PSA to help people avoid getting scammed

sneakyimp

Serious question here folks. Have you or your parents or loved ones ever been scammed out of money by some fraudster on the Internet or over the phone or whatever? Someone close to me was victimized yesterday. I'm thinking I might try to put together some kind of public service to help our less-savvy friends to avoid losing their shirts. Any anecdotes about how money was scammed would be appreciated. Any REALLY BIG POINTS that should be made would also be appreciated.

In the case of my recently victimized friend, the machine was compromised somehow. Not sure if it was ransomware or just something to bog down the machine to the point of unusability. As this friend attempted to get the machine to work, the computer spoke to him. The fraudster claimed to be 'microsoft' and offered to help, asking for a phone number. My clueless friend fell for it and gave out their phone number because the person did not sound like they were from India or otherwise speak with a foreign accent. My clueless friend ended up paying the fraudster $250 to have the computer 'fixed.'

I told my clueless friend to contact every financial institution with whom they do business and get a new account number. I told my clueless friend to contact Experian/TransUnion/Equifax and put a fraud alert on their identity. I told them never to turn that computer on again.

In terms of prevention, a couple of things come to mind:
NEVER click the links in those emails that say anything about Trump, Obama, etc. This is probably the primary vector by which these exploits propagate -- either infected files, installers, or a link to some drive-by exploit hosted on a website.
NEVER trust anyone who contacts you first. These are always the criminals.

Any thoughts on how to simplify or improve the "rules of prevention" would be much appreciated. Fixing the problem after the fact is a nightmare.

sneakyimp

I'm wondering if we might distill some minimal list from these various anecdotes...

Anecdote #2:

A fake IRS agent called me other day - for a second I bought it - but when he tried to get money over the phone I realized it was a scam
He had my name, I don't recall whether he had my social security number or not.
He said I was going to be arrested for tax evasion and that sheriff was on the way to get me
He sounded foreign.
I google the phone number and it came up ad middle eastern dudes trying to con you to pay them.
Then I called the number back and it would not pick up.
It was a number with a Washington DC area code so that made it seem more real. 202 657 5926

Anecodote #3:

I know an internet-savvy 70-year-old who entered his paypal password into a fraudulent "phishing" email link. The scam was that the email said there was a problem with his Paypal account. That's the sort of thing that would make him (and others like him, I suppose) log in right away, so he just used the bogus link in the email

cretaceous

I act the idiot when they phone and keep them on the line for as long as I can, while trying to figure out what they want me to do.
Got nearly 10 minutes the other day.

Your friend's computer can be cleaned up, it just may take a while, or re-format it.
I took about 5 hours to recover a PC a year or so ago - it became a battle of will!

But how will you get this info to people when they need it?

NogDog

cretaceous;11052657 wrote:
...
But how will you get this info to people when they need it?

A link to a web page sent in spam email. That way only the people who really need to see it will, in fact, see it. 🙂 (Only half in jest)

sneakyimp

cretaceous;11052657 wrote:
I act the idiot when they phone and keep them on the line for as long as I can, while trying to figure out what they want me to do.
Got nearly 10 minutes the other day.

I do this too. I really enjoy making these people miserable. And chewing their time is a bit like how fail2ban works. The more time I chew up, the less time they have to sponge money off other gullible people. Something really weird about talking to a criminal though -- not that all of them are willful criminals. I expect most don't realize that they are doing something illegal.

cretaceous;11052657 wrote:
Your friend's computer can be cleaned up, it just may take a while, or re-format it.
I took about 5 hours to recover a PC a year or so ago - it became a battle of will!

I have thought a lot about this and tend to think that yes it can be cleaned up until usable, but I disagree that it's really "clean." I tend to think you need to get a new hard drive and reinstall OS. I'm even suspicious of the BIOS getting infected. I expect I'll just buy mobo, hard drive, chip, and RAM to replace my friend's machine entirely. Overkill?

cretaceous;11052657 wrote:
But how will you get this info to people when they need it?

I live in Los Angeles and know numerous directors, actors, editors, etc. I expect that the only way to propagate this type of information effectively is to create a video which gets the big ideas across in an entertaining way. Any time I get the slightest bit too technical, I can see their eyes glaze over. I'd really like to distill this down to the security-for-dummies level. I mean simple. Like 3 tips and that's about it.

sneakyimp

NogDog;11052663 wrote:
A link to a web page sent in spam email. That way only the people who really need to see it will, in fact, see it. 🙂 (Only half in jest)

No this is actually a good point. How do we safely propagate this message? I'm thinking youtube. It's pretty safe AFAIK. Google's seems to have largely avoided security problems and exploits. I expect the video would be propagated via social media.

Seems to me a little bit of the training should be about how to distinguish reputable links from bad ones, but I think even that is a bit too much for your typical senior citizen or gullible pre-teen.

Weedpacket

sneakyimp wrote:
I do this too. I really enjoy making these people miserable.

One thing to think about is that "these people" are often just as clueless as the people they're calling. They're sitting in a cubical farm somewhere with a couple of hundred others doing the same thing - which is following one of several different companies' scripts that they were handed at the beginning of the workday alongside a long list of numbers to call.

That said, I often reply to "go into your computer" with grunting and clanking noises followed by "I can't – I don't fit."

Derokorian

Weedpacket;11052681 wrote:
That said, I often reply to "go into your computer" with grunting and clanking noises followed by "I can't – I don't fit."

Similarly, I like to say - "I can't there's no door, I have windows"

Oh and then there's "Go to My Computer"... obviously I know what it means, but I like to ask for their address because their computer is not here.

As for the original problem - Another anecdote: I was talking to my mom a while back and she said "oh btw I renewed my subscription for the antivirus" when asked why she did that, she said she had gotten an email that it was going to expire and to click here to renew. Well she did, and put in her credit card info. I told her that was a scam, it was the middle of july and I installed the anti-virus without using her email at Christmas time (also the AV name used was Norton, I had installed AVG - so it wasn't even the same program that was on her PC). I then told her to cancel her card - she told me I was being paranoid and didn't. A few weeks later she told me that there was a few thousand dollars of unknown charges on her card and that she was being issued a new one. She said she didn't know how it happened - I reminded her of how I had told her to cancel and she was like "That can't really be what happened, all I did was renew my license." To put it in perspective, my mom and my step-dad were both C-level executive for a fortune 100 company... they are very smart people, that just didn't think something like that could really be true. They also use AOL.

As an aside, every single person I know who has fallen victim to an email based phishing scam, still uses AOL. Nothing against AOL, but the pattern exists - maybe the email spam wouldn't be so bad, target everyone using AOL and send a message about renewing something (like anti-virus, why not) and when they click its just a page that says "You have fallen victim to a phishing attack. Under real conditions, this page would ask you for personal information to renew an account you do not have. Here is a list of helpful hints and bits of knowledge that can help you avoid such attacks in the future."

The best advice I have ever given anyone WRT. avoiding phishing (PS, why is it spelled with a ph???) is that whenever you get an email asking you to log in (even if you expected the email) is to open a new tab or window (if i can get through to them, an incognito window) and type in the address of the site you're going to (or use a bookmark). This will prevent phishing, because one of two things will then happen: 1) you successfully log into your account that has no problems, or 2) you successfully log into your account and are walked through the process of fixing whatever problems it has.

Weedpacket

Derokorian wrote:
(PS, why is it spelled with a ph???)

Probably by association with "phreak", from "phone phreaking".

Bonesnap

sneakyimp;11052649 wrote:
* NEVER click the links in those emails that say anything about Trump, Obama, etc. This is probably the primary vector by which these exploits propagate -- either infected files, installers, or a link to some drive-by exploit hosted on a website.

I guess it's good to be Canadian. Never seen these but I can imagine how people would fall for something like this.

sneakyimp;11052649 wrote:
* NEVER trust anyone who contacts you first. These are always the criminals.

Definitely, and I have 2 anecdotes to share further down.

sneakyimp;11052649 wrote:
Any thoughts on how to simplify or improve the "rules of prevention" would be much appreciated. Fixing the problem after the fact is a nightmare.

I'm not sure there really is, to be honest. And it sucks. But I think it's largely a generation thing. These attacks tend to affect those who did not grow up in the "information age". It's similar to the group that "uses Internet Explorer". Now that the Internet is ubiquitous, IE's share is dropping drastically and showing no real signs of slowing down. There are of course outliers - but I'd be willing to bet that most people who fall for computer-related scams (whether via email or phone) are "older" and don't know much about computers.

cretaceous;11052657 wrote:
I act the idiot when they phone and keep them on the line for as long as I can, while trying to figure out what they want me to do.
Got nearly 10 minutes the other day.

Any time a telemarketer or someone calls me and tries to sell me anything, I stop them immediately and let them know I am willing to hear out everything they have to say, but only if they do it in a Sean Connery voice. Try it next time, it can be hilarious. Sometimes they just hang up, sometimes they do it. It's amazing.

sneakyimp;11052673 wrote:
I have thought a lot about this and tend to think that yes it can be cleaned up until usable, but I disagree that it's really "clean." I tend to think you need to get a new hard drive and reinstall OS. I'm even suspicious of the BIOS getting infected. I expect I'll just buy mobo, hard drive, chip, and RAM to replace my friend's machine entirely. Overkill?

Dude, yes, this is way overkill. I mean come on. I like to take a scorched Earth approach and format the drive, too, but what you're talking about is scorched galaxy. Malware infections at the hardware level are incredibly rare, and sophisticated. Attackers aren't going to go to the trouble of doing all that just to scam $250 out of people. These are the sort of attacks that are intended to cause physical damage (CIH) or take down nuclear weapons programs (Stuxnet). Format your friend's drive, do it a couple times if it makes you feel better, but there's no reason to literally replace the entire computer.

Weedpacket;11052685 wrote:
Probably by association with "phreak", from "phone phreaking".

Huh. I always thought it was related to "fishing" because it's essentially casting out many times hoping someone will "take the bait", but it only "looks like fishing", which is why it's spelled with PH because the result is it looks like the real thing, but really not.

Story 1:
I fell for a phishing email scam myself, but realized my mistake immediately after entering my credentials. Many years ago when I still lived with my parents I was pretty active on eBay, selling mostly old video games and consoles (my own plus snatching what I could from garage sales). I made some decent money during one summer. Since then I haven't really used eBay. But then one day a friend wanted me to list a couple items for them so I put them up. Well randomly I received an email from eBay letting me know that my auction had finished and to click the link to log in and see what the final value was. It was incredibly timed, as I don't receive auction-related emails from eBay when I am not using it, and my auction was scheduled to end that day. So clicked the link, entered my credentials, and hit enter. The page just reloaded, and immediately I knew what happened. I looked up at the address bar and - yup - some random URL. I immediately logged into my account and changed my password. Haven't noticed any ill effects (this happened maybe 2-3 years ago now).

Story 2:
This is much more recent, about a week or two ago. I received a phone call on my cell from a number I didn't recognize. I was at work so I definitely didn't take it. The person left a voice mail so I checked it later. The voice mail stated they were from a local bank (remember in Canada we have few banks with many branches - so there's like a handful of banks it could be) and provided a name, number, and extension to call back on because they had "good news". They also mentioned the intersection of where the branch was located. The thing is, there is no branch of that bank at the intersection that was stated, not to mention that I don't have an account with that bank (though I do have a credit card with them), and I have never stepped foot in one of their branches in my city. So I have just left it alone and haven't heard anything since. I haven't even bothered to Google the number.

Scam? Maybe. I have received phone calls from the credit card department before of the bank and they have never mentioned anything about branches before or anything related, so I don't think it was a credit card-related phone call. Additionally the voice mail didn't mention my credit card and was very vague, so it was either a) a scam or b) someone in some department trying to sell "insurance" or some kind of useless "offer" (hence their version of "good news"). In either case I am better off not bothering.

sneakyimp

Weedpacket;11052681 wrote:
One thing to think about is that "these people" are often just as clueless as the people they're calling. They're sitting in a cubical farm somewhere with a couple of hundred others doing the same thing - which is following one of several different companies' scripts that they were handed at the beginning of the workday alongside a long list of numbers to call.

Agreed that some of the employees are clueless. I myself was roped into a suspicious development project once. If they seem to mean well, I like to try and gently inform them that they are part of a criminal enterprise.

Weedpacket;11052681 wrote:
That said, I often reply to "go into your computer" with grunting and clanking noises followed by "I can't – I don't fit."

Nice one.

sneakyimp

Derokorian;11052683 wrote:
Another anecdote: I was talking to my mom a while back and she said "oh btw I renewed my subscription for the antivirus" when asked why she did that, she said she had gotten an email that it was going to expire and to click here to renew. Well she did, and put in her credit card info. I told her that was a scam, it was the middle of july and I installed the anti-virus without using her email at Christmas time (also the AV name used was Norton, I had installed AVG - so it wasn't even the same program that was on her PC). I then told her to cancel her card - she told me I was being paranoid and didn't. A few weeks later she told me that there was a few thousand dollars of unknown charges on her card and that she was being issued a new one. She said she didn't know how it happened - I reminded her of how I had told her to cancel and she was like "That can't really be what happened, all I did was renew my license." To put it in perspective, my mom and my step-dad were both C-level executive for a fortune 100 company... they are very smart people, that just didn't think something like that could really be true. They also use AOL.

This is precisely the issue I'm pressing home with my friend now. CHANGE YOUR ACCOUNT NUMBER OR YOU WILL REGRET IT. The friend does not believe me no matter how firmly I state it. So frustrating.

Derokorian;11052683 wrote:
The best advice I have ever given anyone WRT. avoiding phishing (PS, why is it spelled with a ph???) is that whenever you get an email asking you to log in (even if you expected the email) is to open a new tab or window (if i can get through to them, an incognito window) and type in the address of the site you're going to (or use a bookmark). This will prevent phishing, because one of two things will then happen: 1) you successfully log into your account that has no problems, or 2) you successfully log into your account and are walked through the process of fixing whatever problems it has.

Yes, this. When I say DON'T TRUST LINKS IN EMAIL this is what I mean. You may always type in "bankofamerica.com" in a browser, but NEVER trust that a link in an email will actually go to the URL which is shown in the email. Unfortunately, it's hard to explain the concept of an <A> tag's HREF versus the visible text of the link. Hoping to find some way to get this point across in a way that even really slow folks can understand.

sneakyimp

Bonesnap;11052695 wrote:
I guess it's good to be Canadian. Never seen these but I can imagine how people would fall for something like this.

As you rightly point out, it's a generational thing. Mostly people are blithely unaware at how email actually gets transmitted across the interwebs.

Bonesnap;11052695 wrote:
I'm not sure there really is, to be honest. And it sucks. But I think it's largely a generation thing. These attacks tend to affect those who did not grow up in the "information age". It's similar to the group that "uses Internet Explorer". Now that the Internet is ubiquitous, IE's share is dropping drastically and showing no real signs of slowing down. There are of course outliers - but I'd be willing to bet that most people who fall for computer-related scams (whether via email or phone) are "older" and don't know much about computers.

I'm optimistic that some set of simple rules can be constructed that will help even simpletons avoid the problem. Any wording suggestions or paraphrasing of or commentary on my 'rules of prevention' are welcome.

Bonesnap;11052695 wrote:
Any time a telemarketer or someone calls me and tries to sell me anything, I stop them immediately and let them know I am willing to hear out everything they have to say, but only if they do it in a Sean Connery voice. Try it next time, it can be hilarious. Sometimes they just hang up, sometimes they do it. It's amazing.

I've seen some priceless pics of "Nigerian" scammers doing the craziest stuff. I think it was on 419eater. Afraid to go there now on account of this fit of malware paranoia.

Bonesnap;11052695 wrote:
Dude, yes, this is way overkill. I mean come on. I like to take a scorched Earth approach and format the drive, too, but what you're talking about is scorched galaxy. Malware infections at the hardware level are incredibly rare, and sophisticated. Attackers aren't going to go to the trouble of doing all that just to scam $250 out of people. These are the sort of attacks that are intended to cause physical damage (CIH) or take down nuclear weapons programs (Stuxnet). Format your friend's drive, do it a couple times if it makes you feel better, but there's no reason to literally replace the entire computer.

Once malware of any type comes into existence, it's trivial for it to be transmitted to every criminal organization in the world in a heart beat. I'm not so sure that BIOS hacks are all that rare any more. I've also repeatedly been a victim of identity theft this year thanks to two data breaches at bit institutions that I deal with. The cost of a low-end mobo and chip (maybe a few hundred bucks) is considerably less than the cost of the cleanup effort when your bank account gets stolen. I've easily spent a couple of weeks worth of time this year trying to clean up ID theft. The computer's several years old anyway.

Bonesnap;11052695 wrote:
Story 1:
I fell for a phishing email scam myself, but realized my mistake immediately after entering my credentials. Many years ago when I still lived with my parents I was pretty active on eBay, selling mostly old video games and consoles (my own plus snatching what I could from garage sales). I made some decent money during one summer. Since then I haven't really used eBay. But then one day a friend wanted me to list a couple items for them so I put them up. Well randomly I received an email from eBay letting me know that my auction had finished and to click the link to log in and see what the final value was. It was incredibly timed, as I don't receive auction-related emails from eBay when I am not using it, and my auction was scheduled to end that day. So clicked the link, entered my credentials, and hit enter. The page just reloaded, and immediately I knew what happened. I looked up at the address bar and - yup - some random URL. I immediately logged into my account and changed my password. Haven't noticed any ill effects (this happened maybe 2-3 years ago now).

Yeah it's super easy to fall for this -- and this is probably the single biggest point I want to get across in my 'rules of prevention.'

Bonesnap;11052695 wrote:
Story 2:
This is much more recent, about a week or two ago. I received a phone call on my cell from a number I didn't recognize. I was at work so I definitely didn't take it. The person left a voice mail so I checked it later. The voice mail stated they were from a local bank (remember in Canada we have few banks with many branches - so there's like a handful of banks it could be) and provided a name, number, and extension to call back on because they had "good news". They also mentioned the intersection of where the branch was located. The thing is, there is no branch of that bank at the intersection that was stated, not to mention that I don't have an account with that bank (though I do have a credit card with them), and I have never stepped foot in one of their branches in my city. So I have just left it alone and haven't heard anything since. I haven't even bothered to Google the number.

At the risk of sounding even more crazy and paranoid, I strongly believe that this type of scam is seriously on the rise. It really makes a lot of sense for criminals because there's almost no risk of physical injury in this type of crime. I'd be willing to bet that there's going to be a huge rush of crime from meatspace into cyberspace. I predict these scams become more and more rampant in the next few years.

Bonesnap;11052695 wrote:
Scam? Maybe. I have received phone calls from the credit card department before of the bank and they have never mentioned anything about branches before or anything related, so I don't think it was a credit card-related phone call. Additionally the voice mail didn't mention my credit card and was very vague, so it was either a) a scam or b) someone in some department trying to sell "insurance" or some kind of useless "offer" (hence their version of "good news"). In either case I am better off not bothering.

This stuff infuriates me. I always make time to call the a-holes back and hassle them or try to find out more information I can report to law enforcement. Invariably, I report the phone numbers to donotcall.gov (a US thing). This seems to have the blessed side effect of reducing the number of marketing calls that I receive.

So I learned more about my friend's problem:
1) Someone claiming to be from microsoft contacted my friend. Method of contact (voice speaking through the computer speakers? chat dialog? skype call?) is unclear
2) supposed microsoft contact gives my friend a number to call for company "pro-tekt" : 844 802 2081
3) pro-tekt charges my friend $225 on a credit card and installs "stopzilla."

I've been sniffing around to try and find out if stopzilla is legit and it seems at best to be one of those dodgy/ineffectual anti-malware solutions. I strongly suspect that it is in fact part of the scam. I have encouraged my friend to report this to law enforcement but I suspect a) they won't give a **** and b) the "protection racket" that this scam really is sounds just enough like your typical malware problem that law enforcement won't even accept that a crime has in fact taken place.

Can anyone suggest some reliable way to determine if stopzilla is in fact malware?

laserlight

sneakyimp wrote:
Can anyone suggest some reliable way to determine if stopzilla is in fact malware?

Otherwise benign crapware that takes up resources to fail at what it is supposed to do might as well be malware.

cretaceous

Anyone claiming to be from Microsoft and phoning you up out of kindness, will be installing malware.
They (I mean 'they' arent even 'stopzilla', are they?) don't have any reputation to protect, so why should they stop at $250.
But hijackthis and others will help clean a PC, if you have the patience.
There are some paid for services that will remove specifically named worms etc - but yes, gets very hard to know who is legit and who is a crook.

sneakyimp

laserlight;11052757 wrote:
Otherwise benign crapware that takes up resources to fail at what it is supposed to do might as well be malware.

Agreed. I guess the tricky bit is that I suspect stopzilla to be crapware (and possibly malware) but I don't have any proof. I was wondering if there might be some Consumer Reports or Better Business Bureau type organization or registry that would classify crapware/malware as such. I certainly have no desire to install it and run it and see what it actually does. This seems like a much-needed service to me.

cretaceous wrote:
Anyone claiming to be from Microsoft and phoning you up out of kindness, will be installing malware.

TOTALLY. The idea of microsoft calling anyone to help them with their computer problems is so utterly absurd it's laughable. However, law enforcement agencies (e.g., FBI or local law enforcement) do not appear to consider this activity as criminal. The racket works something like this:
1) Malware infects computer, reports to some criminal organization
2) Criminal organization (or some intermediary) contacts user via the infected machine claiming to be from Microsoft and tells user to call some phone number of some ostensibly legitimate "security firm"
3) Upon calling, the user is offered "help" by some person and shaken down for the actual money. Is this person a criminal? Is this firm ("pro-tekt" in the case of my friend) part of the scam?

Note that if you call law enforcement and tell them your computer told you to call the firm in step 3, they are very unlikely to consider this a crime because the user a) called the party and b) volunteered their credit card information in exchange for help. I'd bet almost anything that party #3 pays some share of the money back to the parties in #2 and #1.

laserlight;11052757 wrote:
They (I mean 'they' arent even 'stopzilla', are they?) don't have any reputation to protect, so why should they stop at $250.

I have no information at all about the relation of these parties or their relation to the developers of stopzilla. Stopzilla is almost certainly crapware, but is it malware? What is the relation of all these parties? I can prove nothing.

laserlight;11052757 wrote:
But hijackthis and others will help clean a PC, if you have the patience.

I've gone through this process numerous times before and the machine inevitably gets re-infected very quickly. I seriously doubt that it's possible to "clean up" a malware-infected machine completely. Once it gets infected, I believe that it stays infected.

laserlight;11052757 wrote:
There are some paid for services that will remove specifically named worms etc - but yes, gets very hard to know who is legit and who is a crook.

I've done a lot of this cleanup myself but the malware/crapware/bloatware is so damn persistent it's just not worth it to clean up -- especially when the computer operator is likely to continue their high-risk browsing habits. It's sort of like trying to keep your old crappy car running when the repair bills cost you monthly more than you'd pay for a brand new car. At a certain point, it's more cost-effective to replace the machine.

dalecosp

sneakyimp;11052795 wrote:
The racket works something like this:
1) Malware infects computer, reports to some criminal organization
2) Criminal organization (or some intermediary) contacts user via the infected machine claiming to be from Microsoft and tells user to call some phone number of some ostensibly legitimate "security firm"
3) Upon calling, the user is offered "help" by some person and shaken down for the actual money. Is this person a criminal? Is this firm ("pro-tekt" in the case of my friend) part of the scam?

You then mention automobiles.

I'm thinking I'll open a garage that specializes in headlights and taillights. And then I'll go to the mall after dark with a crowbar and smash a few headlights and taillights. After all, the cops won't do anything, right?

#irony

sneakyimp

dalecosp;11052819 wrote:
You then mention automobiles.

I'm thinking I'll open a garage that specializes in headlights and taillights. And then I'll go to the mall after dark with a crowbar and smash a few headlights and taillights. After all, the cops won't do anything, right?

#irony

Law enforcement is a bureaucracy like any other -- except perhaps in that they are lethally armed -- and trying to elicit interest that probably contravene policy is well nigh hopeless. I'm thinking social media campaign. We need a good hashtag. Thoughts, anyone?