The PayPal image shown was alarming enough to encourage the victim in this case to call the number shown. Through a variety of social engineering techniques, the threat actor convinced the victim to grant them remote access to their computer.
So far, this is all bad news. The good news was that the victim never left the screen unattended, and so was able to see everything the threat actor did. It was partly because of this vigilance that we were able to verify there was no compromise of the victim's Williams account.
But what about the targeted victim? The threat actor gained access to the individual’s PayPal account (stored credentials in the browser, perhaps…) and initiated a $500.00 transfer to a foreign bank account. Then, just before hitting submit, the threat actor added some zeroes, suddenly attempting to transfer $50,000. The victim, who was monitoring this, quickly recognized the fraudulent attempt and moved to interrupt the transaction, including going to their banking institution, stopping the transfer and closing the linked accounts. This left the victim stressed, anxious about residual risk and having to deal with a banking disruption.
It was not a good afternoon. From this event, we should remember the following:
- Do not trust emails sent to you from unknown sources. Assume they are malicious!
- Never allow a non-Williams OIT staff member remote access to your computer.
- Do stay with your computer if you’ve granted someone remote access, and monitor their activity.
- Don’t let your browser save your passwords for sites, especially sites linked to forms of payment.
- Do get your bank involved immediately in cases of fraud or criminal activity.
- Report any event like this to OIT as soon as possible so we may assist directly.