
An acquaintance of mine got a call from an alleged Microsoft employee and provided him access to his Windows 10 computer via TeamViewer (commonly known as the tech support scam). But when the scammer wanted to send him a file he got suspicious and immediately shut down the computer before anything could be sent. He did not give away his credit card number or any other personal information. Afterwards he immediately changed his passwords from another computer and has not connected the affected computer to the internet since. He asked me for help now, but I am not sure which steps are necessary.

  • Do you think the computer could be infected? A TeamViewer remote session was active, but as I said, no file was sent. Is it still possible to infect a computer?
  • My plan is to start a live CD and run a virus scan, but I am not sure if it is necessary to erase the whole disk. That would be the safer way, but also much more time consuming.
  • Is it possible that the router could have been infected? I want to check the DNS settings; is there anything else I should check? Or should I completely reset the router?

Would be nice if someone gave me some hints and advice. I don't think the question is a duplicate of these two:

Because I'm more interested in whether it was possible to infect the computer without sending a file than in what to do if there is a virus on the computer.

PS: I'm from Germany; it seems like the tech support scam has reached non-English speaking countries as well...

Phil
    Was control given to the other party, or did the other party just view the TeamViewer session? – schroeder May 15 '18 at 15:44
    You might be a duplicate of this, though: https://security.stackexchange.com/questions/84548/can-someone-hack-through-teamviewer – schroeder May 15 '18 at 15:47
  • @schroeder Thanks for your hint reg. the TeamViewer post and also your answer below. What I understood is that no control was given to the scammer, but I'll crosscheck about this point. – Phil May 15 '18 at 18:38
    Are you absolutely sure that your friend used the real TeamViewer, or is it possible that he was directed towards installing something more nefarious presenting itself as TeamViewer? – user2752467 May 15 '18 at 19:02
    The scammer probably talked him through some steps (one of them, opening TeamViewer and starting the session). What were all those steps? – Bergi May 15 '18 at 20:56

5 Answers


From your description, there is nothing to worry about. The victim just shared the screen with the attacker without giving the attacker control or giving the attacker any information.

As the victim used a common tool (TeamViewer) and not one provided by the attacker, there is no risk in the shared session.

There is no risk to the router as the attacker never had access to it.

It is not known what information the attacker saw on the screen, but perhaps the only concern is the disclosure of the IP address. This can be mitigated by turning the router on/off (which works in some instances) or asking the ISP for a new IP.

schroeder
    You might want to add that "*He did not give away any personal information.*" is quite wrong. There's a lot of personal information on computer screens (depending on the exact activity, though). – Bergi May 15 '18 at 20:52
    He also of course revealed himself to be susceptible to this kind of phishing campaign. Next time he might not be so lucky. – Rob Rose May 15 '18 at 22:54
    "There is no risk to the router as the attacker never had access to it." is not accurate. Packets of data were being sent out through the network. Any remote vulnerability in TeamViewer could be exploited to gain access to the network. You simply can't make that assertion. The reality is that the person doing that scam was probably more interested in a script kiddie malware deployment and to make money than to initiate some custom remote exploit they created themselves. – CubicleSoft May 16 '18 at 14:30
  • @CubicleSoft but in your scenario, the host would need to be compromised first, and then pivoted out to the router, etc. In the scenario provided, the attackers did not have direct access. – schroeder May 16 '18 at 15:54
  • _"As the victim used a common tool (TeamViewer) and not one provided by the attacker"_ It's worth verifying that this is true, that the instance of TeamViewer installed was actually the common tool and not a lookalike from a spoof url. – Tim Sparkles May 16 '18 at 18:16
  • @Timbo I address this in the comments to Rui's answer – schroeder May 16 '18 at 19:26
  • Yes, I saw that after posting my comment. It is still worth verifying, regardless of how unlikely a fake TV might be. The cost is minimal (check browser history, or at worst hash the files from a known good TV vs. this one) and the benefit is high (confidence that the machine is clean, saving the cost of a complete wipe). – Tim Sparkles May 16 '18 at 19:36

In my Uni times, when I cracked nagware, I often repackaged the original installer with my crack and whatever modifications I had done to the code, including extra files/binaries. The tools at the time were far more simple than today, but it was more difficult to pull that off.

Nothing whatsoever guarantees your friend installed a "genuine TeamViewer".

Nothing guarantees either that, despite his "having seen" what they were doing, a secondary control connection had not been opened to a partner of the people talking with him by the time he clicked on a binary/installer, or that extra software was not downloaded in the background.

Despite the victim having "only" installed TeamViewer, and "having seen" what was done, IMO the only sensible solution is to format the computer and install everything from scratch just in case.

It is also quite a false sense of security to assume there is nothing left if some AV solution does not find signatures. An AV won't find specially crafted binaries/scripts or "official" software left behind.

Rui F Ribeiro
    I thought about a fake TV, too, but then there would have been no need for the attacker to send a file for the victim to handle later on in the process. This fact makes me think that the TV was legitimate. – schroeder May 16 '18 at 08:04
  • @schroeder On the contrary, it makes more sense to have control as soon as you can in the process. But I concede you often are not dealing with the brightest of the bulb on the scam side. Nevertheless, even if the TV is genuine, you do not have and cannot assume something else was not installed in the process. I do not find the other answers are offering particularly good advice. – Rui F Ribeiro May 16 '18 at 08:11
    But if it was a fake TV, then they would have enabled control on their end making the later file unnecessary. I just don't find it likely that the TV was fake. Also, the way the OP narrates the situation, I think that it would have been mentioned that the victim was told to install a TV from a non-official source ("the scammer gave me a TV to install"). – schroeder May 16 '18 at 08:13

If they did not give a credit card and did not receive the file, there should not be a significant reason for concern. I would have them run virus scan and malware detection and remove anything found.

In the US, the Federal Trade Commission put together a non-techie page about these types of scams. You might direct your friend there for some further knowledge.

It never hurts to be overprotective if you think anything might have occurred. It is all about the level of comfort the person has after the fact that their computer data is still intact.

Here is that link from the US FTC

jedicurt

TeamViewer by default allows the other party to control your computer. However, this control is entirely visible, as if they were sitting right at your machine, using a mouse and a keyboard.

To infect the PC, the attacker could download and execute a file through your PC; sending a file via TV definitely isn't necessary. But if they tried to do that, it's very likely that it was part of their plan. Why do it otherwise?

If your friend has seen the whole process, they can know what the attacker has accessed. If your friend knows they did neither of those things, and they didn't set up access for themselves via RDP or something else, then it's very likely that they didn't 'hack' the computer. This is an easy scam on the unsuspecting; it's unlikely to be combined with a sophisticated under-the-radar attack.

If the computer isn't used to process sensitive information, it's probably not necessary to take any steps out of the ordinary (malware check). Just to be sure, some further steps that can be taken include uninstalling TeamViewer (in case it's been set up for unattended access), clearing the browser of banking passwords/using a password-protected manager, and changing the banking passwords where 2FA isn't used (not a bad thing to do every year or so anyway).

Therac
  • Whether it automatically grants the remote viewer control depends on which TV and how it was launched. I have always had to request access to control a remote computer. – schroeder May 15 '18 at 19:18

The TeamViewer version was not specified.

Older versions allowed clipboard sharing (including files) by default. Worse, the clipboard sharing did not have any indication of being used, so one can copy files to a remote computer (possibly in Startup locations) without anyone noticing.

There's a risk that a program may have been copied over to the machine being remote controlled. This doesn't have any immediate effects, but any malicious payload will get activated on next boot. One can also replace files that are periodically used by services. So yes, the machine may be infected.

Running a live CD and doing a manual check may be the best way to go. A virus scan may miss obfuscated files, or the malicious payload simply isn't recognized by the scanner. Realistically, there's a lot of attack options once one has write access to a machine (e.g. replacing commonly-loaded driver files, replacing files used by common services), so a manual check might not even be feasible.

Using the approach above, the router may be infected in theory, though I highly doubt that unless you're up against a persistent, dedicated threat.

Aloha
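Two checks come up in this thread: Tim Sparkles' comment suggests hashing the installed TeamViewer against a known-good copy, and Aloha's answer points at Startup locations as a place a file could have been dropped. The script below is an added example (not from the original thread) that does both from a live CD with the Windows disk mounted; the two tree paths, the `INCIDENT_TS` cutoff and the demo files are constructed assumptions, not real TeamViewer data.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

INCIDENT_TS = datetime(2018, 5, 15, tzinfo=timezone.utc).timestamp()  # assumed call date

def hash_tree(root):
    """Relative path -> SHA-256 for every file under root (read in 1 MiB chunks)."""
    out = {}
    for d, _, files in os.walk(root):
        for n in files:
            p, h = os.path.join(d, n), hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            out[os.path.relpath(p, root).replace(os.sep, "/")] = h.hexdigest()
    return out

def compare_trees(known_good, suspect):
    """Files added, modified or missing in `suspect` relative to `known_good`."""
    g, s = hash_tree(known_good), hash_tree(suspect)
    return {"added": sorted(set(s) - set(g)),
            "modified": sorted(p for p in g.keys() & s.keys() if g[p] != s[p]),
            "missing": sorted(set(g) - set(s))}

def files_changed_since(root, since_ts):
    """Files under root (e.g. a Startup folder) with mtime after the POSIX time since_ts."""
    return sorted(os.path.relpath(os.path.join(d, n), root).replace(os.sep, "/")
                  for d, _, files in os.walk(root) for n in files
                  if os.path.getmtime(os.path.join(d, n)) > since_ts)

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def build_demo():
    """Constructed sample (not a real TeamViewer install): one tampered and backdated file, one dropped file, one deleted file."""
    base = tempfile.mkdtemp()
    good, sus = os.path.join(base, "good"), os.path.join(base, "suspect")
    for root in (good, sus):
        _write(os.path.join(root, "bin", "app.exe"), b"original")
        _write(os.path.join(root, "readme.txt"), b"docs")
    _write(os.path.join(sus, "bin", "app.exe"), b"tampered")
    _write(os.path.join(sus, "bin", "helper.dll"), b"dropped")
    os.remove(os.path.join(sus, "readme.txt"))
    old = INCIDENT_TS - 14 * 86400  # mtime pushed two weeks before the call
    os.utime(os.path.join(sus, "bin", "app.exe"), (old, old))
    return good, sus
```

Note that the mtime check alone misses the backdated `app.exe` in the demo; only the hash comparison catches it, which is why both checks are worth running.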