PC Pro

It’s all too easy for less tech-savvy people to be sucked in by scams. Lee explains what to look for and how he helped a customer who fell victim.

- LEE GRANT

Scams are like fine wines, in that they mature with age but still cost a fortune and leave a bitter aftertaste. Back in 2019 (see issue 299, p117), I told you about the £28,000 that Basil almost donated to sophisticated telephone fraudsters. A few weeks before Christmas, I encountered version 2.0 of “The Basil Scam”, but it took me a while to realise what I was dealing with.

When Paul phoned, he was extremely frustrated. His laptop was only a year old and had been a present for his wife Sylvia. They were both computer virgins, having actively avoided technology during their careers before shying away from it during retirement. Their sudden submersion in tech was instigated by their grandchildren, who had grown up and scattered to the four corners of the earth, working and studying.

Scamming is a growth industry perpetrated by professionals who manipulate technically and psychologically. This sophisticated technique is known as “social engineering” (see Norton’s definition at pcpro.link/319se) and ensures that victims believe the lies they’re being fed. People who have little technical experience, such as Paul and Sylvia, can be easily hooked, so when the scammer on the phone purported to be from Virgin Media’s technical department, Paul believed them. And why wouldn’t he? The scammers knew Paul was a Virgin customer, as well as his address, phone number and email address. They even told him the name of his neighbour who was apparently having the same problem.

How is this possible? Scammers grab data from data breaches and other publicly accessible sources to create customer profiles that can be sold on so other scammers can attempt to empty your bank account. I recommend popping your email address into haveibeenpwned.com to see where your data has been secreted.

The story this time was that Paul’s router had a virus, so every connected device needed cleaning up. What followed was four or five hours of remote control, waiting for updates and other forms of buttering up. The next morning, Paul started his laptop, which only displayed a “locked” graphic. Paul grabbed a mobile phone, but the PIN code no longer worked. Panic had really taken hold by the time he managed to call us.

Most scammers use legitimate tools to hoodwink users, and the software that had locked Paul’s laptop is called Lock My PC from FSPro Labs. Its intended use is to disable a PC when left unattended. A visit to FSPro’s site (fspro.net/lock-pc) reveals that it’s acutely aware that its product is being abused and it has published details of how to unlock the free version. You can uninstall Lock My PC once you’re back into the machine, but it asks for a code during this process. What isn’t obvious is that this code is the same one that was used to unlock the software. If all else fails, Revo Uninstaller (revouninstaller.com) will help you out.

Paul was unaware of what had been happening to his machine in part because he doesn’t have a high level of technical understanding – but mainly because he wasn’t there. Paul casually mentioned that he’d confirmed his debit card details to the scammer (for security clearance) then given him access to the machine before going out shopping. As the person being paid to sort this mess out, it’s critical that I fill in the blanks because scammers aren’t doing this for japes and giggles. Now I knew the scammer had his bank details, it was imperative that we knew what else he’d been up to.

Ersatz update

Once I had access to the desktop, I could see two thumbnails that were scans of Paul’s driving licence. Edge’s internet history was empty because even scammers refuse to use it, but everything I needed was stored within Google Chrome.

The scammer had visited updatefaker.com, which allows you to “fake a system update, it’s the perfect way to prank your friends, family members or colleagues”. We can all see the joke, right? Being driven insane that the PC is updating just minutes before a crucial board meeting and after the stressful and animated calls to tech support, your hilarious colleagues reveal their side-splitting jape – the machine wasn’t really updating at all! You’ve been hooked by their amazing prank and, as you charge across their desks, loudly congratulating the “hooking prankers” on such a wheeze, you’re dragged out of the nearest fire escape by security. All thanks to Update Faker – may all its DDoS attacks land at once. I’ll come back to it in a moment.

Chrome was signed into an unknown email account – takaluus@gmail.com – which I could access because the scammer had considerately stored the password within the browser. Various emails corroborated the internet history, and one would imagine that everything in this browser was being synced to another instance of Chrome somewhere else.

Champing at the Bitcoin

Next in the history was a trip to buy.bitcoin.com. The scammer had stored this password too, so I was able to access the account’s transactional history and see a thwarted attempt to purchase £324.77 of Bitcoin. This had been blocked by 3D Secure (3DS), a technology that was originally developed by Visa. As is typical in these cases, it appears that banking institutions remain the only entities capable of stopping the crime.

Foiled by 3DS, the scammer switched to plan B, which is where Update Faker came in. The scammer visited the site to trigger an animation mimicking a computer update. He put the browser into full-screen mode, which provides a useful distraction while he worked on the victim’s mobile phone.

Paul had mentioned that he was having phone problems, but it took me a while to work out why. From a cold start, it was possible to input a PIN to access the phone but within 60 seconds, another screen would appear, requesting a second PIN. It seemed like a simple case of malware. Had Paul inadvertently downloaded a rogue app from the Google Play store? The timing seemed too coincidental.

When dealing with these types of cases, the customer is often so completely overwhelmed by the events that key bits of information are never revealed. Once I’m able to reassure the client that things are under control, I can probe a little deeper. It was at this point that Sylvia mentioned that the scammer had asked her to download a few things onto the mobile.

I restarted the phone, unlocked the first PIN and deftly (I am 46!) managed to access the list of installed apps before the second PIN appeared. The first app I managed to remove was “Pin Lock Screen”, which provides an alternative PIN system to “give your phone a ravishing look”. Well, quite! However, this wasn’t the culprit as the second PIN system eventually reappeared. So, phone off, phone on, first PIN in and then back to the app list to remove “Ultra AppLock”, which provides users with a new PIN system that’s supported by adverts – truly a solution looking for a problem!

The second PIN didn’t kick in and I could then see that the reason the scammer had gone through all this phone nonsense was TeamViewer.

The scammer wanted control of the mobile too and, although the reason is obvious, I didn’t see it straight away.

Once the phone was checked and cleaned up, I went back to the laptop to see that the scammer had moved onto Coinbase. This is another legitimate organisation and any prospective users must provide identification to open an account. The scammer used Paul’s email address and the scanned driving licence as ID. Who knows what mayhem he was about to cause because it was at this point that he made a mistake. Coinbase uses two-factor authentication (2FA) to verify its accounts so, apart from a username and password, the scammer required a code number to be sent to Paul’s phone. This was the simple explanation for the remote-control software on the mobile. I accessed the Coinbase account, sent the 2FA SMS request to the phone in my hand and waited. Nothing. Except a rare moment of inspiration.

I phoned Paul, who was pleased I’d called because he’d been getting very odd SMS messages for the past three or four hours. If you haven’t yet joined the dots, the mobile phone that the scammer had hijacked was Sylvia’s and the 2FA on the Coinbase account had been set up with Paul’s; the scammer had tapped the wrong phone.

There must be a reason why scammers don’t use a mobile under their control because in every Coinbase case I’ve seen, the victim’s real details are used. This must give the scammer an extremely narrow operating window, but the real headache is for the victim. As the account has been opened and verified under the victim’s own name and IP address, proving that nefarious activity has taken place becomes much tougher.

As this scammer couldn’t pass 2FA, he never accessed the Coinbase account. I did and closed it. I also terminated the Google email account after downloading an activity report to satisfy myself that it hadn’t been used for anything exciting. I cleaned up the machine and gave it back to the customer with a few words of advice.

Not a kind of magic

This type of scam may have far-reaching implications for the victim as his driving licence is now in the wild. I spoke to the DVLA, who said: “We remind motorists to never share images on social media that contain personal information, such as driving licence and vehicle documents.

“Where we become aware that a driving licence has been used for fraudulent activity, we will take the appropriate steps. This will include putting a security marker on the driver record, and offering the driver a new driver number.”

What remained for Paul and Sylvia was the fear of using their laptop as, in their words, they’d been “hacked”. It’s necessary to point out, in a delicate and non-demeaning way, that they weren’t hacked but misled. This scam is no different to a burglar knocking on the front door only for the owner to let them in to use the PC. It’s important to dispel any misunderstanding so that the victim can see the actuality and remove the faux anxiety that remains after the event. This type of crime isn’t hacking, internet wizardry or magic – it’s just good old deception, first practised several millennia ago by Cain in an aggressive takeover of Abel’s lamb burger franchise.

This all unravelled from a locked graphic caused by legitimate software. If you or someone you know have been caught by a scam like this then investigate it thoroughly and, if you’re in any doubt, contact your friendly neighbourhood computer shop. There might be more going on than you realise.

@userfriendlypc Lee Grant and his wife Alison run Inspiration Computers, a repair shop in Kirkheaton

BELOW The scammer had helpfully stored their password. Who says chivalry is dead?

BELOW Getting rid of Ultra AppLock broke Paul’s phone out of its two-PIN prison