Father-in-law called a scammer and gave them access to his laptop
June 10, 2019 7:12 AM

My poor father-in-law called a scam phone number from a pop-up window, because he thought his Macbook had been hacked. He proceeded to give them control of the computer. My assumption is that after he gave them access, anything is on the table as far as malicious software installed on his computer, or information they've acquired. He didn't give them any information on the phone, but they presented him with a price table for how much it was going to cost to fix a number of different "problems" they found. What should he do next?

Out of an abundance of caution I had him call his bank to keep an eye on things, and told him not to turn on his computer again or use it. Unfortunately he lives in a very remote part of the US where he can't drive down the street to the local computer security shop.

What should he do next? I feel like he should probably ship his laptop to a security firm and have them look it over? At the very least I want him to reinstall his OS, but we need to save his photos, writing, that kind of stuff.
posted by colossal to Computers & Internet (7 answers total) 4 users marked this as a favorite
 
My Dad recently did this. He was having trouble with his Gmail and googled "Google Help" then clicked on the first result, then talked to a guy who told him that his computer was infected and they would need his passwords to fix the problem. Shortly after that they started laying out price plans for fixing his computer, at which point he realized it was likely a scam. My father changed all his passwords and got a new credit card. I would have liked for him to do more, but that's all he did and nothing else has happened. This was several months ago.

I would consider at least changing your passwords, especially to your email and to your financial information. Consider getting a new credit card. This is truly a pain, but better safe than sorry. FWIW these scams are awful and I've almost fallen for several myself at times. It's also important to let your father-in-law know that this can happen to anyone. I recently listened to a podcast where several computer security employees were targeted by phishing scams. These people thought there was no way they would give out their passwords, etc. They were wrong.
posted by xammerboy at 7:26 AM on June 10, 2019 [5 favorites]


I just cleaned out a friend's computer after an intrusion and the thing I missed initially was changes made to their email account. Specifically rules blind copying an unknown address and changing the 'Reply To' address to another unknown, presumably nefarious receiver. These are insidious because they persist after the cleanup and leave wide open doors for further shenanigans.

Not sure he needs a full wipe but that would definitely bring peace of mind if the effort is worth it. If accounts and such aren't clearly noted and the laptop is older, a full reset can be quite a journey for the less tech-savvy.

Per this link (https://support.apple.com/mac/repair/service) mail-in service is available (call them and request a box). Also note their recommendation to enable FileVault and make a thorough backup before sending.
posted by erebora at 7:45 AM on June 10, 2019 [2 favorites]
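erebora's point about mail rules that survive a cleanup is worth turning into a repeatable check. The script below is an added example and not code from this thread. It assumes the Atom XML format that Gmail's "export filters" feature produces (entries containing `apps:property` elements in the `http://schemas.google.com/apps/2006` namespace); the sample export embedded here is constructed, and the allow-list, the word list and the `drop.box.example@mailinator.test` address are made up for the demonstration. It flags any filter that forwards to an address not on the allow-list, or that trashes, archives or marks as read messages whose criteria mention security-related words (password resets, bank alerts). A changed Reply-To address lives in account settings rather than filters, so that still has to be checked by hand.

```python
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
APPS = "http://schemas.google.com/apps/2006"  # namespace used in Gmail's filter export (assumed format)

# Criteria fields in an exported filter, and the actions that remove a matching message from view.
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
# Words an attacker's filter tends to match so that resets and alerts never reach the owner (assumed list).
SECURITY_WORDS = ("password", "verif", "bank", "reset", "security", "login", "sign-in", "code")

# Constructed sample export: one ordinary newsletter filter, one attacker-style filter.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='bank OR password OR verify'/>
    <apps:property name='forwardTo' value='drop.box.example@mailinator.test'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall(f"{{{ATOM}}}entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(f"{{{APPS}}}property")}
        filters.append(props)
    return filters


def audit_filters(filters, trusted_forwards=()):
    """Return a list of findings; each names the filter (1-based) and why it is suspicious."""
    trusted = {t.lower() for t in trusted_forwards}
    findings = []
    for index, props in enumerate(filters, start=1):
        reasons = []
        forward = props.get("forwardTo")
        if forward and forward.lower() not in trusted:
            reasons.append(f"forwards matching mail to unrecognised address {forward}")
        hiding = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
        criteria_text = " ".join(props.get(c, "") for c in CRITERIA).lower()
        if hiding and any(word in criteria_text for word in SECURITY_WORDS):
            reasons.append("hides security-related mail from the inbox (" + ", ".join(hiding) + ")")
        if reasons:
            findings.append({
                "filter": index,
                "criteria": {c: props[c] for c in CRITERIA if c in props},
                "reasons": reasons,
            })
    return findings


def audit_export(xml_text, trusted_forwards=()):
    """Convenience wrapper: parse an export and audit it in one call."""
    return audit_filters(parse_filters(xml_text), trusted_forwards)


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(f"filter {finding['filter']}: {finding['criteria']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Run it against a real export by reading the file into `audit_export`, passing any forwarding addresses the account owner actually set up as `trusted_forwards`. Anything it reports should be deleted from the account, and the forwarding, "send mail as" and recovery settings reviewed alongside it.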


If he has a Mac, it’s possible his photos and writing are all on iCloud and so if the disk is wiped he can re-download them. Check on this for peace of mind.
posted by matildaben at 8:01 AM on June 10, 2019 [2 favorites]


The longer-term question is what data they grabbed. If he doesn't already have a credit freeze with the three bureaus, I'd set one up for him (it's easier than it used to be). He will also need to watch for signs that anyone has tried to steal his identity with the IRS.

He should report the scam to the FTC, which has an online form for that. It won't solve his problems individually but they do catch people from time to time.
posted by praemunire at 8:04 AM on June 10, 2019 [3 favorites]


Sometimes to have something on in the background, I'll put on a twitch.tv streamer whose whole gig is baiting scammers like this from the safety of VOIP numbers, a voice changer, and a virtual machine so the scammers are tied up and can't scam others.

The good news is most of the time they don't seem to be interested in depositing malware/keylogging on the target computer. I've seen a couple scams:

1) A lot of times they just seem to muck around in the command line/terminal making it seem like they're doing things and then try to charge the unsuspecting person a couple hundred dollars for "fixing" it (essentially clearing the alarming looking popup.) Sometimes, on windows machines, they'll set a "syskey"-- essentially lock the system-- so you can't make changes until the fee is paid.

2) For tax refund scams they claim they're checking to make sure you get an unclaimed tax refund, try to get you to log into your bank account, then edit the html of the page right there in front of you claiming they accidentally sent too much money. Then they try to get the person to go to a store and buy Google Play cards (not sure why they favor those) and send them the difference in cards, claiming they'll lose their job if not.

You'd think they would try to send money directly from the bank account, but I suspect the odds of that getting stopped by the bank anti-fraud division or involving law enforcement are too high, so they don't risk it.

Malware attacks do happen (hence why he uses the virtual machine that's firewalled from anything of value) but mostly, from what I observe, they tend to be low skill/low risk scammers that deal in volume. It doesn't seem to be worth it to spend too much time on any one single target.

Obviously, you'll still want to take precautions as if they do have control of the computer, but I just wanted to give some perspective that these guys often aren't the master hackers we imagine them to be.

Since shipping the computer off might involve them wiping it without properly saving his files, you might consider this plan: have him go to a friend's computer to change his banking & email passwords (so we know those accounts are safe from the start), then ship him a drive pre-formatted in Mac file system (Western Digital sells them), have him boot up and copy over his pictures/documents, then boot into Mac Recovery to reinstall the OS. It's just an idea-- obviously you have to judge how much legwork and risk you're comfortable with.
posted by bluecore at 8:10 AM on June 10, 2019 [4 favorites]


The attackers have full access to that computer, and will continue to do so at any point it is connected to a network. Any information which touched that computer is compromised. Any accounts it had access to are compromised.

Immediately disconnect that computer from the network and power it down.

Cancel all credit cards. Freeze credit. Put up a fraud alert.

Immediately change the password for every online resource your dad has. First priority is the email account and anything else (Facebook, Google...) that might be used as an authenticator by third parties. After that: financial, medical, insurance, government.

All the above is "in the next hour" kind of stuff.

Then: Change the password for everything else, even stuff that doesn't matter. There's more than you think. You'll miss some. It's a process.

Set up a new, unrelated email address under a different domain and start migrating accounts to it.

Set up two-factor auth anywhere you possibly can.

Nuke and pave the computer. Do not let it connect to a network before you do. If you think you can "clean it up", you're wrong. Wipe the drive and hope that they didn't compromise the BIOS or the IME.

If you don't have good, fresh backups, the temptation will be to "rescue" files before the wipe. I won't say "don't" because you will anyway -- but be really careful. Use sneakernet. Don't grab program binaries. Leave anything you can easily re-create or get from somewhere else. Check for malware like your (online) life depends on it.
posted by sourcequench at 8:16 AM on June 10, 2019 [5 favorites]
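Both bluecore's plan (copy pictures and documents to an external drive, then reinstall from Recovery) and sourcequench's warning (rescue files carefully, don't grab program binaries, leave anything you can recreate) come down to the same step: a copy that takes documents and refuses anything that can run. The script below is an added example, not code from the thread. It walks a source folder and copies files to a destination, skipping hidden files, anything inside an `.app` bundle or `Library`, symlinks, files with an execute bit, files with installer or script extensions, and files that start with a Mach-O or universal-binary magic number or a `#!` line regardless of their name. The suffix list and the magic-number list are assumptions about what "program binary" should cover, and the sample folder it builds is constructed. It is a filter, not a scanner: the copied documents should still be checked before they go onto a clean machine.

```python
import os
import shutil
import tempfile

# File names that mark a program, installer or persistence file rather than a document (assumed list).
RISKY_SUFFIXES = (".app", ".dmg", ".pkg", ".sh", ".command", ".scpt", ".jar", ".py", ".exe", ".plist")
# Mach-O (32/64-bit, either byte order) and universal-binary magic numbers.
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe",
    b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
)


def is_program(path):
    """True if the file looks like something that can execute rather than a document."""
    if os.stat(path).st_mode & 0o111:          # any execute bit set
        return True
    if path.lower().endswith(RISKY_SUFFIXES):
        return True
    with open(path, "rb") as fh:               # content check, so a renamed binary is still caught
        head = fh.read(4)
    return head in MACHO_MAGICS or head.startswith(b"#!")


def rescue_copy(src, dest):
    """Copy documents from src into dest and write dest/SKIPPED.txt.
    Returns (copied, skipped) as sorted lists of paths relative to src."""
    copied, skipped = [], []
    os.makedirs(dest, exist_ok=True)
    for root, dirs, files in os.walk(src):
        # Prune dot-directories, app bundles and Library so their contents are never visited.
        dirs[:] = [d for d in dirs if not d.startswith(".") and not d.endswith(".app") and d != "Library"]
        for name in files:
            if name.startswith("."):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src)
            if os.path.islink(full) or is_program(full):
                skipped.append(rel)
                continue
            target = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)         # copy2 keeps timestamps, which matter for photos
            copied.append(rel)
    with open(os.path.join(dest, "SKIPPED.txt"), "w") as fh:
        fh.write("\n".join(sorted(skipped)) + "\n")
    return sorted(copied), sorted(skipped)


def build_sample_tree(base):
    """Construct a small home-folder lookalike mixing documents with things that must not be copied."""
    def write(rel, data, mode=None):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        if mode is not None:
            os.chmod(path, mode)
    write("Documents/novel.txt", b"draft chapter one\n")
    write("Pictures/holiday.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
    write("Documents/notes.txt", b"#!/bin/sh\necho not really notes\n")   # script with a document name
    write("Downloads/tool", b"\xcf\xfa\xed\xfe rest of a constructed binary")  # Mach-O magic, no suffix
    write("Downloads/installer", b"plain text but marked executable\n", mode=0o755)
    write("Downloads/Fake.app/Contents/MacOS/Fake", b"x")                   # inside a bundle: pruned
    write(".hidden_config", b"secret")                                       # hidden: never copied
    return base


def demo():
    """Build the constructed tree in a temp dir, rescue it, and return (copied, skipped)."""
    base = tempfile.mkdtemp(prefix="rescue_demo_")
    src = build_sample_tree(os.path.join(base, "src"))
    return rescue_copy(src, os.path.join(base, "dest"))


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied:", copied)
    print("skipped:", skipped)
```

On the real machine the call is `rescue_copy("/Users/<name>", "/Volumes/<rescue drive>")` with the laptop kept off the network, after which `SKIPPED.txt` is the list of things deliberately left behind to be reinstalled from their original sources.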


There is lots of good advice above, but I'll add another point. Get 2FA enabled on all the accounts that support it.
posted by WizKid at 11:42 AM on June 10, 2019 [1 favorite]

