You can't make this stuff up… In this story I become a computer tech, cyber security analyst, counselor, private detective and an audience member of a bad reality show.
A few months ago I was referred by a friend to an elderly woman who claimed she was being hacked and spied on. Immediately I wondered how does she know she is being hacked or even targeted? So many non-technical people use the word “hacker” as a noun to describe any type of computer issue that is out of their control. Anyway, I ended up calling Mrs. X on a Sunday afternoon. I thought the phone call was going to be a simple exchange of “Hi my name is… tell me what's going on… yeah that sounds like… ok see you soon”. I was super wrong on this one. Mrs. X laid a very weird story on me. She told me that her husband had been cheating on her. She was like “He is with his mistress right now!! and I think his mistress logs into my computer to mess with me.” After going over what the possible problem may have been, I got off the phone in disbelief because of what I had just heard.
A few days later I went to her house to look into the issue. The first thing I did was check the event logs. I did not see anything suspicious. Afterwards, I ran Malwarebytes to remove some malware and ran a few more tools. Every so often Mrs. X would ask me questions, but for the most part she was kinda over my shoulder as I worked on the computer. After about 45 minutes or so my work was done… so I thought.
About 3 days later I get another phone call from Mrs. X. “DOUG!!!” she says at the other end. “Heeeeey Mrs. X” (answering confusingly). “It happened again!” she stated. “What happened again?” I asked. “I tried to look up how many times my husband has been married but she blocked me again from the site! I don’t understand why she keeps messing with me. I went to the site to get more information but she kept blocking me! She even made entries showing that I was married 18 times” (more than likely she saw 18 similar names on the site she was on).
Let me explain what was going on. Mrs. X went to a find-a-person / search-personal-records type of site in which you have to register to get access to more information. She wasn’t being blocked by anyone; she was probably greeted with a nice “please register” page when she tried to look for more information. She was on the site trying to get some kind of information to see if her husband had been married before.
Mrs. X kept asking me could I look into tracking down the mistress's IP address. I told her finding an IP address was possible in this case. To do so I ran Wireshark for 24 hours on her machine to capture all network activity. I called her the next day, remoted into her computer with TeamViewer and reviewed the Wireshark packet captures (PCAPs), which display all network activity and connections. After a run through of the PCAP file, I did not see any suspicious external IP addresses, but I did see an internal IP that had connected to her machine.
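
The PCAP review described above can be partly scripted. The following is an added example, not part of the original post: it assumes the capture was exported with `tshark -r capture.pcap -T fields -E separator=, -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack`, and the host address, LAN subnet and sample rows are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample export: ip.src, ip.dst, tcp.dstport, tcp.flags.syn, tcp.flags.ack
SAMPLE = """\
192.168.1.64,198.51.100.20,443,1,0
198.51.100.20,192.168.1.64,51512,1,1
192.168.1.77,192.168.1.64,445,1,0
192.168.1.77,192.168.1.64,445,1,0
192.168.1.77,192.168.1.64,3389,True,False
203.0.113.9,192.168.1.64,3389,1,0
,,,,
"""

def _flag(value):
    # tshark prints boolean fields as 1/0 or True/False depending on version
    return value.strip().lower() in ("1", "true")

def inbound_initiators(rows, host, lan):
    """Count connection attempts (SYN set, ACK clear) aimed at `host`,
    grouped by (source, scope, destination port)."""
    host = ipaddress.ip_address(host)
    lan = ipaddress.ip_network(lan)
    hits = Counter()
    for line in rows.splitlines():
        parts = line.split(",")
        if len(parts) != 5 or not parts[0] or not parts[2]:
            continue  # non-IP or non-TCP frames export as empty fields
        src, dst, port, syn, ack = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        # Keep only connections opened *to* the host; SYN+ACK is a reply
        # to a connection the host itself started, so it is skipped.
        if dst_ip != host or not _flag(syn) or _flag(ack):
            continue
        scope = "internal" if src_ip in lan else "external"
        hits[(str(src_ip), scope, int(port))] += 1
    return hits

if __name__ == "__main__":
    result = inbound_initiators(SAMPLE, "192.168.1.64", "192.168.1.0/24")
    for (src, scope, port), n in result.most_common():
        print(f"{scope:8} {src:15} -> port {port:<5} attempts={n}")
```

Filtering on SYN without ACK separates peers that opened a connection to the machine from servers answering the machine's own outbound traffic, which is the distinction the review above relies on.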
In addition to running Wireshark and looking to see what else was installed on the machine, I noticed a program called KMSpico. KMSpico is software that is used for permanently activating a copy of Windows. In this case it was used to activate Windows 7. KMSpico can also be used as a backdoor into a person's computer. By using a backdoor method into a person's computer, the attacker can gain control of the computer and do malicious things unannounced. So after doing research on KMSpico and learning of the malicious possibilities, I removed it. After I explained what I found, I told her to just let me know if it happens again. In the meantime I ran Wireshark again to further investigate and to follow up on later that week.
A few days later she called me again. This time she was sure someone had messed with her again. She swore up and down that the attacker was now living on a boat at a nearby marina. While she was explaining the events, Mrs. X just broke down crying. I was in shock because my main goal was to help her by fixing the computer, not to become wrapped up in what seemed like a real live episode of a crazy reality show. As she cried over the phone she stated that she could not take it anymore. She said “My husband just left the house to go see his mistress. He told me to stay home because he has company coming over”. I’m on the other end trying to process all of this because, remember, I’m just there for the computer issue. After the awkward conversation, I remoted into her machine for what would be the last time to do some more digging. I took a look at her wireless router settings and noticed a bad situation almost immediately. Mrs. X had the AT&T router set up with the default password. Even worse, there were 17 devices using her Wi-Fi. 17 different devices were piggybacking onto her wireless network. Out of the 17 devices, she only recognized 6-7 devices. To make sure this was taken care of immediately I advised her to call AT&T tech support and have them assist her thoroughly with changing her password. Since changing her password things have returned back to normal for her PC usage. As for the relationship, I have no idea.
Moral of the story: PLEASE secure your devices with strong passwords.