
Question resolved: no reason at this time to assume the remote access was with any malicious intent.


[skip this beginning if you want]

My partner was offered a job with a real estate listing company doing photo processing for their virtual tours, and this rang a couple of alarm bells: their photos aren't super professional on their website, the company uses the physical address of a hundred other businesses, and the interview did not seem very extensive or job-focused - though I know from experience some companies don't ask for a lot in entry-level interviews.

But mostly my partner's concern was that the employer wants remote access to the machine "to set up software." The only reason I can imagine doing this is perhaps if they have a license that they want to maintain ownership of and not have a prospective new hire share or use on other equipment. Or if they really think that someone they're hiring for a computer-intensive position is going to be that incompetent and don't want to waste time supporting program install. There are probably other reasons, but I don't know how much this should raise alarm bells as I haven't done any WFH jobs. My partner has already provided them with the usual hire stuff, SIN and bank deposit forms, which they were in no particular rush to get.

The salary isn't out of expected range, a bit above minimum wage, and they're not rushing to try to encourage the new hire to do everything as soon as possible which is what you would expect for an IS-breaching sort of situation, and they're a smaller company with a low profile.

Anyway, I'm thinking of putting a new install of Windows on one of our systems and separating it from the network by physically removing other devices until I can take a look at what they did while connected. Since we don't have a way to set up a DMZ that I'm aware of, I feel this is the safest option, though perhaps paranoid/overkill - we do run 2 attached routers with different network names and passwords.

I don't know what they'll be using, and I won't be present since I will be working. My partner is tech-savvy and will recognize an obvious scam but is unlikely to recognize commands run through cmd or PowerShell, e.g., and I expect that they will be asking for admin access to install programs.


The idea is to run a clean (formatted) drive on the system to be accessed with all others temporarily disconnected as we don't have a physical firewall set up as such.

I'm willing to spend time on this but not money (ideally).

I am thinking of setting up a "honeypot" so that I can determine what is being done while the system is accessed so that I can try to determine if there is anything nefarious going on. The aim is to see if there's any personal information snooping or additional virus/software/access to unexpected files without putting anything real at risk. Obviously if there's anything like this we can assume it's not a legitimate opportunity (or otherwise involves unethical people) and waste no more time with it.

The first article I found regarding a honeypot online recommended things like ghostusb, kfsensor, and glastopf or SNARE/TANNER, but I worried that there might be too many settings for a casual endeavour, and I did not want to risk actually compromising the computer from outside of this one occasion while I was setting it up (also it specifically warns against running it without knowing what you're doing, so I figured I would heed the warning since I don't want to risk a different set of attacks or make myself a target in future). I just wanted to make it inviting from the inside; here are some things I was thinking of which may or may not be appropriate:

  • leave a junk passwords.txt file on the desktop, a file called bank stuff.txt on the c:/ root, and check for access in event viewer (assuming they don't purge - would also like a backup)

  • changing any default router admin passwords, IDK if we've ever bothered I just assumed the last boyfriend would have since he was a tech guy.

I would like to install maybe some of these:

  • https://github.com/dragokas/hijackthis/

  • https://www.bleepingcomputer.com/download/gmer/

  • https://www.xplg.com/download/#tab-id-1

  • I would consider e.g. spyrix free keylogger but unsure if this would capture remote access commands as I am unsure how it works/if I can get it to work and my... ISP? I think blocks it, plus I would have to convince windows to use it.

  • and run some sort of screen recorder, either OBS or NVidia's capture software to video the desktop during the remote session or something external from the computer since I'm not sure how to hide OBS and I'm not really familiar with NVidia's software except I know it's usually used for game capture so IDK if it does two screens - they specifically requested two monitors to be connected, I'm not sure if that's relevant.

Any other recommendations, "you're being paranoid," "try using software that's less outdated or would actually work as a backup for Windows event log," etc. would be appreciated. I have maybe a few more days to reinstall Windows and set up. Ideally, if they are a malicious actor I would like to capture any/all information I could (IP addresses, e.g.) and pass it along to whoever is relevant, or if I am unsure and anybody else might be interested.

For me, a big sign of illegitimacy will be if they connect from an IP assigned to the wrong geographical location or touch any of the no-no files. Obviously, if my partner decides to pull the plug/drive due to concerns then that's a different story.

I'm open to setting up Linux and a Windows virtual machine or something but I'm not familiar with it and if the remote desktop session turns out to be legitimate I don't want to leave my partner without a working computer/program that the new employer has just set up. The job starts in about two weeks, software setup is supposed to be some days before that.

Rob Tango
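As an added example (not from the question or any of the comments), here is one way to do the "check for access in Event Viewer" part of the bait-file idea from the question in PowerShell. It assumes an elevated prompt on the freshly installed machine, run as the account whose desktop holds the bait file, before the remote session starts; the file names are the question's own, while the function names and backup folder are my choices.

```powershell
# Added example, not from the question or its comments: make the two bait
# files from the question generate Windows Security events when touched, then
# pull those events afterwards. Assumes an elevated PowerShell prompt on the
# freshly installed machine, run before the remote session; the function and
# folder names are my own choices.

$BaitFiles = @("$env:USERPROFILE\Desktop\passwords.txt", "C:\bank stuff.txt")
$BackupDir = "C:\audit"

# 1. Enable auditing of file-system object access (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Create each bait file with obviously fake content and attach a SACL entry
#    so any read or write by any account is logged as Security event 4663.
foreach ($path in $BaitFiles) {
    Set-Content -Path $path -Value "constructed placeholder - nothing real here"
    $acl  = Get-Acl -Path $path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList "Everyone", "ReadData, WriteData", "Success, Failure"
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# 3. After the session: list which account and process touched a bait file.
#    Property indexes follow the 4663 event schema (1 = account name,
#    6 = object name, 11 = process name).
function Get-BaitAccess {
    param([datetime]$Since = (Get-Date).AddHours(-8))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $BaitFiles -contains $_.Properties[6].Value } |
        Select-Object TimeCreated,
            @{ n = 'Account'; e = { $_.Properties[1].Value } },
            @{ n = 'Process'; e = { $_.Properties[11].Value } }
}

# 4. Keep an offline copy of the Security log in case it is cleared later
#    (clearing it writes event 1102, which is itself worth checking for).
function Backup-SecurityLog {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $dest = Join-Path $BackupDir ("Security-{0:yyyyMMdd-HHmm}.evtx" -f (Get-Date))
    wevtutil epl Security $dest
    return $dest
}

# Usage once the remote session has ended:
# Get-BaitAccess | Format-Table -AutoSize
# Backup-SecurityLog
```

Event 4663 only records access to files that carry an audit entry, so this covers the bait files and nothing else; a remote-support tool that is not a Windows logon will not show up as a 4624 logon, which is where Wireshark on the host fills the gap.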
  • You have not defined what your goal is. You have a ton of "things to do" but they are not tied to a goal. Your list is mostly about detection. But if you have a clean environment, which you suggest at the start, then there is no risk to personal data/files, so I'm not sure what the purpose is of gathering info on the remote person. – schroeder Feb 03 '21 at 10:37
  • Thanks for your help with the edits. It would be nice to know before my partner puts in any time with the company if they are legitimate, assuming that they might not be. If something convinces me they are not legitimate, the detection is for that intention, though I am unsure what I would be looking for barring obvious access to something they have no business accessing. If they are indeed bad actors e.g. seeking personal data/information then I assume that some third party (e.g. law enforcement) would be interested in this information as it sucks that people would prey on job seekers. – Rob Tango Feb 03 '21 at 10:55
  • Ok, then you can edit your post to be more explicit about that. You do truly want to create a honeypot. Focus on that. – schroeder Feb 03 '21 at 13:01
  • Did they ask your partner to setup a new bank account? And does your partner have their phone#... can they call and speak to the person offering them the position? – pcalkins Feb 03 '21 at 19:04
  • You should interview them and get the information you need to verify their claims. – pcalkins Feb 03 '21 at 20:19
  • Sounds reasonable. Part of the reason the situation exists is because my partner has social anxiety. I could contact via company's website, but I don't want to put my partner in a position they wouldn't be comfortable with if the offer is legit. Even if I am able to match the information up to the business's website... the company seems pretty fly by night itself, so I don't know what that proves. Part of the issue is I don't know what legitimate reason they would have for remote desktop aside from the random guesses, I've only encountered it for tech support or telework and this use is weird. – Rob Tango Feb 03 '21 at 20:35
  • Oh, no to the new bank account. Just direct deposit to the current one. They've done a zoom call interview and followup but couldn't point me to any specific person who might be in the photos on the company website that they talked to: "the zoom call was dark, they didn't really seem like they knew what they were doing hiring online." – Rob Tango Feb 03 '21 at 20:38
  • when you say the zoom call was dark, could you see the other hiring party clearly? – brynk Feb 07 '21 at 04:54
  • another thought might be to observe what they plan on doing with your machine, once they've gained access - you could get comfortable using a virtual guest, and on your clean host (at the very least), running network scanning software (*Wireshark*) - you might also run this inside the guest as well ... **you're not being paranoid** - i worked my way through all the links on [a post about using browser extensions to create distributed scrapers](https://sponsor.ajay.app/emails/) *Ramachandran '20* (also *https://news.ycombinator.com/item?id=25884338*) and I came away with a headache – brynk Feb 07 '21 at 05:04
  • I decided to run everything as a second user logged in concurrently. I went with procmon, Regshot, Wireshark, installed Hitman Pro Alert since someone recommended it, was going to use ProcDOT and dependency walker afterward, but after watching the start of it, it seemed pretty legitimate and considering what they spent time on and how much they spent doing it, no longer concerned, didn't even end up running the follow-up analysis. My partner waved me off not long in and took care of the rest of it. Thanks for the suggestions, everybody, seems like in this case the company was legit! – Rob Tango Feb 08 '21 at 04:49

0 Answers