First, good on you for terminating that call. While it may have obviously been a scam to you and me, I continue to hear that many people fall for it.
But the big question is, you let a stranger with malicious intent use your machine remotely. How worried should you be?
Unfortunately, there’s no clear answer.
Become a Patron of Ask Leo! and go ad-free!
What could that “technician” have done?
There’s no way to know what the technician (perhaps the wrong thing to call him, but we’ll run with it) has done.
If you know what you’re watching, you might see what they’re doing. Their willingness to answer questions about what you see might be a clue.
Unfortunately, the tools and tricks available to them also include things you might not see once they’ve established a foothold of some sort.
So, we end up playing the odds.
He could have done nothing…
This is perhaps the most likely scenario.
The technician was probably only after your money in the form of purchasing his “services” to clean your machine. It’s possible this was the extent of the scam. By not falling for it and disconnecting as you did, nothing malicious was left behind.
From the scammer’s point of view, that’s the easiest, safest way to go. Beyond commonly-available remote access software, no additional hacking tools are required. It’s simply social engineering to get you to hand over your credit card information.
As long as enough people fall for the scam, it’s a success. Nothing else is needed.
He could have done something you’d see…
Most remote access utilities allow you to see what the remote user is doing to your machine.
That’s true with the tools the scammers commonly use — in part so they can show you all the “errors”1 on your machine, usually by exploiting the mess that is the event viewer’s log. But that means you would see whatever else they were doing as they did it.
If the technician downloaded or transferred software onto your machine, you’d see it being done.
If they ran a program, you’d see it.
If they ran a setup, you’d see it.
Now, of course, you’d have to understand what you were seeing as it happened, and of course, they rely on most people not being able to do that. If you question them, they’ll make up a reason and say it’s nothing to worry about.
If they downloaded and installed anything, you need to assume they installed malware.
He could have done something you wouldn’t see…
Here’s where things gets difficult.
It is certainly plausible that the remote connection set up by the scammer included connections you would not see.
Perhaps a sleight-of-hand move while they’re confusing you with the Event Viewer allowed them to run a program and set up a malicious back-door connection. Perhaps the type of remote connection they set up allowed them to bypass your firewall. Perhaps this back door will keep running after you’ve hung up, allowing them access any time in the future.
Perhaps, perhaps, perhaps…
Perhaps the entire time they had you on the line, they were surreptitiously loading your machine up with all sorts of malware.
From what I’ve heard, it’s not common, but it could happen.
Assume you’re infected
The safest thing for you to do, of course, is to assume your machine has been infected.
Just how drastic the steps you need to take next depend on what you experienced, what we find, and your own level of security and/or paranoia.
Here’s what I would do:
- Immediately run a full anti-malware scan.
- Run a full scan using the free version of Malwarebytes Anti-malware.
- Keep a close eye out for anything that looks the least bit like suspicious, incorrect, or most importantly, new behavior by the computer.
If that all comes up clean, then it’s probably enough.
If there’s even the slightest problem with the scans or the computer’s behavior, or if you’re simply not certain that “probably” is good enough, you really have only one solution.
And learn from the experience.
1: Which typically aren’t errors at all, or if they are, are completely benign.