Computer scam - and success!

[geekette]

Hopefully no one here will fall for this, but just in case you or someone you know gets caught by this scam, here's something to keep in the back of your mind.

This morning, my sister (being awakened from sleep) answered a call from "Unknown" (red flag) and talked to a guy with a thick Indian accent (red flag) who said he was from Microsoft in California (red flag) and her computer was being hacked (red flag).

He had her run a command that showed her some (perfectly normal) errors in a log file and then convinced her to allow him to remotely access her computer (red flag) and only then asked for her credit card to fix the computer (red flag).

At that point she was awake enough to say she needed to talk to her husband and asked for a number to call them back. He refused and eventually hung up on her. But the damage was done. He'd slapped a "syskey" password on her system, so she couldn't boot without it. Asshole.

DH and I drove over, and after much web searching and putzing around, attempts at booting in Safe Mode (fail), attempting to create a Windows 10 USB boot drive (fail), DH read some comments on a rambling youtube video about the same scam, and found that often the password is quite simple. In this case, it was 456.

Success!

[FIRE me]

Ha, sounds like what happened to a computer based training workstation where I work. I had missed a training session due to being on vacation.

They have a lone workstation in a quiet corner for make up training.

I came in early before the start of my shift only to be told that I couldn't use it because someone put a password on it weeks ago. And the IT guy hadn't figured out that to do about it.

If I had known it was that easy, I'd have offered to fix it for a $100 flat fee.

From the Wikipedia article linked to in your post:
http://www.top-password.com/blog/how-to-reset-forgotten-syskey-startup-password-with-freeware/

[geekette]

I'm pretty sure my DH saw that article, but it's only good for long gone XP.

Apparently these scammers are often lazy and usually just hit a few keys to create a password.  It would be harder to crack if they just banged their hands on the keyboard and hit enter.

[Lis]

A family friend went through something very similar (allowing a random call to get remote access), except after he threatened to call the police, the scammer told him they were using his computer to hack the FBI and he would be arrested if the police found out. Friend hung up (with the scammer still connected to his computer) and called another friend of his, who was both a cop and computer savvy. That guy ended up saving the day, but Friend did spend hours and headaches changing his passwords, canceling credit cards, etc. It's a lesson he's not likely to forget.

[bagap]

Hopefully no one here will fall for this, but just in case you or someone you know gets caught by this scam, here's something to keep in the back of your mind.

This morning, my sister (being awakened from sleep) answered a call from "Unknown" (red flag) and talked to a guy with a thick Indian accent (red flag) who said he was from Microsoft in California (red flag) and her computer was being hacked (red flag).

He had her run a command that showed her some (perfectly normal) errors in a log file and then convinced her to allow him to remotely access her computer (red flag) and only then asked for her credit card to fix the computer (red flag).

At that point she was awake enough to say she needed to talk to her husband and asked for a number to call them back. He refused and eventually hung up on her. But the damage was done. He'd slapped a "syskey" password on her system, so she couldn't boot without it. Asshole.

DH and I drove over, and after much web searching and putzing around, attempts at booting in Safe Mode (fail), attempting to create a Windows 10 USB boot drive (fail), DH read some comments on a rambling youtube video about the same scam, and found that often the password is quite simple. In this case, it was 456.

Success!

Glad things worked out for your sister, this is crazy! 

I don't know what's scarier...that scammers are bold enough to call you and do this or that unsuspecting people actually fall for it :( 

I think everyone is out to scam me when I get ANY unsolicited offer so I think this level of paranoia is actually self-protective somehow.

[dramaman]

I've had those scammers call me. Same accent. The fellow said he was from Windows, which immediately threw up a red flag as Windows is an Operating System, not a company. He and I argued quite a while as I tried to pull as much information out of him as possible regarding what he was up to.

Eventually I just told him my computer was a Mac and he cursed and hung up.

I now have voip phone service that sends any non white listed non local area codes to voicemail. I periodically comb through my phone logs, find the scammer robocall attempts and then blacklist them so that they get a disconnected message when they attempt to call.

I've adopted a suspicious attitude of ANYONE who contacts me out of the blue. I once had a Vanguard rep give me a call about one of my account transactions and I refused to give him any info and instead get his info and called Vanguard myself.

[Cathy]

As a matter of first principles, no password mechanism can possibly lock you out of a computer to which you have physical access. However, if the attacker encrypts all your files (as in the well-known CryptoLocker malicious software), then, if properly implemented by the attacker, your files are probably actually lost. You could still use the computer though. Encrypting all files takes hours to days and is not a fast operation.

However, the bigger concern here is that once an attacker is able to run arbitrary code on your machine, you are thoroughly owned. There is nothing you can realistically do to "clean up" at that point. Removing the local password may have solved the instant problem, but the attacker may have installed any number of malicious programs that are still running. The attacker may also have installed a rootkit kernel module or other persistence technique. If an attacker is able to run arbitrary code on your machine, you have to erase everything and do a fresh install. In theory, you should probably re-flash the firmware on all hardware devices as well (although firmware attacks aren't all that common in real life, so that step might not be necessary).

[GuitarStv]

Yet another benefit to running Ubuntu at home instead of MS.

[Cathy]

Yet another benefit to running Ubuntu at home instead of MS.

Not at all. If an attacker can persuade you to run arbitrary code of their choosing on your machine, you can be owned just as thoroughly on Ubuntu as on Windows. The attack described in OP was not in any way specific to Windows. The attack literally involved the attacker nicely asking "please let me run arbitrary code on your computer"; and the victim merely complied. That could have happened exactly the same on Mac OS X, Ubuntu, FreeBSD, Android, or any other operating system.

[dramaman]

Yet another benefit to running Ubuntu at home instead of MS.

Not at all. If an attacker can persuade you to run arbitrary code of their choosing on your machine, you can be owned just as thoroughly on Ubuntu as on Windows. The attack described in OP was not in any way specific to Windows. The attack literally involved the attacker nicely asking "please let me run arbitrary code on your computer"; and the victim merely complied. That could have happened exactly the same on Mac OS X, Ubuntu, FreeBSD, Android, or any other operating system.

True, but not many scammers are going to call you and claim that your Ubuntu computer has been hacked.

[Le Poisson]

I LOVE when these guys call.

I get very concerned about the virus and put the phone down while I go to turn on the computer to check on the virus. Then I pick up again just long enough to let them know I am finding the sticky note with the password on it, but I'll be right back.

Then I let them know the password isn't working, and I can't get the computer to turn on, but thank god they called because yesterday I noticed it was working funny. Can they help me with the password? Oh - lookit that, the caps lock key was on! Just a minute, I need to top up my coffee. Be right back...

So far my record for time to turn on the computer is 45 minutes without losing the 'tech support' guy.

Of course once the computer finally gets turned on, the bug (did I mention it was acting up yesterday? Let me tell you all about what happened...) makes it so the tech support guy has to walk me through all sorts of strange things that are happening. Impersonating the noises the computer made and having the guy repeat them back is a good time. Eventually, once I'm tired of the game; miracle of miracles, whatever it was the tech support guy said to do to turn it on fixes the computer - thanks 'microsoft' those guys sure know their stuff! Buh-bye, hangup.