I am a Desktop Support Technician; today, 20th August 2016, I attended a call for someone who thought that they had been scammed.
The short answer is Yes, big time.
The scammer had removed the user's paid-for AV and replaced it with Vipre AV. But he also left 5 executables on the Desktop which he had yet to set up. He tried this while I was there, and after I called him a low life, told him he was busted and a bit more, I told him not to call this number again and hung up on him.
He had already hacked the web browser and had managed to withdraw $10000 from this pensioner's bank account in the 12 hours since he called.
2 of the exe's have the following in the file description EXIF data:
"Terminates malware processes so that you can run your normal security programs." Bleeping Computer.com. Original name RKill.exe.
These exe's are named "Banking Protection" and "Firewall", same file. There is also "WiFi Protection" and "NET BLOCKER". The EXIF data on the last 2 files is empty. The last file is ATF-Cleaner, which he probably uses to clean up after himself.
Is there anyone here who could pull these apart and analyze them, and see what they were designed to do? I have reported the incident to ScamWatch Australia and the customer has informed his bank, who are investigating. But I also advised him to contact the Police considering the amount stolen. I will be providing his bank and the Police with a report of what was found; it would be pretty awesome if I could also add an analysis of the tools as well.
If the answer is YES, please advise where I should upload the archived files.
I am thinking it will be a YES; he is using Bleeping Computer's tools for EVIL.
Edited by hamluis, 20 August 2016 - 07:30 AM.
Moved from MRL to General Security - Hamluis.