
Ask Slashdot: Rescuing a PC That's Been Hit By Scammers?

timothy posted about 2 years ago | from the how-much-holy-water-ya-got? dept.

Software 320

New submitter malcus writes "My father was hit by scammers the other day and even though he has handed over all computer service tasks to me they were able to sweet-talk him into: (1) Running some 'checks' to confirm the 'grave situation' that his computer was heading for (bad). (2) Start some remote-control program (worse). (3) Giving them his social security number (terrible). When they asked him for his credit card information he stopped and is now probably expecting them to call again. Meanwhile I have told him to dump the computer in holy-water or aqua regis and cut the internet cable. I am heading over to his place later and wonder what measures I should take."


320 comments


Just the obvious (5, Insightful)

gestalt_n_pepper (991155) | about 2 years ago | (#41148091)

Bow your head and type "Format C:" Amen.

Re:Just the obvious (4, Informative)

RivenAleem (1590553) | about 2 years ago | (#41148317)

The 'hurt' caused by the loss of data might also shock him up enough to be more careful.

Re:Just the obvious (2)

ArsenneLupin (766289) | about 2 years ago | (#41148639)

... or cause him to dump you even quicker as the trustee for "all computer service tasks".

Re:Just the obvious (4, Insightful)

snowraver1 (1052510) | about 2 years ago | (#41148779)

No offence to the OP, but you can't fix stupid.

Re:Just the obvious (4, Informative)

Lord Lode (1290856) | about 2 years ago | (#41148347)

Yes, but make sure you back up any photos and other irreplaceable bits of information first!

Do not back up anything that's executable though.

Re:Just the obvious (5, Informative)

RogueyWon (735973) | about 2 years ago | (#41148397)

That's definitely the first thing he needs to do, but there's more besides:

1) Change all passwords. Either do it from a different PC or from that PC AFTER it has been wiped and confirmed clean.

2) Get a few credit checks over the next few months. Depending on how much information the father has actually given away (and it may be more than he's willing to admit), he may have given the scammers enough to do a thorough identity theft job on him. Picking up any attempts at this as early as possible will be important.

3) Some urgent parental re-education. Using a stout stick if necessary.

Oh, and when going to do the disinfection, if you're taking a personal machine with you, make damned sure before you go that it is NOT set to automatically connect to wireless networks. I got stung with this one a few weeks ago when disinfecting an uncle's PC.

He'd picked up one of those ransomware fake-AV trojans that basically renders Windows unusable. I'd figured it was going to be a wipe-and-reinstall job (which indeed it was), but had taken an old laptop with me in case I needed a "clean" PC for anything. This laptop had been my secondary PC until I replaced it with an iPad and I was going to use my trip "up north" as an opportunity to hand it over to the parents, who would make more use of it than I would. It'd just been flattened itself and had a fresh (though updated) Vista install on it. It also has a network share on it, that I'd used to copy a few drivers and other files over from my desktop to save redownloading them.

Anyway, like a fool I boot the thing up as soon as I get in there, forgetting two important things:

1) The laptop will default to connecting to any wireless network it can find and get onto; and

2) My uncle, being a complete idiot, has an unsecured wireless network.

So the laptop connects immediately to his wireless network - and gets infected within seconds by the trojan on his PC via the open network share. Fortunately, I had the Vista disc with me to do an immediate wipe and reinstall on the laptop as well, but it was still frustrating.

Re:Just the obvious (1)

Anonymous Coward | about 2 years ago | (#41148599)

Anyway, like a fool I boot the thing up as soon as I get in there, forgetting two important things:

1) The laptop will default to connecting to any wireless network it can find and get onto; and

2) My uncle, being a complete idiot, has an unsecured wireless network.

So the laptop connects immediately to his wireless network - and gets infected within seconds by the trojan on his PC via the open network share. Fortunately, I had the Vista disc with me to do an immediate wipe and reinstall on the laptop as well, but it was still frustrating.

Wait, how did it get infected? Did you share out the entire C drive with read/write access? Or did it have an unpatched exploit? Normally I would just create a single folder and share out only that folder. Any viruses on the network could feel free to dump whatever virus filled crap they wanted into that folder, but they couldn't infect the whole machine.

Re:Just the obvious (4, Informative)

RogueyWon (735973) | about 2 years ago | (#41148677)

The permissions on the share were read/write (though not for the whole of drive c). And it was basically a fresh Vista install that I'd run windows update on, but not been as thorough about as I should have been. My own fault, but that doesn't make it any less frustrating. Some of the ransomware stuff doing the rounds at the moment is absolutely vicious in how it will spread itself and protect itself from removal.

Re:Just the obvious (0)

Anonymous Coward | about 2 years ago | (#41148883)

Is security in the Windows world still this bad (boot a machine with default settings near an infected computer = one more infected computer), or is this some kind of troll?

Re:Just the obvious (3, Informative)

ArsenneLupin (766289) | about 2 years ago | (#41148671)

Family members won't let family members use windows...

Re:Just the obvious (1)

Anonymous Coward | about 2 years ago | (#41148427)

Agreed. The first step should be wiping the hard disk clean, preferably from a bootable GNU/Linux LiveCD. The second step should be to determine the tasks the OP's father uses the computer to accomplish each day. The third step is to determine whether Microsoft Windows or a very user-friendly GNU/Linux distribution is appropriate. By very user-friendly I mean user-friendly in the eyes of the OP's father, not the OP himself/herself. While some people rail against Ubuntu Linux, I recently made the switch from PCLinuxOS to Ubuntu following the purchase of a 64-bit notebook computer. I have been extremely satisfied with Ubuntu Linux 12.xx LTS. On the other hand, if the OP's father wants to stay with the more familiar Microsoft Windows I suggest (i) making a complete raw image (dd) backup onto external storage media, (ii) telling the affected user to leave all maintenance to the OP, and (iii) if restoration is required in the future, the raw image can be in place within 1 hour and in a pristine state.

Re:Just the obvious (1)

scubamage (727538) | about 2 years ago | (#41148433)

Backup everything first. If you want to poke around first, make sure the damn thing is off the intertubes.

Re:Just the obvious (4, Informative)

Adriax (746043) | about 2 years ago | (#41148459)

Yank the HD.
Slave it to another machine.
Save what you need to.
Format it.
Toss it back into the original machine.
If he can handle it, install your favorite flavor of linux. If not, reinstall windows.
Make sure his account lacks the privileges to get into that much trouble in the future.
Start researching identity theft countermeasures.

Re:Just the obvious (1)

ArsenneLupin (766289) | about 2 years ago | (#41148605)

But when you plan to do this, be sure to bring an Ubuntu CD :-)

Re:Just the obvious (5, Informative)

Joce640k (829181) | about 2 years ago | (#41148635)

Bow your head and type "Format C:" Amen.

Even better ... make him buy a new hard disk, that way you can be sure that:
a) He spends some money (more likely to pay attention in the future).
b) You didn't lose any data files - they're all on the old disk somewhere.

Re:Just the obvious (0)

Anonymous Coward | about 2 years ago | (#41148705)

Closing the stable door after the horse has bolted, grandad.

Re:Just the obvious (0)

hobarrera (2008506) | about 2 years ago | (#41148893)

Or use the opportunity to put Ubuntu/Mint/something-alike on his PC.
Sorry, but somebody had to say it.

Also, I sincerely don't think scammers will have the same "verification instructions" ready at hand for non-windows OS. :)

Wipe and reinstall. (3, Informative)

Gordonjcp (186804) | about 2 years ago | (#41148097)

Same as for any other compromised machine.

More Information. (2)

Robert Zenz (1680268) | about 2 years ago | (#41148099)

What operating system? Also check what programs were run...and prepare for worst case: Reinstall.

Re:More Information. (0)

Anonymous Coward | about 2 years ago | (#41148137)

There is only the worst case... prepare to wipe and reinstall

Re:More Information. (1)

somersault (912633) | about 2 years ago | (#41148343)

I'd also change passwords on any sites he was using, especially ones that store credit card details etc.

Wipe it (1)

Anonymous Coward | about 2 years ago | (#41148107)

Format it and start over..how is this news?

Format and reinstall (1)

Hatta (162192) | about 2 years ago | (#41148113)

What else were you expecting?

Re:Format and reinstall (2)

vlm (69642) | about 2 years ago | (#41148269)

What else were you expecting?

Probably, "as of August 2012 the best forensic analysis boot disk/usb image is ..." and the URL of a web page at SS.gov or maybe some consumer organization most likely titled something like "Your SS number is now public knowledge... what should you do now?"

Some anecdotes of what someone has RECENTLY found in a forensic analysis of something owned like this might be interesting, although not terribly useful.

Re:Format and reinstall (4, Insightful)

SecurityGuy (217807) | about 2 years ago | (#41148325)

As someone who does forensic analysis, no, the thing you want to do is not tell an untrained amateur how to try to do it, point them at tools, and hope for the best. It's actually time consuming and can be hard. By far the simplest solution is wipe and reinstall. If you want an actual forensic analysis done, unplug the network cable, step away and DO NOT TOUCH THE BOX AGAIN! Then call a pro.

Re:Format and reinstall (1)

ArsenneLupin (766289) | about 2 years ago | (#41148797)

GP obviously didn't mean forensic as "will stand up in court", but only as "will satisfy my curiosity about what the scammer did to the PC, so that maybe I can get around a complete wipe".

Victim's father is not accused of a crime here (unless the scammer also dumped some kiddy porn on the disk..), so "preserving the chain of evidence" is not a necessity here.

And preserving evidence in order to haul the scammer into court is not necessary as well, because:

  • the police already know about these scams, so no additional "hard" evidence is needed
  • the police are too overworked to do anything (else they'd have done something long ago), or they know that those scammers reside abroad anyway

Re:Format and reinstall (1)

vlm (69642) | about 2 years ago | (#41148815)

It's actually time consuming and can be hard.

Sounds like the definition of a hobby. I'd strongly suggest OP poke around for fun, but no one wants to help him by telling him "the best free downloadable forensics boot disk as of aug 2012 is ...". At most all it'll cost is a blank cdrom disk or unimaginably if he has no spare flash drives laying around it might be $5 at walgreens for a small one. I'm assuming OP is not going to send his dad an itemized hourly bill of his work, so if he Fs around for a couple hours before the reinstall no one is "losing money".

Re:Format and reinstall (1)

MozeeToby (1163751) | about 2 years ago | (#41148723)

Your points about the SSN and identity theft are spot on, but for the PC itself it just doesn't make sense in a risk/cost vs reward context for an amateur to try and salvage an infected PC. It'll take hours at least and most importantly, you'll never really know if the machine is clean or not. Any machine that I know has been compromised is treated as compromised until it gets a full wipe, no matter how much effort I put into clearing the infection.

For my 2 cents: Boot from disk into a flavor of Linux that allows you access to the windows partition. Use a freshly formatted USB key to pull whatever important data is on the machine. Wipe and reinstall windows. Boot back to Linux and replace the important files. Reformat the USB key. Reboot to windows.

Re:Format and reinstall (1)

sabs (255763) | about 2 years ago | (#41148807)

Reflash the bios.
BIOS Trojans are evil and bad.

Have some fun with them (2)

Maximalist (949682) | about 2 years ago | (#41148115)

Install a VM with a godawfully infected version of Windows 98 on it and turn them loose on it... for the lulz.

Re:Have some fun with them (2)

History's Coming To (1059484) | about 2 years ago | (#41148499)

There's a video here [youtube.com] of somebody allowing one of these scammers access to a VM. They essentially just disable a bunch of regular Windows services. Given we have no idea of what the OP's scammer actually did the safest course of action is a format and reinstall.

Re:Have some fun with them (0)

ArsenneLupin (766289) | about 2 years ago | (#41148825)

format and reinstall.

reinstall implies "install the same shit OS as was there before". Maybe now might be the time to install a noob-friendly Linux instead (Ubuntu, ...)?

oddly enough (5, Informative)

alphatel (1450715) | about 2 years ago | (#41148117)

I had a client do this to his machine. He called an 800 number thinking they were the Yahoo help desk and they performed a similar routine. Oddly enough, they left no traces of their activity and there is no reasonable way to tell if there is an inactive trojan waiting to be launched in the future. Best bet is to copy off the data, wipe, reinstall OS.

Victims are stuck cleaning up the mess. (5, Informative)

Anonymous Coward | about 2 years ago | (#41148485)

What many of these scammers do is surf the hard drive for login information for financial institutions, bank and credit card numbers, and anything else they can get to commit financial fraud.

Call and write letters to the credit bureaus, your banks, and every other financial institution one does business with.

And keep a sharp eye out for shenanigans and don't pay any bill that's not yours.

File a police report. The cops won't do anything, but at least you'll have something to fax the debt collectors who may be calling.

It sucks but it's up to the victim to clear their name as best as they can.

The banks and other financial institutions just write off any losses and pass on the costs to the rest of us in the form of higher and more fees.

The other thing they do with the information is create phoney IDs for illegals, get medical care for folks who can't pay, and various other things that require an ID - all in the victim's name and SSN. Folks have been arrested in the past because of someone else using their identity to commit a crime, the warrant goes out, and then the victim gets their license plate scanned by a cop, pulled over and taken to jail.

Have fun with that.

Reload (0)

Anonymous Coward | about 2 years ago | (#41148123)

Gotta backup your documents and reload, man. I wouldn't waste your time attempting to clean it.

This is why backups exist. (2)

h4rr4r (612664) | about 2 years ago | (#41148131)

This is why you have backups. Reinstall the OS, restore your backups and do not give him an administrator account this time.

Re:This is why backups exist. (4, Insightful)

rbrausse (1319883) | about 2 years ago | (#41148379)

everyone wants restore, no one makes backups...

Password resets (2)

Fwipp (1473271) | about 2 years ago | (#41148135)

Get him to change all of his passwords, especially banking passwords. Preferably from a network that hasn't seen the computer in question (and of course not on that machine). You know that they've executed foreign code, you have to assume that the machine is pretty much forever compromised.

If aqua regis (1)

Anonymous Coward | about 2 years ago | (#41148149)

Then don't forget eau de kathy lee...

Back it up and nuke it! Then scan the backup. (2)

cybervegan (1440999) | about 2 years ago | (#41148161)

Back up all the data and then re-install the OS from scratch. Before restoring the data, do a thorough threat scan on it, to make sure there are no nasties lurking in there. If the machine has been rooted, then you simply can't guarantee that anything else you do to clean it up will get rid of all threats. Hope that helps! (I missed a chance there to evangelise on Linux!)

Re:Back it up and nuke it! Then scan the backup. (3, Informative)

vlm (69642) | about 2 years ago | (#41148217)

Given the price of drives and the rate of change, you're better off just buying a new $50 drive and upgrading him. Then take the old drive, stick it in an external enclosure, and play around with it on a linux host. Unless his old PC is so old it can't be easily upgraded. Can you still buy PATA from retail stores or is it all SATA now, for example?

Re:Back it up and nuke it! Then scan the backup. (1)

h4rr4r (612664) | about 2 years ago | (#41148239)

You can buy pata, but the markup is enough to cover the cost of a pci sata card in many cases.

Re:Back it up and nuke it! Then scan the backup. (2)

bastafidli (820263) | about 2 years ago | (#41148305)

I second this. Just get another drive and start from scratch on that drive. If you need any data from the old drive, do it on an isolated computer on a different, non-standard OS (*BSD or *nix) to prevent cross contamination. I would also reapply BIOS in case they found a way to infect it.

Re:Back it up and nuke it! Then scan the backup. (1)

vlm (69642) | about 2 years ago | (#41148901)

I would also reapply BIOS in case they found a way to infect it.

Like I said, look at it as an upgrade opportunity. May as well stick the latest bios version on there, if you're coming over to fool with the computer anyway.

The part I don't get is I haven't BIOS upgraded anything in a while, but the board makers' fixation used to be only providing a windows app to flash. So you can't install windows or it'll get owned by the flash but you can't upload the flash without installing windows. I'd hope all mfgrs would distribute freedos bootable cdrom/usb images with the boot flasher .exe on the freedos image.

I always found it odd that mfgrs need to be babied and only have a GUI flasher on windows only but the virus writers without even the benefit of NDA docs seem to have no trouble writing their own flasher. Of course they're not so concerned with warranty returns if it doesn't work, but still....

Re:Back it up and nuke it! Then scan the backup. (0)

Anonymous Coward | about 2 years ago | (#41148255)

I missed a chance there to evangelise on Linux!
Unfortunately this sort of scam would have worked just as easily on linux.

Format and reinstall is in order... Don't mess with it. You will spend more time farting around trying to fix it.

If you do not have a reinstall disc they are usually 15-20 bucks from the manufacturer. You can sometimes sweet talk them out of it. Plan on about 1-2 days reinstalling all the latest patches. Set them to automatically run. Also set up a less privileged user for him to use. That will help mitigate the issue next time. Then tell him that these companies never reach out to you. You have to call them first. Only credit card companies might do that (and then only if you sign up for it).

Re:Back it up and nuke it! Then scan the backup. (1)

scubamage (727538) | about 2 years ago | (#41148413)

I'd disagree that it'd work on linux as well. The SSN info would have been gotten to, but any remote execution applications most likely wouldn't be binary compatible.

hire a pro (-1)

Anonymous Coward | about 2 years ago | (#41148181)

fuck off and hire someone who knows what they are doing asshole.

Re:hire a pro (1)

benjfowler (239527) | about 2 years ago | (#41148359)

Don't quit your day job, Cicero.

Re:hire a pro (2)

jones_supa (887896) | about 2 years ago | (#41148457)

One could think that hiring another father is a bit of an overkill solution...

Re:hire a pro (0)

Anonymous Coward | about 2 years ago | (#41148477)

fuck off and hire someone who knows what they are doing asshole.

Did daddy piss in your Wheaties this morning because mommy was spending too much time in the bathroom?

A stern son-to-father lecture (3, Insightful)

stevegee58 (1179505) | about 2 years ago | (#41148229)

In addition to the wipe and install suggested over 9000 times, your father needs a good talking-to.

Re:A stern son-to-father lecture (1)

Zuriel (1760072) | about 2 years ago | (#41148521)

syslogd man page:

If the problem persists and is not secondary to a rogue program/daemon get a 3.5 ft (approx. 1 meter) length of sucker rod* and have a chat with the user in question.

Sucker rod def. — 3/4, 7/8 or 1in. hardened steel rod, male threaded on each end. Primary use in the oil industry in Western North Dakota and other locations to pump 'suck' oil from oil wells. Secondary uses are for the construction of cattle feed lots and for dealing with the occasional recalcitrant or belligerent individual.

Re:A stern son-to-father lecture (2)

Robert Zenz (1680268) | about 2 years ago | (#41148561)

Just remove Admin-Rights from his account.

Re:A stern son-to-father lecture (3, Insightful)

spacepimp (664856) | about 2 years ago | (#41148795)

I would also remove his administrative privileges. Set up TeamViewer so you can connect remotely when he needs to install/make changes. My father was the same way. He had some sort of weird skill to always get immediately infected. Almost like he looked for some way to screw up his own life constantly.

Nuke the site from orbit (4, Funny)

necro81 (917438) | about 2 years ago | (#41148253)

It's the only way to be sure.

Re:Nuke the site from orbit (1)

stewsters (1406737) | about 2 years ago | (#41148281)

http://www.dban.org/ [dban.org] Nuke it from a boot disk. It's the only way to be sure.

Re:Nuke the site from orbit (0)

Anonymous Coward | about 2 years ago | (#41148309)

Okay, but how do you figure out which Indian call centre's co-ordinates to use?

Rescue or salvage or recover? (0)

Anonymous Coward | about 2 years ago | (#41148257)

You rescue damsels in distress. If you rescue your computers, you've been in the basement for too long. What kind of relationship exactly do you have with your computer?!?

Wipe, reinstall, serious talk about his finances (5, Insightful)

SecurityGuy (217807) | about 2 years ago | (#41148267)

Everybody's going to tell you the obvious right answer. You wipe the box and start over with a clean install, fully patched, with a firewall and AV. Anything less is really just asking for whatever happens next.

Subsequent to that, you need to have a serious talk with your dad about sharing control over his finances with someone trustworthy (you, maybe). If he's handing out his social security number to any random nutjob who calls him, he's going to give away his life savings to some scammer someday. The time to prevent that is now, not later. I am seriously planning to do that myself, that is put something in place so that when (not if) I'm no longer competent to handle my own affairs, my kids will have the legal ability to seamlessly keep me from bankrupting myself. I have decades before this needs to happen, but the time to do it is when you are of sound, not failing, mind.

I'd also look into putting a fraud warning on his credit report with all three credit bureaus. I'm not going to pretend that's something I know much about, so research it and confirm for yourself what good it will do and what harm before you act. I do think you want to limit the ability of any random goofball who knows your dad's SSN and name from opening credit in his name.

Re:Wipe, reinstall, serious talk about his finance (1)

rfrenzob (163001) | about 2 years ago | (#41148799)

You can set up alerts with Equifax and Experian here:
equifax [equifax.com]
experian [experian.com]

Disconnect PC from the internet, get him an iPad (2)

Alzheimers (467217) | about 2 years ago | (#41148283)

Disconnect the PC from the internet, so it's only useful for Word/Excel and maybe Turbotax.

Get him an iPad for day-to-day web surfing.

Unless he's a real gamer or his bank is from the 19th century, this should solve most of his problems.

Boot with a Linux Live CD (1)

Anonymous Coward | about 2 years ago | (#41148293)

After booting a Linux live CD, your choice of cleaning, reformatting or installing Linux. Within the Live CD session, there may exist rudimentary tools to scan for malware, but mostly you'll be able to mount the old disk and rescue data off to a USB key or disk. Once your data has been rescued, make a full reformat/reinstall of your choice OS.

Wipe the Drive (1)

Anonymous Coward | about 2 years ago | (#41148299)

This is what you need to do:

dd if=/dev/zero of=/dev/sda bs=4096

I find writing in 4KiB chunks performs slightly better than the default 512 bytes.

Or:

shred -z /dev/sda

Or:

Download and burn DBAN then type AUTONUKE at the prompt.

If there is any data that is hard to lose, you may wish to back it up. You may consider it all as suspect, however.

Re:Wipe the Drive (1)

v1 (525388) | about 2 years ago | (#41148489)

4k block size will still take quite a while due to all the overhead. Bump it up to 1024000 for a wipe that will move at much closer to the speed of the interface.
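A rehearsable version of the wipe from the "Wipe the Drive" post and the block-size point in the reply above, added here as an example; it is not code from either poster. It adds the guards a practitioner wants before pointing dd at a disk (the target must be a block device, nothing on it may be mounted) and reads samples back to confirm the zeroing. It assumes Linux with GNU coreutils and util-linux (dd, od, blockdev); the function names and the ALLOW_REGULAR_FILE knob, which lets you rehearse on a disk-image file, are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Wipes a whole drive with dd as the post
# above suggests, with the guards a practitioner adds before pointing dd at
# /dev/sdX: the target must be a block device, nothing on it may be mounted,
# and the result is checked by reading samples back. Assumes Linux with GNU
# coreutils and util-linux (dd, od, blockdev). Function names are this
# example's own.

WIPE_BS=${WIPE_BS:-1M}   # dd block size; 1 MiB is in the range the reply recommends
SAMPLE_BS=65536          # size of each read-back sample

# is_mounted DEV: true if DEV, or a partition on it (sda1, nvme0n1p1), is
# listed as a mount source in /proc/mounts. LVM/LUKS stacks on top of the
# disk are not detected here; check those separately (lsblk).
is_mounted() {
    dev=$1
    [ -r /proc/mounts ] || return 1
    while read -r src _rest; do
        case "$src" in
            "$dev"|"$dev"[0-9]*|"$dev"p[0-9]*) return 0 ;;
        esac
    done < /proc/mounts
    return 1
}

# check_target DEV: succeed only if DEV may be overwritten. A plain file is
# accepted only when ALLOW_REGULAR_FILE=1, for rehearsing on a disk image.
check_target() {
    dev=$1
    if [ -b "$dev" ]; then
        :
    elif [ -f "$dev" ] && [ "${ALLOW_REGULAR_FILE:-0}" = 1 ]; then
        :
    else
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    if is_mounted "$dev"; then
        echo "refusing: $dev or a partition on it is mounted" >&2
        return 1
    fi
}

# target_size DEV: size in bytes of a block device or a file.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# block_is_zero DEV N: true if the N-th SAMPLE_BS-byte block reads as all
# zeros and is non-empty (so a read past the end of the device cannot pass).
block_is_zero() {
    hex=$(dd if="$1" bs="$SAMPLE_BS" skip="$2" count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ -n "$hex" ] && [ -z "$(printf '%s' "$hex" | tr -d 0)" ]
}

# verify_zeroed DEV SIZE: sample the first, middle and last block.
verify_zeroed() {
    nblocks=$(( $2 / SAMPLE_BS ))
    [ "$nblocks" -gt 0 ] || nblocks=1
    for blk in 0 $(( nblocks / 2 )) $(( nblocks - 1 )); do
        block_is_zero "$1" "$blk" || { echo "non-zero data in block $blk" >&2; return 1; }
    done
}

# wipe_target DEV: check, zero exactly SIZE bytes, flush, then verify.
# Writing exactly SIZE bytes (instead of running dd until ENOSPC) keeps a
# rehearsal on a regular file from growing without bound.
wipe_target() {
    dev=$1
    check_target "$dev" || return 1
    size=$(target_size "$dev") || return 1
    head -c "$size" /dev/zero | dd of="$dev" bs="$WIPE_BS" conv=fsync 2>/dev/null || return 1
    sync
    verify_zeroed "$dev" "$size"
}

# Usage: wipe_target /dev/sdX   (as root, after confirming the device with lsblk)
```

A rehearsal on a scratch image first (`ALLOW_REGULAR_FILE=1 wipe_target scratch.img`) is worth the minute it costs when the real target is the only copy of anything.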

Boot from a flash drive (0)

Anonymous Coward | about 2 years ago | (#41148315)

Boot from a flash drive with another OS, back up anything important, format, reinstall.
Try one of these: http://www.pendrivelinux.com/category/new-usb-linux-tutorials/

Bring your Ubuntu or Fedora CD (0)

Anonymous Coward | about 2 years ago | (#41148323)

Be sure to bring your Ubuntu or Fedora CD.

obvious (3, Informative)

slashmydots (2189826) | about 2 years ago | (#41148341)

Combofix, believe it or not, specializes in removing all forms of remote control software. Most people don't know that. In fact, it will even destroy gotomeeting related files whether you want it to or not :-P Also, any system setting viewer like even the ancient HijackThis will list all LSP and protocol changes and all startup entries and all browser plugins. Just get rid of anything you can't identify or that google says is a remote control viewer. If malware scanners can't pick up anything bad, a system restore will definitely destroy any legitimate remote control software so between the two, you should disable any control they had.

So, reset all passwords for all significant accounts, add a fraud alert to his credit report or add a third party lockdown solution like Lifelock (even though I hate them) and you should be set.

Apart from the above suggestions to Wipe & Rei (1)

pkbarbiedoll (851110) | about 2 years ago | (#41148345)

Is there a reason your father MUST be on Windows? Is he primarily browsing and using office productivity applications? If he does not have specific requirements (such as gaming, high end graphics/video production, etc.) then he should not be running Windows to begin with.

Get thee to Linux Mint, good sir, and do have that son to father talk regardless. Giving out personal info to strangers is insane.

Consider other fallouts (1)

ZeroSerenity (923363) | about 2 years ago | (#41148357)

Computer related items would be better served if we had more info, so here's a few suggestions otherwise. Have your dad (or you) monitor his credit reports to keep an eye out for new accounts that open and charges to his credit card/bank accounts/etcetera. If you feel that something might have been opened against his will, make sure he gets his credit frozen (How to [consumerist.com] ) and closes the affected account if there is one. I've never taken stock in monitoring services personally, but this may not be a bad situation to hire one.

Also watch his mail for anything that looks suspicious, such as credit card informationals. The worst thing that can happen is somebody running up a criminal record using his info. It's not common and somewhat hard to pull off, but it could be painful.

The Consumerist (linked above) also has tons of other info you can use about this stuff.

"Giving them his social security number" (0)

Anonymous Coward | about 2 years ago | (#41148405)

Here we go YET again.. WHY do people seem to think that this number is some kind of "password" or private in ANY MANNER?! IT IS NOT! IT IS PUBLIC INFORMATION, AVAILABLE TO ANYONE! It's a "public key" if you will -- NOT any form of verification/security. It's the ID -- not the proof! For fuck's sake. Idiots.

Re:"Giving them his social security number" (2)

SecurityGuy (217807) | about 2 years ago | (#41148505)

Why do people think that?

Because many, many, many organizations treat it exactly like it's a password. You are very right that it should NEVER be treated as an authenticator. You are very wrong that it ISN'T treated as exactly that.

Re:"Giving them his social security number" (0)

Anonymous Coward | about 2 years ago | (#41148627)

Right and wrong. It was intended to be that way, the problem is that organizations seem to think that it is private. Then again, technically it IS supposed to be private, shared with only employers and financial institutions. SSNs are not of public record. Even the . Show me a LEGAL public database of SSNs, and I shall give you over 9000 internets.
If you don't believe me, read the information from https://www.socialsecurity.gov/pubs/10002.html
particularly for "how can I protect my social security number"

wipe and reinstall (0)

Anonymous Coward | about 2 years ago | (#41148411)

use a linux cd to recover the personal data, then wipe and reinstall. this is the only choice

Install Ubuntu (2)

jones_supa (887896) | about 2 years ago | (#41148423)

Do you think your father could do everything he needs by using desktop Linux? If so, you could consider switching him to Ubuntu or some other distro. This could be a good turning point as you need to wipe the machine anyway.

Kill it with fire (2)

gman003 (1693318) | about 2 years ago | (#41148435)

Failing that, you need to treat the entire system as compromised, because it probably is. Do the following:
Bring a Linux live CD and an external hard drive. Boot ONLY into Linux, copy necessary files (documents, photos) over to the external hard drive.
Wipe the computer and reinstall everything from scratch. EVERYTHING. DBAN is your friend here. In fact, if he needs a bigger hard drive anyways, do that - just get a completely new hard drive.
Restore his data files from the backup you just made.

Yes, it's a pain, but at this point the system could contain something that anything short of this wouldn't clear out. (In fact, it's *possible* for malware to make it through even that, but AFAIK those are still just research demos, not in the wild).

Dealt with this last week... (0)

Anonymous Coward | about 2 years ago | (#41148439)

Please do not simply wipe and re-install. That is most likely the ultimate solution - i.e. in my dad's case the con men had deleted required windows files, and even booting into the recovery partition failed to restore the disk.

However, before you go ahead with the re-install, do yourself a favour and boot into a Linux live CD. You can then mount the Windows file system, and copy any data needed to an external drive or cloud service. (At least in my dad's case, there was no backup available, so this approach allowed him to save some files.)

Once files have been backed up you can then proceed with the wipe and re-install. A good time to encourage the victim to give Linux a serious try. My dad is mighty happy with his "new" Linux machine and claims it runs much quicker than it did using Windows.
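The two comments above ("Kill it with fire" and this one) both describe the same step: boot a Linux live CD, mount the Windows volume read-only, and copy only the documents and photos out before wiping. The script below is an added example, not code from the thread, that does that copy while refusing anything executable (including double extensions such as invoice.pdf.exe) and writing a SHA-256 manifest so the copies can be scanned and re-verified on a clean machine. The mount point /mnt/win, the device /dev/sda2 and the sample profile it builds for its demo are all assumed and constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: salvage user data from a
# compromised Windows volume that has been mounted read-only under a Linux
# live CD, skipping anything executable and recording SHA-256 hashes so the
# copies can be scanned and re-verified on a clean machine.
# Assumed paths: the NTFS volume is mounted at SRC (for instance with
#   mount -o ro,noexec,nodev,nosuid /dev/sda2 /mnt/win
# ) and DEST is a directory on the external drive.
set -eu

# Decide by extension (case-insensitive) whether a file is plain user data.
# "invoice.pdf.exe" ends in .exe, so double extensions are rejected too.
is_data_file() {
    case "$(basename "$1" | tr 'A-Z' 'a-z')" in
        *.doc|*.docx|*.xls|*.xlsx|*.ppt|*.pptx|*.pdf|*.txt|*.rtf|*.odt|*.ods|\
        *.jpg|*.jpeg|*.png|*.gif|*.mp3|*.mp4|*.mov|*.avi) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy every data file below SRC to DEST, keeping the relative layout and
# timestamps, and append "<sha256>  <relative path>" lines to a manifest.
# Prints the number of files copied.
salvage_docs() {
    src=$1; dest=$2
    mkdir -p "$dest"
    : > "$dest/MANIFEST.sha256"
    find "$src" -type f | while IFS= read -r f; do
        is_data_file "$f" || continue
        rel=${f#"$src"/}
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$f" "$dest/$rel"
        (cd "$dest" && sha256sum "$rel") >> "$dest/MANIFEST.sha256"
    done
    wc -l < "$dest/MANIFEST.sha256" | tr -d ' '
}

# Constructed sample profile (not real data): two documents, one photo,
# a disguised executable and a script that must be left behind.
make_sample_profile() {
    mkdir -p "$1/Documents" "$1/Pictures" "$1/Desktop" "$1/AppData/Roaming"
    printf 'tax return\n'      > "$1/Documents/taxes 2011.pdf"
    printf 'notes\n'           > "$1/Documents/notes.txt"
    printf 'jpeg bytes\n'      > "$1/Pictures/grandkids.JPG"
    printf 'MZ not a pdf\n'    > "$1/Desktop/invoice.pdf.exe"
    printf 'WScript.Echo 1\n'  > "$1/AppData/Roaming/helper.vbs"
}

# With no arguments run a demonstration on the constructed profile;
# with two arguments salvage SRC into DEST for real.
if [ $# -eq 2 ]; then
    salvage_docs "$1" "$2"
elif [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    make_sample_profile "$tmp/win"
    echo "copied $(salvage_docs "$tmp/win" "$tmp/out") files; manifest:"
    cat "$tmp/out/MANIFEST.sha256"
    rm -rf "$tmp"
fi
```

Run it as `sh salvage.sh /mnt/win /media/external/dad` from the live CD. The manifest is what you hand to the antivirus step on the clean machine: `sha256sum -c MANIFEST.sha256` later tells you whether any salvaged file changed between the copy and the restore.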

Re:Dealt with this last week... (1)

jafiwam (310805) | about 2 years ago | (#41148591)

The Windows CDs now contain a "recovery" console that copies required-to-boot files back into the install.

It works pretty well, I was quite surprised when I used it the first time, and it's been a great help (as in, saving time) several times.

That said, any compromised machine still needs to be wiped, but the damage they did by deleting files isn't unrecoverable. So, if you need to walk someone through it on a phone or something it may be worthwhile to know.

Terminate With Extreme Prejudice (1)

the eric conspiracy (20178) | about 2 years ago | (#41148445)

Boot From System Recovery Disk

Backup data files to DVD

Reinstall BIOS

NUKE MBR

Zero the hard drive

Reinstall everything.

-or-

Boot From System Recovery Disk

Backup data files to DVD

Zero Hard Drive

Put Computer in Trash

can i have his number? (0)

Anonymous Coward | about 2 years ago | (#41148449)

could do with a new car and a holiday.

Preserve, and nuke it from orbit! (0)

Anonymous Coward | about 2 years ago | (#41148461)

Backup first, preferably disk-to-disk low-level copy so you preserve the state of the machine. Buy or bring a disk with the same capacity or bigger than what he already has. Use something like clonezilla [clonezilla.org] to make the copy. Assume the backup *is* contaminated. Do *not* mount the drive on a machine with the same OS. Retrieve document files using a different operating system from the one your Dad's machine was running, scan those files until they are squeaky clean. Restore only what is absolutely necessary. Keep the backup handy for when (if) you talk to the police and/or bank.

An alternative approach rather than backing up and nuking the original disk would be to leave the original disk untouched, simply take it out of the machine, swap in a new/clean one, and start the reinstall from scratch. This would get your Dad up and running again and let you explore the original disk at your leisure, again not from a machine running the same OS. You don't say what system your Dad is using, but if it is a Windows machine, you could run a linux machine and explore the disk relatively safely after mounting the ntfs disk read-only.
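The low-level, keep-the-evidence approach described in this comment, written out as an added example that is not from the thread: image the suspect disk before anything else, hash both sides so the copy can be shown to be faithful later, and mount the image read-only with noexec/nodev/nosuid when you go looking through it. The device /dev/sdb, the /evidence directory and the 2 MiB "disk" file the demo builds are assumptions and constructed data; the thread's own suggestion of clonezilla works just as well for the copy step.

```shell
#!/bin/sh
# Added example, not from the thread: make a bit-for-bit evidence copy of
# the original disk before it is wiped, record a SHA-256 for both source and
# image so the copy can be proven intact later (for the bank or police), and
# mount the image read-only with exec/dev/suid disabled for examination.
# Assumed device and paths: /dev/sdb is the suspect disk attached to a Linux
# box, /evidence is on a larger external drive. For a failing drive use
# ddrescue instead of dd; the hashing and mounting steps stay the same.
set -eu

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# image_disk SRC IMG: copy SRC to IMG, refuse to overwrite an existing image,
# then hash both sides and write "<hash>  <image name>" next to the image.
# Returns 1 if the hashes disagree (the image must not be trusted then).
image_disk() {
    src=$1; img=$2
    if [ -e "$img" ]; then
        echo "image_disk: $img already exists, refusing to overwrite" >&2
        return 1
    fi
    dd if="$src" of="$img" bs=4M status=none
    sync
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "image_disk: hash mismatch, copy is not faithful" >&2
        return 1
    fi
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
}

# verify_image IMG: re-check the image against the recorded hash.
verify_image() {
    (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1)
}

# mount_image_ro IMG MNT [OFFSET_BYTES]: loop-mount a partition inside the
# image read-only. OFFSET is the partition start (start sector * 512, as
# shown by "fdisk -l IMG"); 0 for an image of a single partition. Needs root.
mount_image_ro() {
    img=$1; mnt=$2; off=${3:-0}
    mkdir -p "$mnt"
    mount -o ro,loop,noexec,nodev,nosuid,offset="$off" "$img" "$mnt"
}

# Demonstration on a constructed 2 MiB "disk" file so it runs without root.
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/disk.bin" bs=1024 count=2048 status=none
    image_disk "$tmp/disk.bin" "$tmp/disk.img" && echo "image verified: $(cat "$tmp/disk.img.sha256")"
    rm -rf "$tmp"
fi
```

For the real thing: `image_disk /dev/sdb /evidence/dad-disk.img`, then `mount_image_ro /evidence/dad-disk.img /mnt/evidence 1048576` for a typical NTFS partition starting at sector 2048. Because the mount is read-only and loop-backed, nothing you do while browsing changes the image, and `verify_image` before handing it over proves that.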

Use caution with any and all data (1)

Anonymous Coward | about 2 years ago | (#41148465)

I have to deal with this from time to time, and working in a security organization has taught me to NEVER trust a system after a compromise of ANY kind.
Think you can just run the already installed antivirus on all files and catch it? Unfortunately, no. Malware can hook into the antivirus itself. I found this out the hard way (in particular, during an exercise with some DoD participants. They did that the first day and were just toying with us at that point. Imagine someone who actually cares about getting your private data).
It can also affect the boot-loader, which means if it hooked into files an antivirus can scan, it will still load at OS start-up into memory.
Run an up-to-date anti-virus scan on the drive from an independent source, such as hooking it into another machine (with that machine set to scan all drives before mounting them).
Malware can attach itself to media files, word files, etc. If those check out by an independent scan, back them up to a disk.
Then, wipe the old drive and re-install the OS (if it's Windows 7 and a machine with no disc, you can download the ISOs online as they are from Microsoft. You'll still need the product key which should be on the side of the machine).

Hope this helps ya.

Re:Use caution with any and all data (2)

dajjhman (2537730) | about 2 years ago | (#41148821)

Forgot to add these notes: install an anti-virus that does boot-time scans, like Avast. It will put itself BEFORE the bootloader for Windows, ergo scan files before they could be loaded into memory and hide themselves easier. Of course, if the AV gets compromised it wouldn't help, but keeping it updated should make it much less likely.

A FULLY patched Windows 7 machine is a tough freaking nut to crack (coming again from that experience with the DoD in the above post). Of course, get one update behind and it can be devastating. It is not likely that some ordinary scammers will have serious 0day exploits. But then you're in God's hands if that happens.

Also regular backups help, but I know that can be difficult with non-technical people. If he's willing, get him an external drive for backups and tell him to just plug it in at a scheduled time (like Saturday mornings?) and to unplug it at the end of the day. Unless it gets infected while the backup drive is attached, it could help save a lot of trouble. The Win7 backup feature is pretty good. Not the best, but good.

Last item: I realize I've been talking about Win7 a lot, but the same applies to pretty much all OSs. However, if he is on XP then I'd get him off of it, as it has reached end of life support for consumers unless they purchased an extended contract with Microsoft (which I don't even know if they sell to non-businesses).

NOTE: the above post is mine, I wasn't thinking to log in when I made it as it is early morning here and I need some coffee. It was supposed to be a day off from this kind of stuff haha

1. remove hard drive, boot from optical (1)

Tastecicles (1153671) | about 2 years ago | (#41148515)

2. Have him save all his data to a cloud service.

3. As for the data on the hard drive, consider it all suspect. Only read it in a read-only environment such as Knoppix or another live Linux CD. I'm sure there are online virus scanners out there (Panda was one I used a couple of times several years ago - are they still going?) that can be used to scan individual files, which can then be moved to flash or online storage.

4. Microsoft Windows should be considered a niche platform.

Use offline Windows Defender USB/CD (2)

ninjacut (1938862) | about 2 years ago | (#41148541)

http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline [microsoft.com] Download it on another machine, boot with it and clean up the mess. I would recommend installing the free Microsoft Security Essentials, and avoiding an administrative login. Not using any browser plugins will help as well.

Same as you would expect (0)

Anonymous Coward | about 2 years ago | (#41148565)

1. Backup
2. Quick format
3. Re-install
4. Restore data
5. Place phone on floor
6. Don heavy boots
7. Render phone unusable

CYA (0)

Anonymous Coward | about 2 years ago | (#41148569)

Firstly, make sure you are prepared to explain to your dad this is not your fault, you may want to borrow the car at some point in the future.

Secondly, take the old hard drive/s out, put a brand new drive in (Make it an SSD why not) and reinstall

Thirdly, create a limited privilege user for your father, to protect him from himself.

Finally, install AV, firewall & easy to use remote control like teamviewer to help your dad out when he calls

Nuke it from orbit (0)

Anonymous Coward | about 2 years ago | (#41148571)

It's the only way to be sure.

Seriously. Assuming a Windows PC, run the Easy Transfer wizard and back up his files, and while formatting and reinstalling his machine, virus scan his user files to make sure no nasties are making the trip to the fresh environment.

Remove dad's admin privs (1)

plsuh (129598) | about 2 years ago | (#41148579)

Lots of good advice so far, but one more item -- since your father has turned sysadmin tasks over to you, once you wipe and re-install, set up his account on the computer so that it is a restricted user account, not an admin account. If he isn't doing sysadmin tasks then he doesn't need the privs and this limits the amount of damage that a scammer can do to the computer. (Although getting his SSN and other info is still really bad.)

--Paul

Boot from DVD (1)

alabandit (1024941) | about 2 years ago | (#41148585)

1) Boot from a DVD (non-writable drive) and back up the hard disk. NO APPLICATIONS!!!
2) Then format and reinstall.
3) Reset router firmware.
4) Reset any and all passwords from a secure terminal (your boot disk should be sufficiently secure if you force HTTPS).
5) Monitor your local credit record, bank accounts and such with a fine-tooth comb for the next 6 months.

credit freeze (2, Informative)

Anonymous Coward | about 2 years ago | (#41148679)

I can't believe no one has recommended a credit freeze:
http://en.wikipedia.org/wiki/Credit_freeze

gave them his ssn? (5, Informative)

v1 (525388) | about 2 years ago | (#41148715)

really? And you're worried primarily about the state of his computer?

He should be spending some time on the phone with his credit card companies making sure any security features they offer are fully activated, such as enhanced (not easily guessed based on what was on his computer) security questions, subscribing to a few years of identity theft watch, schedule regular pulls of his credit report watching for new plastic, checking accounts, and loans in his name, etc. The ssn by itself has some limits on abuse, but combined with the information on the hard drive (mother's maiden name, address, workplace, etc) it greatly magnifies the risk because it's going to allow additional verification of identity that a lot of places require.

After that, get him a book or something on how to be less of a sucker on the internet and in the world in general, or he'll just do it to himself again.

This could hound him for years to come. Make sure he understands that. If someone DOES manage to take out say, a loan or a card on his ssn, he needs to deal with it swiftly and decisively. Banks and similar organizations are notorious for not wanting to be the fall guy in cases like this, and will often try very hard to stick your dad with some or all of the bill. Don't be terribly surprised if something requires a lawyer to fix or clear off his record.

Here's an idea (1)

JustNiz (692889) | about 2 years ago | (#41148725)

Back up just his data then blow away windows entirely and upgrade him to Linux.

Not only is Linux more secure than Windows anyway, but if his recovered data includes places where viruses can hide (such as any Microsoft Office files or PDF files) then they most likely wouldn't be able to do harm or even run in that environment either.

Suggestions (0)

Anonymous Coward | about 2 years ago | (#41148767)

1. Get a new PC
2. Get a new Dad

NOOOOOO (0)

Anonymous Coward | about 2 years ago | (#41148791)

My old man fell for some scareware. They updated the BIOS to only see 512 RAM, disabled boot to CD etc. They were very good; all my old go-to tricks were disabled. I had to boot a second box to a VM and slave the drive to the VM in order to be able to format the drive w/o infecting the other drive. They are getting very, very good.

Really, guys? (0)

Anonymous Coward | about 2 years ago | (#41148833)

Of all the people on the internet, I would have expected the Slashdotters to know what happened to this individual.

The issue is very simple. As of late, people are getting cold-called by call centers from Singapore, claiming to be from MS, and that they have discovered your machine to be infected, and ask you to run a simple check to prove the problem exists (with heavy exaggeration).

http://www.youtube.com/watch?v=jb69H7l0vJA

This is a good breakdown of what these people do.

TL;DR - They tell you to run Event Viewer, then use legitimate third-party remote access tools to lead you into the scam of having you pay for something nonexistent.

These people are too inept to install keyloggers, trojans, or any other kind of malware. If you want to be sure, certainly do what others have suggested, but in this case, I suggest putting more of your attention to making sure your identity ( and hard earned money ) are safe instead.

This has been very common in Australia. It seems they are still doing well in the US.

Measures (0)

Anonymous Coward | about 2 years ago | (#41148837)

Should you keep his PC. Do the following.
1) Use some strong snips to cut the cable on the back of the PC called LAN. If he has a wireless router, throw it in the garbage.
2) Get Linux from a clean machine and make install CD
3) Install Linux over his Windoz
4) Change his telephone number
5) Unlist his name from the telephone book

He should be good to go

Take Off... (0)

Anonymous Coward | about 2 years ago | (#41148839)

and nuke the entire site from orbit. It's the only way to be sure.

Nuke it from orbit (1)

synapse7 (1075571) | about 2 years ago | (#41148843)

it's the only way to be sure.

dd if=/dev/zero of=/dev/sda bs=1M
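The one-liner above zeros the drive but gives no confirmation: dd ends with a "No space left on device" message and you still have not read a single sector back. The script below is an added example, not from the thread, that writes exactly the device's size in zeros and then compares the whole device against /dev/zero before declaring it clean. The device /dev/sdb and the 1 MiB file the demo uses are assumed and constructed.

```shell
#!/bin/sh
# Added example, not from the thread: zero a drive and then prove it is
# zeroed. dd alone stops with "No space left on device" and never tells you
# whether every sector now reads as zero.
# Assumed device: /dev/sdb is the old disk, already imaged if you want to
# keep evidence, and definitely not the disk you booted the live CD from.
set -eu

# Size in bytes of a block device or a regular file.
device_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# is_all_zero DEV: compare the whole device against /dev/zero, byte for byte.
is_all_zero() {
    cmp -n "$(device_size "$1")" "$1" /dev/zero >/dev/null 2>&1
}

# zero_and_verify DEV: write exactly the device's size in zeros (head -c
# writes the exact byte count, so there is no end-of-device error to ignore),
# flush, then read it back. Returns 1 if any non-zero byte survives.
# Note: on an SSD, wear levelling can leave old data in unmapped flash; use
# blkdiscard or the drive's own secure-erase command there.
zero_and_verify() {
    dev=$1
    size=$(device_size "$dev")
    head -c "$size" /dev/zero > "$dev"
    sync
    if is_all_zero "$dev"; then
        echo "$dev: $size bytes zeroed and verified"
    else
        echo "$dev: verification FAILED, non-zero data remains" >&2
        return 1
    fi
}

# Demonstration on a constructed 1 MiB file instead of a real disk.
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/olddisk.bin" bs=1024 count=1024 status=none
    zero_and_verify "$tmp/olddisk.bin"
    rm -rf "$tmp"
fi
```

On the real drive that is `zero_and_verify /dev/sdb` as root from the live CD; double-check the device name with `lsblk` first, since the same command against the live CD's USB stick or the external backup drive is just as thorough.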

Seriously? (0)

Anonymous Coward | about 2 years ago | (#41148847)

If you have to ask that question here, you should hire someone who knows what they are doing.

Parental Re-education (0)

Anonymous Coward | about 2 years ago | (#41148921)

I went through a similar thing with my mother ("Microsoft" called and told her she had a lot of viruses; she let them remote into her PC and only put on the brakes when they wanted a credit card for the $200+ "virus protection" they were offering). How do we manage older or unsavvy people like this? Should there be some sort of Parental Controls for Parents? Even as I was trying to fix her computer, she kept asking questions like, "What should we do about the viruses that she said are on my computer?" I couldn't get through her head that this was a SCAM, and it wasn't much different than someone coming to her house, pawing through all her drawers and personal items, then demanding money to protect her from non-existent dust bunnies. Everything the "nice Microsoft lady from India" said was a lie, Mom. Really. My mother isn't stupid or in any way demented, but she has no online savvy and therefore doesn't understand what I consider common sense.

How do you handle this and still provide an easy-to-use, low maintenance method for parents to check email, print coupons, look at grandbaby pics, and all that stuff?
