Fake IT service ransoms customers using a remote administration tool

Back in February, I received a phone call from a woman we’ll call Maria. Maria had been referred to Rubica because she suspected that someone had access to her computer, and after hearing her explain what led to her distrust, it looked like Maria was right.

Maria recounted that she had recently been looking for an IT service to help her with her technology needs. She knew she was not tech-savvy, so she felt it best to hire outside professionals. As most of us do, Maria used Google to try to find a suitable vendor, and she specifically searched for people who could help her remotely. Maria stumbled across the website of an IT company that seemed to fit the bill, so she solicited their help and they immediately gave her their full attention.

The perfect victim of cybercrime

The fact that Maria was looking for remote help made her the perfect victim. The IT company instructed Maria to immediately install a remote client that would allow them to administer her computer remotely. This would give them the access they needed to help Maria, they said. They proceeded to serve some legitimate needs, like installing antivirus and some ad-blocking plug-ins into her browser. After completing their work, all seemed fine and Maria now had a computer she thought was better-secured with an on-call IT team to help her with any future needs.

One day later, Maria was working on her computer when a random window popped up on her screen. The pop-up contained inappropriate images and was completely out of context for what she was doing online at the time. She had not prompted the pop-up—it just appeared. Not long afterward, she received a phone call from her IT company exclaiming that they had seen something odd on her computer and that she needed to remove it immediately. The IT guy made it sound urgent, as if there were a threat on her device. He offered to help her remove it, but for a hefty fee. Maria paid the fee and the problem went away, so all seemed fine. That is, until she received the same pop-up followed by the same phone call a few days later, with the same demand for a hefty fee to remove the supposed problem. Maria realized she had been duped. Her IT service was not who they claimed to be, and Maria had a feeling they had taken over her device and were trying to take advantage of her.

Finding a partner she could trust

Maria was then referred to Rubica by her friend. She called me, and as she recounted what had happened, it was clear that there was an issue. First, we asked Maria to install antivirus software and scan her computer with it. The antivirus did not identify a problem. Based on her story, I had a hunch about how the IT team had ‘seen’ that there was an issue on her device, but I needed to confirm that hunch.

Next, I had Maria download and install Rubica. Then I explained the context of this client’s device to our Security Operations Center (SOC) team and specifically asked them to look for a Remote Administration Tool (RAT). We made sure to follow our anonymous customer protocol, which separates the customer’s data from their identity (so Customer Service knows the customer, but our SOC knows only their pool of device data). Sure enough, there seemed to be traffic from two RATs calling out from her machine. Our analysts were even able to pinpoint the names of the tools. From there, I was able to walk her through searching for these tools and uninstalling them. As it turns out, my hunch was correct: the attackers used the RAT they had installed to take over Maria’s computer at will, using the IT service setup as a ruse to gain access to her device.

The power of proactive cybersecurity protection

It’s hard to know if your vendor is legitimate, but to me, this shows the power of having a cybersecurity service with proactive threat hunters sitting in your Security Operations Center. In this case, our customer did not have an actual malicious program installed on her device that opened her up to compromise. She had knowingly allowed someone to install a legitimate remote tool, one used by many people to service their devices remotely. This is why her antivirus did not pick up the threat: the RAT was legitimate but was being used in a malicious way. No machine alone would have flagged the RAT activity as abnormal, but merging the expertise of human analysis with machine tools creates a much more powerful investigation.
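The detection step the SOC performed here is worth making concrete. Because the tool itself is legitimate, a signature scanner has nothing to match; what distinguishes abuse from normal use is context the machine does not have, namely which remote-access tools the device owner actually sanctioned, plus the call-home pattern a tool keeps up while a session stays open. The script below is an added example written for this article, not Rubica’s code or anything from the SOC described above. The log format, the tool process names (`remotehelper.exe`, `deskshare.exe`, `quickassist-alt.exe`) and every log line are constructed for illustration; they are not the tools found on Maria’s machine.

```python
"""Flag remote-administration tools on an endpoint that the owner never sanctioned.

Added example (not Rubica's code). Tool names and log lines are constructed.
Input: one outbound connection per line, in a constructed format:
    "<ISO timestamp> <process name> <destination host> <port>"
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Constructed inventory of remote-admin tool process names. In practice this is the
# analyst's list of legitimate remote-support products; the names here are made up.
REMOTE_ADMIN_TOOLS = {"remotehelper.exe", "deskshare.exe", "quickassist-alt.exe"}


@dataclass(frozen=True)
class Connection:
    ts: datetime
    process: str
    dest: str
    port: int


def parse_line(line: str) -> Connection | None:
    """Parse one constructed-format log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return Connection(datetime.fromisoformat(parts[0]), parts[1].lower(), parts[2], int(parts[3]))
    except ValueError:
        return None


def is_periodic(conns: list[Connection], max_jitter: float = 0.1) -> bool:
    """True when at least four connections arrive at near-constant intervals.

    A remote-admin client holding a session open checks in on a timer; low jitter in
    the gaps between outbound connections is the behavioural tell an AV signature lacks.
    """
    gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(conns, conns[1:])]
    if len(gaps) < 3:
        return False
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) <= max_jitter * mean


def find_unsanctioned_rats(lines: Iterable[str], sanctioned: set[str]) -> dict[str, dict]:
    """Return a finding per remote-admin process that is not in the owner's sanctioned set.

    `sanctioned` is what the device owner confirmed they installed on purpose; anything
    else from the inventory is reported, even though the tool itself is legitimate.
    """
    by_process: dict[str, list[Connection]] = defaultdict(list)
    for line in lines:
        conn = parse_line(line)
        if conn and conn.process in REMOTE_ADMIN_TOOLS and conn.process not in sanctioned:
            by_process[conn.process].append(conn)

    findings = {}
    for process, conns in by_process.items():
        conns.sort(key=lambda c: c.ts)
        findings[process] = {
            "connections": len(conns),
            "destinations": sorted({f"{c.dest}:{c.port}" for c in conns}),
            "periodic_beacon": is_periodic(conns),
        }
    return findings


# Constructed sample: one tool checking in every 60 s, one with two irregular connections,
# a sanctioned tool, a browser, and one malformed line.
SAMPLE_LOG = [
    "2024-02-03T10:00:00 remotehelper.exe relay.example.net 443",
    "2024-02-03T10:01:00 remotehelper.exe relay.example.net 443",
    "2024-02-03T10:02:00 remotehelper.exe relay.example.net 443",
    "2024-02-03T10:03:00 remotehelper.exe relay.example.net 443",
    "2024-02-03T10:04:00 remotehelper.exe relay.example.net 443",
    "2024-02-03T10:00:30 deskshare.exe broker.example.org 5938",
    "2024-02-03T11:17:05 deskshare.exe broker.example.org 5938",
    "2024-02-03T10:00:10 quickassist-alt.exe support.example.com 443",
    "2024-02-03T10:00:12 chrome.exe www.example.com 443",
    "garbage line",
]

if __name__ == "__main__":
    # The owner confirmed only quickassist-alt.exe was installed on purpose (constructed).
    for proc, info in find_unsanctioned_rats(SAMPLE_LOG, {"quickassist-alt.exe"}).items():
        print(f"{proc}: {info}")
```

Running it against the constructed sample reports `remotehelper.exe` with a periodic beacon to one relay host and `deskshare.exe` without one, while the sanctioned tool and the browser produce no finding. The point is the shape of the check, not the names: the signal comes from pairing the owner’s account of what they installed with the endpoint’s outbound connection record, which is exactly the human-plus-machine combination the article describes.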

Human teams can make connections machines alone cannot, which is why Rubica believes personal cybersecurity should involve both tools and the human eye. And it’s not just our SOC: having human first-tier customer support means we understand the customer’s narrative—and what to do next—much more quickly than a chatbot would.

The Rubica app is a portal into a full-spectrum personal cybersecurity service, so stay safe out there and call us if you need help.