So...we have an elderly relative staying with us who is recuperating from bypass surgery.
He let slip the other day that he's "got a problem" with his laptop PC - namely that it was apparently hijacked while he was "looking at the internet" (and by that, I assume that he was looking at adult sites somewhere, so his own embarrassment is a huge factor in this) and he's had to pay a lot of money to whoever it was who allegedly hijacked his laptop. He's apparently paying a monthly fee to retain access to his data.
I don't know the full story here, obviously there's a scam of some sort happening, so I want to try and get to the bottom of it. Any help would be hugely appreciated.
I'd love to help, but we're going to need considerably more detail than "something happened" if we're to get to the bottom of it. Out of the gate I would:
1) Disconnect it from the network.*
2) Backup whatever "data" he has. (What even is this?)
3) Stop paying.
4) Contact the bank's fraud department.
Once triaged, then we can worry about what to do with it.
(* - point of note here, malware can and often will spread laterally, an infected machine inside your perimeter is a clear and present danger to everyone else on your network)
As Cougar says, if they currently have access to the data then just back it up to a hard drive, then run a malware scan on that drive from another good computer. If they already have Microsoft Office 365 and the files are in OneDrive then they will already be virus scanned. If all is good then just flatten the computer and rebuild it once you know what programs they had installed, then reload the files, or if they are stored in OneDrive/Google Drive then just reconnect it to the cloud.
If they received the initial demand via email then see if that address is in haveibeenpwned.com. If so then it is likely that someone was just phishing with an email/password that was publicly available and they have been caught. In that case there may actually be nothing wrong with the machine. Ask if they just paid or if they also installed something. If they just paid then run a check on the machine using something like the Microsoft virus scanner: Microsoft Safety Scanner Download - Windows security | Microsoft Docs
If they actually installed anything then you need to get a full list of any places they have a login, amazon, email, bank etc and go through and change everything.
First we need more detail on how they were contacted to make payment e.g. a website popup, email etc
Thanks both.
1) Disconnect it from the network.
On that basis, I'm currently running Malwarebytes on our main PC and have asked that the offending machine is turned off and disconnected from our home wifi.
2) Backup whatever “data” he has. (What even is this?)
No idea, am almost afraid to ask but I'm going to grasp that nettle shortly.
3) Stop paying.
Agreed.
4) Contact the bank’s fraud department.
Agreed.
This is a very delicate matter, there's a reason why our elderly relative hasn't contacted the bank's fraud dept or reported anything so I'm going as gently as possible.
If they received the initial demand via email then see if that address is in haveibeenpwned.com. If so then it is likely that someone was just phishing with an email/pwd that was publicly available and they have been caught. In that case there may actually be nothing wrong with the machine.
That had crossed our minds too. I'm going to make further inquiries and will report back as soon as.
It's probably the good old 'We've got photos of you from your webcam and will send them to all your contacts if you don't pay us' which can be sent out to a random list of victims irrespective of what you've been up to on the internet.
Unless he's actually been in a 'chatroom' and a 2 way video call... Presumably you'll find out if/when he stops paying...
No idea, am almost afraid to ask but I’m going to grasp that nettle shortly.
If it's his grumble supply then as much as it pains me to suggest it, he can always download it again. Ten years worth of family photographs, not so much.
It’s probably the good old ‘We’ve got photos of you from your webcam and will send them to all your contacts if you don’t pay us’
Yep that one's been around the block a few times and can be ignored.
Are we just treating this as an IT issue? Blackmail and extortion are actually quite serious crimes - you're allowed to contact the police.
Ask him to show you the emails/ messages and the website where he put in payment details (don’t go to the website just get the link). The messages will identify the scam. By the sound of it it could be a tech support scam in which case probably no malware.
Hang on.
He’s apparently paying a monthly fee to retain access to his data.
Did he ever lose it?
It’s probably the good old ‘We’ve got photos of you from your webcam and will send them to all your contacts if you don’t pay us’
Along with your "password" which came from a data breach. I've had a few of those emails, the password is one I commonly used but not for well over a decade. Likely from the Yahoo! breach. Well, one of them.
You really need to find out what's actually happened, otherwise it's guesswork.
Okay, sooo...
Malwarebytes has picked up nine files that have been identified as Malware/Spyware.
These have been cleaned out; the next step is to move his family photos etc onto a memory stick, scan the stick with Malwarebytes and then reinstall the entire OS and start again from scratch.
Are we just treating this as an IT issue? Blackmail and extortion are actually quite serious crimes – you're allowed to contact the police.
The issue here is that we've a seventy-nine year old man in the house who is recuperating from a quadruple heart bypass op. He's *obviously* been looking at teh pron, but he's not exactly going to say "I've been looking at teh pron". He's adamant that he wants "no fuss" given his health and definitely doesn't want to talk to the law. Believe me, I've tried this angle.
I'm having to be v.v.gentle with him, he's clamming up and stammering bless him.
You really need to find out what’s actually happened, otherwise it’s guesswork.
Absolutely this - MrsPJM is working on this - given that the gentleman in question is her uncle.
You should probably just do him a favour and download all your "specialist movies" to his photo memory stick. No need for future downloads. 👍
Are we just treating this as an IT issue? Blackmail and extortion are actually quite serious crimes – you're allowed to contact the police.
Whilst correct I wouldn't expect anything useful to be accomplished. If they won't even deal with folk getting ripped off on PayPal even with contact details then the chances of them dealing with something done by God knows who are even more remote.
The scam will be the webcam / sextortion scam described at https://blog.avast.com/scam-alert-dont-fall-for-extortion-ploy and https://www.theguardian.com/technology/askjack/2019/jan/17/phishing-email-blackmail-sextortion-webcam
MrsPJM is working on this – given that the gentleman in question is her uncle.
We need to know "I had an email" or "I clicked on a link on a web page." What he was doing at the time is immaterial, I'm more interested in his mouse hand than the other one. We just need an audit trail.
Malwarebytes has picked up nine files that have been identified as Malware/Spyware.
MBAM should've dropped a log file onto the desktop. Can you send it to me please?
I'm starting to get somewhere...
We need to know “I had an email” or “I clicked on a link on a web page.” What he was doing at the time is immaterial, I’m more interested in his mouse hand than the other one. We just need an audit trail.
"I had something pop up to tell me my computer was frozen and I had to call a phone number".
MBAM should’ve dropped a log file onto the desktop. Can you send it to me please?
Working on it, there is no log file on the desktop, but I'm trying to find something useful...
Got it - have PM'd you Cougar.
Thank you so much for this, getting info on exactly what happened is like pulling teeth.
Check his downloads, search the drive for video files, have a look in his temporary files, that should give you an idea of what he has been looking at and where. This may help identify the type of scam. I used to have to do this all the time with my father in law (God rest his soul).
His biggest fear was his daughter finding out what he had been looking at. He handed over quite a lot of money to scammers to prevent this. Fortunately Lloyds' fraud department were very understanding and refunded a good chunk. The police were not interested in the blackmail angle.
Fortunately Lloyds' fraud department were very understanding and refunded a good chunk.
Was that as a result of you calling them? I'm surprised but very impressed that they did this
Yes we reported it to the bank and the police. The bank took action and got most of the money back. The police gave us a crime number to give to the bank.
It was a couple of years ago (2017?); things may have changed.
From that MBAM log, there is a reasonably high chance that the 'hacker' has a copy of the password cache from his browser. I'm not immediately seeing the laptop itself as a threat, however I'd suggest changing passwords (from a known clean PC) on anything he cares about that he's likely to have clicked "remember my password" on previously. First stop, any email addresses where "recover my password" is likely to send requests. Second, the banks. Yes, in that order, the email is critical. Do it now. Why are you still here? Go away.
Changed it? Right. It also suggests crypto payments, which would tie in with the speculative email idea floated by others above.
Sorry this is all "maybe", but the report from MBAM is kinda generic. There are too many of these things which are almost-but-not-quite the same to be 100% sure.
Clean PC. Email password. Allez maintenant, vite.
Awesome Cougar, am on it.
Excellent advice from others already but just to add my thoughts…
If the device was frozen and a message appeared on the screen then that suggests that something was downloaded in the first instance, probably from a website. If he rang the number then it's highly likely they accessed the machine using remote control software while he was on the phone and could have taken copies of any files, including the browser cache, at this time. Typically they set some Windows services to manual startup or disable them so it looks like the machine has frozen.
As suggested by others it’s critical that you change passwords on any email accounts that are in use and also check that email forwarding has not been set up on them. Also configure MFA/2FA on anything that will allow it (banks often require this anyway these days but worth doing on anything else that supports it at this point).
Get a list of anything that has payment details saved in it (online shopping, for example) and then change the passwords/delete any saved payment details - they can be set up again later.
Going forward consider configuring the DNS settings to something like Quad9 (9.9.9.9) or OpenDNS on either the device or ideally the router where he lives. A quick Google will give you info on this but me or others in here will also be able to help.
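As an added example (not from the thread or any of its posters), the checks in the post above can be scripted from an elevated PowerShell prompt on the affected laptop: list services no longer set to automatic start, look for installed remote-control tools, and point the DNS client at Quad9. The tool-name pattern and the Quad9 secondary address 149.112.112.112 are assumptions on my part; review the output rather than acting on it blindly.

```powershell
# Added example: post-scam triage for the Windows laptop described in the thread.
# Run as Administrator. Tool names in $pattern are assumed, not taken from the thread.

# 1. Services whose start type is not Automatic. The thread notes that tech-support
#    scammers set services to Manual/Disabled so the machine looks "frozen";
#    compare this list against a known-good machine of the same Windows version.
function Get-NonAutomaticServices {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -ne 'Auto' } |
        Select-Object Name, StartMode, State
}

# 2. Installed programs whose display name matches common remote-control tools
#    (assumed list). Anything here that the owner did not knowingly install is
#    a candidate for removal and for a password reset on every account used since.
function Find-RemoteControlSoftware {
    $pattern = 'TeamViewer|AnyDesk|LogMeIn|ConnectWise|Supremo|UltraViewer|Splashtop'
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern } |
        Select-Object DisplayName, InstallDate, UninstallString
}

# 3. Set Quad9 (9.9.9.9 from the thread, plus its secondary 149.112.112.112) on every
#    adapter that is currently up, then show the resulting IPv4 DNS configuration.
function Set-Quad9Dns {
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex `
            -ServerAddresses '9.9.9.9', '149.112.112.112'
    }
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Select-Object InterfaceAlias, ServerAddresses
}

Get-NonAutomaticServices   | Format-Table -AutoSize
Find-RemoteControlSoftware | Format-Table -AutoSize
Set-Quad9Dns               | Format-Table -AutoSize
```

Doing the DNS change on the router instead, as the post suggests, covers every device in the house rather than just this laptop.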
He’s *obviously* been looking at teh pron
Bit risky for an old guy recovering from heart surgery?
also check that email forwarding has not been set up on them.
That's a very good catch, I forgot about that.
I used to work in financial crime/fraud prevention and nine times out of ten these things are usually just scams and it's unlikely that any data or machine has actually been compromised; however, the advice regarding passwords, emails, and cleaning up the computer is all very sensible and should be taken irrespective.
The police really won't give a shit as this stuff is very common but you can report it via https://www.actionfraud.police.uk/ and you'll get a crime reference number.
The next step will be to speak to the bank and let them know that he's fallen victim to a scam and give them that action fraud reference number. He will need to grant you authority for dealing with the bank on his behalf. When contacting them make it clear that he is elderly, is recovering from an operation, and is a victim of a confidence scam. These factors will make it more likely that he'll get a refund.
How he's actually made the payments will impact whether it's possible, or how easy it is, to recover the money. Card payments will be easiest if it's fairly recent; however, if he's made a bank transfer then he may not get the money back.
If they don't refund then you can log a complaint, and if they reject the complaint then you can escalate the complaint to the Financial Ombudsman Service. They may overturn the complaint and force the bank to refund.
Bit risky for an old guy recovering from heart surgery?
I'm pretty sure that the pron browsing predated the bypass operation, although provided that it featured people of legal age who've given their prior consent then it's no business of mine. If the above conditions are met then fair play and all that.
So, thanks to everyone in this thread we're getting somewhere. We've reinstalled the OS as a clean install, Defender (and Malwarebytes) have been run over the memory stick before we contemplate copying anything back, and all passwords have been changed.
Bit risky for an old guy recovering from heart surgery?
Also, genuine chortle here.
You might just be best asking him outright if he has been at the grot. Offer him your onlyfans login to keep him going.
You might just be best asking him outright if he has been at the grot. Offer him your onlyfans login to keep him going.
Or offer him access to your only fans content