Hi All,

My adventure in defeating an active hacker.

A couple of days ago, I came toe to toe with a hacker. Now
in all my years (29) of doing this, I have cleared out a lot
viruses, and rescued several hacked computers, but this was
the first time I came toe to toe with a hacker.

The customer had fallen for a phishing attack and had called
the criminal on the phone with the Hindi accent. The customer
allowed the criminal to set up remote support and started doing
weird things to the customer’s computer. The customer eventually
wised up and power off his machine.

A few days later, the customer noticed that occupationally his
screen go blue with white lettering telling him not to power
off while updates were being installed. He lost total mouse
and keyboard control. And during the process, a bunch of gift
cards suddenly got ordered on his Amazon account. So he got
new credit cards and had all the stray charged removed. Did
not help. Kept happening. So he called me.

I have unattended Go To Assist remote support with this
customer. Logging in and started looking around, the customer
said, he is doing it right not. Okay, the criminal’s screen
block did not show up on Go To Assist, although his mouse
and keyboard blocks did. I watched him go to the customers
open Amazon account. Apparently he could see what was going
on and waited for the customer to get past the two factor
authentication. Now Go To Assist has a function to send
<ctrl><alt<del> to the remote computer (doing that yourself
activates your local computer, not the remote computer, hence
the Go To Assist function). So every time the criminal tried
the order something, I popped him with a <ctrl><alt><del>.
You could almost hear the cussing in Hindi.

I told the customer what I was doing to him and we both had a
good laugh at the criminals expense. The criminal was pretty
good at pressing cancel. I eventually send a reboot and the
criminal gave up for long enough (probably busy steal things
from other victims) to find his remote control software (ScreenConnect.ClientService.exe), kill the process, and erase
it from everywhere on his drive and his registry.

I installed additional security features:

1) got rid of his Microsoft spy account and replaced it with
a new local account without that idiotic four digit security
hazard pin number. Now he have to sign in with an actual
strong password on a local account. (It is something he
will remember.)

2) removed the old Windows profile. Anything still running,
which triggers a file lock error, is a give away, which is
how I caught his remote software running in appdata.

3) had him get another new credit card number as the criminal
could have easily watched him enter the new one into his
Amazon account.

4) create a new Amazon password.

5) remove auto login to his Amazon account from all his browsers.

6) verified that his Amazon two factor authentication was set
up and working properly

7) checked for root kits

8) scanned him from dust to daylight with three different
antivirus programs.

9) told him for the time being to turn off his computer when
he is not watching it.

10) told him if the installing updates screen comes back to
power off and call me immediately.

11) emptied his trash


I also scoured sysinternals/autoruns but did not find his
remote software (maybe I missed it, but I do not think so).
And yes, all his M$ updates were up to date.

It’s a living,
-T

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 12/2/23 14:42, Carlos E. R. wrote:

On 2023-12-02 23:27, T wrote:

Hi All,

My adventure in defeating an active hacker.

...

9) told him for the time being to turn off his computer when
he is not watching it.

10) told him if the installing updates screen comes back to
power off and call me immediately.

11) emptied his trash

Happy ending :-)

It took about an hour for all the adrenaline to go down!
But I was chuckling underneath sending the criminal all
those <ctrl><alt><Del>'s.

Those criminals, which are an infinitesimal port of India's
population, give India a bad, undeserved rap.

The Indians who have moved here that I know are stand up
folks. And the Indians I have dealt with in the Open
Source movement are some of the sharpest tacks in the
box I have come across. (Tech support, not so much.)
I can see why the general Indian population hates these
criminals so much.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2023-12-02 23:27, T wrote:

Hi All,

My adventure in defeating an active hacker.

...

9) told him for the time being to turn off his computer when
he is not watching it.

10) told him if the installing updates screen comes back to
power off and call me immediately.

11) emptied his trash

Happy ending :-)

--
Cheers,
Carlos E.R.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Ed Cryer wrote:

[snip]

Your listing of the things that had to be done to save the day is a good stern warning to others. Those little devils can wreak such havoc on
naive users. I've heard of people so traumatised by similar attacks that
they keep away from all devices and the Net. Some are even made afraid
to use ATMs, and they'll go into their bank's branch office and ask an assistant to get their cash.

Given that banks are closing branches wholesale how long before we see
the criminals setting up spoof high street banks?


--
Graham J

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

VCB3cm90ZToNCj4gT24gMTIvMi8yMyAxNDo0MiwgQ2FybG9zIEUuIFIuIHdyb3RlOg0KPj4g T24gMjAyMy0xMi0wMiAyMzoyNywgVCB3cm90ZToNCj4+PiBIaSBBbGwsDQo+Pj4NCj4+PiBN eSBhZHZlbnR1cmUgaW4gZGVmZWF0aW5nIGFuIGFjdGl2ZSBoYWNrZXIuDQo+Pg0KPj4gLi4u DQo+Pg0KPj4+IDkpIHRvbGQgaGltIGZvciB0aGUgdGltZSBiZWluZyB0byB0dXJuIG9mZiBo aXMgY29tcHV0ZXIgd2hlbg0KPj4+IGhlIGlzIG5vdCB3YXRjaGluZyBpdC4NCj4+Pg0KPj4+ IDEwKSB0b2xkIGhpbSBpZiB0aGUgaW5zdGFsbGluZyB1cGRhdGVzIHNjcmVlbiBjb21lcyBi YWNrIHRvDQo+Pj4gcG93ZXIgb2ZmIGFuZCBjYWxsIG1lIGltbWVkaWF0ZWx5Lg0KPj4+DQo+ Pj4gMTEpIGVtcHRpZWQgaGlzIHRyYXNoDQo+Pg0KPj4gSGFwcHkgZW5kaW5nIDotKQ0KPj4N Cj4gDQo+IA0KPiBJdCB0b29rIGFib3V0IGFuIGhvdXIgZm9yIGFsbCB0aGUgYWRyZW5hbGlu ZSB0byBnbyBkb3duIQ0KPiBCdXQgSSB3YXMgY2h1Y2tsaW5nIHVuZGVybmVhdGggc2VuZGlu ZyB0aGUgY3JpbWluYWwgYWxsDQo+IHRob3NlIDxjdHJsPjxhbHQ+PERlbD4ncy4NCj4gDQo+ IFRob3NlIGNyaW1pbmFscywgd2hpY2ggYXJlIGFuIGluZmluaXRlc2ltYWwgcG9ydCBvZiBJ bmRpYSdzDQo+IHBvcHVsYXRpb24sIGdpdmUgSW5kaWEgYSBiYWQsIHVuZGVzZXJ2ZWQgcmFw Lg0KPiANCj4gVGhlIEluZGlhbnMgd2hvIGhhdmUgbW92ZWQgaGVyZSB0aGF0IEkga25vdyBh cmUgc3RhbmQgdXANCj4gZm9sa3MuwqAgQW5kIHRoZSBJbmRpYW5zIEkgaGF2ZSBkZWFsdCB3 aXRoIGluIHRoZSBPcGVuDQo+IFNvdXJjZSBtb3ZlbWVudCBhcmUgc29tZSBvZiB0aGUgc2hh cnBlc3QgdGFja3MgaW4gdGhlDQo+IGJveCBJIGhhdmUgY29tZSBhY3Jvc3MuwqAgKFRlY2gg c3VwcG9ydCwgbm90IHNvIG11Y2guKQ0KPiBJIGNhbiBzZWUgd2h5IHRoZSBnZW5lcmFsIElu ZGlhbiBwb3B1bGF0aW9uIGhhdGVzIHRoZXNlDQo+IGNyaW1pbmFscyBzbyBtdWNoLg0KDQpX ZWxsIGRvbmUsIFQuDQoNCllvdXIgbGlzdGluZyBvZiB0aGUgdGhpbmdzIHRoYXQgaGFkIHRv IGJlIGRvbmUgdG8gc2F2ZSB0aGUgZGF5IGlzIGEgZ29vZCANCnN0ZXJuIHdhcm5pbmcgdG8g b3RoZXJzLiBUaG9zZSBsaXR0bGUgZGV2aWxzIGNhbiB3cmVhayBzdWNoIGhhdm9jIG9uIA0K bmFpdmUgdXNlcnMuIEkndmUgaGVhcmQgb2YgcGVvcGxlIHNvIHRyYXVtYXRpc2VkIGJ5IHNp bWlsYXIgYXR0YWNrcyB0aGF0IA0KdGhleSBrZWVwIGF3YXkgZnJvbSBhbGwgZGV2aWNlcyBh bmQgdGhlIE5ldC4gU29tZSBhcmUgZXZlbiBtYWRlIGFmcmFpZCANCnRvIHVzZSBBVE1zLCBh bmQgdGhleSdsbCBnbyBpbnRvIHRoZWlyIGJhbmsncyBicmFuY2ggb2ZmaWNlIGFuZCBhc2sg YW4gDQphc3Npc3RhbnQgdG8gZ2V0IHRoZWlyIGNhc2guDQoNCkVkDQoNCg==

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2023-12-03 00:00, T wrote:

On 12/2/23 14:42, Carlos E. R. wrote:

On 2023-12-02 23:27, T wrote:

Hi All,

My adventure in defeating an active hacker.

...

9) told him for the time being to turn off his computer when
he is not watching it.

10) told him if the installing updates screen comes back to
power off and call me immediately.

11) emptied his trash

Happy ending :-)

It took about an hour for all the adrenaline to go down!
But I was chuckling underneath sending the criminal all
those <ctrl><alt><Del>'s.

I imagine.

Those criminals, which are an infinitesimal port of India's
population, give India a bad, undeserved rap.

The Indians who have moved here that I know are stand up
folks.  And the Indians I have dealt with in the Open
Source movement are some of the sharpest tacks in the
box I have come across.  (Tech support, not so much.)
I can see why the general Indian population hates these
criminals so much.

We even get those fake M$ support calls here in Spain, in English. They probably know who might speak English. The last one was over a year ago
or two. I faked a mighty laugh for a few second and hung up. Maybe they
took note not to try call me again :-D

--
Cheers,
Carlos E.R.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Graham J wrote:

Ed Cryer wrote:

[snip]

Your listing of the things that had to be done to save the day is a
good stern warning to others. Those little devils can wreak such havoc
on naive users. I've heard of people so traumatised by similar attacks
that they keep away from all devices and the Net. Some are even made
afraid to use ATMs, and they'll go into their bank's branch office and
ask an assistant to get their cash.

Given that banks are closing branches wholesale how long before we see
the criminals setting up spoof high street banks?

The internet has become indispensable. I don't think you can live any
kind of worthwhile life in modern society without it. It's all done
online; and someone who tries to get by without it is gonna create great
toil and trouble for himself.
You just have to become Net-savvy.

Ed

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 12/3/23 03:24, Carlos E. R. wrote:

We even get those fake M$ support calls here in Spain, in English. They probably know who might speak English.

They have a list of numbers. They do not care what you speak.
It is the volume of calls they are after. They probably do not
even know what country you are in.

The last one was over a year ago
or two. I faked a mighty laugh for a few second and hung up. Maybe they
took note not to try call me again 😂

Things I have tried and my customer's have tried that did not work

insulting them in Hindi,
asking them how the weather is in Pakistan (an extreme insult),
shaming them,
hanging up on them,
tiring of them having to bury them out back,
asking them if their family knows what they are doing,
etc.

The only thing that I have found that stops them is to put on
you best stupid looking face (helps with the voice) and telling
them in dumb, halting tones "But I don't own a computer.
I hate the things". The criminals will challenge you once
and tell you their records show you own a made up brand name
such as Dell. Then response with "How did that happen? Would
you fix that for me?". They will agree and remove you from
their list. When you say goodbye, make sure and seal the
deal with "You're such a nice man." Works every time.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

T <T@invalid.invalid> wrote:

On 12/3/23 07:34, Ed Cryer wrote:

Graham J wrote:

Ed Cryer wrote:

[...]

And get rid of your Debit cards. There is no fraud
protection on them. And when hacked, they have access
to your banking too. Use credit cards instead. And get
them from a separate institution so they can not
link your cards to your accounts.

This - debit cards versus credit cards - has recently been discussed
at length in this very group and the conclusion was that the (non) risk
of debit cards is very different in different countries.

Graham and Ed live in the UK.

I live in The Netherlands where debit cards are much *more* secure
than credit cards. For any transaction, you need the actual card ((a
copy of) the info on the card is *not* enough) *and* the PIN code. (For
a credit card, you just need (a copy of) the info on the card.)

Moral: Don't give country-dependent advice in a world-wide group.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 12/3/23 07:34, Ed Cryer wrote:

Graham J wrote:

Ed Cryer wrote:

[snip]

Your listing of the things that had to be done to save the day is a
good stern warning to others. Those little devils can wreak such
havoc on naive users. I've heard of people so traumatised by similar
attacks that they keep away from all devices and the Net. Some are
even made afraid to use ATMs, and they'll go into their bank's branch
office and ask an assistant to get their cash.

Given that banks are closing branches wholesale how long before we see
the criminals setting up spoof high street banks?

The internet has become indispensable. I don't think you can live any
kind of worthwhile life in modern society without it. It's all done
online; and someone who tries to get by without it is gonna create great
toil and trouble for himself.
You just have to become Net-savvy.

Ed

I do all my banking in person for a number of reasons. The
biggest is receipts. I can prove things in writing.
No one challenges me. I also like the human factor of
everyone knowing me and I knowing them. I get to ask
them how their day is going and they get to ask me
about their computer problems. It is humanizing.
I write out instructions of what I want done (they
call me the "list guy") and do not mind double checking
me and I them. (You would not believe the number
of folks that do not even know their account numbers
[I know mine by heart] that have the tellers look
them up for them.)

It also does not help that I assist customers that get
their banking hacked. Two months ago, I helped a
lady who got hacked for 40,000.00 U$D. (And
again right in front of the bamk person trying to
straighten out her accounts on the bank's monitor.)

Needless to say, I do not do online banking. I
have seen it destroy too many people.

Now if security is an issue, you really should not
be using Windows. Windows is a kluge and a security
nightmare. (Note to incensed fanbois over
that last statement: bite me!)

For better security, you should consider OSx, or
better yet, Fedora Linux with SELinux, which is
security hardened.

The downside is the lack of applications in Linux
and OSx, but there is always virtual machines
of Windows for that as long as you do no security
things over Windows.

That being said, the human factor is probably about 95%
of the problem. It is far easier to trick someone than
to write malicious code.

If you get your banking hacked. Immediate have the bank
shutdown your accounts. DO NOT USE your computer again.
Have your drive wiped with zeros and start over. The
inconvenience is worth protecting your life savings.

If doing a lot of on-line purchases, consider getting a
very low limit card from a separate institution for
Internet purchases. Mine have been hacked three times.
The bad guys try to put through a $5000 change and the
card automatically gets shut down.

And get rid of your Debit cards. There is no fraud
protection on them. And when hacked, they have access
to your banking too. Use credit cards instead. And get
them from a separate institution so they can not
link your cards to your accounts.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Frank Slootweg wrote:

T <T@invalid.invalid> wrote:

On 12/3/23 07:34, Ed Cryer wrote:

Graham J wrote:

Ed Cryer wrote:

[...]

And get rid of your Debit cards. There is no fraud
protection on them. And when hacked, they have access
to your banking too. Use credit cards instead. And get
them from a separate institution so they can not
link your cards to your accounts.

This - debit cards versus credit cards - has recently been discussed
at length in this very group and the conclusion was that the (non) risk
of debit cards is very different in different countries.

Graham and Ed live in the UK.

I live in The Netherlands where debit cards are much *more* secure
than credit cards. For any transaction, you need the actual card ((a
copy of) the info on the card is *not* enough) *and* the PIN code. (For
a credit card, you just need (a copy of) the info on the card.)

Moral: Don't give country-dependent advice in a world-wide group.

An interesting distinction. And one that makes sense even under UK
banking regulations, which I suppose are the same here and there.
I can only tell you what my bank tells me.

I've had a debit card almost since I was born. But many moons ago a
financial adviser in my bank told me a credit card was far more
advisable for online dealings; so I got one.
The only thing I use my debit card for is drawing cash from an ATM; and
I even pay cash at supermarket checkouts, where card-payers hold up the
queue and have women stare daggers at them from behind their packed
trollies.
For everything else I use the credit card; reading out the number over
the phone, purchases from Ebay etc.
The debit card transactions are debited from my account instantaneously;
the credit ones take a few days to register, and I have a direct debit
set up to settle the balance from my current account once a month. I
never have to pay a penny of interest.

I was once told by my bank that they would honour scams against the
credit card but not the debit card. I have friends who have been scammed
and their bank has honoured the loss.

Ed

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 12/3/23 13:08, Ed Cryer wrote:

I was once told by my bank that they would honour scams against the
credit card but not the debit card. I have friends who have been scammed
and their bank has honoured the loss.

It is totally at the bank's discretion. It is the
law with credit cards.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2023-12-03 23:06, T wrote:

On 12/3/23 13:08, Ed Cryer wrote:

I was once told by my bank that they would honour scams against the
credit card but not the debit card. I have friends who have been
scammed and their bank has honoured the loss.

It is totally at the bank's discretion.  It is the
law with credit cards.

The law varies per country.

--
Cheers,
Carlos E.R.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2023-12-03 18:57, T wrote:

On 12/3/23 03:24, Carlos E. R. wrote:

We even get those fake M$ support calls here in Spain, in English.
They probably know who might speak English.

They have a list of numbers.  They do not care what you speak.

They can not scam a typical Spaniard in English, they must speak Spanish fluently.

It is the volume of calls they are after.  They probably do not
even know what country you are in.

The last one was over a year ago or two. I faked a mighty laugh for a
few second and hung up. Maybe they took note not to try call me again 😂

Things I have tried and my customer's have tried that did not work

   insulting them in Hindi,
   asking them how the weather is in Pakistan (an extreme insult),

:-)

   shaming them,
   hanging up on them,
   tiring of them having to bury them out back,
   asking them if their family knows what they are doing,
   etc.

The laugh worked :-)

The only thing that I have found that stops them is to put on
you best stupid looking face (helps with the voice) and telling
them in dumb, halting tones "But I don't own a computer.
I hate the things".

Yes, that should work.

The criminals will challenge you once
and tell you their records show you own a made up brand name
such as Dell.  Then response with "How did that happen?  Would
you fix that for me?".  They will agree and remove you from
their list.  When you say goodbye, make sure and seal the
deal with "You're such a nice man."   Works every time.

:-)

--
Cheers,
Carlos E.R.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 12/3/23 14:09, Carlos E. R. wrote:

They can not scam a typical Spaniard in English, they must speak Spanish fluently.

Just out of curiously, would that be the beautiful
Castilian Spanish or a local dialect?

Mexico being our neighbor, we have a lot of Mexico
Spanish spoken around here. There is nothing wrong
with it, but it lacks the aesthetic beauty of
Castilian Spanish.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 12/3/23 14:12, Carlos E. R. wrote:

It is totally at the bank's discretion.  It is the
law with credit cards.

The law varies per country.

Indeed.

I do forget sometimes that this is an International forum.
Most of the English as a second language speakers here
have such a good command of English that I forget this
is such a forum. A lot of time the command second language
speakers exhibit here, including you Carlos, is better
than my own.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2023-12-04 04:14, T wrote:

On 12/3/23 14:09, Carlos E. R. wrote:

They can not scam a typical Spaniard in English, they must speak
Spanish fluently.

Just out of curiously, would that be the beautiful
Castilian Spanish or a local dialect?

{chuckle}

Mine is a mix. Castille, Madrid, Andalusian, south-east...

Mexico being our neighbor, we have a lot of Mexico
Spanish spoken around here.  There is nothing wrong
with it, but it lacks the aesthetic beauty of
Castilian Spanish.

Oh, thank you :-)

--
Cheers,
Carlos E.R.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2023-12-04 04:08, T wrote:

On 12/3/23 14:12, Carlos E. R. wrote:

It is totally at the bank's discretion.  It is the
law with credit cards.

The law varies per country.

Indeed.

I do forget sometimes that this is an International forum.
Most of the English as a second language speakers here
have such a good command of English that I forget this
is such a forum.  A lot of time the command second language
speakers exhibit here, including you Carlos, is better
than my own.

We have our telltale mistakes, but they are different than yours ;-)

--
Cheers,
Carlos E.R.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 12/3/23 19:30, Carlos E. R. wrote:

Just out of curiously, would that be the beautiful
Castilian Spanish or a local dialect?

{chuckle}

Mine is a mix. Castille, Madrid, Andalusian, south-east...

Now I have to know if you speak the beautiful oxford
English the Germans speak and that you never hear
from a Yank or a Brit (including me)?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2023-12-04 06:01, T wrote:

On 12/3/23 19:30, Carlos E. R. wrote:

Just out of curiously, would that be the beautiful
Castilian Spanish or a local dialect?

{chuckle}

Mine is a mix. Castille, Madrid, Andalusian, south-east...

Now I have to know if you speak the beautiful oxford
English the Germans speak and that you never hear
from a Yank or a Brit (including me)?

Another mix.

I got my accent from my father, who had a different English accent than
most Spaniards, from Britain where I stayed four months, and from Canada
where I stayed 2 years :-)

The USA I only visited for a few hours, a bus from airport to airport in
New York :-D

--
Cheers,
Carlos E.R.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 12/4/23 08:38, Joerg Walther wrote:

T wrote:

Now I have to know if you speak the beautiful oxford
English the Germans speak and that you never hear
from a Yank or a Brit (including me)?

Usually it's American English these days, at least with young people,
but of course that may change in the coming years since the American
Dream seems slowly to be turning into its opposite.

-jw-

I served in Germany in the 70's. It always
surprised me that most German children could
speak three languages. I especially loved
to hear then pronounce "Hamburger" (Ham-Booger).

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)