phone-based social engineering, but it can go a long way to help against malware.

Re:Just the obvious

[johnw]

I did much the same for my father. He was continually getting his Windows PC totally overloaded with malware (possibly assisted by grandsons from another branch of the family who liked to play on it).

After recovering it a couple of times I simply scrubbed it and installed Debian. It does everything he needs and has reduced the support calls to pretty much nothing.

He is quite unaware of what operating system he is using - he just needs to be able to access the web, read his e-mails and write some letters.

Yes, the computer is the smallest problem

[daemonenwind]

After you call your bank (including any banks you have loans/credit cards/ with) and let them know what happened, do this:
(stolen shamelessly from usbank's website)
1.Call the major credit bureaus:
Equifax: 800-525-6285 or equifax.com
Experian: 888-397-3742 or experian.com
TransUnion: 800-680-7289 or transunion.com
First, ask that they place a “fraud alert” on your credit file. A fraud alert prevents creditors from changing your accounts – or opening new ones in your name – without proper verification. Then, request a free copy of your credit report. If you see any additional signs of fraud, notify the credit bureau and the creditors whose accounts are affected. After the disputed transactions are resolved, request another copy of your credit report to make sure your file has been updated.

2.Call your other creditors – including your phone and utility companies – and let them know that you’ve been a victim of fraud. Close any accounts that may have been compromised. As a precaution, consider resetting all of your passwords.
3.Inform check security companies about the fraud:
National Check Fraud Center 843-571-2153
SCAN 800-262-7771
TeleCheck 800-710-9898
CrossCheck 707-586-0551
Equifax Check Systems 800-437-5120
International Check Services 800-526-5380
Chexsystems 800-428-9623
CheckRite 800-466-2748

4.File a police report if you think your personal information (driver’s license, address) has been compromised or stolen.

5.Call the Federal Trade Commission (FTC) identity theft hotline at 877-438-4338, or file your complaint online at ftc.gov.

6.Be vigilant, patient and persistent. It can take weeks — or even months — to resolve identity theft. Keep a close eye on all of your statements, review your credit reports regularly, and immediately report any discrepancies.

Why so paranoid? Because with nothing more than your SSN and Address, the bad guys can see your free credit report and know about *every line of credit you have*.

The race is on; here comes Pride in the back stretch.