Adobe update phone scam (fill in the blanks pls)

Strider590
Posts: 11,874 Forumite
My step father was using his PC last night, he somehow was informed of needing an Adobe update, this failed, he apparently received a phone call from a woman claiming to be from Microsoft who wanted money to fix the problem, during the call he noticed all the desktop icons disappearing.
Now this is just bizarre, I've heard of the Adobe scam (spam malicious email) and I've heard of the Microsoft scam, but this is something halfway between...... My step father has early stages of Parkinson's and is also far too proud for his own good, so it's impossible to get at what really happened.
I can't see how they can possibly link his PC to his phone number, it was not a random cold call (the MS scam).
You can't link an IP address to a phone number without going via the ISP and this can take weeks/months.
So did he fill in his details somewhere? Did they access his documents via malware and get his details from there?
The call happened very quickly, approx halfway through the fake download.
I'm trying to piece this together, I have to go round and fix the PC in the next few days, but there are so many gaps in this story that I'm struggling to find any information on the web regarding a solution..... It's p*ssing me off because all I need is an accurate account of what exactly happened!!
Has anyone seen this and does anyone know what I'm not being told?
“I may not agree with you, but I will defend to the death your right to make an a** of yourself.”
<><><><><><><><><<><><><><><><><><><><><><> Don't forget to like and subscribe \/ \/ \/
Comments
-
It won't be anything to do with an Adobe update, just a coincidence that it happened near the time your Step Father received a scam call purporting to be from Microsoft (a common scam these days).
The phone number is not linked to the PC, these scam callers just cold called, they are aware most households will have a computer/laptop these days so just cold call so no mystery there.
If the desktop icons disappeared during the scam call then your Step Father may have followed the instructions given by the scammer who had remote control of his computer via something like LogMeIn.
Did your Step father make any payment or give his credit/debit card details?
-
^^ Yeah, see when non IT minded people describe something, they often include misleading cr4p that actually had no connection at all.... "I looked out of the window and saw a big black bird land on the telephone line just before the computer crashed" and no matter what you tell them, they refuse to let go of it
I was suspecting a well timed cold call, he probably told them about the Adobe popup himself :mad:
The MS scam involves a cold call, then directions to a website to download malware or to give over remote access to your PC, but he doesn't describe doing any of this and probably wouldn't admit if he had.... Hence my confusion.
-
If you go round, check the browser history to see if your Step Dad was directed to LogMeIn or a similar site, there may be a chance he wasn't.
-
Right, I've looked at the machine.... I found 3 suspicious files.
"Copy of System Report.vbs.vbs", contents:
x=msgbox("Microsoft security licence number 4563.installation started.thank you for choosing microsoft.", 0+16, "System Report")
"TECH SUPPORT.txt", contents:
MICROSOFT TECHNICAL SUPPORT
142 PICCADILLYT MAYFAIR LONDON W1J 0DS
PHONE==0203 514 2089
============
INSTALL MICROSOFT SECURITY ESSENTIALS
ONE TIME PAYMENT===20 POUNDS..FOR YOUR LIFETIME...
VIRUS PROBLEMS==NO MONTHLY OR ANNUAL OR RENEWAL CHARGES
LIFETIME GUARANTEE==NO EXPIRY DATES FOR THE SOFTWARE
E MAIL AND HOME ADDRESS
"C:\WINDOWS\23c78.msp", contents unknown, does not flag with Virustotal.com
(Above all suspicious for having creation date/time near to the time of the incident)
Internet history (reverse order):
==================================================
URL : http://www.natwest.com/personal.ashx
Title : NatWest Personal Banking
Hits : 5
Modified Date : 23/01/2012 16:55:07
Expiration Date : 18/02/2012 16:47:58
User Name : user
Subfolder :
==================================================
==================================================
URL : http://www.natwest.com
Title :
Hits : 1
Modified Date : 23/01/2012 16:55:00
Expiration Date : 18/02/2012 16:47:52
User Name : user
Subfolder :
==================================================
==================================================
URL : http://www.google.co.uk/search?source=ig&hl=en&rlz=1W1ADBR_enGB323&q=natwest+online&oq=natwest&aq=1&aqi=g10&aql=&gs_sm=c&gs_upl=112266l122062l0l127344l7l7l0l3l3l0l375l968l0.2.1.1l4l0
Title : natwest online - Google Search
Hits : 23
Modified Date : 23/01/2012 16:52:47
Expiration Date : 18/02/2012 16:52:48
User Name : user
Subfolder :
==================================================
==================================================
URL : https://www.westernunion.co.uk/WUCOMWEB/registerPersonalInfo.do?method=load
Title : The page cannot be found
Hits : 65
Modified Date : 23/01/2012 16:45:13
Expiration Date : 18/02/2012 16:45:14
User Name : user
Subfolder :
==================================================
==================================================
URL : http://www.westernunion.co.uk/WUCOMWEB/staticMid.do?method=load&countryCode=GB&languageCode=en&pagename=HomePage&utm_content=s4gFNJEDT_pcrid_8366519190_mt_e_kw_western%20union&src=gg_UK_TopBrand+-+Exact_eng&gclid=CKL-i6zL5q0CFUoifAodeh099Q
Title : Western Union Money Transfers | Send Money Online | International Wire Transfers UK
Hits : 12
Modified Date : 23/01/2012 16:44:12
Expiration Date : 18/02/2012 16:44:14
User Name : user
Subfolder :
==================================================
==================================================
URL : http://www.googleadservices.com/pagead/aclk?sa=L&ai=CIP8l0I0dT_E3goU6v7OdvA6mqZmVArbjh8EftOGLDggAEAEgsYrfBlCAqtut-_____8BYLuWxYPQCqABkqq06QPIAQGqBBxP0KRL5NEwQIK-cSemTodUExeuxB28ljB4ztgcgAWQTroFEwiOhIqpy-atAhUQdA4KHU4K7lzKBQA&ei=z40dT87gOpDoOc6UuOcF&ved=0CBAQ0Qw&val=ChA4MGQ1NWU3N2NmNDY3NDI0ENCyvPcEGgioeSA4K_qKNCABKAAwidjzgd-N26zLATjQsrz3BECohfb4BA&sig=AOD64_13W_JulKwzHf5-rBjr4s_W5b7E2A&adurl=http://www.westernunion.co.uk/WUCOMWEB/staticMid.do%3Fmethod%3Dload%26countryCode%3DGB%26languageCode%3Den%26pagename%3DHomePage%26utm_content%3Ds4gFNJEDT_pcrid_8366519190_mt_e_kw_western%2520union%26src%3Dgg_UK_TopBrand%2B-%2BExact_eng
Title :
Hits : 1
Modified Date : 23/01/2012 16:41:55
Expiration Date : 18/02/2012 16:34:48
User Name : user
Subfolder :
==================================================
==================================================
URL : http://www.google.co.uk
Title : Google
Hits : 7
Modified Date : 23/01/2012 16:41:52
Expiration Date : 18/02/2012 16:34:44
User Name : user
Subfolder :
==================================================
==================================================
URL : file:///C:/Documents%20and%20Settings/user/My%20Documents/Copy%20of%20System%20Report.vbs.vbs
Title :
Hits : 1
Modified Date : 23/01/2012 16:40:53
Expiration Date : 18/02/2012 16:33:46
User Name : user
Subfolder :
==================================================
==================================================
URL : http://www.ammyy.com/AA_v3.exe
Title :
Hits : 3
Modified Date : 23/01/2012 16:20:38
Expiration Date : 18/02/2012 16:13:30
User Name : user
Subfolder :
==================================================
==================================================
URL : http://www.ammyy.com/en
Title : Ammyy Admin - Free Remote Desktop Access, PC Remote Control Software and Remote Desktop Sharing
Hits : 5
Modified Date : 23/01/2012 16:19:02
Expiration Date : 18/02/2012 16:11:54
User Name : user
Subfolder :
==================================================
I'm completely stumped as to how they could phone him at just the right time to say "we notice you're having problems installing Adobe".
I thought it was something installed on the PC, but I've found nothing that could do this. Not even a hidden service running.....
He reckons the lady he spoke to sounded English, but her supervisor sounded middle eastern........
-
Timing is coincidence.
http://www.ammyy.com/en/admin_mu.html
There's a link to remote control software that they use there, and some to western union/natwest which is more worrying.
Check his bank accounts, and scan with malwarebytes
-
Agree - they have used ammyy to access the PC - the worrying thing is that the user has internet banking, so not only check balances, but warn the bank, and change passwords etc immediately. Avoid using the net again until you have had a chance to check for any scams, keyloggers etc.
-
Pretty much as I figured, the phone call however, they knew his name and what was happening on screen.... There's more to this, but I can't quite place my finger on how it works.
-
Names and phone numbers are readily available. The rest is probably patter or confusion
What did he pay, and how?
-
He didn't pay, he point blank refused.... My step father may be a little slow with computers, but when it comes to money, nothing gets past him :rotfl:
Yes it's easy to get names+numbers, but to link that name/number to a PC at the EXACT right moment?
IP addresses don't translate down to phone numbers, he claims not to have entered any personal details for months, the only personal documents on the computer at the time belonged to my brother, not my step father. I have to assume he's not told me everything here, because it just does not add up.....
-
This report was circulating a couple of years back. It may have resurfaced. Malwarebytes scan should sort it if infected.
http://www.pc1news.com/news/1238/fake-adobe-updates-are-infecting-users-pcs.html
"It's nice to be important but more important to be nice"
John Templeton 1912-2008
This discussion has been closed.
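The triage the thread arrives at (look in the browser history for a remote-access tool, then for banking or payment pages visited afterwards), written out as an added example that is not part of any post. It assumes the "Key : Value" record layout of the export posted above; the watch list and the function names are hypothetical.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, unquote
# Assumed watch list, seeded from the sites named in this thread.
WATCH = {"remote-access": ("ammyy.com", "logmein.com"),
         "money-transfer": ("westernunion.co.uk",), "banking": ("natwest.com",)}
# Constructed sample: five records abridged from the export above, newest first.
SAMPLE = """\
==================================================
URL : http://www.natwest.com/personal.ashx
Modified Date : 23/01/2012 16:55:07
==================================================
URL : https://www.westernunion.co.uk/WUCOMWEB/registerPersonalInfo.do?method=load
Modified Date : 23/01/2012 16:45:13
==================================================
URL : http://www.google.co.uk
Modified Date : 23/01/2012 16:41:52
==================================================
URL : file:///C:/Documents%20and%20Settings/user/My%20Documents/Copy%20of%20System%20Report.vbs.vbs
Modified Date : 23/01/2012 16:40:53
==================================================
URL : http://www.ammyy.com/AA_v3.exe
Modified Date : 23/01/2012 16:20:38
==================================================
"""

def parse(export):  # one dict per record; records are delimited by lines of '='
    for block in re.split(r"(?m)^=+\s*$", export):
        rec = {k.strip(): v.strip() for k, sep, v in
               (ln.partition(" :") for ln in block.splitlines()) if sep}
        if rec:
            yield rec

def classify(url):
    u = urlparse(url)
    if u.scheme == "file":  # a script opened from disk, like the .vbs above
        return "local-script" if unquote(u.path).lower().endswith((".vbs", ".js", ".bat")) else None
    host = (u.hostname or "").lower()  # match on the host only, not on redirect parameters
    return next((cat for cat, sfx in WATCH.items()
                 if any(host == s or host.endswith("." + s) for s in sfx)), None)

def timeline(export):  # flagged visits only, oldest first
    hits = [(datetime.strptime(r["Modified Date"], "%d/%m/%Y %H:%M:%S"),
             classify(r["URL"]), r["URL"]) for r in parse(export)]
    return sorted(h for h in hits if h[1])

def after_remote(hits):  # banking/payment visits at or after the first remote-access hit
    start = min((t for t, cat, _ in hits if cat == "remote-access"), default=None)
    return [h for h in hits if start and h[0] >= start and h[1] in ("banking", "money-transfer")]
```

Any entry returned by `after_remote(timeline(export))` is a reason to contact the bank and change passwords from a different machine.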