How I got phished!

FastEddieB

Touchdown! Greaser!
Joined
Oct 14, 2013
Messages
11,541
Location
Lenoir City, TN/Mineral Bluff, GA
Display Name

Display name:
Fast Eddie B
Part 1

As backstory, last week my Linksys RE6400 repeater had gone offline. It’s happened a couple of times in the past for no apparent reason, but was fairly easy to get set up again. Last Wed afternoon I got around to dealing with it.

I Googled “Linksys RE6400 Setup” and clicked on one of the links provided. It took me to this screen:

53724227540_ee45de5cf9_z.jpg


I clicked on “SET UP AS AN EXTENDER” and I got a page saying it couldn’t be found. I tried unplugging it and plugging it back in to no avail. I pushed the “RESET” button with a paperclip and still nothing.

The page I had been sent to had a chat option. I tried that but it seemed to hang up after one back-and-forth. So I called…

I got a gentleman with an Indian or Pakistani accent. He asked me what I had tried, and what the unit’s light was doing. I told him and he asked how many devices were on our home network, whether I sometimes used public wifi, if guests to our home were ever given our network password, that sort of thing. He suggested he could troubleshoot if I could give him screen access. I said sure, he sent me an app and a session number and got control of my screen. He asked me to unplug my second monitor and closed all the open Safari windows (I was on my Mac) and opened Terminal. He scrolled down lines of code and showed me code that suggested almost 60 users had access to my network, and that was likely overloading the repeater, and that he could fix it. Again, I said OK, and he said he was going to send it over to a network engineer to work on a solution. He then said “Why don’t you have a cup of coffee and relax while we work on this”.

Maybe something in the way he said that almost immediately set off my Spidey Sense, and I just got a sick feeling something wasn’t right. I hung up and shut down my computer and took a few moments to calm down and analyze what might have happened. I wasn’t 100% sure the exchange wasn’t kosher, but I had my doubts.


Part 2 to follow…
 
Last edited:
Part 2

I went through my Safari history and found the bait:

53723790111_2572468823_z.jpg


Note the “q” in Linqsys in the “Sponsored” link. I was never talking to a Linksys rep at all.

I Googled the phone number I had called and it same back to a tech company in Delaware. I called and was about to tear into them about sleazy business practices. The fellow there said they were a legitimate service, but someone had obviously spoofed their phone number and it wasn’t the first time it had happened. He said for sure to change my important passwords. He suggested an anti-virus program of some sort, but said in general Macs were pretty hard to crack and it was probably OK as long as I caught it in time. He said the next step was probably them asking for money.

I deleted the screen sharing app and called my son-in-law who works in IT. He came over and took a look. We launched the Terminal app, but he said the code was just a bit beyond him. We copied/pasted the code and sent it to a co-worker who was more familiar with Macs and the terminal. He called back and said he couldn’t find any suspicious code. So, for now we’ve just changed all our important passwords, including our network password, and checking our accounts for suspicious activity. So far, so good, and lesson learned.
 
Good reminder to everyone to NEVER click on the sponsored Google results.
Glad you got out (hopefully) unscathed.

Edit - and also shame on google for making these ads more and more indistinguishable from organic search results over time. Ads used to be obvious but they continuously removed the distinctive characteristics more and more. Amazon is doing the same now.
 
You're not the only one...

From an email from the university where I used to work:

"Last week, we sent an email to 750 xxx faculty & staff to gauge the effectiveness of our training. The subject was 'Annual Password Security Update'. Yes, this was an internal test and we designed it to be particularly 'phisy.' Our test email contained many of the red flags that have been covered in the KnowBe4 training, including how to check links before clicking. [...]

In spite of our test email's phishiness, 118 clicked on the embedded link(s)."
 
I posted this both as a mea culpa, and as a warning to others.

On the one hand, at 74 I’m part of a target demographic for this sort of thing.

On the other hand, I’ve successfully navigated these shark infested waters since soon after 1985 when my first Mac went online. A few close calls, but I guess I got complacent over time.

As an aside, I got a voicemail from California saying we apparently got cut off, and to call back to continue our session.
Yeah, right!
 
Remember, kids:
❌ don't copy that floppy
❌ don't stick your fingie where you wouldn't stick your dingie
❌ don't click on random URLs
❌ don't plug in random USB sticks you find in the parking lot
✅ but it's TOTALLY ok to scan any QR code
 
I got an email on my work account purporting to be from DocuSign, asking me to scan a QR code. Nope, nope, nope.
 
I had something I think similar with our ROKU. So its now in the trash. Every time I tried to reset it up, it sent me to someone who wanted a credit card to "re-register". We just had a parking lot charge. "scan the QR code to pay". I did. It never went to anybody. Some other people were there trying to pay the parking fee. But unable. Today there is a charge on our card for many hundreds of $$$. I also have a debit card on the apple pay on my phone, that just got locked by the bank. Gotta love that "safe" electronic money! I have no idea what to do next. Time will tell. Until that CASH IS KING!
 
I got an email on my work account purporting to be from DocuSign, asking me to scan a QR code. Nope, nope, nope.
I cannot tell you how many fake Docusign phish emails our small (~200 person) company gets every single day. It’s a lot.
 
He suggested he could troubleshoot if I could give him screen access. I said sure, he sent me an app and a session number and got control of my screen. He asked me to unplug my second monitor and closed all the open Safari windows (I was on my Mac) and opened Terminal.
NEVER ever give someone access to your computer! Especially if they're offshore.
 
NEVER ever give someone access to your computer! Especially if they're offshore.

No doubt very sound advice.

I guess I got to experience first hand the "con" in "confidence game". I had initiated the call to what I thought was Linksys, and was confident we were working together to solve a problem. I'm just glad I caught on when I did.

As a very sad example of how far things like this can go, the NY Times podcast "The Daily" had a recent episode where a family got bilked out of an insane amount of money on a timeshare scam:


It's a hard listen/read, but worth the time I think.
 
Here's my inbox a few days ago from a completely clueless bonehead scammer or someone that has some kind of hidden trap that I can't figure out. o_O

Bonehead scammer.jpg
 
Back
Top