
Ask HN: Grandma's computer compromised by scammer, how to assess risk? - vonklaus
EDIT: I apologize for removing the initial description. I uploaded a document I sent to her son which explains what I could grok about what happened. I edited the markdown file quickly and uploaded it to gdocs. I put bullets of major stuff. The public link for more info with some pics is here:

https://drive.google.com/file/d/0B3-pXTFbLBkHUldDQ1JVSnNvd00/view?usp=sharing

I apologize for adding a link but this is a quicker explanation with a few images rather than maxing the char limit. Notable things:

* probably pop-up initiated 200+ redirects broke back button.

* she called scammers (decent/good job copying look of Chrome malicious warning except with phone number and login)

* there are 3 hours before I arrived where she was speaking with them intermittently and she downloaded logmein.com, Citrix software and gave them full access to computer.

* phone num led me to website which is now 100% gone and "alex smith" had a seriously thick foreign accent as she described it.

EDIT [2.1]

There was a dir called [sons name] on the desktop (she thinks it might have been there always but not sure) with:

* 5 year old full Experian credit report

* some old job applications (a super quick look didn't show his full SS but I only looked _very_ quickly, did see last 4)

* info about a P&S of some land he sold.

and he got the job 4 years ago now. Is branch manager of a financial company's office. He is concerned his information could have been downloaded and he is at risk. Trying to assess what I should tell him. Downplayed risk _a bit_ short term so he doesn't flip on his mom, but understandably he is concerned about professional & personal ramifications.

edit 3:

I called the non-emergency police line (haha first time ever) and asked if it was worth reporting in case needed to build narrative for ID theft in future. They said to do ic3.gov.
I am more concerned with getting the paperwork in case I need to build narrative, than actually expecting them to find the people.
======
projectramo
I feel really bad for you, and for her. Is there any chance she had a document
(government application, tax forms etc) with social on there? Did she store
anything online in dropbox and google drive and were those passwords stored?

I would do the following:

\-- Cancel all credit cards

\-- Change all bank accounts

\-- Put a credit lock on her social security number

\-- Change all passwords, prioritizing any kind of banking software or
software with access to wires and accounts

\-- Change all the email and online files

After doing that you can file a few forms with the local police and this
federal ID theft site.

Then when the credit people start calling in a few months (hopefully the
credit lock will prevent this), you can present the information.

~~~
optimiz3
After doing this, on the technical side:

1\. Disconnect the hard disk, and image it using a clean host machine. Since
the attackers had full admin-access, you'll want an image in case they deleted
anything (and to perform forensics if you care).

2\. Wipe the hard disk and re-install Windows 10, there is no other best
practice here. As others have said, there are too many places to hide trojans
and malware, and all bets are off now that the machine was compromised.

~~~
vonklaus
hahah thanks. It's funny, I look at it the same way. I am _fairly_ technical.
I feel confident I could fix the issue technically (install new reformatted HD
& RAM, security programs, etc.) but I am more concerned with:

* Was this the whole attack? Or was this stage 1, and they are going to sell/use data for identity theft.

* Use contacts info to try and scam friends/family

* Worth reporting to build narrative for the future if needed to prove identity theft later?

* What a 'typical' scammer business model is

* If there is a simple way to check if they have active malware installed.

I could never be comfortable with the old hardware, but I would suggest credit
monitoring etc. if I could verify 100% they either downloaded all the data or
backdoored it. I could do this on Mac/Linux and probably figure it out on
Windows, I just don't want to freak her out. Do you think it is worth trying
to tcpdump and look at the sys logs and stuff and trying to diagnose that they
did more than just scam? If I _knew_ they did, I would get LifeLock for her or
something, but when the friendly support rep (the hacker) told her there were
26 hackers currently on her computer and he was fixing it for her, she was
obviously super concerned.

~~~
optimiz3
You can always re-use the hard-drive after you've created an image of it - but
the image gives everyone peace of mind if you ever need to recover/investigate
something after the hard-drive is wiped.

This way you can also put the image on a flash drive or Blu-Ray so you don't
have to keep physical possession of hard drive/data which sounds like it is
important.

I believe tcpdump only helps you if the attack is ongoing, since this is
after-the-fact, having an image you can analyze later is probably your best
bet.

~~~
vonklaus
yeah that was my thought. I don't have a SATA, but I do have a compatible HD
with a Windows install laying around, so I put as much of her data as I could
into the cloud and maxed out a MS OneCloud 5gb for backup, then swapped
drives. She couldn't handle the Windows 10 upgrade, so I had to swap back,
but I was thinking that keeping the drive as a backup/diagnostics would be
best bet.

Also, I wanted to replace the RAM chips in case they persisted malware to them,
but I was holding off to see how serious everyone on here thought it was. What
is the Windows equivalent of stuff like:

        $ tcpdump
        $ ps aux

etc. and the system level process directories like

        /Library/PrivilegedHelperTools
        /Library/LaunchDaemons

etc. I guess I'll just take a peek now. It would be worth spending an hour or
so if I could know without a reasonable doubt that they did install malware.
If I can't find something obvious, I'll still do a clean install.

~~~
wiseleo
Definitely no need to replace RAM. Reading cold RAM chips is a valid attack,
but it doesn't apply in your case. :)

------
vonklaus
Some links, from HN. None were _particularly_ helpful. But if anyone finds this
later in the same situation, I will try and make it a bit easier for them as
this sucks.

1\. What to do about ID theft (2 comments / 2009) 2\. MS Phone scam(1c, 2014,
not very useful) 3\. Phone Scammers(3c, 2013) 4\. Guardian link about Indian
callcenters/phone scamming(0c, article)

1\.
[https://news.ycombinator.com/item?id=695415](https://news.ycombinator.com/item?id=695415)
2\.
[https://news.ycombinator.com/item?id=9241168](https://news.ycombinator.com/item?id=9241168)
3\.
[https://news.ycombinator.com/item?id=8136782](https://news.ycombinator.com/item?id=8136782)
4\. [http://www.guardian.co.uk/world/2010/jul/18/phone-scam-india-call-centres](http://www.guardian.co.uk/world/2010/jul/18/phone-scam-india-call-centres)

edit: will add more useful info, as I find them

~~~
DanBC
[https://news.ycombinator.com/item?id=7868166](https://news.ycombinator.com/item?id=7868166)

A link to a BBC Radio programme that contains a bit about a woman who
responded to telephone scammers. She lost £15,000.

~~~
vonklaus
oh man. That is terrible but helpful. That is similar to what happened and it
was ($260 CAD, but we are US based), so it sounds like this is ongoing, and
exactly what i wanted to know. They will likely call again to retarget her as
it was successful the first time.

------
facorreia
It seems that it would be safer to block that credit card entirely and request
a new number.

The OS should also be reinstalled from scratch, after backing up any pictures
or documents and reformatting the disk.

~~~
vonklaus
I cancelled all cards and did what I could for the finance company. Putting a
freeze or security on her investment account required her to go to a
bank (or other official notary accepted by the firm) and verify her identity
and then mail a letter to the company to authorize transfer. So all the
accounts were cancelled/cards reordered, but freezing her account would be a
huge impediment as she makes transfers every few weeks to live. The cards/etc.
from the initial breach I am not particularly worried about. But to your second
point:

> The OS should also be reinstalled from scratch, after backing up any
> pictures or documents and reformatting the disk.

I removed both RAM caches and replaced them as well as the hard drive with
another entirely reset Windows 10 install I had laying around.

HOWEVER, she is reasonably tech savvy for 80, uses a computer every day, etc., but
she was having trouble adapting and begged me to put Win7 back on. I simply
swapped hard drives back, so there have been 0 diagnostics run on the current
drive except a single full system scan done by the Microsoft virus program,
although, again, she said they installed it (it does look like real MS) but
maybe they just added an exception. I figured I would do damage control, and
let her use the current OS for now (told her not to do online shopping haha) while
I try to assess full risk.

~~~
vessenes
This is a terrible thing to do; there's no way she won't be back in their
system at some point. Seriously. If need be, buy her a chromebook and walk her
through what she needs to learn. But, Windows 7, and previously compromised
together is not any kindness.

~~~
vonklaus
thanks. This was my concern. I have mitigated short term risk (next 2 weeks
ish) so I am just trying to assess whether it is worth freaking her out and
dumping the whole system. I already did, but as an 80 y/o she didn't adjust
super well to having hackers breach her PC, having all new passwords for her
stuff, and trying to use a new OS. So I removed the HD with Windows 10, and
put the old original HD back in with Win7. Wanted to know how serious others
thought the risk was before I escalated.

------
wstrange
Get Grandma a Chromebook.

It won't stop 100% of all scams, but it does eliminate a whole class of
malware.

I converted my 88-year-old father to Chromebooks 3 years ago. He loves it, and
my support calls have tapered off :-)

------
danieljscott
Wiping the hard drive is pretty good, but I wouldn't even trust that. It's
possible to hide malicious code in many other places which would survive a
wipe of the HDD. I've heard of malware which can be installed into the
graphics card firmware, or the BIOS, and I imagine that anywhere else which
can be written to is a possible location to hide.

Personally, I'd chuck the computer away and buy a new one, but I'm paranoid.

~~~
dracul104
Back in Win XP days, I caught a nasty virus that installed itself in the
master boot record of the hard drive. I formatted the partition, reinstalled
everything, and the damn thing kept coming back. Paranoia made me switch to
Linux for a while after that.

~~~
_RPM
Is it possible that an OS could be the one loading Linux, and thus would
affect your Linux instance?

edit: I used to get really paranoid after using Windows for an extended period
of time. Still do sometimes, but learned to live with it. I feel like I have
no control over what services are listening on 0.0.0.0, the firewall is
completely unusable compared to iptables.

------
wiseleo
For incident analysis, I would clone the drive and obtain a list of files
created or modified in 24 hours. I would do this under my Linux recovery
environment. I would also undelete all files. One of those files will likely
be the log of file transfers that happened using commercially available remote
support software. Logmein and Citrix may have additional logs available if you
are ever able to find the right person.

Cached website is likely recoverable from the disk image. I used that
technique a few times to get into some clients' accounts with their consent.

Anyway, assume total compromise and apply nuclear option. It is possible to
track down the perpetrators because they use toll free numbers.
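
The offline version of that timeline, added here as an example rather than anything wiseleo posted. It assumes the clone is mounted read-only on a clean Windows host as F: (in a Linux recovery environment with the NTFS volume under /mnt, `find /mnt -newermt START ! -newermt END` gives the same first list), a four-hour incident window starting when she called the number, and output to E:; the date, drive letters and the vendor-name regex are placeholders. NTFS timestamps are whatever the OS wrote and an attacker with admin can rewrite them, so an empty window narrows the uncertainty but does not prove nothing happened.

```powershell
# Added example, not from the thread: created/modified-file timeline over a
# read-only clone of the suspect disk. Assumptions: clone mounted at F:, results
# to E:, incident window = the hours the remote-support session was live.
$Root  = 'F:\'
$Start = Get-Date '2016-05-28 13:00'   # placeholder: when she called the number
$End   = $Start.AddHours(4)
$Out   = 'E:\timeline.csv'

function Test-InWindow ($t) { ($t -ge $Start) -and ($t -le $End) }

# 1. Every file created or last written inside the window, oldest first.
#    Created-but-unmodified entries are usually the downloads (installers, a
#    copied browser profile); modified system files, new tasks and new service
#    binaries are where persistence would be. LastAccessTime is included but
#    NTFS stops updating it by default on Vista+, so do not read much into it.
$hits = @(Get-ChildItem $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   ((Test-InWindow $_.CreationTime) -or (Test-InWindow $_.LastWriteTime)) } |
    Select-Object FullName, Length, CreationTime, LastWriteTime, LastAccessTime |
    Sort-Object CreationTime)
$hits | Export-Csv $Out -NoTypeInformation
"{0} files touched between {1} and {2}" -f $hits.Count, $Start, $End

# 2. Bucket by the first two path components: a burst under Users\<her>\Downloads,
#    ProgramData or Windows\Tasks says more than the raw list does.
$hits | Group-Object { (($_.FullName.Substring($Root.Length)) -split '\\')[0..1] -join '\' } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. Logs from the remote-support tools she installed (LogMeIn and Citrix
#    GoToAssist). Filenames differ by version, so match on the vendor name under
#    ProgramData and the user profiles; a session/file-transfer log, if it
#    survived, is in here.
Get-ChildItem (Join-Path $Root 'ProgramData'), (Join-Path $Root 'Users') -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.FullName -match 'LogMeIn|GoToAssist|Citrix' } |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize

# 4. Chrome profile files holding saved passwords, cookies and history. If one
#    of these was written in the window, or a copy of the profile shows up in
#    step 1, assume every password Chrome had autofilled is in the scammers' hands.
$profile = Join-Path $Root 'Users\*\AppData\Local\Google\Chrome\User Data\Default'
Get-ChildItem $profile -Force -ErrorAction SilentlyContinue |
    Where-Object { 'Login Data','Cookies','History','Web Data' -contains $_.Name } |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize
```

This only sees files that still have directory entries. The undelete step wiseleo describes needs a carving tool such as testdisk/photorec run against the image file, and a deleted-then-overwritten transfer log is simply gone; that is why the answer to "did they copy the folder?" from disk evidence alone is usually "cannot rule it out", and why the thread's advice converges on credit freezes and password rotation rather than on proving the negative.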

~~~
vonklaus
this is helpful. There was a total dump of Chrome on the desktop, which I
thought was pretty bad, but if I understand correctly what you've said, that
would indicate an attempt to get the accounts right there.

Either way, it for sure has to be totally reformatted. Super shitty thing to do
to someone. There is being a skilled hacker and social engineer and then there
is scamming an old lady. Thanks for the info.

------
_RPM
Just reinstall the OS if the goal is to get it back to a safe state.

~~~
vonklaus
I could never, myself, be comfortable not doing that, as someone who was at
best a total scammer and at worst a hacker/affiliated with hackers and
carders had full system and admin access for several hours. However, I did
what I could because she didn't like the clean Win 10 fresh install, but my
chief concern is not the computer right now as I can fix it.

My chief concern is more the shape of the attack/this sort of scam. I don't
know what a "typical" attack is, a scam or they follow on by bundling up the
data and selling it to the more specialized identity theft/hackers online.

I am not super familiar with Windows (Mac/Linux) so I wouldn't be as
comfortable using PowerShell to look at internal processes. I didn't want to
freak her out, but I do want to know if it would be "normal" for this type of
scam to include downloading the hard drive data and selling it/using it to
commit ID theft etc.

~~~
devopsproject
There is a reason windows experts recommend full wipes: They know there are
lots of places for nasty stuff to hide and it is not worth the time to try and
find it all. Set your ego aside and wipe it.

~~~
emodendroket
Yeah, it is probably possible to recover, but it just doesn't make sense to
spend the kind of time it would take to be sure.

~~~
vonklaus
I have 2 clean compatible DDR3 RAM caches and a new HD which I originally
installed post breach (what I would do if my system) but I swapped back to
orig hardware short term as she couldn't figure out the new OS. Do you think it is
likely that they installed a backdoor (malicious code)? I am not super familiar
with PC but I would want to run the tcpdump equiv for PowerShell etc. I am
just not familiar enough to know where files/daemons/etc. are and how to
diagnose it. Even if I would never reuse this HD, I would like to verify what
happened. For me it would be I guess the same result but it would be better to
know: if the computer was likely running malware or certainly running malware.

In terms of actual actionable steps, they would really be the same fix.
However, if I found active system processes sending data to random IPs, I
would obviously escalate my concerns.

~~~
emodendroket
Who knows, man? If you aren't a Windows system administration/Windows
internals wizard you can't really hope to untangle it all.

~~~
vonklaus
thanks. I am capable, but I don't want to "untangle" it. I would always treat
that system as malicious. I just want to know if I should _confirm_ it was
malicious. I could, in fact, run some program diagnostics. The impediment is
less technical skill than a cost/benefit of me taking her computer back and
freaking her out more.

~~~
emodendroket
I don't understand the distinction you are making. If you are capable of
identifying all the malicious software that's most of the way toward removing
it.

~~~
vonklaus
I want to clarify, securing a system from this caliber of attack is fairly
trivial:

* replace/reformat hard drive

* replace RAM sticks for good measure, as I have them already.

* config firewall

* put on standard Windows security settings, remove remote access to computer, etc. Lock it down.

* she's a grandmother. So essentially, just put a fuckton of addons on Chrome and delete/hide other browsers. Highest Chrome security settings, HTTPS Everywhere, Adblock Plus (not putting uBlock on, consider target user), Ghostery, etc.

* explain some high level steps to her about protecting herself, all popups are scams etc.

* if possible block incoming calls from 800, 900, international, and business numbers. Possible, but could impact her UX of life.

* tell her to call me if she has questions first before doing anything.

HOWEVER. A confirmation of malware would mean that the attack vector changes
_significantly_. If a confirmation they actually actively did data harvesting
or otherwise intend to go after her and her son's IDs or financials, I would
escalate. I have already:

* changed all card numbers, the router and ISP's passwords,

* placed notes of breach in all accounts, etc.

* confirmed no suspicious activity on investments and also secured them to the best I could via that company's policy without needing a 3-day verified letter to execute a transfer or change in position of the portfolio.

* replaced debit cards

* reset investments login.

[ I am aware that allowing her to use the likely compromised hard drive is a
risk. But I believe that between the security measures I have taken and the
holiday weekend, I have some time to consider how I fix the issue technically
]

But if I actually found proof of malicious code, it wouldn't be likely they
were going to continue scamming: _it would be a near certainty_.

If the attack vector becomes securing any hole in America's horrible financial
system, I would have to also set up account/credit monitoring, consider a
credit freeze and take further measures. These are things I would _possibly_
do to some extent for myself if this was my own system/life.

However I am a technical user with a background in finance and tech, and I
worked at a fintech startup where we were trying to sell to banks. So I am not
an expert, but have MUCH more knowledge about the industry than the victim
here. So I am doing cost/ben on how much I need to do here (also of my own
time to some extent) to secure everything while still allowing her not to need
to do 2 factor authentication and call her bank every time she needs to buy
groceries. She is 80, so for her demographic she is highly technical. Compared
to even a 65 year old, she is certainly not and does not have the technical or
peripheral knowledge to execute/do tasks we would consider basic:

* make a change from Win 7 - Win 10

* use a password manager not already set up in Chrome

* understand separation of technological concerns. For example, she didn't want to change to Win 10 because her passwords are prefilled for her in Google Chrome, and the new operating system would require her to not have them. I am aware of how Chrome accounts work, this is an example.

~~~
devopsproject
I don't think it is currently possible for a stick of ram to hold a virus.
Where are you getting this info?

~~~
vonklaus
I am not a security professional and I am recalling what I have read before.
As mentioned some malware targets the bootloader and is persistently loaded at
startup. I am not sure what is technically correct, so maybe someone will
chime in, but I don't believe RAM is typically cleared after shutdown. I think
it is called memory only malware. Either way, I have 2 comparable 4gb RAM
sticks and there is only one in the PC now, so I would simply swap it for the
newer sticks I have to get more RAM, if simply for performance, as the storage is
HDD.

~~~
stillusingvb6
The bootloader resides on the hard drive, so if the bootloader is infected, it
will get transferred to RAM at boot. RAM cannot contain a virus; you are
wasting your time by replacing it.

------
xbmcuser
This is the reason I feel chromebooks are the way to go.

------
brerlapn
Vonklaus - the link you posted with the details is coming up with errors in
viewing for me, FYI.

Technically, you've clearly got an understanding of the fix, so I won't waste
a lot of time on that. I wanted to speak to the rest though, as I've had
personal experience with identity theft in the past few years. Really, anyone
should just operate from the assumption that their SSN is compromised. Too
many places have used them and too many places either don't even realize when
they've been hacked or hide that fact when it's discovered. Her son should do
the stuff written below whether they actually got his info from that folder or
not. (Also, they did freeze the payment they made to the scammers, right?)

First off, do check if your local police have a place to file a report online.
My local police dept. has a website where you can report identity theft and
immediately get a report number and printout. If someone uses their
information to file a fraudulent tax return, they'll need that report as part
of their package to substantiate the issue to the IRS. If you want to do IC3,
too, that's fine--but get the traditional police report (and don't wait until
some problem comes up as a result of the breach). It is a good idea to build a
narrative with corroborating evidence--the IRS was apologetic to me, but
having evidence of a reported incident and efforts to follow up is a nice
preventive to potential pushback at a later date from a private entity that
wasn't careful.

I'd also recommend filing a tax return early, as soon as they receive their
W2. Fraudsters try to get their fake returns in before the legitimate one,
because the IRS will issue their refund without questions unless you've
already filed.

Getting access changed for all of their accounts is a first step, but I would
recommend also getting 2-factor set up for any account it's available for.
2-factor makes any future breaches that much easier to mitigate. Additionally,
they should check any account settings for additional recovery emails or in
email accounts settings for any forwarding addresses added to the account. All
the remediations in the world don't help much if they can still trigger a
change in a few months by getting the password reset sent to
fuckingscammers@dickheads.com. This should additionally include making sure
that anyone they have an account with has a fraud notice and ID check that
doesn't rely on information in their credit report. For instance, my security
question answer to "What is your mother's maiden name?" is to the effect of
"a(DH?BMBNOrcumb#72tT". Use a password manager to keep those straight (I just
keep them in the Notes field and cut and paste as necessary).

The son should have a fraud freeze with the credit agencies, so that they
can't use the experian report to create new accounts, and he should make sure
he's changed his passwords (if there was a folder of his on the computer with
his job search files, it is also likely he's used it for browsing and there
could have been passwords saved somewhere). I'm not sure what his concern is
professionally, but he could contact his company's information security office
about potential safeguards.

I've had no other identity theft issues from my information being out there
aside from the fraudulent tax return, which makes sense. The IRS cut the
douches a check for $8582, which, had they not fat-fingered the 16-digit
prepaid Visa card number they tried to have it deposited onto, would have been
a much more lucrative payoff than trying to run a couple of fraudulent credit
card charges that Visa would quickly flag. Once you've triaged actual account
access, keeping the credit agencies locked down is really the main thing to
keep an eye on, since that would flag any attempt to use the information
further. They should be reasonably vigilant, but my experience has not been
that this was an apocalyptic meltdown of my financial identity and taking
reasonable precautions while hardening their accounts should give them some
peace of mind. I've heard mixed reports of Lifelock's effectiveness, but if
they're anxious types Lifelock won't _hurt_ them--it just might not be more
than a placebo against worry.

~~~
vonklaus
thank you for posting this.

I realized this earlier in the day; your comment only became visible to me in
the last 10 mins or so. I noticed replies ceased several hours ago and emailed
HN support.

The link had been flagged by several users and was restored by dang a few
minutes ago. I don't have info but I assume it was the horrible title which I
submitted after charring out on mobile 3 or 4 times, and I didn't want to
rewrite/lose the original post which has since been restructured.

Thanks again dang, and also I appreciate this write up as there wasn't much on
HN about dealing with this. It is clearly written up extensively in the media
but there is so much spam and incorrect info I looked here for better
resources and experiences like yours, as there are technical, financial and
privacy considerations and, as any good security professional knows, missing
even one thing can have huge consequences.

~~~
brerlapn
You're definitely welcome. My folks have been through this recently, as well.
Smart practices like using a password manager to segregate all accounts with
different passwords can help to protect ourselves from poor security practices
by other parties, like banks or vendors, and making sure they never link a
bank account directly to a pay vendor rather than a credit or debit card
(looking at you, Venmo). The main thing for the folks you're working with
(aside from dipping that hard drive in bleach) is to protect access to their
existing asset accounts and then keep a fraud alert on their credit. I think
leaving those avenues of attack open is where the identity theft horror
stories come from (or just basic overtrustfulness from people like the woman
in the BBC article below), so closing those off is a good idea even if you
don't know there has specifically been a breach.

On a side note, the amusing part about having my identity stolen is that
identity management at the enterprise level is what I do professionally, so I
am well aware of the flaws in identity management that make id theft
exploitable and now have a really good story to drag out when someone gives me
pushback. Also, when the IRS guy was apologizing to me about all the
inconvenience, I stopped him and said "don't apologize, I think this is
hilarious. I have his refund check, he'll never get it, and I know he's trying
to find out what happened because every time he pretends to be me and files an
inquiry with you guys, the IRS response letter gets sent to _my_ address since
that's what's on the return. I'm probably the only person in America who
laughs maniacally when I see a letter from the IRS in my mailbox."

For those who are so inclined, I found the approach the guy in this article
took to be pretty intriguing, and have a to-do project of figuring out how to
do this in a virtual machine:

[http://www.computerworld.com/article/3030216/windows-pcs/fed-up-with-bogus-computer-support-calls-man-turns-tables-on-scammers.html](http://www.computerworld.com/article/3030216/windows-pcs/fed-up-with-bogus-computer-support-calls-man-turns-tables-on-scammers.html)

