almost got scammed
Key Takeaways
The video walks through a real incident from the perspective of the Huntress Security Operations Center. An end user received a fake invoice email (a "360 LifeLock" charge of $450.80), called the number in it, let the caller onto the machine with Microsoft Quick Assist, and was then talked into installing a rogue ConnectWise ScreenConnect client pointed at a relay host that was not the organization's own management site. The SOC pieced the scam together from the Quick Assist signal, the rogue ScreenConnect detection, cmd.exe and netstat execution, the user's browser history (a short link to a Google Forms "cancellation and refund form", then the user's bank), and the unsaved Notepad buffer in which the scammer had typed "we got disconnected, wait, I'll call you back with a different number, do not talk to anyone". The response was to isolate the host, stop and remove the ScreenConnect service, and, because technical remediation does not end the phone call, get a person on the line with the victim: hang up on the scammer, disconnect the computer, uninstall the remote access tools, and call the bank's fraud department if the form was filled out.
Full Transcript
It is story time. So if you didn't know, I do this YouTube channel thing alongside my day job, where I work as a security researcher at Huntress. We all work remotely and we use Slack to communicate, and the other day I got a seemingly random DM from a co-worker of mine in the SOC, or the Security Operations Center. He said: "Off the top of your head, do you recall where to find unsaved Notepad notes on disk? I recall a while ago you were able to pull it from somewhere, I just don't remember where exactly." And I thought, oh yeah, I have a YouTube video on this. I grabbed the link and tried to find the timestamp in the video where it has the full path on the Windows file system, so I sent that along. And sorry, the story is going to be told via screenshots. He said: "Cool, thank you, I knew there was a video on it, appreciate you." And then he comes back with this screenshot, which is an unsaved buffer in Notepad, which means the user just had Notepad up on their computer, the program was open, and they were writing in it and typing: "we got disconnected, wait, I'll call you back with" (I'm assuming a different number), and then this unfinished sentence, which I'm assuming is going to say "do not talk to anyone else." This isn't something that someone would usually type into their Notepad window. This looks more like the user, the end user and victim, is currently on the phone with a scammer, or was, and their call got disconnected, but the scammer is typing on their computer because they have control over it: "I'll call you back with a different number, do not talk to anyone," because it will ruin their scam. So I respond back in our DMs: "Uh, that's a scam phone call." At this point my teammate brings us to the larger channel and he pings and tags the whole Security Operations Center support team: "Hey, can we get a phone call to this individual right now, as soon as possible? The user on this host, that computer, their machine, is currently in the process of actively being scammed. We can see the Notepad as the scammer is trying to talk to them through their computer: our phone call got disconnected, I'll call you back, don't talk to anyone else." And then he says: "I'm getting an incident report out the door right now to help notify the partner as fast as possible."

And this is the incident report; I've got it here to show you. This is what the Security Operations Center sent out. First line here: the Huntress agent has been tasked to isolate the host from the rest of the network in order to prevent the incident from spreading to other hosts. If you aren't familiar, this is host isolation. This is taking one computer into quarantine, leading it away from its friends so that it doesn't infect anything else. What that really means is that we are restricting all network communication other than our capability to interact and talk with that computer; nothing else can. Obviously I will be redacting a lot of the private and sensitive information, like the hostname, the organization, etc. You can see some of the other security products installed, the Sentinel agent from SentinelOne, and then we have a critical severity report with the summary being: look, Huntress detected the following: a rogue ScreenConnect install. ConnectWise ScreenConnect is one of those remote control applications. Huntress has been tracking a number of malicious threat actors convincing users via email to run malicious ScreenConnect or ConnectWise Control installers that give the threat actor remote access to the host. This ScreenConnect agent is configured to communicate with the following host, which does not appear to be the standard management site used by this organization, and they have the IP address here, 37221 64 76. Evidence suggests that the user (redacted) likely fell for a fake tech support scam. The user was seen running Quick Assist, another thing we have a video on on the channel, giving access to a remote user who then deployed a malicious ScreenConnect instance on this host, downloaded from the domain jsr care dot help. Evidence from the user's notepad.exe tab shows that the user is getting actively scammed.

Remediation instructions are what you would expect: stop the service for ScreenConnect, remove the application, and try to help carve out and make sure none of those footholds, or persistent footholds, are present. And being an endpoint detection and response platform, of course we can see the processes that have been invoked, when and where, and what we should stop. So this is an interesting circumstance, right? It's scammers scamming, and scam bait community content, the stuff that we try to play with in that dimension, and our usual traditional endpoint security, EDR, infosec, cybersecurity world, and these worlds colliding to see a scam from the perspective of a Security Operations Center. But let's get back to the internal conversation, because the SOC analyst had just tried to sound the alarm and ask: "Hey, can anyone on the support team get on the phone with this individual as soon as possible?" We got another team member chiming in: "He's on it." Analyst responds: "Thank you. Knowing how these scammers work, they'll probably try anything they can just to get back on the phone with them. They still have access to the victim's computer via ScreenConnect, but for whatever reason the call got dropped." Our support member chimes in though: "I tried to call them twice, got voicemail both times. I'll send out an outreach and start a ticket." So while this is happening, just to add some background context, the SOC analyst says: "Look, we had a signal pop for a rogue and malicious ScreenConnect instance. Just before the ScreenConnect signal popped, we had a contextual signal for Quick Assist." If you didn't know, Quick Assist is the installed-by-default, built-in Microsoft solution for remote control, RMM being the acronym here for remote monitoring and management, and that's typically used in scammer situations. The analyst then noticed Notepad was opened and he thought he'd use that little trick, the forensic artifact, to be able to extract and uncover the unsaved buffer in those Notepad windows. With that, all the clues were coming together: this is an active scam.

Oh, hang on, just a second before we go too much further, please let me tell you about the sponsor of today's video, AnyDesk, the best choice for remote desktop access. AnyDesk is fast, even on low-bandwidth connections, with 99.98% uptime. It's reliable, backwards compatible with older operating systems, even with file transfer functionality and a clean user interface. It feels like you're sitting at the remote device. And the best part is, AnyDesk is completely free for personal use. There are custom-tailored business plans to help your whole team stay connected, with tons of use cases like video editing, remote 3D printing, and general collaboration across your organization. Connect your own devices for access anywhere, and even help support family members with troubleshooting and those ever-present tech support asks. Use AnyDesk to save time and effort with the easily customizable, secure, and smart choice for remote access, whether it's in the cloud, on premise, or even on mobile. AnyDesk is trusted by over 185,000 businesses worldwide. Get started with AnyDesk and connect your world with my link below in the video description, jh.live/anydesk. Huge thanks to AnyDesk for sponsoring this video.

Now this starts to be really cool though, because internally other team members are chiming in: "Hey, these are other scammer tactics," like you might be familiar with opening up the command prompt and having the victim, the poor user, type netstat, and saying "oh, those are all the hackers connected to your computer, the bad stuff happening, and why you need to either send them money or follow along with their instructions." All part of the scam. This is still unresolved though; we haven't been able to get a hold of them and notify or save the victim in this case. But then the analyst says: "Uh-oh, they released the host." What that means is that they released them from host isolation. As I was telling you earlier, when a computer was quarantined and moved away from its friends, they said, "nah, it's fine, put it back in play, put that computer back in the field, the situation is okay now." This worried us, because that could very well just be, again, the end user and the victim totally brainwashed and convinced: "I need to send this money, I need to get these gift cards, I need to drive to whatever Bitcoin ATM," right? Another team member chimed in though, and they say: "Hey, look, they actually approved the remediations though, all hope is not lost, I think they understand." With that said though, the remediations, and the automated remediations, only solve the technical end of this equation, not the person end of it. Like, oh, we can clean up Quick Assist and ScreenConnect, but if the scammer calls back and the person still picks up the phone and they're still talking with them, it doesn't help; they can just reinstall ScreenConnect and Quick Assist and control them via phone instructions. Now, I'm still trying to follow along, and I ask: "Hey, what is the hostname of this computer?" because I'm cognizant this is usually the situation where a scam baiter, or another scam bait member of the community, could very well be interrupting an active scam and trying to save the victim on their own. I thought I would touch base with my scam bait friends, see if anyone else was tracking this, and I did want to reiterate for everyone internally: look, the writing in Notepad is a super common trick when the scammer already has control of a victim PC but the scam baiter gets in the middle of it, has them drop the call, and the scammer now has to type in Notepad via their computer as the only way to communicate: "don't worry, I'll call you back, don't talk."

But anyway, the case continues as we see execution of cmd.exe, the process for Command Prompt, opened up on that victim computer. And I know this screenshot isn't really all that helpful to you; it is just the snippet of the Elastic row where you can see this happening via ELK, but that matches the same scenario we were alluding to earlier, where the scammer, acting as a tech support individual, total fake scam, opens up Command Prompt, has them run netstat and see all these hackers affecting their computer. This is really cool though, because we see the teamwork kicking in. Team member asks: "Look, can we isolate and call without a report? We already got the report out the door." Analyst says: "Look, sorry, I should have clarified, that cmd execution was prior to the report and the original isolation." But then the analyst realizes, oh goodness gracious. He takes a look at the browser history, so whether you're using Microsoft Edge, Firefox, Google Chrome, whatever, he takes a look at the archive, the catalog of the places that have been visited on that computer via the user's web browser, and you can see jsr care dot help, title "support", a strange t.ly short link for a cancellation and refund form, and then it brings it to docs.google.com, cancellation and refund form, cancellation refund form. They're present on that page for quite a while, but then suddenly they go to PNC Financial Services, their personal bank. Other team members are chiming in, like, oh my goodness, this is not real, and another individual asks the analyst: "Is this still going on?"

And I think our analyst just charges on in, like unspoken acknowledgement, yes, it is still happening. He says: "I'm going to re-poll the browser history right now to see if there's anything else." Other team members start rallying the troops, tagging everyone else: "Hey, can we jump on this? Can you get in touch with someone at this company? They have this individual, the user, in the middle of being scammed, and we're unsure; it's not clear yet if they realize what's going on, because they released the machine from host isolation and quarantine pretty quickly, like just minutes after we sent the report." So we are desperately trying to save this victim and stop the active scam, but we aren't sure yet if that user knows it's a scam or not. New team member chimes in: "Yeah, I'll call. They ran the remediations, but that's likely after they filled out, if they filled out, that Google form, right? So we have pretty high confidence the customer was scammed, potentially gave out some private information." We got a ticket all together, making sure we're tracking the process here. Analyst chiming in: "I'm mostly concerned now by the bank account being present in their browser history." And I don't know if you've caught on, but there is like a mini OSINT, or open-source intelligence, investigation going on. We're running around, skunk works, trying to see, can we get the contact information for this individual? I saw a phone number on one of the associated websites, tried to call it, and I got the front desk, and they said, "oh, that person works from home and they're not in the office right now, so try their email." I'm like, all right, thanks, I appreciate it. But don't forget about that Google form. If our victim filled it out, what information have they just voluntarily and willingly given away? Let's see how much of this infrastructure is still online. Is jsr help.com still active right now? Cloudflare, connect, and, oh, yep, that do be a ScreenConnect page. How about that t.ly address? That was 079, underscore, 079, underscore. Will that take? Oh, cancellation and refund form, with the Better Business Bureau A+ accredited business, 30-day money back guarantee, secure payments to PayPal, asking for just your first name, last name, email address, mailing address, ZIP code, phone number, mobile, refund amount, what you want to put that in, and the name of your bank. Hm, okay, I'm surprised it didn't just straight up ask you for routing and account numbers. Either way, not good.

Team members are trying to, hey, connect the dots here. They're asking where did this form come from. Analyst explains: "Look, this is from the user's browser history; they went there as part of the scam." And they're realizing, wait a second, how did that get there? Email link, whatever? And realistically the scammer probably told them to go there, since they're already in the machine via ScreenConnect or Quick Assist; they can do whatever they want. And they're joking around: "I bet you it might have been a form for," or like an email pretense or others that are like "haha, hey, you overpaid for a Norton LifeLock, or Microsoft, Apple, whatever," receipt and invoice that they now fill out for a refund. It's all a ploy, it's all a ruse, it's all a scam. Back to our micro OSINT investigation though: we're finding folks, we uncover their CISO, they are tagged on our ticket to make sure everyone is aware, we drop another phone number, we think we've got someone, but wait a second, that's for someone else, related and associated, a part of that company. But we're thinking, wait a second, I think I found someone else's mobile number. Eventually we got it, we got someone, we got a hold of someone who is then in contact with the other, uh, he's on with the customer, but our team member says: "I got to pass this to someone else. I told him someone else would call and try to take this." We tag another team member: "Hey, can you own this? Are you up for it?" He says: "Roger that, I'm on it." I'm realizing that's still not the individual, the person being scammed, so I'm going to try another number. "I'm going to call this if no one else has, unless you tell me otherwise," but the team tells me: "I think we're good, we've got a representative from the partner to speak with that individual, so no need at the moment." Team confirms: "We got a hold of them, they're on the phone now." And I'm like, cool, all right, I'm sorry, I really didn't want to just be trying to intrude and barge in on all this, but please, please, please make sure you run through what is the save script for someone going through a scam. Number one: get off the phone with the scammer, get off the phone with that person, do not talk to them, do not respond to anything that they send to you, other text messages or communication, emails, etc. Turn off your computer, leave it unplugged if you have to, just make sure there is no way they can remote control and get back into your machine, and then, when you can, later, uninstall whatever they used to get that access. And needless to say, if you filled out that form, talk to your bank, call your bank, notify the fraud department, anything you can do to try and clean up this mess before it gets worse.

That is usually a super weird phone call to have, by the way, at least in the traditional scam baiter sense. When you want to save a victim, you're a complete stranger, you're a totally random person calling up another completely random stranger to tell them: "Hey, the person that you've been on the phone with, a totally random disparate stranger, is scamming you. You are in an active scam and you are brainwashed. Please, please, please, I know you have no idea who I am, but trust me, we're the good people, stop talking to them." But when it is someone calling from your security provider and your cybersecurity solution, maybe that makes it a little bit more understandable. Team member helps chime in, and I'm glad they said it outright: "If they filled out that Google form, call the bank as soon as possible, report potential fraud." And then, you know, the team starts to celebrate a little bit, like, hey, we got a hold of someone, we've got some ground, we may have made a difference here, start to high five, cheer it up. And look, if we really did get to save the victim right there in the moment, like, that's a good feeling. That is pretty fulfilling and meaningful work. Team member says: "Okay, they seem to have things under control. The user actually hung up right after the threat actor, scammer, took over their computer. The partner really appreciated our persistence on this one and we're grateful that we caught it. Good show and great work to the SOC analyst and the team." Heck yeah, that's a win.

Now this is really silly, it's stupid, but I'm like, hey, can I... I try to ask permission with stuff that involves other people, you know. "Do I have everyone's blessing and your approval to make a video on this? Obviously redacting absolutely everything, but, sorry to ask, I think this is a cool story. I think it's neat." Look, this is the usual cookie-cutter scam that you get to see in scam bait content and material and education and awareness, but in the same vein as what we typically get to do on this channel for cybersecurity, for infosec, for endpoint, malware, threat actors and hackers, worlds collide, and I thought it was neat to walk through a team's internal process of the forensic artifact analysis of this as it happens. And then we got other team members wondering, like, hey, how did this all come to life? Was it a VoIP system, business phone? How did this phone call happen from the scammer? Analyst is thinking, like, oh yeah, could they share the number with us? I wonder where this was, how did this all come to life. And the one who successfully made contact and was able to get the folks on the phone for outreach, they say: "Hey, the individual, the poor victim, received an email that prompted him to call. It was on his personal email account and he did it from his work computer when they asked him to go to the website to remove the software that he didn't want to be charged with." Mm. And ladies and gentlemen, this is the original email.

Looks like a cool iPhone screenshot email from Enrique Rivera to an undisclosed recipient, probably; really the end user, the victim, was CC'd, with no subject there as the subject line, but the invoice stating: "Hey, dear purchaser, your account has been charged," bold dollar sign there, "$450.80, and will be going to deduct from your account within 24 hours. If you do not recognize this transaction or want to cancel, please reach our customer help center at the number." Do not call this number. Got some bogus customer ID numbers and invoice numbers here, and taking a look at the product name, just as we have seen the future and it was written in the prophecy: 360 LifeLock. Oh boy, oh boy. Hey, now you know, don't fall for scams like this. If I may say though, this situation was really cool because you get to have a little bit more person-to-person interaction and more trust than you would in the usual scam baiter "call victim to save them from scam" situation, because again you're total random strangers in there. This interaction is a little bit different because there is the trusting relationship, so we get to chat and communicate with them and they say, "hey, thank you, you saved our bacon here." It's just cool. It's just cool. I love the story, and you know, I wanted the blessing and approval to be able to put this out; I just think it's always the right thing to do to ask. And the team at Huntress was like, yeah, sure, totally cool, whatever, but making sure the individuals affected were okay with this. They did get permission, shared, to use in any blogs, Tradecraft Tuesday, "also have permission for John to make a video, private info redacted, of course." They say: "Yep, no problem with that at all, and I love watching his videos." Oh, thank you, that's super sweet. And hey, thank you so much for watching this video. I hope you learned a little bit of something, hope you thought it was a cool, sweet story time, and please do give some love to our sponsor, link in the video description. AnyDesk is always doing great stuff in the fight against scammers, trying to fight back against scams. I hope you do show them some love, link below, and please do all those YouTube algorithm things: like, comment, subscribe, and I'll see you in the next video.
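The clue chain the SOC followed in the story above (a Quick Assist session, then a ScreenConnect client pointed at a relay host the organization does not own, then cmd.exe and netstat, with the unsaved Notepad buffer as confirmation) as an added Python triage example. This is not code from the video, from Huntress, or from any EDR product; it runs over constructed process events and a constructed byte buffer. The process paths, hostnames, session GUIDs, timestamps and the `KNOWN_RELAYS` allowlist are all made up for the example. Two details come from outside the transcript: the ScreenConnect client service is launched with a quoted query-string argument of the form `?e=...&h=<relay host>&p=<port>&...`, which is where the relay host is read from, and the Windows 11 Store Notepad keeps unsaved tabs under `%LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\`; the buffer below is a stand-in for one of those files, not its real format.

```python
"""Added triage example for the incident above: constructed telemetry only,
not the video's, Huntress's, or any vendor's code."""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from urllib.parse import parse_qs

# Constructed process-start events for one host (not real telemetry). The
# Quick Assist path is the Store-app style location; the exact package version
# is made up.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=rmm.corp.example&p=8041&s=aaaaaaaa-0000-0000-0000-000000000001&k=BgIAAACk"'},
    {"ts": "2024-05-01T14:02:10Z",
     "image": r"C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_2.0.0.0_x64__8wekyb3d8bbwe\QuickAssist.exe",
     "cmdline": "QuickAssist.exe"},
    {"ts": "2024-05-01T14:09:42Z",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (deadbeefdeadbeef)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (deadbeefdeadbeef)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support-relay.example.invalid&p=8041&s=aaaaaaaa-0000-0000-0000-000000000002&k=BgIAAACk"'},
    {"ts": "2024-05-01T14:10:05Z", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2024-05-01T14:10:12Z", "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -ano"},
]

# Relay hosts the organization's own ScreenConnect deployment uses. Assumed
# allowlist for the example; in practice this comes from the partner's config.
KNOWN_RELAYS = {"rmm.corp.example"}

# Constructed stand-in for an unsaved Notepad tab-state file. The real files
# live under %LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\
# LocalState\TabState\ and have their own structure; only the UTF-16LE text
# run is realistic here.
SAMPLE_TAB_BUFFER = (
    b"NP\x00\x00\x01"
    + "we got disconnected, wait, I'll call you back with a different number, do not talk to anyone".encode("utf-16-le")
    + b"\x01\xde\xad\xbe\xef"
)


def relay_from_cmdline(cmdline):
    """Return (host, port) from a ScreenConnect client command line, or None.

    The client service is started with a quoted query-string argument such as
    "?e=Access&y=Guest&h=<relay host>&p=<port>&s=<session guid>&k=<key>".
    """
    m = re.search(r'"\?([^"]*)"', cmdline)
    if not m:
        return None
    params = parse_qs(m.group(1))
    host = params.get("h", [None])[0]
    port = params.get("p", [None])[0]
    if host is None:
        return None
    return host.lower(), (int(port) if port and port.isdigit() else None)


def _name(event):
    return PureWindowsPath(event["image"]).name.lower()


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def triage(events, known_relays, window=timedelta(minutes=30)):
    """Flag ScreenConnect clients whose relay is not on the allowlist and attach
    the context an analyst wants: Quick Assist shortly before, cmd/netstat after."""
    events = sorted(events, key=_ts)
    allow = {h.lower() for h in known_relays}
    findings = []
    for ev in events:
        if _name(ev) != "screenconnect.clientservice.exe":
            continue
        relay = relay_from_cmdline(ev["cmdline"])
        if relay is None or relay[0] in allow:
            continue  # unparseable, or the organization's own deployment
        t = _ts(ev)
        quick_assist = [e for e in events
                        if _name(e) == "quickassist.exe" and t - window <= _ts(e) <= t]
        theatre = [e for e in events
                   if _name(e) in {"cmd.exe", "netstat.exe"} and t <= _ts(e) <= t + window]
        findings.append({
            "ts": ev["ts"],
            "relay": relay[0],
            "port": relay[1],
            "quick_assist_seen": bool(quick_assist),
            "followup": [_name(e) for e in theatre],
        })
    return findings


def carve_utf16le(buf, min_chars=8):
    """Pull printable UTF-16LE runs out of a binary blob (what `strings -el` does),
    enough to read what the scammer typed into an unsaved Notepad tab."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, buf)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, KNOWN_RELAYS):
        print(finding)
    for text in carve_utf16le(SAMPLE_TAB_BUFFER):
        print(repr(text))
```

The allowlist comparison is the whole point of the detection: a ScreenConnect client on a host the organization manages with ScreenConnect is expected, and what made this one rogue was the relay host it was told to call home to. The carve step reads the typed message but does not parse the tab-state structure, so treat it as triage, not as a forensic parser.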
Original Description
https://jh.live/anydesk || Join the fight against scammers alongside AnyDesk, with fast remote desktop software and access from anywhere! https://jh.live/anydesk
Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter
Learn Coding: https://jh.live/codecrafters
Host your own VPN: https://jh.live/openvpn
WATCH MORE:
Dark Web & Cybercrime Investigations: https://www.youtube.com/watch?v=_GD5mPN_URM&list=PL1H1sBF1VAKVmjZZr162aUNCt2Uy5ozAG&index=4
Malware & Hacker Tradecraft: https://www.youtube.com/watch?v=LKR8cdfKeGw&list=PL1H1sBF1VAKWMn_3QPddayIypbbITTGZv&index=5
📧JOIN THE NEWSLETTER ➡ https://jh.live/newsletter
🙏SUPPORT THE CHANNEL ➡ https://jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor
🌎FOLLOW ALONG ➡ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/discord ↔ https://jh.live/instagram ↔ https://jh.live/tiktok
💥 SEND ME MALWARE ➡ https://jh.live/malware
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!