goslow
Alessandro Volta
20 days ago

ScreenConnect used by scammers

This might be of interest to any of the forum users who are the go-to tech-support person for their friends and family.

I have just been asked to look at a PC where a scammer had gained remote access as part of a tech support scam. Nothing particularly untoward noticeable at first glance and no obvious signs of any remote access software installed or running.

Browsing through the list of processes running I found 'screen connect client' and 'screen connect client service' were running. This is legitimate support software which had been customised by the scammers to be pretty much 'invisible' to the general steps you might take when searching for a remote access program (including no record of it being installed). Windows Defender picked up nothing and Malwarebytes only identified the installation file as a potentially unwanted program.

The most interesting (troubling) thing about it is that it offers a 'back stage' feature which allows the scammer remote command line and PowerShell access while the computer is in use without any sign of the scammer being connected (no screen takeover or moving cursor etc.).

A bit of Googling shows this has been around for a little while but it was the first time I had come across it and how it had been deployed in such a covert way.
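
The check described in the post above (finding the ScreenConnect client among running processes when nothing is listed as installed), as an added example that is not part of the original post. The name pattern is an assumption based on the process names the post quotes; run it from an elevated PowerShell prompt so that executable paths are readable.

```powershell
# Added example: list ScreenConnect services and processes that are present
# even though nothing shows up in the installed-programs list.
# Assumption: this name pattern. The post only quotes the process names as
# 'screen connect client' and 'screen connect client service'.
$pattern = 'Screen\s*Connect'

# Services: PathName is the full command line the service was registered with.
$services = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern
}

# Processes: match on image name, executable path or command line.
$processes = Get-CimInstance -ClassName Win32_Process | Where-Object {
    $_.Name -match $pattern -or $_.ExecutablePath -match $pattern -or $_.CommandLine -match $pattern
}

$services | Select-Object Name, DisplayName, State, StartMode, PathName | Format-List

$report = foreach ($p in $processes) {
    # The post describes legitimate support software, so a valid signature is
    # expected here and does not mean the install was authorised.
    $sig = if ($p.ExecutablePath) { Get-AuthenticodeSignature -FilePath $p.ExecutablePath } else { $null }

    # Established outbound connections owned by this process.
    $remote = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }

    [pscustomobject]@{
        ProcessId       = $p.ProcessId
        Name            = $p.Name
        Path            = $p.ExecutablePath
        Started         = $p.CreationDate
        Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignatureStatus = if ($sig) { $sig.Status } else { $null }
        RemoteEndpoints = ($remote | Sort-Object -Unique) -join ', '
    }
}
$report | Format-List

if (-not $services -and -not $processes) {
    'No ScreenConnect services or processes found.'
}
```

The service start mode and process start time show whether the client is set to come back after a reboot and how long it has been running.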

1 Reply

  • Tudor
    Very Insightful Person

    Good spot, glad I’m now only using Macs.