These scammers made their own remote connect software.
They can remotely take files, put a keylogger, syskey and more.
They don’t tell the victim that they can see their screen, just that they are connected to Microsoft Safe and Secure Server. All they need is the internet ID, not the password.
Then they tell you to log in to your online bank. At first I did not realise he could see the screen yet and I was setting up the new VM to make it look more real, and he said “What are you doing on Spotify, miss?” Then I logged in to Northwatch and he hung up on me.


The download for it is Windowshelp.online
I called that scam
I might try to get the source code
Indian scammer based in Gurgaon, Haryana, near Delhi airport
Registered by: Nitin Sharma
windowshelp-online.com
Date of creation Feb 03, 2020
844-291-4432
@drwat#128961 They are using Dropbox to host the file, I’m sure you can report it, just do it during usual scam business hours to disrupt their operation.
The windowshelp.online url redirects to a dropbox and the actual download is from:
https://uce27bd2c53cbfc3650dcb295af1.dl.dropboxusercontent.com/cd/0/get/AyXaL8dt2KtMmuyFqaamS9dW8mKQZzN77bWcS7TUSuvX0PGp27J51xgPUALiH_6Kg268_4ONq3JpyxXvnbF8QcOmdeH5lGbUfmBufLfRpxTd4GqXG7-w6l5KTSEmlq1smIc/file?dl=1#
Domain Information
Name: windowshelp.online
Registry Domain ID: D169240616-CNIC
Domain Status:
serverTransferProhibited
clientRenewProhibited
clientTransferProhibited
clientUpdateProhibited
clientDeleteProhibited
Nameservers:
ns07.domaincontrol.com
ns08.domaincontrol.com
Dates
Registry Expiration: 2021-02-02 23:59:59 UTC
Updated: 2020-02-14 00:50:39 UTC
Created: 2020-02-02 21:54:14 UTC
Contact Information
Registrant:
Mailing Address: Haryana, India
Technical:
Mailing Address: Haryana, India
Administrative:
Mailing Address: Haryana, India
Billing:
Mailing Address: Haryana, India
Redacted for privacy: some of the data in this object has been removed.
Registrar Information
Name: GoDaddy.com, LLC
IANA ID: 146
Abuse Contact Email: [email protected]
Abuse Contact Phone: tel:480-624-2505
DNSSEC Information
Delegation Signed: Unsigned
Authoritative Servers
Registry Server URL: https://rdap.centralnic.com/online/domain/windowshelp.online
Last updated from Registry RDAP DB: 2020-02-17 23:20:12 UTC
Registrar Server URL: https://rdap.godaddy.com/v1/domain/windowshelp.online
Last updated from Registrar RDAP DB: 2020-02-17 23:20:13 UTC
I sent an email to Dropbox about it
If anyone else wants to
[email protected]
@hammythesyrianhamster#128962 Yes, good idea. Will do tomorrow morning
The software is by Remote Utilities LLC and you can download both the Viewer (30-day trial) and the Host/Agent (Free) right from their website.
Windows | Remote Utilities


@MKHNT#128969 That's cool, is this a safe download for personal use?
@hammythesyrianhamster#128970 Yes it is safe, but meant for IT techs to use on company computers they service, that is where the scammers got it from. It is still dangerous for the victims who download it and let scammers access their computers though.
@grabscammersip#128967 Windowshelp.online is a GoDaddy domain. Report it, but while scams are running, to make the scammers' lives harder
@MKHNT#128971 So then we should report to them that the scammers are using it
@hammythesyrianhamster#128982 Alerting the software company might get them to place a warning on future versions, but I don’t know how it would help with the current one the scammers are using, since they have edited it to look like it is Microsoft.
The dropbox download was removed and the scammers just uploaded it to another one:
https://uc44aa13e32a7bc158d224f6d613.dl.dropboxusercontent.com/cd/0/get/AyU3o0pWmJVwdyUTxcmoazNOqfxYrKXhDy_ftPWUC5ZJ-nnGb5t-EMMS_jTryFw3h0ESv9Zcv7ovBdBKtumdehVfPpvsv2Yh38XELXPBV0ch63I1WYkYB4qC7kOanulOcIc/file?dl=1#
I reported it to dropbox and I guess we will have to just keep checking & reporting.
@MKHNT#128996 It's not free software, unless they are using a cracked version. Then they can just disable connections to their account.
@hammythesyrianhamster#129020 Yes, the Viewer is most likely a paid account they use and more than likely they use multiple accounts. The download they are using is the free Agent, but you will need to get them to try scamming you to try getting their account information to report.
I do not have a VM currently set up nor do I know who they are to get them to try scamming me. Simply downloading their "altered" agent version won't auto connect to them, you still need to give them the access ID.
@MKHNT#128996 I’m doing this one as well, I’ll add a reply
@grabscammersip#129042 Wouldn’t it be possible for them to make changes to the program to automatically read/send that information to a server that they host and from there they connect?
I'm guessing these scammers aren't smart enough for that, but we're probably not far away from that being commonplace...
The file is an archive file which can be opened and searched through by those not using a Windows Computer (not recommended).
Within the archive is your standard windows installer stuff from what I can see, but there was a file called version.txt which contained the following:
FILEVERSION 6,10,10,0
PRODUCTVERSION 6,10,10,0
FILEFLAGSMASK 0x3F
FILEFLAGS 0x0
FILEOS VOS_UNKNOWN | VOS__WINDOWS32
FILETYPE VFT_APP
FILESUBTYPE 0x0
{
BLOCK "StringFileInfo"
{
BLOCK "040904E4"
{
VALUE "CompanyName", "Remote Utilities LLC"
VALUE "FileDescription", "Remote Utilities"
VALUE "FileVersion", "6.10.10.0"
VALUE "LegalCopyright", "Copyright 2019 Remote Utilities LLC. All rights reserved."
VALUE "ProgramID", "com.remoteutilities.SfxExtractor"
VALUE "ProductName", "Remote Utilities"
VALUE "ProductVersion", "6.10.10.0"
}
}
Oh well looks like I'm late with this information anyway..
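
Added example (not part of any post in this thread): a Python sketch that parses a version.txt like the one quoted above and reports when the embedded vendor strings disagree with the branding the download claims. The function names and the marker list are assumptions made for this example; the sample text is constructed from the values quoted in the post.

```python
import re

# Constructed sample, built from the version.txt values quoted in the thread.
SAMPLE_VERSION_TXT = '''FILEVERSION 6,10,10,0
PRODUCTVERSION 6,10,10,0
FILETYPE VFT_APP
{
BLOCK "StringFileInfo"
{
BLOCK "040904E4"
{
VALUE "CompanyName", "Remote Utilities LLC"
VALUE "FileDescription", "Remote Utilities"
VALUE "ProgramID", "com.remoteutilities.SfxExtractor"
VALUE "ProductName", "Remote Utilities"
}
}
'''

VALUE_RE = re.compile(r'^\s*VALUE\s+"([^"]+)"\s*,\s*"(.*)"\s*$')
FIXED_RE = re.compile(r'^\s*(FILEVERSION|PRODUCTVERSION)\s+([\d,\s]+)$')

def parse_versioninfo(text):
    """Collect VALUE string pairs and the fixed version fields into a dict."""
    info = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
            continue
        m = FIXED_RE.match(line)
        if m:  # "6,10,10,0" -> "6.10.10.0"
            info[m.group(1)] = ".".join(p.strip() for p in m.group(2).split(","))
    return info

def branding_findings(info, claimed_vendor, markers=("remote utilities",)):
    """Compare the vendor a download claims to be with its embedded strings.

    `markers` is a hypothetical watch list; extend it for your own triage.
    """
    findings = []
    company = info.get("CompanyName", "")
    if not company:
        findings.append("no CompanyName in version resource")
    elif claimed_vendor.lower() not in company.lower():
        findings.append(f"claims {claimed_vendor!r}, resource says {company!r}")
    keys = ("CompanyName", "ProductName", "FileDescription", "ProgramID")
    haystack = "".join(info.get(k, "") for k in keys).lower().replace(" ", "")
    for marker in markers:
        if marker.replace(" ", "") in haystack:
            findings.append(f"remote-access tool marker: {marker}")
    return findings
```

Calling `branding_findings(parse_versioninfo(SAMPLE_VERSION_TXT), "Microsoft")` returns both a vendor mismatch and the remote-access marker, which is the combination this thread describes.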