NICEVILLE, Fla. — A Fort Walton Beach-area reader returned home to find a stranger remotely operating a household computer, offering a real-world example of how quickly a trusted click can turn into a serious security breach and what to do next.
Question:
William R. from Fort Walton Beach, Florida, writes:
This is a real-world example of a phishing experience.
My spouse peripheral and I returned from a 50-minute absence yesterday to find her desktop screen actually “doing things.” She exclaimed, “Hey, someone’s using my computer!” I looked, and someone WAS doing so!
The cursor was moving, menus were dropping down, windows were being opened, just as if someone was sitting in front of it.
I quickly shut it off, rebooted in safe mode, disconnected WiFi & Bluetooth, ran extensive virus scans, examined installed programs, and actually found the exact program, DATTO RMM AGENT, she’d mistakenly installed by clicking a button from a known friend (without checking the bottom-left for the underlying URL!).
I removed it, then reviewed browser history for every entry that happened while we knew we were not home.
Bottom line, well, you can leverage our experience for a reprint of your favorite phishing precautions if you like.
Answer:
Jeff Werner responds:
Well, that’s a bit of a digital nightmare, isn’t it? Coming home and finding your computer being remotely controlled by “someone” for purposes you don’t even know?
Let me say up front that this is a fairly rare type of attack, and one that doesn’t really meet the classic definition of “phishing,” which is the practice of sending fraudulent emails that appear to come from legitimate companies and attempt to induce people into revealing personal information, such as passwords or credit card numbers. It might be termed a close cousin, called spear phishing.
How you label the attack depends on whether this email actually came from a friend, from the friend’s compromised email account, or an account set up to appear to be the friend’s account. The only reason this is important is to backchannel the original attack vector and guard against future problems.
If your wife’s friend’s email has been compromised, a good net citizen would kindly inform her so she can take action as well.
But let’s talk about the attack.
This is what’s called a Malicious RMM Lure. That acronym means Remote Monitoring and Management. RMM tools are clean software, meaning that in and of themselves they are not malicious, so they don’t trigger the antivirus/antimalware programs that are looking for bad stuff.
In fact, they are often given explicit permission to install themselves by the user clicking a link, as happened in your case, William.
Once you realized that a stranger was joyriding through your system, you did exactly what you should have done.
For the benefit of my other readers, if you find yourself in a similar spot, you should follow William’s lead and do the following:
- First, sever the link. If you see active tampering, pull the plug or hold the power button until the machine powers off. Physically disconnecting is the only way to be sure the intruder is locked out.
- Second, go dark. William rebooted in Safe Mode and disabled Wi-Fi and Bluetooth. The scammer can’t steer the car if his steering wheel isn’t connected to the internet, but this allows the system to be up and running so you can work on the problem.
- Third – the forensic sweep. Do a deep dive on the system to find anything that shouldn’t be there. In William’s case, he found Datto RMM Agent, which is actually a legitimate tool that’s used by IT professionals worldwide to perform remote maintenance on a PC. However, it was obviously being used for illegitimate purposes and needed to be removed.
- Fourth is the post-mortem. It may not be possible to determine everything the hacker accessed while on your system. The most important thing to do is change passwords on your most commonly used applications. That would likely be email and social media.
You should also consider changing passwords/PINs for banks and credit cards, and perhaps even your Windows password itself.
For the future, remember that in almost all cases, this kind of attack is preventable. Keep in mind these precautions, and pass them on to all computer users in your household:
- Trust, but verify: Even if a message comes from a trusted source, ask yourself whether the text sounds like them. If they sent a link with no context, or a weirdly urgent “Check this out!!” message, pick up the phone and call them before clicking anything.
- The bottom-left: As William mentioned, always check the underlying URL before clicking anything. The displayed text and what it actually links to may not be the same.
- MFA: This is Multi-Factor Authentication, like those codes that get sent to your phone. They may not be convenient, but they will instantly stymie a scammer who tries to access your accounts without the secondary code.
- Self-Audits: Periodically review your installed programs. If you see anything you don’t recognize, especially anything with “RMM,” “Remote,” or “Agent” in the name, Google it, verify it, and delete it if necessary.
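As an added example (not part of the column), here is a read-only PowerShell self-audit that does what the Self-Audits item describes on a Windows PC: it lists installed programs, Windows services, and scheduled tasks whose names or commands match the keywords Jeff suggests. The keyword list is an assumption; it only reports, so review each hit yourself before removing anything.

```powershell
# Added example, not from the column: read-only self-audit for remote-access tooling.
# Assumed keyword list; add or remove names to suit your own machine.
$keywords = @('RMM', 'Remote', 'Agent', 'Datto')
$pattern  = ($keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits = @()

# 1. Installed programs, read from the registry keys behind Add/Remove Programs
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -match $pattern } |
  ForEach-Object {
    $hits += [pscustomobject]@{
      Source = 'Program'
      Name   = $_.DisplayName
      Detail = "$($_.Publisher) installed $($_.InstallDate)"
    }
  }

# 2. Services: an RMM agent usually runs as a service so it starts with nobody logged in
Get-CimInstance Win32_Service |
  Where-Object { $_.DisplayName -match $pattern -or $_.PathName -match $pattern } |
  ForEach-Object {
    $hits += [pscustomobject]@{
      Source = 'Service'
      Name   = $_.DisplayName
      Detail = "$($_.State), $($_.StartMode): $($_.PathName)"
    }
  }

# 3. Scheduled tasks: another common way an agent brings itself back after a reboot
Get-ScheduledTask |
  Where-Object { $_.TaskName -match $pattern -or (($_.Actions.Execute) -join ' ') -match $pattern } |
  ForEach-Object {
    $hits += [pscustomobject]@{
      Source = 'Task'
      Name   = $_.TaskName
      Detail = (($_.Actions.Execute) -join '; ')
    }
  }

if ($hits) { $hits | Format-Table -AutoSize } else { 'No matches for: ' + ($keywords -join ', ') }
```

Expect some built-in Windows entries such as “Remote Desktop Services” or “Remote Procedure Call” to appear; those are Microsoft’s own and are normal, so the items to look at closely are the ones you or your software vendors never put there.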
Keep your guard up, Geeks! The better informed you are, the better prepared you’ll be to handle situations like this with the least amount of damage.
To view additional content, comment on articles, or submit a question, visit my website at ItsGeekToMe.co (not .com!)
Jeff Werner, a software engineer based in Niceville, Florida, has been writing his popular “It’s Geek to Me” tech column since 2007. He shares his expertise to help readers solve everyday tech challenges.