Software Windows Technology

Ask Slashdot: Rescuing a PC That's Been Hit By Scammers? 320

New submitter malcus writes "My father was hit by scammers the other day and even though he has handed over all computer service tasks to me they were able to sweet-talk him into: (1) Running some 'checks' to confirm the 'grave situation' that his computer was heading for (bad). (2) Start some remote-control program (worse). (3) Giving them his social security number (terrible). When they asked him for his credit card information he stopped and is now probably expecting them to call again. Meanwhile I have told him to dump the computer in holy-water or aqua regis and cut the internet cable. I am heading over to his place later and wonder what measures I should take."
This discussion has been archived. No new comments can be posted.

  • Just the obvious (Score:5, Insightful)

    by gestalt_n_pepper ( 991155 ) on Tuesday August 28, 2012 @09:56AM (#41148091)

    Bow your head and type "Format C:" Amen.

  • by stevegee58 ( 1179505 ) on Tuesday August 28, 2012 @10:04AM (#41148229) Journal
    In addition to the wipe and install suggested over 9000 times, your father needs a good talking-to.
  • by SecurityGuy ( 217807 ) on Tuesday August 28, 2012 @10:06AM (#41148267)

    Everybody's going to tell you the obvious right answer. You wipe the box and start over with a clean install, fully patched, with a firewall and AV. Anything less is really just asking for whatever happens next.

    Subsequent to that, you need to have a serious talk with your dad about sharing control over his finances with someone trustworthy (you, maybe). If he's handing out his social security number to any random nutjob who calls him, he's going to give away his life savings to some scammer someday. The time to prevent that is now, not later. I am seriously planning to do that myself, that is put something in place so that when (not if) I'm no longer competent to handle my own affairs, my kids will have the legal ability to seamlessly keep me from bankrupting myself. I have decades before this needs to happen, but the time to do it is when you are of sound, not failing, mind.

    I'd also look into putting a fraud warning on his credit report with all three credit bureaus. I'm not going to pretend that's something I know much about, so research it and confirm for yourself what good it will do and what harm before you act. I do think you want to limit the ability of any random goofball who knows your dad's SSN and name from opening credit in his name.

  • by SecurityGuy ( 217807 ) on Tuesday August 28, 2012 @10:10AM (#41148325)

    As someone who does forensic analysis, no, the thing you want to do is not tell an untrained amateur how to try to do it, point them at tools, and hope for the best. It's actually time consuming and can be hard. By far the simplest solution is wipe and reinstall. If you want an actual forensic analysis done, unplug the network cable, step away and DO NOT TOUCH THE BOX AGAIN! Then call a pro.

  • by rbrausse ( 1319883 ) on Tuesday August 28, 2012 @10:13AM (#41148379)

    everyone wants restore, no one makes backups...

  • by snowraver1 ( 1052510 ) on Tuesday August 28, 2012 @10:37AM (#41148779)
    No offence to the OP, but you can't fix stupid.
  • by spacepimp ( 664856 ) on Tuesday August 28, 2012 @10:38AM (#41148795)
    I would also remove his administrative privileges. Set up team viewer so you can connect remotely when he needs to install/make changes. My father was the same way. He had some sort of weird skill to always get immediately infected. Almost like he looked for some way to screw up his own life constantly.
  • by hobarrera ( 2008506 ) on Tuesday August 28, 2012 @10:49AM (#41148991) Homepage

    Why is giving out his SS number such an awfully bad thing? From what I've read [wikipedia.org], it's no secret, but rather the contrary. It's just misassumed that the SS number should be secret.

  • by martyb ( 196687 ) on Tuesday August 28, 2012 @10:54AM (#41149079)

    There's (at least) two sides to this:

    Personal:

    Credit agencies: So, this is a tech site, but before getting down-and-dirty with trying to fix his computer I would strongly suggest contacting the credit bureaus and putting a hold on things. This will protect him from someone trying to open a new credit account in his name.

    Credit cards and Banks: Depending on your level of paranoia, have him contact his credit card companies and banks and ask them to issue new cards. Of course, that may in turn require updating any pre-authorized billing he may have set up.

    Authorities: Consider contacting the police and/or your Attorney General. They may be interested to hear a report of this.

    Technical:

    Forensics: If there's any question about needing to retain documentation about this, consider pulling the compromised drive and storing it. If access to existing data is necessary, put it in an external enclosure, mount it read-only under Linux, and copy data from it.

    Passwords: change passwords on all on-line accounts from a non-compromised system.

    History: Look in whatever history information you can get. Take a look at his browser history, firewall log, command line history, registry, etc. This may help you to assess what level of damage you're dealing with.

    Clean or Fresh? One can probably get away with formatting the drive and reinstall. But, in full paranoia mode, have him buy a new PC (cost of this provides reinforcement of prior warnings that were ignored.) Restore data from malware-scanned backups or from read-only access from pulled drive. I've read reports about malware hiding in USB keyboards and printers, so a reformat and restore onto the original machine may not be sufficient.

    Family:

    Possibly the hardest part of this is the fact that you're dealing with a parent. They were (hopefully) patient when you were learning all about the world as a child. It's helpful to try and bring an attitude of patience and tolerance to this situation. Let him face the consequences of his actions by having him make the phone calls to banks, credit agencies, etc. Let him pay for the cost of a new drive or PC. (Negative reinforcement) But also thank him for being honest with you about what he had done. Better this than to find out later he'd been scammed out of thousands of dollars because he was afraid to tell you what he had done. (Positive reinforcement.)

    Finally: good luck!
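    The "History" step above (look at the browser history to assess the damage) can be done from a copy of the profile taken off the read-only-mounted drive. The following is an added example, not code from the thread or from any commenter: it builds a tiny constructed places.sqlite using a simplified subset of Firefox's moz_places / moz_historyvisits tables (the real schema has more columns; the table and column names used here are real, the sample URLs, titles and the assumed time of the scam call are made up), opens it read-only, and lists every visit inside a time window around the call, then picks out the ones that look like downloads of executables.

```python
"""Triage a copy of a Firefox places.sqlite for visits around a scam call.

Added example. Work only on a COPY of the database taken from a
read-only mount; the sample data below is constructed for illustration.
"""
import pathlib
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed time of the scam call (constructed value, not from the thread).
CALL_TIME = datetime(2012, 8, 27, 14, 0, tzinfo=timezone.utc)


def to_firefox_time(dt: datetime) -> int:
    """Firefox stores visit_date as microseconds since the Unix epoch (UTC)."""
    return int(dt.timestamp() * 1_000_000)


def from_firefox_time(us: int) -> datetime:
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def build_sample_db(path: str) -> None:
    """Create a constructed database: three visits, two inside the call window."""
    conn = sqlite3.connect(path)
    # Simplified subset of the real Firefox schema (assumption: only these columns).
    conn.executescript(
        """
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER);
        """
    )
    places = [  # constructed sample rows
        (1, "https://news.example.invalid/", "Morning news"),
        (2, "https://support-download.example.invalid/remote.exe", "Download"),
        (3, "https://verify-account.example.invalid/login", "Verify"),
    ]
    visits = [
        (1, 0, 1, to_firefox_time(CALL_TIME - timedelta(hours=5))),
        (2, 0, 2, to_firefox_time(CALL_TIME + timedelta(minutes=12))),
        (3, 2, 3, to_firefox_time(CALL_TIME + timedelta(minutes=25))),
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", places)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?)", visits)
    conn.commit()
    conn.close()


def visits_in_window(db_path: str, start: datetime, end: datetime):
    """Return (visit time, url, title) for every visit between start and end."""
    # Open read-only through a URI so triage can never alter the copy.
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    rows = conn.execute(
        """
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        WHERE v.visit_date BETWEEN ? AND ?
        ORDER BY v.visit_date
        """,
        (to_firefox_time(start), to_firefox_time(end)),
    ).fetchall()
    conn.close()
    return [(from_firefox_time(ts), url, title) for ts, url, title in rows]


def executable_downloads(rows):
    """Heuristic: visits whose URL path ends in a Windows installer extension."""
    suffixes = (".exe", ".msi")
    return [r for r in rows if r[1].split("?", 1)[0].lower().endswith(suffixes)]


def triage_sample():
    """Build the constructed database and return visits from 1h before to 2h after the call."""
    with tempfile.TemporaryDirectory() as d:
        db = f"{d}/places.sqlite"
        build_sample_db(db)
        return visits_in_window(db, CALL_TIME - timedelta(hours=1),
                                CALL_TIME + timedelta(hours=2))


if __name__ == "__main__":
    rows = triage_sample()
    for when, url, title in rows:
        print(when.isoformat(), url, title)
    print("possible executable downloads:", [r[1] for r in executable_downloads(rows)])
```

    On a real profile, point visits_in_window at the copied places.sqlite and widen the window until the visits before the call look like normal browsing; the executable heuristic is only a starting point, since a remote-control tool may also be fetched by a URL with no file extension.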

  • by sumdumass ( 711423 ) on Tuesday August 28, 2012 @11:34AM (#41149735) Journal

    Are you sure you became infected by the Fake AV because of an open share or did it simply drop a file on the share and your AV pick it up as an infected file on your system?

    There are a lot of windows 7 updates concerning code execution via network too. In the recent-past several years, the fake AV's floating around were using Java and Flash zero day exploits and spread mostly through an infected banner ad or website but also had infect-able files it dropped on network shares too. I've had to deal with them off and on from a small corporate perspective and have never seen it actually infect another system via file share outside of just dropping files on a share.

  • by Apocryphon ( 1849660 ) * on Tuesday August 28, 2012 @11:40AM (#41149827)
    WHOA WHOA Wrong Order....

    The blatant identity theft is a ticking time bomb that will not be easy or painless to redress (especially for someone who readily handed over an SSN for ANY reason)....

    The computer can sit there (off) just fine while you stop the bleeding.

    1. OBVIOUSLY keep computer not only offline but OFF & OFF-SITE (who knows what he might try to do with it).
    2. HELP YOUR FATHER start protecting himself with his....
    3. banks....
    4. ....his insurance....
    5. ...credit rating agencies...
    6. ...defensive strategies... ....
    30. THEN look into addressing the computer problems.

    Car analogy:

    "My father hit a tree at 50 miles an hour and appears to have a broken collarbone and a punctured lung.... I'm heading over to investigate... Does anyone know if I can use my own AAA membership to get the car towed or should I have my own mechanic work on repairing the vehicle's front end?"
  • by NeverVotedBush ( 1041088 ) on Tuesday August 28, 2012 @11:54AM (#41150103)
    "Obviously you have never heard of TSR programs or BIOS/UEFI attack vectors. Hardware CAN be infected at the 'metal' level." Um, a TSR doesn't really matter if you reinstall the OS. While BIOS can be infected, you should just be able to update the BIOS to eliminate that infection. You can verify by merely watching the POST to see the before and after BIOS versions. If the system is already at the most current BIOS, down rev it and verify the BIOS level follows and then flash back to the current value and check again.

    I would also suggest switching Dad to Linux. While not totally immune to attack, whatever the scammers had him do would probably have had no effect on Linux if the steps could even be duplicated on a Linux box.

    The post about contacting the FBI is also a good one. Find out if they are interested in any forensics BEFORE wiping the OS.
