Rama Set
Does this look legit?
« on: September 17, 2018, 05:53:31 PM »
Hey hive mind,

I have a friend who is so bad with computers that she makes me look like Parsifal.  She had used a tech company in India named TeckPCSupport to help make her printer and MacBook compatible.  A year later a guy called unsolicited from the same company.  He had an Indian accent and his name was Tony Martin, and he said that her computer had been compromised and offered to help her work through it.  Her terminal app, under the control of Tony Martin, pulled up the following message:



As she was telling me the story, a few things struck me as odd:
  • If she had been compromised, it is odd that her computer was being monitored by someone without her consent.
  • It seems odd that Terminal would say something as specific as "Ransomware has been uploaded"

What do you guys think, was she swindled?

BREAKING NEWS: She called the tech company she had enlisted to fix her printer and gave them the number that Tony Martin had given her and they were like, "lol wut?  Nah, yoo got fuked"

If she just got scammed, is this a situation where she formats her computer and changes all her passwords?
« Last Edit: September 17, 2018, 06:00:25 PM by Rama Set »
You don't get races of anything ... accept people.

Parsifal
Re: Does this look legit?
« Reply #1 on: September 17, 2018, 06:12:20 PM »
Uh, that's just something someone typed into the terminal prompt. Is there any actual evidence that anything is wrong with her computer, or did this guy just take her money and write some meme shit on her screen?
How the hell am I supposed to be a moron if I keep educating myself?  >:(

junker
Re: Does this look legit?
« Reply #2 on: September 17, 2018, 06:13:33 PM »
If I had to guess, I would say that nothing has happened (no way to confirm obvs). But based on the gibberish, there isn't any way a payload was delivered from what is visible. Safe bet is always to nuke it and start fresh when someone gets access, though (since there may be more to it than this screenshot). The memester tried to run 'scan' which doesn't exist and Terminal tells you so. He then ran 'Say' which will literally just output what is typed after the command to the speakers with the robot voice. I assume he ran that to make it appear more legit.

Tell your friend to not let any randos who dial her up to access her computer...
Please make sure to check out these resources to ensure that your time at tfes.org is enjoyable and productive.

1. The Rules

2. The FAQ

3. The Wiki

You're doing God's work, junker.

Pete Svarrior
Re: Does this look legit?
« Reply #3 on: September 17, 2018, 06:14:41 PM »
Against better judgement, I'll assume that this is a sincere question and not a troll.

She was 100% swindled, these types of scammers are very common nowadays. They either solicit calls through malicious websites, or make unsolicited calls and try to convince their victims that their flux capacitors are broken and that it must be immediately fixed through a remote session.

There are red flags all over the place here, including your screen photo which clearly indicates that the command the scammer ran was not found on the system. And the actual "output" in the terminal just doesn't look like something that would come out of any scanning software. Most likely, the scammer had this copied somewhere and pasted it into the terminal to make it look legit.

It's really disheartening that people fall for it, and even more depressing that there are people out there who would prey on others' lack of tech aptitude.

For educational purposes, it might be useful to show her some of Jim Browning's stuff - he's one of many people on YouTube trying to either waste these people's time or to minimise the impact of their activities. It might not be the most thrilling of content, but awareness of these sorts of things is becoming pretty important.

Anyway, whether or not she needs to Reset Absolutely Everything™ depends entirely on what the scammer did while he had access to the machine. I suspect that we won't be able to find that out reliably. Without that knowledge, we can only speculate:
  • These guys are after money, and usually nothing else. If they already got their money, that might be the end of it.
  • However, we're basically dealing with some random guy who had presumably unlimited access to your friend's computer, and we don't know what he did. Personally, I would consider that a reason to go completely fucking paranoid and wipe everything, or at least reset any important passwords.
  • If payment was involved, it's important to find out how that took place. Was it a credit/debit card? Did they process the number? If so, they could potentially use it to steal money in the future. If it was some bullshit like them asking for an iTunes card, then her financial details should be more or less safe.

I'd say either try to find out more about what happened during their interaction to better inform decisions, or go full martial law on her computer and banking stuff just to be safe.
« Last Edit: September 17, 2018, 06:18:31 PM by Pete Svarrior »
Read the FAQ before asking your question - chances are we've already addressed it.
Follow the Flat Earth Society on Facebook and Twitter!


*mic stays stationary and earth accelerates upwards towards it*

Rama Set
Re: Does this look legit?
« Reply #4 on: September 17, 2018, 06:20:12 PM »
Quote
Against better judgement, I'll assume that this is a sincere question and not a troll.

That’s p. harsh. I just wanted to confirm it since all of my alarm bells are going off, but I don’t know a ton about this shit.

Quote
She was 100% swindled, these types of scammers are very common nowadays. They either solicit calls through malicious websites, or make unsolicited calls and try to convince their victims that their flux capacitors are broken and that it must be immediately fixed through a remote session.

There are red flags all over the place here, including your screen photo which clearly indicates that the command the scammer ran was not found on the system. And the actual "output" in the terminal just doesn't look like something that would come out of any scanning software. Most likely, the scammer had this copied somewhere and pasted it into the terminal to make it look legit.

It's really disheartening that people fall for it, and even more depressing that there are people out there who would prey on others' lack of tech aptitude.

For educational purposes, it might be useful to show her some of Jim Browning's stuff - he's one of many people on YouTube trying to either waste these people's time or to minimise the impact of their activities. It might not be the most thrilling of content, but awareness of these sorts of things is becoming pretty important.

Anyway, whether or not she needs to Reset Absolutely Everything™ depends entirely on what the scammer did while he had access to the machine. I suspect that we won't be able to find that out reliably. Without that knowledge, we can only speculate:
  • These guys are after money, and usually nothing else. If they already got their money, that might be the end of it.
  • However, we're basically dealing with some random guy who had presumably unlimited access to your friend's computer, and we don't know what he did. Personally, I would consider that a reason to go completely fucking paranoid and wipe everything, or at least reset any important passwords.
  • If payment was involved, it's important to find out how that took place. Was it a credit/debit card? Did they process the number? If so, they could potentially use it to steal money in the future. If it was some bullshit like them asking for an iTunes card, then her financial details should be more or less safe.

I'd say either try to find out more about what happened during their interaction to better inform decisions, or go full martial law on her computer and banking stuff just to be safe.

Thanks for this.

Thanks to Junker and Parsifal too.

Pete Svarrior
Re: Does this look legit?
« Reply #5 on: September 17, 2018, 06:22:40 PM »
Quote
That’s p. harsh. I just wanted to confirm it since all of my alarm bells are going off, but I don’t know a ton about this shit.
I'm sorry if I've caused any offence. Basically, your alarm bells were so right that I had trouble believing you'd need to confirm it. Don't take it as an insult - it's the kind of stuff many people would troll about. In retrospect, it does make me sound like an asshole.

Ooh, also, if any money was exchanged, it might be worth contacting the authorities. I don't know how shit works in America, but there might be ways to stop the payment from being processed.
« Last Edit: September 17, 2018, 06:25:36 PM by Pete Svarrior »

Re: Does this look legit?
« Reply #6 on: September 17, 2018, 06:46:11 PM »
100% bonafide scam.

You don't need to do anything to fix the Mac. It's fine. As someone mentioned, it's a terminal prompt entry. They likely ran the tree command or whatever the Mac equivalent is, and whilst it was executing, typed that into the prompt so it would print "Danger you've been hacked" or whatever after the tree command completed.



Here's a guy doing it on PC.

They run a directory list command. Tell you it is scanning ... it isn't, it's listing ... type something in and at the end of the script it says your PC is compromised and at that point you give them money to 'fix it' ... but there is nothing to fix.
« Last Edit: September 17, 2018, 06:49:38 PM by Baby Thork »

Re: Does this look legit?
« Reply #7 on: September 17, 2018, 06:48:56 PM »
Regarding payment ... if you used Paypal or credit card ... you can inform them and get a refund. You are insured against online crime.

If however you went and bought an iTunes card or some other stupid as hell form of payment and scratched it off to give them the number ... well stupid is as stupid does and you learned an important lesson.

Pete Svarrior
Re: Does this look legit?
« Reply #8 on: September 17, 2018, 06:51:01 PM »
Quote
You don't need to do anything to fix the Mac. It's fine. As someone mentioned, it's a terminal prompt entry. They likely ran the tree command or whatever the Mac equivalent is, and whilst it was executing, typed that into the prompt so it would print "Danger you've been hacked" or whatever after the tree command completed.
You do not know that's everything that happened. Yes, nothing in the photo itself is malicious, but we haven't seen everything that happened. It is not uncommon for these scammers to try and gain access to your online banking, and they could have hypothetically installed a more persistent way of accessing the machine remotely.

Is it likely? Not very. Is it wise to assume? I'd argue not.

Rama Set
Re: Does this look legit?
« Reply #9 on: September 17, 2018, 06:53:56 PM »
My worry is that she gave away information or allowed access to parts of the computer that could be compromising. If I were her, I would have gone full paranoid; indeed I told her to air-gap her computer right away. Better safe than sorry.

Re: Does this look legit?
« Reply #10 on: September 17, 2018, 07:03:04 PM »
I've seen a hundred of these scams on YouTube. I dunno ... just like watching the scammers get wrecked by someone using a virtual machine on them.

I've never seen them install anything. They aren't sophisticated. They usually only have one alternative when things aren't going well and you won't pay ... and that used to be to syskey you in a rage quit (before Microsoft removed it due to these scammers using it). Then they'd demand money to unlock the machine. I think nowadays they try to delete your system32 folder.
But they don't infect the machine as they haven't a clue how to undo that ... and of course they want to give you "life time support" meaning they can keep shearing their sheep.

Also Mac has a better user mechanism than Windows, making it much harder to start infecting it. Personally I wouldn't lose any sleep over it, as they got what they wanted ... your money. If they hadn't ... once they gained access via TeamViewer or equivalent ... they'd have done the damage in that window.

« Last Edit: September 17, 2018, 07:07:04 PM by Baby Thork »

Pete Svarrior
Re: Does this look legit?
« Reply #11 on: September 17, 2018, 07:13:22 PM »
Quote
I've never seen them install anything. They aren't sophisticated.
You can find videos of scammers installing remote access tools on victim machines, or even going as far as to get someone to register for online banking with their own credentials. Without knowing what happened to Rama's friend, it would be idiotic to assume. Hence my suggestion of either trying to find out, or assuming the worst.
« Last Edit: September 17, 2018, 07:19:33 PM by Pete Svarrior »
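Pete's advice is to find out what happened rather than guess. The script below is an added example for this thread, not something anyone posted in it: it reads the shell history the scammer typed into, flags the tricks junker and Thork describe (`say`, recursive listings sold as a "scan", commands that never existed), and looks for TeamViewer-style apps and launchd persistence. The macOS paths are the platform defaults; the remote-tool names other than TeamViewer are an assumption.

```shell
#!/bin/sh
# Triage helper for a Mac after a scammer has driven it over a remote session.
# Added example for this thread, not something anyone posted in it. Paths are
# macOS defaults (bash was the default shell in 2018); every function takes
# a path argument so it can be exercised on another system.

# What did the scammer actually type? The shell history is the record.
recent_commands() {
    local histfile="${1:-$HOME/.bash_history}" count="${2:-50}"
    [ -r "$histfile" ] || { echo "no history file at $histfile" >&2; return 1; }
    tail -n "$count" "$histfile"
}

# History lines matching the tricks the thread describes: 'say' for the
# robot voice, recursive listings passed off as a "scan", and anything that
# downloads or installs software.
suspicious_commands() {
    local histfile="${1:-$HOME/.bash_history}"
    [ -r "$histfile" ] || return 1
    grep -nE '^(say |tree|ls -R|find /|curl |wget |sudo |installer |open )' "$histfile"
}

# Commands in the history that do not exist on this machine: the "scanner"
# the scammer ran was never a real program. Lines starting with '#' are
# bash history timestamps and are skipped.
unknown_commands() {
    local histfile="${1:-$HOME/.bash_history}" cmd rest
    [ -r "$histfile" ] || return 1
    while read -r cmd rest; do
        case "$cmd" in ''|\#*) continue ;; esac
        command -v "$cmd" >/dev/null 2>&1 || echo "$cmd"
    done < "$histfile" | sort -u
}

# Remote-control apps left installed. TeamViewer is the one named in the
# thread; the other product names are an assumption about common tools.
remote_access_apps() {
    local appdir="${1:-/Applications}"
    ls "$appdir" 2>/dev/null | grep -iE 'teamviewer|anydesk|logmein|splashtop'
}

# Persistence: anything meant to survive a reboot is registered with launchd.
# Lists .plist files changed within the last N days in the given directories.
recent_launch_items() {
    local days="${1:-7}"
    [ $# -gt 0 ] && shift
    [ $# -eq 0 ] && set -- "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
    find "$@" -maxdepth 1 -name '*.plist' -mtime "-$days" 2>/dev/null
}

# Run every check against the defaults; a check that finds nothing is not an error.
triage_report() {
    for step in recent_commands suspicious_commands unknown_commands \
                remote_access_apps recent_launch_items; do
        echo "== $step =="; "$step" || :
    done
}

triage_report
```

Run it in Terminal on the affected account and read the "unknown_commands" and "recent_launch_items" sections first; an empty report is the likely outcome the thread expects, but it is evidence rather than a guess.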

Re: Does this look legit?
« Reply #12 on: September 17, 2018, 07:19:44 PM »
The real question is: if he did fix it for some fee, what did he DO to fix it?  Cause that's where, if I were a scammer, I'd do the actual install.
"Yes.  I am installing this special fix to your computer.  The website is super secret so as to not be hacked by hackers to learn secrets.  That is why it is hard to type."
Usually the ones I get are "I am from Microsoft.  We have detected a virus on your computer and would like to help you fix it."
Normally I'm cool with going on and on but
1. it's usually a British number so it'll run up the phone bill.
2. I've been busy lately.  It's annoying.

Re: Does this look legit?
« Reply #13 on: September 17, 2018, 07:20:52 PM »
Indian scammers ... not so much. Russian scammers ... start again. Reformat the PC, hoover your room, wipe down your bathroom tiles and go ask your doctor for an enema. But the Indians tend to work off a script.

Via remote access ... they were given permission ... they weren't given passwords. Indian scammers don't use Wireshark or anything else to get info on you. They just aren't very technical. And unless you had a folder marked "Bank details" on your desktop which you watched them open in front of you ...

You can go all 'better to be safe than sorry' ... but it's a Unix machine. You can't gain entry without a password or a permission. And this user is obviously a novice who couldn't even get their network printer to talk to their Mac ... so cleaning everything and doing fresh installs ... what are they going to do? Ask someone at the Genius bar to nuke it for just $700? I think the best advice is don't lose any sleep over it ... but hey, it's a forum ... a place where we all give opinions.

Pete Svarrior
Re: Does this look legit?
« Reply #14 on: September 17, 2018, 07:23:40 PM »
Thork, focus very hard on what I'm saying. I'll even make it bold for you. I am suggesting that we should find out what happened, and that making assumptions without proper knowledge is stupid. Telling me that your assumptions are super great because you've watched 100 hours of YouTube is unhelpful, especially when I already showed you an example of the script not being as simple as you assert.

Re: Does this look legit?
« Reply #15 on: September 17, 2018, 07:31:36 PM »
It's an Apple machine.

Assuming this user is as non-tech as the OP described ... they use it with their user account. Not a root account or admin account or whatever Mac calls it. To install anything that needs to execute, you have to enter a password. You can't just install malicious scripts in the same way you can on a Windows PC. And I think even if it was a Windows PC the risk is tiny.

But read this in bold ... what are they going to do? Ask someone at the Genius bar to nuke it for just $700.

Your bank is the place to go to 'clean the problem', especially if you entered your 3-digit security number with the guy watching. However, we don't know the payment mechanism. But I really don't think the machine is the thing to worry about.

Pete Svarrior
Re: Does this look legit?
« Reply #16 on: September 17, 2018, 07:34:24 PM »
Quote
It's an Apple machine.
TeamViewer works perfectly fine on Apple machines. Your computer's security is only good for as long as you don't push the "please don't secure my computer anymore" button. You do not know that this button has not been pushed.

Quote
But read this in bold ... what are they going to do? Ask someone at the Genius bar to nuke it for just $700.
That depends entirely on what actually happened. Until we have this knowledge, it would be idiotic to speculate. Rama's first step of airgapping the machine is perfectly sensible in the meantime.

Just a minor correction, though: As much as I dislike Apple, a Genius Bar appointment to whack a fresh OS install on the machine costs $0, not $700.
« Last Edit: September 17, 2018, 07:36:58 PM by Pete Svarrior »

Parsifal
Re: Does this look legit?
« Reply #17 on: September 17, 2018, 07:35:17 PM »
Quote
Assuming this user is as non-tech as the OP described ... they use it with their user account. Not a root account or admin account or whatever Mac calls it. To install anything that needs to execute, you have to enter a password. You can't just install malicious scripts in the same way you can on a Windows PC.

This is wrong on so many levels. Just stop.

Re: Does this look legit?
« Reply #18 on: September 17, 2018, 07:38:57 PM »
Ok ... so you are giving advice to this novice user ... someone who is already in the hole for a couple hundred dollars.

What advice are you going to give them that they can realistically be expected to perform?


My advice is "odds are tiny, don't worry about it". They can do that. What would you have them do?

junker
Re: Does this look legit?
« Reply #19 on: September 17, 2018, 07:40:36 PM »
This thread has turned into something worse than what was originally described in the OP...