Geek Squad Scam Application

Not sure if this is the right place, but I contacted a Geek Squad scammer that had me go to a specific website to download an application which they used to connect to my computer and put up a screen block so I couldn’t see certain things they were doing. I’m wondering if anyone had any info on how to look at the code of the application just so I can see exactly what it is doing. I don’t have a ton of programming experience so if it’s too involved no worries.

2 Likes

Make sure you use a Virtual machine, not your real PC.
They typically use Anydesk or teamviewer.
I use Wireshark to capture the IP. Since I don’t have a fake bank, I close the VM to the present state and reopen a few times. The scammer thinks I have a network issue.

Scammer blocks you and tries to steal various logins and personal data.

4 Likes

Yeah I have it on my VM, just curious about the code of this app. I’m thinking it connects to the internet to call a remote connect service, but I’d like to see the whole process they use to blank out the screen.

2 Likes

It’s part of the Remote Admin Tool. When they use ConnectWise, they can blank out the screen. They can also disable keyboard/mouse input. What I usually do is keylog the VM so at least I can tell where they clicked and what they did.

3 Likes

That’s a good idea, thanks. And yeah the digital signature said ConnectWise LLC.

2 Likes

“Connect Wise” is nasty remote control software. It runs as a Windows service. Either reset the VM to a previous snapshot or stop/disable the “Screen Connect” Windows service.

3 Likes

Is that in the task manager or somewhere else?

2 Likes

One simple way to access Windows services is to type “services” in the bottom left “type here to search” box and scroll down to “Screen Connect”. Stop that service and disable it.

3 Likes
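The two replies above describe doing this through the Services GUI; the same check and cleanup can be scripted so it also records what the client was connected to before it is shut down (the IP the earlier reply captured with Wireshark). The following is an added example written for this thread, not code from any poster or from ConnectWise. It assumes Windows PowerShell 5.1 or later run as Administrator inside the VM, and that the client registers itself with a service name beginning with “ScreenConnect Client”, which is the usual naming convention; nothing else is hard-coded.

```powershell
# Added example (not from the thread): find, inspect and disable a ConnectWise
# ScreenConnect client service on the scambaiting VM.
# Assumptions: run as Administrator; service name starts with "ScreenConnect Client".

$svcs = Get-CimInstance Win32_Service | Where-Object {
    $_.Name -like 'ScreenConnect Client*' -or $_.DisplayName -like 'ScreenConnect Client*'
}
if (-not $svcs) { Write-Host 'No ScreenConnect service found.'; return }

foreach ($svc in $svcs) {
    Write-Host "Service : $($svc.Name)  State=$($svc.State)  StartMode=$($svc.StartMode)"
    Write-Host "Binary  : $($svc.PathName)"

    # Pull the executable path out of the service command line (quoted or not)
    # so the Authenticode signer can be checked, as the OP did by hand.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    if (Test-Path $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        Write-Host "Signer  : $($sig.SignerCertificate.Subject)  ($($sig.Status))"
    }

    # Record the relay the client is talking to before it is stopped.
    if ($svc.ProcessId) {
        Get-NetTCPConnection -OwningProcess $svc.ProcessId -State Established -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Host "Remote  : $($_.RemoteAddress):$($_.RemotePort)" }
    }

    # Stop it now and keep it from coming back after a reboot.
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc.Name -StartupType Disabled
    Write-Host "Stopped and disabled $($svc.Name)"
}
```

Run it once the session is over; the printed remote address and signer line are the two facts worth noting before you roll the VM back to its snapshot, since the snapshot reset is still the cleanest way to remove the client entirely.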

Nasty to remove, yes, but also a legitimate program for businesses. Similar to TeamViewer, it does the same thing and lets them connect in. The difference is this is persistent and requires no code to get access to the computer.

2 Likes

Thanks, do you have a suggestion for a decent keylogger?

1 Like

I’m a software developer by trade, so I made my own. Unfortunately, the regularly available ones are detected by Defender and other antimalware products, so I can’t really suggest any.

2 Likes

damn software developers have all the fun. :stuck_out_tongue:

1 Like

Just curious, does this run on your local machine or the VM? Where does the information get stored? What language do you use?

2 Likes

Great question! It runs on the virtual machine, mimicking a “normal” application, so they don’t get spooked. Essentially, name the EXE chrome.exe, explorer.exe, crss.exe, registry.exe or whatever is common to your computer. Set the program to run as a service, so it persists even if they reboot the computer. The file gets dumped into a text file that is actually named as if it was a DLL (ieproxy.dll), so if they go snooping, they won’t suspect anything. If you ‘open’ the DLL in TextPad or the like, it will read just like a regular text file. I’m an old school dude, so I code in C++.

3 Likes

Very cool. I mostly code in JavaScript, but I do have a lot of experience in programming. I might try this out!

2 Likes

If you’re familiar with scripting, then try PowerShell. It’s pretty flexible, there are several GitHub repos that have example code for what you want to accomplish, and they can be easily tweaked to avoid detection.

3 Likes

Just wanted to say this has been a very interesting thread to read. I’m not a programmer by any stretch of the imagination, just an occasional Python scripter when I need a specific task taken care of.

1 Like

who tf cares

1 Like