I really cannot figure out what these users do on the computer that causes frequent infections. This week, while I was asleep, the user was online paying bills. She somehow landed on a page that locked the browser full screen with the same old "We're Microsoft, you have viruses, call us, and if you close the page we'll have to lock your computer to protect our network" con. By the time I woke up and was told wtf was going on, the user had downloaded the fake Microsoft technician's remote software. As I observed what they were doing, the con artist was running the netstat command to show her what connections were to the "hacker". After this I got pissed, because I couldn't bear to listen to this lady talking out of her ass and taking advantage of people's lack of computer knowledge, so I had the gateway unplugged and hung up the phone. I closed all the windows and, foolishly, the command prompt, so I couldn't see everything that had been done through it.
Since all these con artists follow the same script, and we know that they only made it as far as the netstat part of the con, have they already infected the machine? I'm not sure if the remote control software was the infection, but usually, from the videos I've watched, they use legit software for this and don't infect the system until after this part of the con. If I asked the user what commands she let the scammer type in, she wouldn't know.
I'm not concerned about the system being infected anymore, since I nuked the OS. What I want to find out is the con artists' method of operation. What are they doing, and when do they do it? At what point in the con do they steal any personal information? After the remote desktop software is downloaded and they connect, are they showing the user things in the command line as a distraction while simultaneously looking for personal information?
I want to spin up Windows in VirtualBox and pretend to be a regular user with no computer skills. I will record the screen and find a way to monitor the file system and processes. When we get to the part of the con where I'm being shown netstat, I'll disconnect from the gateway. Then I'll see what was done. These people should be following the same methods every time; whatever they do, and when they do it, should be the same for me as it was for this other person that day. I'm not sure what freeware would help me do this.
Didn't the U.S. government legalize some "hack back" laws so businesses can try to hack the hacker while being hacked? I wonder if this applies to citizens. The funny part of this whole event was that a good 30 seconds after I unplugged the gateway, the con artist said, "Okay, I am connected to you."
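One way to do the "monitor the file system and processes" part of the VirtualBox plan above without any third-party tooling is a before/after snapshot of the VM and a diff of the two. The script below is an added example written for this post, not code from the original poster; it assumes Windows PowerShell 5.1 or later (for Get-NetTCPConnection and Get-ScheduledTask), an elevated prompt so every process and service is visible, and that the scammer's downloads land somewhere under the user profile (the WatchPath default is that assumption).

```powershell
# Added example, not from the original post: baseline-and-diff for a disposable Windows VM.
# Take one snapshot before the "technician" connects and one right after the gateway is pulled,
# then diff them. Assumes Windows PowerShell 5.1+ (Get-NetTCPConnection, Get-ScheduledTask)
# run from an elevated prompt so all processes and services are visible.

function Get-HostSnapshot {
    # Assumption: dropped files end up under the user profile; widen WatchPath if you want more.
    param([string]$WatchPath = $env:USERPROFILE)

    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $autoruns = foreach ($key in $runKeys) {
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -notmatch '^PS') {   # skip the provider's own PSPath/PSParentPath/... members
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
                }
            }
        }
    }

    [pscustomobject]@{
        Taken       = (Get-Date).ToUniversalTime()
        Processes   = Get-CimInstance Win32_Process |
                      Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
        Connections = Get-NetTCPConnection -State Established, Listen -ErrorAction SilentlyContinue |
                      Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
        Autoruns    = $autoruns
        Tasks       = Get-ScheduledTask -ErrorAction SilentlyContinue |
                      Select-Object TaskPath, TaskName, State
        Services    = Get-CimInstance Win32_Service |
                      Select-Object Name, StartMode, State, PathName
        Files       = Get-ChildItem -Path $WatchPath -Recurse -File -Force -ErrorAction SilentlyContinue |
                      Select-Object FullName, Length, LastWriteTimeUtc
    }
}

# Items in $After whose selected properties match nothing in $Before.
function Get-NewItems {
    param($Before, $After, [string[]]$Props)
    $seen = @{}
    foreach ($b in $Before) { $seen[(($Props | ForEach-Object { "$($b.$_)" }) -join '|')] = $true }
    foreach ($a in $After) {
        $key = ($Props | ForEach-Object { "$($a.$_)" }) -join '|'
        if (-not $seen.ContainsKey($key)) { $a }
    }
}

function Compare-HostSnapshots {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    [pscustomobject]@{
        Window         = "$($Before.Taken) -> $($After.Taken) (UTC)"
        NewProcesses   = Get-NewItems $Before.Processes   $After.Processes   Name, ExecutablePath, CommandLine
        NewConnections = Get-NewItems $Before.Connections $After.Connections RemoteAddress, RemotePort, OwningProcess
        NewAutoruns    = Get-NewItems $Before.Autoruns    $After.Autoruns    Key, Name, Value
        NewTasks       = Get-NewItems $Before.Tasks       $After.Tasks       TaskPath, TaskName
        NewServices    = Get-NewItems $Before.Services    $After.Services    Name, PathName
        # A file appears here if it is new or its size / last-write time changed.
        ChangedFiles   = Get-NewItems $Before.Files       $After.Files       FullName, Length, LastWriteTimeUtc
    }
}

# Usage inside the VM:
#   $before = Get-HostSnapshot; $before | Export-Clixml C:\before.xml     # before making the call
#   ... let the "technician" connect; pull the gateway at the netstat step ...
#   $after  = Get-HostSnapshot; $after  | Export-Clixml C:\after.xml
#   Compare-HostSnapshots $before $after | Format-List
```

Two caveats on using it. Pulling the gateway does not immediately close TCP sockets, so the Connections list in the "after" snapshot usually still shows the remote tool's session (with its OwningProcess PID, which you can match against NewProcesses); anything short-lived that the operator ran between the two snapshots is invisible to a point-in-time diff, which is why a continuously recording freeware tool such as Sysinternals Process Monitor or Sysmon, started before the call, is the better companion to the screen recording. Also, the script runs inside the VM the operator is controlling, so keep the snapshot console out of sight and export the results to a file you can copy off before reverting the VM.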