Join 3,512 readers in helping fund MetaFilter (Hide)


Black Hats May Have Had Remote Access to My Home Network
January 18, 2014 7:04 AM   Subscribe

My SO became desperate for some encryption software, and couldn't wait for me to answer a text. She Binged, and downloaded something questionable that wasn't Adobe. She then clicked on a link in the questionable software and found a tech support number. She called the number, and turned remote access of the computer over to questionable tech support, that wanted more info to have her pay for tech support. She refused, but did grant remote access to the computer. My main concern is that some unknown actor had remote access for possibly as long as several hours. There was almost no data on the netbook, which was purchased just a few weeks ago. But my SO had a USB drive plugged in that had a lot of sensitive data on it. How FUBAR are we?
posted by anonymous to Computers & Internet (9 answers total)
 
Maybe not at all, maybe totally. Depends on the laziness of the remote call centre drone. Your safest bet is to behave as if your sensitive data, as well as the computer that was remotely accessed and probably any others on the same LAN, have all been completely compromised.
posted by flabdablet at 7:12 AM on January 18 [2 favorites]


Once you've cleaned up the mess, give each of you your own user accounts, and don't give her admin rights.
posted by flabdablet at 7:17 AM on January 18 [5 favorites]


If we could know what the software was, that would help. And was the remote access over the regular Windows remote support thing? There's not really enough information to give you a concrete answer. And Adobe don't even make encryption software, do they?

Anyway, Seconding flabdalet, you need to assume it's totally compromised. Including whatever was on the stick.
posted by derbs at 7:33 AM on January 18 [2 favorites]


And was the remote access over the regular Windows remote support thing?

Whenever I toy with these clowns they generally want me to use TeamViewer or LogMeIn.
posted by flabdablet at 8:00 AM on January 18 [2 favorites]


The point of the exercise was probably to get the extra payment for support and they aren't interested in your data, but things might have been left behind to cause further support calls. Do not use the new software.

If you don't know who had access I would completely scrub the computer's hard disk and reinstall from scratch. I would also (if possible) try to download a BIOS/firmware installer from the manufacturer and reflash the firmware too, but that's possibly a bit extreme.

Also change all passwords that might have been remembered by the web browser - these are usually easy to view by anyone logged in.

With hindsight it may look as if your SO was foolish but some professional scammers are very good at what they do and know how to take advantage of people. If your SO refused to pay them the scam probably failed from the scammer's point of view.
posted by BinaryApe at 8:44 AM on January 18 [1 favorite]


Name the software - without that info it's impossible to comment on what may have happened.

Use the contact form and get a mod to add that info.

You may, if you haven't already, wish to run a full antivirus, anti hijacking, anti spyware, anti malware sweep.
posted by Hobo at 9:38 AM on January 18


The point of the exercise was probably to get the extra payment for support and they aren't interested in your data, but things might have been left behind to cause further support calls. [...] If your SO refused to pay them the scam probably failed from the scammer's point of view.

I agree with this. Having a fixed business identity and tech support phone number doesn't pass the sniff test for being an illegal identity theft operation--the risk/effort to reward ratio is just way off. Most identity theft (that I'm aware of--please disabuse me of this notion if you know better) relies on automated or semi-automated acquisition, through skimmers, bulk phishing emails, or gaining access to a business's servers to harvest information from their customer database. Social engineering is certainly a thing, but the idea of establishing a sham business (with live operators who dig through your files looking for something to steal, or add you to a botnet or whatever) around an actual piece of software as a kind of honeypot to attract marks is not a twist I've heard of, yet.

Additionally, does googling the company turn up anyone alleging theft? In this day and age, I can search for an unfamiliar number and determine whether or not it's a telemarketer before the phone is done ringing. If this company is systematically stealing the identities of their customers, it's very likely that someone has written about it somewhere on the internet.

If they are out to scam you, it's far more likely they're running some kind of shady-but-quasilegal business billing you for the tech support, or even some kind of undisclosed recurring service fee once they have your credit card on file. If you didn't give it to them voluntarily, you're probably in the clear. If you did, watch your statements like a hawk and be prepared to initiate some chargebacks. It's also always possible that your tech was a lone bad actor, but now we're looking at improbabilities among improbabilities.

That said, I'm a paranoid guy myself, and I consider behaviors like changing passwords, keeping windows and antivirus/malware software up to date, using non-admin accounts, using multi-factor authentication when possible, and generally not having a head-in-the-sand attitude toward my financial statements/credit reports to be normal. If you aren't doing these things, you should be anyway.
posted by pullayup at 9:50 AM on January 18 [1 favorite]


I want to stress that the "actual software" point is key--if your wife ended up installing something that's obviously not what it said on the tin, or your computer was "locked" because you're under "suspicion of illegal content downloading and distribution" pending a payment of $200 to the "FBI" etc., all of my advice is out the window. You should nuke the drive from orbit, call one of the reporting agencies and put a fraud alert on your credit report, and start watching any compromised accounts like a hawk.
posted by pullayup at 10:07 AM on January 18


What was the website and phone number?
posted by AppleTurnover at 2:52 PM on January 18


« Older I am programmer who has done d...   |  I am job hunting, and my caree... Newer »

You are not logged in, either login or create an account to post comments