I have a client that encountered something last night, still trying to wrap my head around it.
They are a retired senior couple, in their 70s. She was trying to log into http://rogers.my.yahoo.com/ and the password was not being accepted.
She reset the password, tried again, and was still unable to access.
She then clicked on help, then contact, and clicked on the Rogers Live Help button.
An attendant came on, installed LogMeIn "Trial" and TeamViewer. LogMeIn seemed legit except the "Trial" part; Rogers doesn't install trial. But I know Rogers doesn't use TeamViewer, at least I've never heard of them using it.
The tech at this time told them that their computer was hacked and was being accessed between 1am and 5am. He notified them that he changed their IP, but that to fix the problem it would cost $399, and they would be covered for 1 year.
The client then asked if that was per computer, the "tech" asked how many there were in the house. She told him 2, and he said for 2, he'd charge $299 for both. Then finally it came down to $199 to fix the problem.
At this time, she unplugged the PC. As soon as she unplugged it, the phone rang, a 0123456 number, person stated they were from Rogers and continued to try to get them to pay to fix the computer.
They hung up the phone and would not answer it again. That's when I was called.
Initially, I removed the LogMeIn and TeamViewer, then ran Malwarebytes, followed by an ESET NOD32 full scan on all computers. Nothing turned up in the scans on any of the computers. I checked that no proxy was set in the browser connection settings, and the hosts file was empty.
We reset the password at http://rogers.my.yahoo.com/, which I confirmed changed, as the password had to be changed in Outlook. However, the password still would not be accepted at http://rogers.my.yahoo.com/. It would kick out, not as a failed login, but asking to re-enter the password. Re-entering the password did nothing.
I'm going back to inspect the network again tomorrow, but I've got a suspicion that maybe there is a DNS proxy going on somehow and the hackers built websites that look similar to the Rogers support site.
The version that Rogers (and I) use is called LogMeIn Rescue. The client is emailed a file or is directed to a download link to load a temporary file, no software is installed permanently, and it does not show the word "trial" in the header. Regardless...
I had seen the http://www.rogers.com/web/content/techxpert but the prices were nowhere near close to what they were quoted on the phone.
This all resulted from not being able to access Rogers webmail because of a password issue, and everything else was working fine, and the tech escalated it to a virus that hacked their computers.
We will check tomorrow if Rogers has any reference to this tech's conversation. I truly hope it is not Rogers using fear tactics to try to defraud senior citizens. I skipped some details of the conversation, such as the "virus" had the ability to turn a computer on by itself and give access to the hacker while they were sleeping. I mean I couldn't believe some of the stuff they were telling me the tech was telling them.
Just spent a couple hours on it again this afternoon. Verified there was nothing wrong with any of their computers, no malware, rootkits or any other type of virus. No DNS forwarders.
I had her repeat the steps she did to get into this situation: she was at http://rogers.my.yahoo.com/ trying to log in. When it wouldn't accept the password, she clicked on help. She was in Rogers support pages. I thought maybe she went into the Yahoo live chat support, but as soon as you enter a Rogers email address, it declines your chat request and directs you to Rogers.
I called Rogers. Rogers said they had not had a tech call from this residence since 2011, and that if any online technicians were speaking with them, it should have been commented on their account if they called them.
They did tell me however that if they were speaking with Rogers TechXpert that it would not appear, said they're not connected.
Done all I can do, I'll report it to the Canadian Anti-Fraud Center so they have it on record.
dsharp, I am curious if you ever contacted Techxpert directly to see if they had record?
I suspect it was legit. I think "virus" is the stock answer for any 'weird' activity surrounding passwords and such, though I do think $400 is a bit steep for a disinfection, you probably well know how many hours are involved, even using automated tools, and 2 cases are never the same.
Plus FWIW, there *ARE* indeed 2 logins when moving between the webmail/Yahoo interface and the Rogers account interface where you can change passwords, even though they use the same password. You're already signed in looking at mail, but if you go to access your email account settings, you will be prompted to log in again. It's not that the password is not accepted, it's that you're accessing 2 systems. It's either for extra security to protect your account or, more than likely, they're just not synced up since one's on the Rogers network vs Yahoo.