Hackers Take Over Your Computer – 3 Examples — Two weeks ago I was visiting an elderly relative in New York City. Less than two hours after leaving his home I received a frantic call from his wife. They were in a panic, not knowing what to do as they literally watched someone take control of their Apple iMac computer to purchase $500 worth of Amazon gift cards using their personal account. Coincidentally, three days later on December 8, I received a phone call from a senior editor with a well-known news organization. She, too, was calling to ask about a threat that she believed she had (hopefully) dodged! On her Apple laptop, she had clicked a link in Facebook that triggered a set of software threats. Did she take the right steps to thwart the threat, she asked? Was she still at risk? And finally, as if this were some bizarre astrological alignment of cybercriminal-controlled planets, I received an email on December 13 from the Safety Director of a critically important U.S. chemical company. She was telling me that cybercriminals tried to take over her Windows computer when she visited a hacked informational website about Excel. But this woman’s response was perfection in motion, as she is highly skilled! She immediately shut them out and, more importantly, she was sending me a screenshot of the tricks used by the scammers to access her computer! Buckle up, it’s going to be a bumpy ride…
Imagine getting a panic call from a 92-year old man and his 76-year old wife. They were literally screaming and frantic as I listened on speaker phone, trying to calm them and ask for details. Barbara (not her real name) was most vocal. She happened to walk past their old iMac and suddenly noticed a window popup informing them that a software update was being installed. The message urged them not to interrupt the installation, nor shut down the computer. But what most caught her attention, as if she were seeing a ghost, was that the mouse was moving quickly all over the computer screen on its own, though no one was physically handling it! She also noticed another window open underneath the window informing her of the update. It was clear to me that their computer had been breached and was controlled by hackers, but I couldn’t get their attention. Their own screaming and panicked yelling at each other prevented them from hearing me tell them to PULL THE PLUG! Finally, I heard “I can’t reach the plug!” (They didn’t realize that it is also possible to pull a plug out from the back of an iMac.) Suddenly, I heard loudly screamed expletives after Barbara took physical control of her mouse and clicked on the newly opened window behind the software update message. They were looking at their Amazon account, which is auto-logged in through saved passwords in their browser. (Staying signed in like this means that whoever controls the computer also controls the account, with no password prompt standing in the way. THIS IS NEVER A GOOD IDEA!)
The next exclamation from Barbara’s husband, Scott (not his real name) was another expletive followed by “They just bought two $250 gift cards!” Seconds later this was followed by a ding from Scott’s phone. The message was thanking him for his recent purchase of $500 in gift cards from Amazon. By now it was me screaming so I could get both of their attention. “SHUT THE COMPUTER DOWN NOW!” Barbara managed to do that. This was immediately followed by digging in her purse for the credit card used with their Amazon account. She was now on a mission to call the number on the card to cancel that purchase and told me they would call me shortly. (Not only did the CC Company confirm the unauthorized purchase and cancel it, but the company canceled their card and issued them 2 new cards immediately.) About 30 minutes later, Barbara called me back. She was much more calm, though still very upset. She apologized for her language and screaming in those panicked minutes. “How did this happen? Are we still at risk? Will it happen again?” they both wanted to know.
After some conversation with them, I learned that their old iMac was about 10 years old. Neither of them could remember when, or if, the software had been updated. Though I cannot be certain how the hackers gained entry into their old iMac, the fact that it was so old and the operating system was not up-to-date put it at high risk for a variety of security threats. It was very likely missing many software updates, including security updates for the OS and web browsers. According to many sources, such as this excellent article called “When Does an Old Mac Become Unsafe to Use?” posted on Intego.com last July, Apple computers are susceptible to security threats, though not as much as Windows-based computers. The article also points out that when a security flaw is found and fixed in the newest macOS release, Apple does not always backport that fix to older releases, so a Mac that can no longer run the current macOS may stay exposed even with every update it is still offered installed. No doubt, however the hackers gained access to Barbara and Scott’s computer, software vulnerabilities gave them the opportunity to take remote control of it and take advantage of the access to their Amazon account. I was also concerned that their email account was compromised since that was also a saved login. (In 2020, I had helped an 81-year old man recover from a hacked computer and email account. I learned that the hackers had set up a “back door” of sorts into his email account after taking control of it by adding a forwarding address that looked nearly identical to the owner’s real email! Check out our article “How to Deal with a Hacked Email Account”)
At my urging, they kept their computer shut down until they could hire a tech support person to lay healing hands on it. He discovered, as suspected, that it was obsolete and had multiple vulnerabilities associated with it. They have since purchased a new iMac and the tech fellow is helping them to set it up correctly! I also had him check for evidence of compromise in other accounts, such as their email, and he helped them change their passwords as well, using a simple system for creating different passwords for each of their accounts. (Check out our article about creating strong sets of passwords that are easy to remember!) While I wasn’t shocked by what happened to elderly family members, I was surprised to get a phone call just three days later from a senior editor from a well-known news organization with the same problem! (To protect her identity, I’ll call her Kristie.)
In the late afternoon on December 8, my phone rang and I got a warm hello from Kristie. However, almost immediately, she said this was a personal call and she needed my help if I was available. I was. Kristie said that she had been on her personal Apple laptop on Facebook. As she sometimes does, she moved her mouse to the upper right hand corner of the window to click on the link for Facebook Messenger. But, as she clicked, she noticed that the icon for Messenger appeared as a duplicate just underneath the usual Messenger icon at the top of the window. We don’t have an actual screenshot of what Kristie saw, but this representation should help…
Kristie told me that as soon as she clicked, a popup appeared telling her not to log off, to be wise, or she would be hacked if she interrupted whatever had just started! This popup was accompanied by a “really loud beeping sound” she said. So what did our intrepid editor do? She immediately logged out of her account, shut down the browser, and turned off her computer! And this was the right thing to do! The speed of her response was also critically important! I learned later in my conversation with Kristie that she, also, had an old Macbook computer. She thought it was at least 5 years old and wasn’t sure about the last time it had been updated. Given the speed at which she responded to the threat, I was confident that her accounts were not at risk. However, I urged her to take three important precautionary steps upon restarting her computer…
1. UPDATE SOFTWARE: Immediately open System Preferences, select Software Update (on macOS Ventura and later this lives under System Settings > General > Software Update), and install all updates waiting for her. Once complete, restart her computer and run through those steps again until nothing is left to install. (If she finds that her computer is no longer able to be updated and is “obsolete” then I recommended she purchase a new computer!)
2. CLEAR BROWSER DATA: Once she returns to her updated computer, launch Chrome (Chrome was her preferred browser, but this step applies to whatever browser you prefer, e.g. Firefox, Safari or Opera), click the name “Chrome” in the upper left corner and select “Clear Browsing Data…”. Then be sure to select everything possible to clear and for “all time,” not just the last hour. (I’m overly cautious.) I informed her that this step will log her out of all saved accounts she was logged into and remove any site preferences she may have saved. (One caveat: clearing local data does not end a session that is still valid on the server side, so for any account that was open at the time, also sign out of all devices from that account’s security settings.)
3. CHECK BROWSER EXTENSIONS: It’s important to note that some malware/scumware does more than drop tracking cookies in your browser. It may also install an extension or a browser hijacker that changes your default search engine, home page and other browser settings. So I also urged her to open Chrome’s extensions page (type chrome://extensions in the address bar, or use the ⋮ menu > Extensions > Manage Extensions) and review the extensions she finds there to make sure each one is something she knowingly installed; anything unfamiliar should be removed, not just disabled. (Check out this article about removing Browser Hijackers from TechTarget.com.)
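Step 3 is easier to do thoroughly with a script than by eyeballing the extensions page, because the page hides the permissions each extension holds. The following is an added example (our own, not something the newsletter or Google ships): it reads each extension’s manifest.json where Chrome stores it on disk (Extensions/<id>/<version>/manifest.json under the profile folder) and flags the ones a hijacker typically needs, i.e. broad host access, request interception, or the chrome_settings_overrides key that replaces the default search engine or home page. The macOS profile path, the RISKY capability list and the two sample extensions it builds for a dry run are assumptions made for the example; on a real machine, anything it marks REVIEW still has to be checked by hand.

```python
"""Triage the extensions installed in a Chrome profile.

Added example, not code from the newsletter. Reads each extension's manifest
and flags Web Store provenance and hijacker-grade capabilities for review.
"""
import json
import os
import tempfile

# macOS default Chrome profile (assumed; pass another path on the command line).
DEFAULT_PROFILE = os.path.expanduser(
    "~/Library/Application Support/Google/Chrome/Default")

# Extensions installed from the Chrome Web Store carry this update_url.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Capabilities a hijacker or spyware extension usually asks for (assumed list).
RISKY = {
    "<all_urls>", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "proxy", "management", "tabs", "history", "cookies", "chrome_settings_overrides",
}


def triage_extensions(profile_dir):
    """Return one record per installed extension version, flagged for review."""
    ext_root = os.path.join(profile_dir, "Extensions")
    findings = []
    if not os.path.isdir(ext_root):
        return findings
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            # MV2 lists host patterns under "permissions"; MV3 under "host_permissions".
            caps = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            # chrome_settings_overrides is a top-level manifest key, not a permission,
            # and it is exactly what search hijackers use to swap the default engine.
            if "chrome_settings_overrides" in manifest:
                caps.add("chrome_settings_overrides")
            from_webstore = manifest.get("update_url") == WEBSTORE_UPDATE_URL
            risky = sorted(caps & RISKY)
            findings.append({
                "id": ext_id,
                "version": version,
                "name": manifest.get("name", "?"),
                "from_webstore": from_webstore,
                "risky_capabilities": risky,
                # Not from the Web Store, or asking for hijacker-grade capabilities:
                # verify by hand before trusting it.
                "needs_review": (not from_webstore) or bool(risky),
            })
    return findings


def build_sample_profile():
    """Constructed sample profile: one ordinary extension and one hijacker-shaped one."""
    root = tempfile.mkdtemp(prefix="chrome-profile-")
    samples = {
        ("abcdefghijklmnopabcdefghijklmnop", "1.2.0"): {
            "manifest_version": 3, "name": "Tab Notes", "version": "1.2.0",
            "permissions": ["storage"], "update_url": WEBSTORE_UPDATE_URL,
        },
        ("zyxwvutsrqponmlkzyxwvutsrqponmlk", "0.9"): {
            "manifest_version": 2, "name": "Search Booster", "version": "0.9",
            "permissions": ["<all_urls>", "webRequest", "webRequestBlocking"],
            "chrome_settings_overrides": {
                "search_provider": {"name": "Booster", "keyword": "boost",
                                    "search_url": "https://example.invalid/?q={searchTerms}",
                                    "encoding": "UTF-8", "is_default": True}},
        },
    }
    for (ext_id, version), manifest in samples.items():
        ext_dir = os.path.join(root, "Extensions", ext_id, version)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    import sys
    profile = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    for rec in triage_extensions(profile):
        flag = "REVIEW" if rec["needs_review"] else "ok"
        print(f"{flag:6} {rec['name']!r} {rec['id']} v{rec['version']} "
              f"webstore={rec['from_webstore']} risky={rec['risky_capabilities']}")
```

Run it with no arguments to see the two constructed samples, or pass your own profile folder; the missing Web Store update_url is only a heuristic (enterprise-deployed and developer-mode extensions legitimately lack it), which is why the output says REVIEW rather than “malicious”.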
Thankfully, her quick reaction saved her both emotional and financial pain, as well as the security risks! However, I had many questions about the details of the threat that targeted her that she couldn’t provide. That was certainly not the case in my third example! Just five days later I received an email from a Safety Officer at a well-known chemical company whom I’ve had the pleasure to know for several years. This woman is skilled and smart! To protect her identity, I’ll call her Elise. Elise was on her work PC and told me “I went to a link I had saved and had used a few years ago. Suddenly I got pop ups everywhere, along with a message that my computer is locked, and to call this number, ……” She knew exactly what had happened to her computer and what she had to do! “I immediately unplugged my network and shut down Firefox. I’m back up and all is well but I wonder about this website. The address is www[.]handyexceltips[.]com.” By unplugging her computer from her network, Elise prevented any possible infection from spreading from her computer throughout the company! This was a very smart move! When I used various tools to check the safety and content of handyexceltips[.]com a few days later, I found no website available, nor any Google information about the domain/website. I also discovered that the domain is available for sale from a WHOIS tool.
After restarting her computer, and while unplugged from the network, Elise and her tech team ran all the appropriate anti-virus/anti-spyware checks. Once she was satisfied with her safety checks, she relaunched her Firefox browser and opened up its History. She sent me this screenshot below, revealing the threats and multiple layers of the attack that targeted her when she visited handyexceltips[.]com. This is where the rabbit hole goes deep and gets really interesting! Follow the numbered steps below to see what happened to Elise…
Step 1: Elise visits a hacked website called handyexceltips[.]com
Step 2: This website redirects her to a malicious website called thale-gds[.]com. This site was registered last May. There is an article on Malware-Guide.com about how to remove the redirects and pop-ups associated with this site from a PC. Also, this malicious domain is listed on the website MalwareURL.com as a threat. BUT this malicious site in turn redirected Elise to…
Step 3: …Another malicious website called resugovex-3[.]co. It was registered on December 1, less than two weeks earlier, through our FAVORITE Registrar called Namecheap (**Said dripping with sarcasm**), with a registrant address in Iceland, which is what Namecheap’s WHOIS privacy service shows in place of the real registrant. Multiple security services have identified these two websites as malicious and hosting malware (as well as a phishing site.)
Step 4: In a bizarre twist, Elise was also then redirected to a website called HealthyBeingCare[.]com which sounds like it should be related to health care. Google knows nothing about this website. However, check out the screenshot we took of the top page of this website. It appears to be a very suspicious dating website!
Steps 5 – 9: As if the malicious threats in steps 1 – 4 weren’t enough, Elise’s web browser was then forced to open 5 separate pages hosted on amplifyapp[.]com, the domain that Amazon’s AWS Amplify service uses to host web apps. (Anyone with an AWS account can publish there, so the Amazon-owned domain says nothing about who made the pages.) These pages included references to two different phone numbers that Elise was most certainly urged to call: 833-743-9772 and 833-743-3360. Both phone numbers were listed on Scammer.info in just the last few days as Windows Tech Support scams! (I’ve linked each phone number to the Scammer.info page.) The popup produced is designed to look like a message from Windows Defender software but neither of these phone numbers is associated with that security software or with Microsoft!
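Elise could hand us steps 1 through 9 because Firefox keeps more than a list of pages: its places.sqlite database records each page load in moz_historyvisits with a from_visit pointer to the visit that led there and a visit_type that says whether it was a click, a typed URL, a bookmark or a server redirect. The hops she never saw on screen can therefore be walked forward from the bookmark she clicked. The script below is an added example (our own, not the newsletter’s or Mozilla’s code) that does exactly that. It builds a constructed stand-in database with only the columns it needs, mirroring the chain above, and the five amplifyapp.com hostnames in it are made up; point it at a copy of a real places.sqlite (Firefox keeps the live file locked) to run it on real history.

```python
"""Rebuild the redirect chain recorded in a Firefox history database.

Added example, not code from the newsletter. Usage on a real profile:
  python3 chain.py /path/to/copy/of/places.sqlite www.handyexceltips.com
"""
import sqlite3
import sys
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Firefox visit_type values (toolkit/components/places).
VISIT_TYPES = {1: "LINK", 2: "TYPED", 3: "BOOKMARK", 4: "EMBED",
               5: "REDIRECT_PERMANENT", 6: "REDIRECT_TEMPORARY",
               7: "DOWNLOAD", 8: "FRAMED_LINK", 9: "RELOAD"}

# Constructed subset of the real schema; visit_date is microseconds since the epoch.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT NOT NULL);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER NOT NULL DEFAULT 0,
    place_id INTEGER NOT NULL, visit_date INTEGER NOT NULL, visit_type INTEGER NOT NULL);
"""


def load_visits(conn):
    """Map visit id -> (from_visit, visit_date, visit_type, url) and parent -> child visit ids."""
    rows = conn.execute(
        "SELECT v.id, v.from_visit, v.visit_date, v.visit_type, p.url "
        "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
        "ORDER BY v.visit_date, v.id").fetchall()
    visits, children = {}, {}
    for vid, parent, date, vtype, url in rows:
        visits[vid] = (parent, date, vtype, url)
        children.setdefault(parent, []).append(vid)
    return visits, children


def redirect_chains(conn, start_host):
    """Every path of visits that begins with a root visit (from_visit = 0) to start_host.

    Each path is a list of (hostname, visit_type_name); one path per leaf visit."""
    visits, children = load_visits(conn)
    chains = []

    def walk(vid, path):
        path = path + [vid]
        kids = children.get(vid, [])
        if not kids:
            chains.append([(urlsplit(visits[v][3]).hostname, VISIT_TYPES.get(visits[v][2], "?"))
                           for v in path])
        for kid in kids:
            walk(kid, path)

    for vid, (parent, _, _, url) in visits.items():
        if parent == 0 and urlsplit(url).hostname == start_host:
            walk(vid, [])
    return chains


def hosts_reached(conn, start_host):
    """Distinct hostnames pulled in after start_host, in first-seen order (an IOC list)."""
    seen = []
    for chain in redirect_chains(conn, start_host):
        for host, _ in chain[1:]:
            if host not in seen:
                seen.append(host)
    return seen


def build_sample_db():
    """Constructed history: bookmark click -> three server redirects -> five pop-up pages."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    urls = ["https://www.facebook.com/", "http://www.handyexceltips.com/", "http://thale-gds.com/",
            "http://resugovex-3.co/", "http://healthybeingcare.com/"]
    urls += [f"https://main.d1sample{n}.amplifyapp.com/" for n in range(1, 6)]  # made-up hosts
    conn.executemany("INSERT INTO moz_places (id, url) VALUES (?, ?)", enumerate(urls, start=1))
    base = int(datetime(2023, 12, 13, 15, 0, tzinfo=timezone.utc).timestamp() * 1_000_000)
    # (visit id, from_visit, place_id, seconds after base, visit_type)
    visits = [(1, 0, 1, 0, 2), (2, 0, 2, 60, 3), (3, 2, 3, 61, 6), (4, 3, 4, 62, 6), (5, 4, 5, 63, 6)]
    visits += [(5 + n, 5, 5 + n, 63 + n, 1) for n in range(1, 6)]
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)",
                     [(vid, parent, pid, base + secs * 1_000_000, vt)
                      for vid, parent, pid, secs, vt in visits])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    start = sys.argv[2] if len(sys.argv) > 2 else "www.handyexceltips.com"
    for chain in redirect_chains(conn, start):
        print(" -> ".join(f"{host} [{kind}]" for host, kind in chain))
    print("hosts to block/report:", ", ".join(hosts_reached(conn, start)))
```

The REDIRECT_TEMPORARY and REDIRECT_PERMANENT visit types are the ones that matter in a case like this: they mark hops the server forced, which the victim never clicked and never saw, and every hostname in that list is a candidate for the company’s blocklist and for a report to the hosting provider.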
What happened to Kristie’s old Macbook is, no doubt, very similar to the details that Elise was able to demonstrate by sending us her browser history. And, it is likely that some aspects of this attack, and the resulting fraud, were part of the popup that falsely told Barbara and Scott that their computer software was being updated. These threats are frightening and have an emotional impact, as well as a financial impact! And I am certain that the overwhelming majority of them are being designed and directed by cybercriminal gangs in other countries. The four biggest lessons we hope this story leaves you with are….
- Keep the operating and app software on ALL your devices up-to-date as needed!
- Take steps to protect yourself and your devices before threats strike e.g. install antispyware/antimalware software. (Even Apple computer owners need this! Many people argue that iPhones/iPads are an exception and do not need AV software. Here is a recent article on Forbes about tools for the iPhone that improve user safety.)
- Do not keep yourself logged into financial accounts or stores (e.g. Amazon) and be sure to use different passwords for these accounts than the accounts you use for your social media and email!
- If you see suspicious or fraudulent popups, or lose control of your mouse, immediately quit the application you are in. If unable to, shut down your computer and then take detailed notes about exactly what happened so you can share those notes with a tech expert.
Walmart Scam Spreading on Facebook & Scam Fighter of the Year Awards! — Recently, a new round of scams featuring gifts from Walmart has been spreading on Facebook. Be careful! Check out and protect yourself with this 100% FREE, all-in-one tool
It’s time again for the Scam Fighter of the Year Awards! The awards are organized annually by the Global Anti-Scam Alliance (GASA) together with ScamAdviser to bring more attention to the importance of fighting online fraud worldwide. Last year, a substantial 25.5% of world citizens lost money to scams or identity theft, culminating in financial losses estimated at $1.026 trillion.
The Awards are organized to bring recognition to exceptional individuals, organizations and tools dedicated to turning the tide on scams. Previous winners include Peter Depuydt (Ex-EUROPOL), Donna Gregory (Ex-FBI) and Ayleen Charlotte (Romance Scam Speaker) among other notable scam fighters.
You are invited to nominate your picks in the following categories:
Best Scam Fighting Individual
Best Scam Fighting Organization
Best Scam Fighting Tool
Happy Holidays to All Our Readers! — December is a month filled with holidays celebrated by people all over the world, including Christmas, Hanukkah, Kwanzaa, and others! We are also thrilled that our newsletter subscribers represent countries, religions, and cultures from all over the world!
To everyone, everywhere, we wish you tremendous joy and love, surrounded by family and friends. And, equally important, we hope you stay safe from the threats and bad actors of the world who target us all. Finally, we hope that the kindness that so many of you have shown to us, in our effort to bring you information and stories that better safeguard your lives, is extended to all of our readers! Kindness matters!
Best wishes to all and happy holidays!
The Scamadviser / The Daily Scam Team
PS. These good wishes DO NOT apply to you scammers who also read this newsletter! May you rot in hell, arguably a place that may even be too good for your evil souls.
HP, SiriusXM, Amazon, and Netflix, OH MY! — Readers sent us some interesting phishing scams last week that we’ve never seen before! Check out this smelly carp disguised as an email from Hewlett Packard, but sent from a free iCloud account. Apparently, you’ve purchased a Gold Plan for more than $400! What? You didn’t?! Reach for your noise-canceling headphones, Airhorn Can and call the bastards back to let them know loudly and clearly what you think of their email!
Sirius XM has an interesting model for consumers. They sell you heavily discounted access to their radio stations for 3 or 6 months, and then quietly raise your monthly cost by A LOT! But if you call to complain and cancel, they’ll bring the charges back down again, for another 3 to 6 months. And then the charade happens all over again. And again. But we digress… This lovely email did NOT come from SiriusXM.com! Not even close! And the link doesn’t go to SiriusXM either: it points to urlz[.]fr, a link-shortening service under France’s .fr country-code domain, so the real destination stays hidden until you click. Fortunately, our partners at Scamadviser and the good people at VirusTotal.com are well-aware of the threat from urlz[.]fr! Lunge for the delete key!
What is a week without rotten phish pretending to be from Amazon or Netflix lately? By now, these phony-baloneys are like old friends. But don’t snuggle up with them under a warm blanket in front of the fireplace while holding a nice glass of bourbon, whiskey, hot chocolate or warm milk! Check out this email about “Your account under review” and claiming to be from Amazon. Impossibly, the login button points to a Google Drive document! And the Google drive document is total BS!
The link in the above screenshot, points to this Google drive document…..
Is “YourAccount-Alerts[.]com” a legitimate domain service to help consumers? HELL NO! This domain is not to be trusted even though this domain was registered more than 3 years ago! (It was registered in Great Britain using a privacy service.) If this email had really been from Amazon, then the domain after the @ symbol would have been amazon.com or a subdomain of it, and nothing else counts: a look-alike name, or “amazon” buried somewhere inside another domain, is not Amazon. Of course the link to “update” your information points to a well-known phishing threat. What a surprise.
What are you streaming lately? With holiday time on your hands, we suspect lots of you are binge-watching something! But if you get a bogus email like this from a free iCloud account about your Netflix billing information, don’t worry! The t.co link in this smelly carp will redirect you to a wanna-sound-legitimate website called SubscriptionHelpDirectory[.]com. This bogus domain belongs in the directory of domains we call The-total-BS-Domain-Group-Scammers-Use[.]com. Now delete!
McDonald’s Survey, NOT! — “McDonald’s Survey” sounds like an oxymoron to us but that may be a bit judgemental. Fast food isn’t our thing. However, this survey from one of our reader’s inboxes caught our attention not only for its uniqueness but also for the stupidly lame hamburger emojis used to flank the business name AND the horrific curved-edge rectangular design of the graphic. In summary, this thing looks stupid. We hope it makes you smile this holiday season. ‘Nuf said.
Victims Are Likely to be Targeted Again! — It’s important to remind everyone who has ever been victimized by scammers to always be on their guard! Stay skeptical and be suspicious of emails and texts that you receive. We say this because our experience has taught us that victims are OFTEN heavily targeted again and again by the same scammers who successfully targeted them the first time! Here is a small example. In October, we wrote about a woman who lost more than $6500 to scammers when she thought she was buying a puppy from a reputable online breeder. Just last week this woman received the email below. Not only will the FBI NEVER contact you through an email like this, but this one was sent from the very same free Gmail address that the fake shipping business used as part of the original fraud!!!! Can we scream any louder?…..
Please don’t ever believe these bogus extortion scams! They are phony threats and contain not a single shred of evidence that they even know who you are. If what they said were true, WHERE IS THE PROOF? Show me a screenshot! But they can’t. They are fake.
Your Package Could Not Be Delivered (Again!) — Go ahead, roll your eyes! We know you’ve seen them a million times before but maybe, just maybe, there are a few dozen new readers who aren’t aware of this threat. These fake USPS package alerts have been all the rage this fall and holiday season! They are as malicious as ketchup on crumb cake! (ewwww!) The “usps” that appears at the start of the link is only a subdomain, and whoever owns a domain can name its subdomains anything they like. The real (registrable) domain in that link is pkgfollow-pack[.]shop, the name sitting right in front of the final “.shop”. It was registered using a Registrar in Singapore on the very day that this text was sent on December 15. We’ll now step off our soap box (followed by Mic drop). And to all, a good night.
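The USPS text above and the Amazon email earlier in this issue fail the same test: the name a scammer wants you to see (“usps” as a subdomain, “amazon” in a display name or a look-alike domain) is not the registrable domain that actually received the registration. The script below is an added example (ours, not the newsletter’s) that applies that test to both a From: header and a link. Its PUBLIC_SUFFIXES set is a tiny assumed stand-in for the Public Suffix List at publicsuffix.org, which a production checker should load in full; the sample headers and links it runs are constructed to match the shapes described in this issue.

```python
"""Does a sender address or a link really belong to the brand it claims?

Added example, not code from the newsletter. Extracts the registrable domain
(the label just before the public suffix) and compares it with the brand's.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed subset of the Public Suffix List; multi-label suffixes must be listed.
PUBLIC_SUFFIXES = {"com", "net", "org", "shop", "co", "fr", "uk",
                   "co.uk", "org.uk", "com.au"}


def registrable_domain(host):
    """'usps.pkgfollow-pack.shop' -> 'pkgfollow-pack.shop'; None if host is only a suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # Longest matching suffix found; the registrable domain is one label more.
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels)  # unknown suffix (or an IP address): keep the whole host


def belongs_to(host, brand_domain):
    """True only when host is brand_domain itself or a subdomain of it."""
    return registrable_domain(host) == registrable_domain(brand_domain)


def check_sender(from_header, brand_domain):
    """Check the domain after the @ in a From: header; the display name is ignored."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return {"display_name": display_name, "address": addr,
            "registrable_domain": registrable_domain(domain) if domain else None,
            "matches_brand": bool(domain) and belongs_to(domain, brand_domain)}


def check_link(url, brand_domain):
    """Check the host a link really goes to. A userinfo trick such as
    https://www.usps.com@evil.shop/ is caught because .hostname drops the part before @."""
    host = urlsplit(url).hostname or ""
    return {"host": host, "registrable_domain": registrable_domain(host) if host else None,
            "matches_brand": bool(host) and belongs_to(host, brand_domain)}


if __name__ == "__main__":
    # Constructed samples shaped like the emails and texts in this issue.
    for hdr in ['"Amazon" <alerts@yourAccount-Alerts.com>', "account-update@amazon.com"]:
        print(check_sender(hdr, "amazon.com"))
    for link in ["https://usps.pkgfollow-pack.shop/track", "https://www.usps.com/track",
                 "https://www.usps.com@secure-login.shop/"]:
        print(check_link(link, "usps.com"))
```

Two caveats worth keeping in mind when using this: the From: domain can itself be forged unless the receiving mail server enforces SPF/DKIM/DMARC, so a passing sender check is necessary but not sufficient; and a shortener such as t.co or urlz[.]fr will pass or fail on its own domain, not on the destination it hides, which you only learn after following the redirect.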
Until next week, surf safely!
Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
have subscribed to it via Scamadviser.com or thedailyscam.com
Keurenplein 41, UNIT A6311 | 1069CD Amsterdam, The Netherlands