Slashdot Mirror
Ask Slashdot: Rescuing a PC That's Been Hit By Scammers?
New submitter malcus writes "My father was hit by scammers the other day and even though he has handed over all computer service tasks to me they were able to sweet-talk him into: (1) Running some 'checks' to confirm the 'grave situation' that his computer was heading for (bad). (2) Start some remote-control program (worse). (3) Giving them his social security number (terrible). When they asked him for his credit card information he stopped and is now probably expecting them to call again. Meanwhile I have told him to dump the computer in holy-water or aqua regis and cut the internet cable. I am heading over to his place later and wonder what measures I should take."
Bow your head and type "Format C:" Amen.
Please do not read this sig. Thank you.
Same as for any other compromised machine.
What operating system? Also check what programs were run...and prepare for worst case: Reinstall.
Install a VM with a godawfully infected version of Windows 98 on it and turn them loose on it... for the lulz.
I had a client do this to his machine. He called an 800 number thinking they were the Yahoo help desk and they performed a similar routine. Oddly enough, they left no traces of their activity and there is no reasonable way to tell if there is an inactive trojan waiting to be launched in the future. Best bet is to copy off the data, wipe, reinstall OS.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
This is why you have backups. Reinstall the OS, restore your backups and do not give him an administrator account this time.
Get him to change all of his passwords, especially banking passwords. Preferably from a network that hasn't seen the computer in question (and of course not on that machine). You know that they've executed foreign code, you have to assume that the machine is pretty much forever compromised.
Back up all the data and then re-install the OS from scratch. Before restoring the data, do a thorough threat scan on it, to make sure there are no nasties lurking in there. If the machine has been rooted, then you simply can't guarantee that anything else you do to clean it up will get rid of all threats. Hope that helps! (I missed a chance there to evangelise on Linux!)
In addition to the wipe and install suggested over 9000 times, your father needs a good talking-to.
It's the only way to be sure.
Everybody's going to tell you the obvious right answer. You wipe the box and start over with a clean install, fully patched, with a firewall and AV. Anything less is really just asking for whatever happens next.
Subsequent to that, you need to have a serious talk with your dad about sharing control over his finances with someone trustworthy (you, maybe). If he's handing out his social security number to any random nutjob who calls him, he's going to give away his life savings to some scammer someday. The time to prevent that is now, not later. I am seriously planning to do that myself, that is put something in place so that when (not if) I'm no longer competent to handle my own affairs, my kids will have the legal ability to seamlessly keep me from bankrupting myself. I have decades before this needs to happen, but the time to do it is when you are of sound, not failing, mind.
I'd also look into putting a fraud warning on his credit report with all three credit bureaus. I'm not going to pretend that's something I know much about, so research it and confirm for yourself what good it will do and what harm before you act. I do think you want to limit the ability of any random goofball who knows your dad's SSN and name from opening credit in his name.
What else were you expecting?
Probably, "as of August 2012 the best forensic analysis boot disk/usb image is ..." and the URL of a web page at SS.gov or maybe some consumer organization most likely titled something like "Your SS number is now public knowledge... what should you do now?"
Some anecdotes of what someone has RECENTLY found in a forensic analysis of something owned like this might be interesting, although not terribly useful.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Disconnect the PC from the internet, so it's only useful for Word/Excel and maybe Turbotax.
Get him an iPad for day-to-day web surfing.
Unless he's a real gamer or his bank is from the 19th century, this should solve most of his problems.
As someone who does forensic analysis, no, the thing you want to do is not tell an untrained amateur how to try to do it, point them at tools, and hope for the best. It's actually time consuming and can be hard. By far the simplest solution is wipe and reinstall. If you want an actual forensic analysis done, unplug the network cable, step away and DO NOT TOUCH THE BOX AGAIN! Then call a pro.
Combofix, believe it or not, specializes in removing all forms of remote control software. Most people don't know that. In fact, it will even destroy gotomeeting related files whether you want it to or not :-P Also, any system setting viewer like even the ancient HijackThis will list all LSP and protocol changes and all startup entries and all browser plugins. Just get rid of anything you can't identify or that google says is a remote control viewer. If malware scanners can't pick up anything bad, a system restore will definitely destroy any legitimate remote control software so between the two, you should disable any control they had.
So, reset all passwords for all significant accounts, add a fraud alert to his credit report or add a third party lockdown solution like Lifelock (even though I hate them) and you should be set.
Do you think your father could do everything he needs by using desktop Linux? If so, you could consider switching him to Ubuntu or some other distro. This could be a good turning point as you need to wipe the machine anyway.
Failing that, you need to treat the entire system as compromised, because it probably is. Do the following:
Bring a Linux live CD and an external hard drive. Boot ONLY into Linux, copy necessary files (documents, photos) over to the external hard drive.
Wipe the computer and reinstall everything from scratch. EVERYTHING. DBAN is your friend here. In fact, if he needs a bigger hard drive anyways, do that - just get a completely new hard drive.
Restore his data files from the backup you just made.
Yes, it's a pain, but at this point the system could contain something that anything short of this wouldn't clear out. (In fact, it's *possible* for malware to make it through even that, but AFAIK those are still just research demos, not in the wild).
One could think that hiring another father is a bit overkill solution...
What many of these scammers do is surf the hardrive for login information for financial institutions, bank and credti card numbers, and anything else they can get to commit financial fraud.
Call and write letters to the credit bureaus, your banks, and every other financial institution one does business with.
And keep a sharp eye out for shenanigans and don't pay any bill that's not yours.
File a police report. The cops won't do anything, but at least you'll have something to fax the debt collectors who may be calling.
It sucks but it's up to the victim to clear their name as best as they can.
The banks and other financial institutions just write off any losses and pass on the costs to the rest of us in the form of higher and more fees.
The other thing they do with the information is create phoney IDs for illegals, get medical care for folks who can't pay, and various other things that require an ID - all in the victim's name and SSN. Folks have been arrested in the past because of someone else using their identity to commit a crime, the warrant goes out, and then the victim gets their lciense plate scanned by a cop, pulled over and taken to jail.
Have fun with that.
Why do people think that?
Because many, many, many organizations treat it exactly like it's a password. You are very right that it should NEVER be treated as an authenticator. You are very wrong that it ISN'T treated as exactly that.
http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline Download it on another machine, boot with it and clean up the mess. I will recommend installing the free Microsoft Security Essentials, and avoid using administrative login. Also not using any browser plugins will help as well.
I can't believe no one has recommended a credit freeze:
http://en.wikipedia.org/wiki/Credit_freeze
really? And you're worried primarily about the state of his computer?
He should be spending some time on the phone with his credit card companies making sure any security features they offer are fully activated, such as enhanced (not easily guessed based on what was on his computer) security questions, subscribing to a few years of identity theft watch, schedule regular pulls of his credit report watching for new plastic, checking accounts, and loans in his name, etc. The ssn by itself has some limits on abuse, but combined with the information on the hard drive (mother's maiden name, address, workplace, etc) it greatly magnifies the risk because it's going to allow additional verification of identity that a lot of places require.
After that, get him a book or something on how to be less of a sucker on the internet and in the world in general, or he'll just do it to himself again.
This could hound him for years to come. Make sure he understands that. If someone DOES manage to take out say, a loan or a card on his ssn, he needs to deal with it swiftly and decisively. Banks and similar organizations are notorious for not wanting to be the fall guy in cases like this, and will often try very hard to stick your dad with some or all of the bill. Don't be terribly surprised if something requires a lawyer to fix or clear off his record.
I work for the Department of Redundancy Department.
forgot to add these notes: install an anti-virus that does boot-time scans, like Avast. It will put itself BEFORE the bootloader for Windows, ergo scan files before they could be loaded into memory and hide themselves easier. Of course, if the AV gets compromised it wouldn't help, but keeping it updated should make it much less likely. A FULLY patched Windows 7 machine is a tough freaking nut to crack (coming again from that experience with the DoD in the above post). Of course, get one update behind and it can be devastating. It is not likely that some ordinary scammers will have serious 0day exploits. But then you're in God's hands if that happens. Also regular backups help, but I know that can be difficult with non-technical people. If he's willing, get him an external drive for backups and tell him to just plug it in at a scheduled time (like saturday mornings?) and to unplug it at the end of the day. Unless it gets infected while the backup drive is attached, could help save a lot of trouble. The Win7 backup feature is pretty good. Not the best, but good. Last item: I realize I've been talking about Win7 a lot, but the same applies to pretty much all OSs. However, if he is on XP then I'd get him off of it, as it has reached end of life support for consumers unless they purchased an extended contract with microsoft (which I don't even know if they sell to non-businesses). NOTE: the above post is mine, I wasn't thinking to log in when I made it as it is early morning here and I need some coffee. It was supposed to be a day off from this kind of stuff haha
The man who cannot imagine a horse galloping on a tomato is an idiot - Andre Breton
According to Microsoft's 10 Immutable Laws of Security, "it's not your computer anymore" and you need to revert to a known-good state. This generally translates into a complete restore from backups or a reinstall. If you have a spare drive, it's probably easiest to just save an entire image of the bad drive (just to make sure you don't lose anything) and do a complete wipe. You can recover any needed data from the backup image (just be careful not to actually run any apps from that backup). A current AV installed on the fresh rebuild may be able to help remove some of the junk from the backup image as well, just make sure it doesn't accidentally "clean up" anything important. That should fix the PC itself, but there are other things you may want to consider as well (as suggested by others here).
Your dad may need some training/assistance regarding finances and private info. You'll want to reset any accounts that were accessed via the tainted PC (and any others you think could have been compromised by the infected PC). If he doesn't specifically need Windows, changing to Ubuntu or similar can inherently stop Windows-specific malware (including crap from well-meaning but incompetent remote techs, e.g. unnecessary software from the ISP). I set a previous girlfriend up with a laptop running Ubuntu, and was able to find Linux versions of pretty much any app she needed for what she wanted to do (web browser, office suite, iPod software, etc.). Linux may not do everything he needs, and it won't stop phone-based social engineering, but it can go a long way to help against malware.
Why is giving out his SS number such an awfuly bad thing? From what I've read, it's no secret, but rather the contrary. It's just misassumed that the SS number should be secret.
I really enjoy my Zorin Linux distribution. It's so Window-like that there's almost no cognitive friction in switching. Comes with Wine pre-installed too, if for some reason, running a windows app is absolutely necessary.
Please do not read this sig. Thank you.
IMO the bigger problem is the social security number. He needs to setup fraud alerts with the credit reporting agencies. http://www.usatoday.com/money/perfi/columnist/block/2005-03-28-ym_x.htm They have links to do it for each of them.
A hacker (or spammer) with access to the PC is probably only a minor inconvenience in the scheme of life, identify theft could be devastating for years to come!
As far as the computer goes, many have already answered that a format and reinstall of the OS is a good cure, and really isn't very hard to do.
Here is an explanation of what to do if your SSN gets compromised, courtesy of the Federal Trade Commission.
WHOA WHOA Wrong Order....
....his insurance.... ...credit rating agencies... ...defensive strategies... ....
The blatant identity theft is a ticking time bomb that will not be easy or painless to redress (especially for someone who readily handed over an SSN for ANY reason)....
The computer can sit there (off) just fine while you stop the bleeding.
1. OBVIOUSLY keep computer not only offline but OFF & OFF-SITE (who knows what he might try to do with it).
2. HELP YOUR FATHER start protecting himself with his....
3. banks....
4.
5.
6.
30. THEN look into addressing the computer problems.
Car analogy:
"My father hit a tree at 50 miles an hour and appears to have a broken collarbone and a punctured lung.... I'm heading over to investigate... Does anyone know if I can use my own AAA membership to get the car towed or should I have my own mechanic work on repairing the vehicle's front end?"
yup.. Even on the XP to Ubuntu upgrades I do, the default Ubuntu sudo for the users account is removed.. In other words, they CANNOT do ANY root-ish thing.. yeah I know, a bit more work for me, which is why I have Teamviewer on each system AND a user account for me which has the sudo creds.. I determine when setting up the machine what things the user is most likely going to need that will trigger a gksu dialog and add the user to those groups, and pre-install most of the apps the user will need from the repositories.. So far has worked swimmingly..
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
Photos, unfortunately, have been used as re-infection vectors.
I imagine that passing a JPEG photo through jpegtran, a tool for lossless rotation, flipping, and remultiplexing of JPEG images, would strip out any format oddities through which a photo file can reinfect a computer. What viruses are you talking about that reinfect a host through JPEG images, and did the reinfection vectors survive jpegtran?
The one thing that's always worried me about saving off the personal data from a clueless victim's hosed Windows box: how do you know there isn't a compromised file in that herd - a malicious pdf labeled '2008 Federal Tax Return', or that jpeg called 'Family Reunion' is not quite what it appears? Scan it all yes, but still that nagging concern never quite goes away.
After you call your bank (including any banks you have loans/credit cards/ with) and let them know what happened, do this:
(stolen shamelessly from usbank's website)
1.Call the major credit bureaus:
Equifax: 800-525-6285 or equifax.com
Experian: 888-397-3742 or experian.com
TransUnion: 800-680-7289 or transunion.com
First, ask that they place a “fraud alert” on your credit file. A fraud alert prevents creditors from changing your accounts – or opening new ones in your name – without proper verification. Then, request a free copy of your credit report. If you see any additional signs of fraud, notify the credit bureau and the creditors whose accounts are affected. After the disputed transactions are resolved, request another copy of your credit report to make sure your file has been updated.
2.Call your other creditors – including your phone and utility companies – and let them know that you’ve been a victim of fraud. Close any accounts that may have been compromised. As a precaution, consider resetting all of your passwords.
3.Inform check security companies about the fraud:
National Check Fraud Center 843-571-2153
SCAN 800-262-7771
TeleCheck 800-710-9898
CrossCheck 707-586-0551
Equifax Check Systems 800-437-5120
International Check Services 800-526-5380
Chexsystems 800-428-9623
CheckRite 800-466-2748
4.File a police report if you think your personal information (driver’s license, address) has been compromised or stolen.
5.Call the Federal Trade Commission (FTC) identity theft hotline at 877-438-4338, or file your complaint online at ftc.gov.
6.Be vigilant, patient and persistent. It can take weeks — or even months — to resolve identity theft. Keep a close eye on all of your statements, review your credit reports regularly, and immediately report any discrepancies.
Why so paranoid? Because with nothing more than your SSN and Address, the bad guys can see your free credit report and know about *every line of credit you have*.
The race is on; here comes Pride in the back stretch.
How about establishing laws such that if some idiot bank gives credit to some random in my name, the default legal position is that the debt is invalid and does not attach to me merely by my denying I opened it. Require the issuer to have actual PROOF that the debt is mine before they can say word one to me (or my credit report) about it.
The credit industry has spun this thing to be "identity theft", but it isn't. My identity is still attached to me, right where I left it. YOU nitwits were defrauded. I was not involved until some creditor attempted to attach a debt to me that was not mine.