ConnectWise Client download from invoice

ecw06471 · 12 November 2022 17:40

My wife got this email regarding a large invoice. Clearly a scam, but curious as I am, when you click on the invoice, it downloads ConnectWiseControl.Client.exe, not something anyone should do, obviously. When I opened it in a Win 11 VM, it installed remote access software. Checking the processes, it was pegging the cpu and virtual HDD at 100%

email:

---------- Forwarded Message ----------
From: Oaks Danner [email protected]
To:deleted
Subject: You Invoice has been paid #2281298
Date: Sat, 12 Nov 2022 06:02:39 -0800

Dear -,

A new invoice has been paid for your Mailjet by Sinch account is now available.

Invoice Number: 933056
Issue Date: 2022-11-12
Total: $2792.32

Please see the invoice attached.

You can also view your invoice in your control panel.

Download Invoice

Note : Your order will be confirmed whithin few hours and will be Shipped .
if you want to cancel this order,please download invoice and fill the cancellation immediately!

Thank you,

drwat · 12 November 2022 18:36

ConnectWise is insidious remote software. It runs as a permanent windows service (screen connect)
Scammers can connect any time w/o permission.
One needs to stop the screen Connect Windows service and disable it.
What is the scammer phone number?

ecw06471 · 12 November 2022 21:09

There was no phone # in the email. I had opened it in a VM of Windows 11, so no harm done, just returned it to a previous snapshot and checked to make sure no services were running. I suspect it was used to steal computer resources for something, but don’t know.

drwat · 12 November 2022 21:16

right. Scammer had the ability to login to your VM.