Almost fell for “tech support” scam - what is the risk?

Phil 05/15/2018. 5 answers, 7.774 views
virus scam teamviewer

An acquaintance of mine got a call from an alleged Microsoft employee and provided him with access to his Windows 10 computer via TeamViewer (commonly known as the tech support scam). But when the scammer wanted to send him a file he got suspicious and immediately shut down the computer before anything could be sent. He did not give away his credit card number or any other personal information. Afterwards he immediately changed his passwords from another computer and has not connected the affected computer to the internet since. He has now asked me for help, but I am not sure which steps are necessary.

  • Do you think the computer could be infected? A TeamViewer remote session was active, but as I said, no file was sent. Is it still possible to infect a computer?
  • My plan is to start a live CD and run a virus scan, but I am not sure if it is necessary to erase the whole disk. That would be the safer way, but also much more time consuming.
  • Is it possible that the router could have been infected? I want to check the DNS settings; is there anything else I should check? Or should I completely reset the router?

It would be nice if someone gave me some hints and advice. I don't think the question is a duplicate of these two:

because I'm more interested in whether it was possible to infect the computer without sending a file than in what to do if there is a virus on the computer.

PS: I'm from Germany; it seems like the tech support scam has reached non-English-speaking countries as well...

5 Answers

schroeder 05/16/2018.

From your description, there is nothing to worry about. The victim just shared the screen with the attacker without giving the attacker control or giving the attacker any information.

As the victim used a common tool (TeamViewer) and not one provided by the attacker, there is no risk in the shared session.

There is no risk to the router as the attacker never had access to it.

It is not known what information the attacker saw on the screen, but perhaps the only concern is the disclosure of the IP address. This can be mitigated by turning the router on/off (which works in some instances) or asking the ISP for a new IP.

jedicurt 05/15/2018.

If they did not give a credit card and did not receive the file, there should not be a significant reason for concern. I would have them run a virus scan and malware detection and remove anything found.

In the US, the Federal Trade Commission put together a non-techie page about these types of scams. You might direct your friend there for some further knowledge.

It never hurts to be over protective if you think anything might have occurred. It is all about the level of comfort the person has after the fact that their computer data is still intact.

Here is that link from the US FTC:

Rui F Ribeiro 05/17/2018.

In my Uni times, when I cracked nagware, I often repackaged the original installer with my crack and whatever modifications I had made to the code, including extra files/binaries. The tools at the time were far simpler than today.

Nothing guarantees your friend installed a "genuine TeamViewer".

Nor does anything guarantee that, despite his "having seen" what they were doing, a secondary control connection had not been opened to a partner of the people talking with him by the time he clicked on a binary/installer, or that extra software was not downloaded in the background.

Despite the victim having "only" installed TeamViewer, and "having seen" what was done, IMO the only sensible solution is to format the computer and install everything from scratch just in case.

It is also quite a false sense of security to assume there is nothing left if some AV solution does not find signatures. An AV won't find specially crafted binaries/scripts or "official" software left behind.

Therac 05/15/2018.

TeamViewer by default allows the other party to control your computer. However, this control is entirely visible, as if they were sitting right at your machine, using a mouse and a keyboard.

To infect the PC, the attacker could download and execute a file through your PC; sending a file via TV definitely isn't necessary. But if they tried to do that, it's very likely that it was part of their plan. Why do it otherwise?

If your friend has seen the whole process, they can know what the attacker has accessed. If your friend knows they did neither of those things, and they didn't set up access for themselves via RDP or something else, then it's very likely that they didn't 'hack' the computer. This is an easy scam on the unsuspecting; it's unlikely to be combined with a sophisticated under-the-radar attack.

If the computer isn't used to process sensitive information, it's probably not necessary to take any steps out of the ordinary (malware check). Just to be sure, some further steps that can be taken include uninstalling TeamViewer (in case it's been set up for unattended access), clearing the browser of banking passwords/using a password-protected manager, and changing the banking passwords where 2FA isn't used (not a bad thing to do every year or so anyway).

pandalion98 05/16/2018.

The TeamViewer version was not specified.

Older versions allowed clipboard sharing (including files) by default. Worse, the clipboard sharing did not have any indication of being used, so one could copy files to a remote computer (possibly into Startup locations) without anyone noticing.

There's a risk that a program may have been copied over to the machine being remote controlled. This doesn't have any immediate effects, but any malicious payload will get activated on next boot. One can also replace files that are periodically used by services. So yes, the machine may be infected.

Running a live CD and doing a manual check may be the best way to go. A virus scan may miss obfuscated files, or the malicious payload simply isn't recognized by the scanner. Realistically, there's a lot of attack options once one has write access to a machine (e.g. replacing commonly-loaded driver files, replacing files used by common services), so a manual check might not even be feasible.

Using the approach above, the router may be infected in theory, though I highly doubt that unless you're up against a persistent, dedicated threat.
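An added example, not code from any of the answers, of what the live-CD manual check described above can look like: a Python script run against a mounted Windows volume that lists every file in the all-users and per-user Startup folders and every executable-type file whose modification time is at or after the time of the call. The Startup paths are the standard Windows 10 locations; the volume tree, the user name "phil" and the call time are constructed here so the script runs offline.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
# Standard Windows 10 autostart folders, relative to the root of the mounted volume
# (e.g. /mnt/windows on a live CD). "{user}" is filled in for every profile under Users\.
ALL_USERS_STARTUP = "ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp"
USER_STARTUP = "Users/{user}/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
SUSPECT_SUFFIXES = {".exe", ".dll", ".sys", ".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js"}

def startup_entries(root: Path) -> list:
    """Every file in the all-users and per-user Startup folders (desktop.ini ignored)."""
    dirs = [root / ALL_USERS_STARTUP]
    users_dir = root / "Users"
    if users_dir.is_dir():
        dirs += [root / USER_STARTUP.format(user=u.name) for u in users_dir.iterdir() if u.is_dir()]
    return sorted(p for d in dirs if d.is_dir()
                  for p in d.iterdir() if p.is_file() and p.name.lower() != "desktop.ini")

def modified_since(root: Path, since: datetime) -> list:
    """Executable-type files anywhere on the volume whose mtime is at or after `since`."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in SUSPECT_SUFFIXES and datetime.fromtimestamp(p.stat().st_mtime) >= since:
                hits.append(p)
    return sorted(hits)

def triage(root: Path, session_time: datetime) -> dict:
    """Both checks in one report; the session time is the cut-off for 'recently changed'."""
    return {"startup": startup_entries(root), "changed": modified_since(root, session_time)}

def build_demo_volume(base: Path, session_time: datetime) -> Path:
    """Constructed sample volume: one old system DLL, one Startup shortcut dropped after the call."""
    root = base / "windows_volume"
    old = root / "Windows/System32/kernel32.dll"
    old.parent.mkdir(parents=True); old.write_bytes(b"MZ")
    stamp = (session_time - timedelta(days=30)).timestamp()
    os.utime(old, (stamp, stamp))                       # predates the session: must not be flagged
    dropped = root / USER_STARTUP.format(user="phil") / "updater.lnk"
    dropped.parent.mkdir(parents=True); dropped.write_bytes(b"L\x00\x00\x00")  # mtime = now
    (root / ALL_USERS_STARTUP).mkdir(parents=True)      # empty all-users Startup folder
    return root

def demo_report() -> dict:
    """Run the triage on the constructed volume and return only the file names found."""
    call_time = datetime(2018, 5, 14, 15, 0)            # constructed: when the "support" call took place
    with tempfile.TemporaryDirectory() as tmp:
        report = triage(build_demo_volume(Path(tmp), call_time), call_time)
        return {kind: [p.name for p in paths] for kind, paths in report.items()}
```

Against a real volume, call `triage(Path("/mnt/windows"), call_time)` with the mount point and the time of the call; anything it lists still has to be judged by hand, which is the point of the manual check.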
