Background
Sadly i have spent too much time repairing desktop and laptop PC's that have been attacked in one way or another. Ransom ware, adware, trojan horse etc. The problem described here was a particularly sinister one where they used the laptop camera as a possible means to blackmail someone. The owner, a friend of my Mother's had a problem with her laptop and home router and had been in touch with her Internet Service Provider(ISP), a well known UK provider over a period of months to sort the problem. A few months after this contact had started someone claiming to be from her ISP phoned and said they would help her solve the problem. They seemed very knowledgeable about the type of problems she had so she worked with them.
They asked her to do the following, an approach i have heard of and had to deal with on many occasions:
1. Download software from a website. This is very often a trial version of remote access software from a legitimate source.
2. Run the software and supply the password generated by the software to the 'support technician'.
3. The 'Support Technician' (Fraudster) takes control of the machine and claims to show you the errors on the machine...very often simply the event logs of the PC. The Fraudster will draw the users attention to the warning and error conditions.
4. On completion of the 'repairs' the fraudster tells the user that they want to pay them £200 compensation for all the inconvenience they have experienced and asks them to log on to their on-line banking. At the same time the fraudster sets a password on the PC which will be required when the PC is next restarted.
5. The fraudster can see what the user is typing and can use it to log on to the account on another PC and steal money from the account.
Alternatively, the 'fraudster' simply locks the PC setting a password and demands payment, telling the user the password will be provided when payment has been received.
When i examined the PC i found that the fraudster had remotely used the laptop camera to take photos of my Mum's friend without her knowing. When my Mum's friend became suspicious and refused to log into her online banking account the fraudster ended the remote session and made no further contact.
They asked her to do the following, an approach i have heard of and had to deal with on many occasions:
1. Download software from a website. This is very often a trial version of remote access software from a legitimate source.
2. Run the software and supply the password generated by the software to the 'support technician'.
3. The 'Support Technician' (Fraudster) takes control of the machine and claims to show you the errors on the machine...very often simply the event logs of the PC. The Fraudster will draw the users attention to the warning and error conditions.
4. On completion of the 'repairs' the fraudster tells the user that they want to pay them £200 compensation for all the inconvenience they have experienced and asks them to log on to their on-line banking. At the same time the fraudster sets a password on the PC which will be required when the PC is next restarted.
5. The fraudster can see what the user is typing and can use it to log on to the account on another PC and steal money from the account.
Alternatively, the 'fraudster' simply locks the PC setting a password and demands payment, telling the user the password will be provided when payment has been received.
When i examined the PC i found that the fraudster had remotely used the laptop camera to take photos of my Mum's friend without her knowing. When my Mum's friend became suspicious and refused to log into her online banking account the fraudster ended the remote session and made no further contact.
This is the message that my mother's friend was confronted with when she next started her laptop. She contacted me. I checked the internet and found a long list of know passwords that have been used but none of these worked.
This is a standard feature of Windows that can be enabled as part of securing the laptop. The fraudsters enabled it when they had remote access to the laptop.
The 'sledgehammer' approach is to reset the laptop by re-installing the operating system however that wipes the users data files and i was keen to preserve these.
The alternative approach was to use the 'Boot to last known working configuration' windows startup option.
Fortunately i was able to reboot the PC to a previous known state and then check out what restore points were available.
This is a standard feature of Windows that can be enabled as part of securing the laptop. The fraudsters enabled it when they had remote access to the laptop.
The 'sledgehammer' approach is to reset the laptop by re-installing the operating system however that wipes the users data files and i was keen to preserve these.
The alternative approach was to use the 'Boot to last known working configuration' windows startup option.
Fortunately i was able to reboot the PC to a previous known state and then check out what restore points were available.
Once the PC had rebooted i was able to see what restore points were available.
Fortunately my Mum's friend had maintained her laptop quite well and had installed Microsoft's security and maintenance patches. This meant that there were a number of restore points available.
Before starting the restore process i backup up all data to DVD and verified it was accessible on another PC.
I knew when the fraudsters had been in contact with my Mum's friend so i selected the last but one restore point based on the dates.
Fortunately the system restored successfully. The laptop was then rebooted successfully without any requirement to enter a password to complete the boot process.
The Windows Update process was then run to install all the latest security patches.
This recovery turned out to be relatively straight forward and fortunately my Mum's friend did not lose any data so it was a happy outcome which could have been so much worse.
The moral of the story is to keep your laptop, desktop etc up to date and that small investment in time could save a much larger amount of time at a later date!