
I was called from what appears to be a legitimate Apple phone number and I was told there was suspicious activity. Then I said I wanted to speak to someone and I was connected to someone with an Indian accent. This person made me type www.fastsupport.com\apple into the run command and I installed something that gave this person control of my computer, similar to TeamViewer.

I got an email from apple.care@techie.com which was in the spam folder and the guy opened netstat in cmd. Told me some stuff I didn't understand. Then he did something which started a bunch of lines appearing on the command line. At that point I got spooked and closed the cmd and the connection.

What might be compromised, what should I be doing now?

Rory Alsop
  • Although I don't think you have a persistent backdoor as of yet, I would still consider your whole system to be compromised just to be sure. The command ``netstat`` is not harmful and you can check out the CMD command ``tree``, if this is what he showed you, it is not harmful either. – Kevin Jan 12 '19 at 23:27
  • @KevinVoorn he entered something that I do not recall, which triggered a bunch of text to appear rapidly. Is there any way to figure out what was typed? – Gappy Hilmore Jan 12 '19 at 23:29
  • I don't believe there is if you clicked away the window, but you can try out ``tree`` to see if it looks similar (as it fits your description of text appearing rapidly with lines). That is however no guarantee nothing else was typed in, as this could have been to mask initial commands. As I said, I would consider your whole system compromised to be safe, even though I don't believe harm was done yet (as the practice of these scams is to scare you first before any persistent malware such as a trojan horse / backdoor is installed). – Kevin Jan 12 '19 at 23:33
  • @KevinVoorn indeed, I tried tree and it is indistinguishable from what I saw at the time – Gappy Hilmore Jan 12 '19 at 23:38
  • As a general point of reference: "... I was called ... computer activity ...". Right away you should be wondering how any computer activity resulted in a correlation to your phone! If you gave them access even for a few seconds, I recommend you completely wipe and rebuild your system. – user10216038 Jan 13 '19 at 00:35

1 Answer


Worst case.

Strictly speaking, a machine where someone got to run something you don't know - whatever it actually did - is to be treated as "compromised", i.e., all accounts on it have to have their password changed, the data saved to backup before reformatting the machine, reinstalling the OS and restoring the documents - if you're really paranoid, the documents first need to be converted into a less vulnerable format (so for example all PDFs to Jscript-less PDFs, all Word DOCs to macro-less RTFs, and so on), and the backup virus-scanned from another, known good machine.

Also, any home banking accounts need to be re-secured, and all sensitive information (credit card numbers, emails etc.) checked and, if necessary, invalidated and re-issued.

Even apparently "innocuous" information might be used to impersonate someone even weeks after, and there are actually scamming "firms" that purchase such information from lesser criminals and "groom" them for weeks or months before striking (bottom line: you being scammed by an apparently innocuous "small fish" out of potentially sensitive information might end up, much later, with that information in the hands of those who can make the most out of it). In its most visible form this is called "CEO email fraud". I have been personally involved in investigations in two such (much smaller, around USD 100,000) cases, but the latest case I know of is just days ago ("The CEO mail was false: 17 million USD lost"). So if you're involved with a large and possibly vulnerable firm (head accountant, books reviewer, CEO, lawyer, consultant etc.), take care to warn them. The market is so juicy that people are working hard at such heists.

Likelier (in MY opinion) case.

It is possible - I suspect "likely" - that nothing got compromised, and the guy at the other end of the line just typed some command like DIR /S or TREE to cause a lot of "computerish-looking" output.

The next step would have been to tell you that your PC had been infected, whatever antivirus you were using was no good, and you needed the new and enhanced antivirus from Apple Support.

Sometimes they also insist that if you refuse, they have no choice but to disable your Apple ID since it may be used to commit fraud, rape, arson, murder and rape.

At this point you are directed to a website where you can purchase said antivirus for a reasonable fee. And that is when you get it in the neck.

There are several flavours of this scam:

  • "almost honest" scam: you are buying a semi-fake product that will also try to have you purchase additional plugins, enhancements, add-ons and so on.
  • credit card fraud: you enter your credit card details to make the purchase, and, well.
  • the application you're buying is not an antivirus at all but mainly a backdoor. Your system is now well and truly compromised, in addition to the financial damage. The backdoor access might also later be sold to worse criminals. Usually it gets immediate use as spam relay, cryptocoin mining and distributed denial of service, all services that are commonly marketed on the dark Web. It goes without saying that all interesting information on the machine will get pillaged (up to and including the worst case, above).
LSerni
    Although this answer is in line with what I typed in the comments, I want to add that if your security means a lot to you I would still consider your machine to be compromised and you should act accordingly (clean install, only use external backups etc.). – Kevin Jan 13 '19 at 11:58
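A triage script for the situation the question describes (a remote-support tool installed during the call, netstat output the caller could not follow), added here as an example and not taken from the question or the answer. It lists what such a session typically leaves behind on a Windows PC: recently installed programs, Run-key autostarts, non-Microsoft scheduled tasks, and established TCP connections mapped to their owning process. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt; the 7-day lookback is a constructed value. It is a starting point for deciding what to preserve before the rebuild the answer recommends, not a substitute for it.

```powershell
# Added post-incident triage snippet; not code from the question or answer.
# Assumes Windows 8+/Server 2012+ and an elevated PowerShell prompt.
$Days  = 7                           # constructed lookback window
$Since = (Get-Date).AddDays(-$Days)

# 1. Programs installed recently (remote-support tools register here).
$UninstallKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Write-Host "== Programs installed in the last $Days days =="
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -and $_.InstallDate } |
  ForEach-Object {
    # InstallDate is stored as yyyyMMdd; entries that do not parse are skipped.
    $d = [datetime]::MinValue
    if ([datetime]::TryParseExact($_.InstallDate, 'yyyyMMdd', $null,
          [System.Globalization.DateTimeStyles]::None, [ref]$d) -and $d -ge $Since) {
      [pscustomobject]@{ Installed = $d.ToShortDateString()
                         Name      = $_.DisplayName
                         Publisher = $_.Publisher }
    }
  } | Format-Table -AutoSize

# 2. Autostart entries in the Run keys (a common persistence location).
Write-Host "== Run keys =="
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
  ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
  Format-List

# 3. Scheduled tasks outside the built-in \Microsoft\ folder.
Write-Host "== Scheduled tasks not under \Microsoft\ =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
  Select-Object TaskName, TaskPath, State, Author | Format-Table -AutoSize

# 4. Established connections with the owning process name: the same data
#    netstat printed during the call, but readable without knowing the PID.
Write-Host "== Established TCP connections =="
Get-NetTCPConnection -State Established |
  Select-Object RemoteAddress, RemotePort,
    @{ n = 'Process'
       e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
  Sort-Object Process | Format-Table -AutoSize
```

Run it from a known-good administrator session and save the output before wiping, so anything unexpected (an unfamiliar installer, a Run entry, a task, or a connection to an unknown host) can be looked into later without keeping the machine in use.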