Strange Screen Connect Incident: How Did It Happen?

Asked By TechGuru9000 On

A client of mine received a suspicious email while using AOL through Firefox. They claimed not to have clicked anything in it, but then emails were sent from their account to people in their contact list. I opened the email just to analyze it without clicking any links. Within a few minutes, the screen on the client's computer suddenly changed to a fake Windows update screen, which raised my suspicions because there were no updates pending. Then, the mouse pointer started moving on its own! I quickly moved the mouse, and the suspicious screen disappeared. Just to be sure, I checked for Windows updates, and none had come through that day. While browsing through installed programs, I found Screen Connect, which had been installed that very day. I immediately uninstalled it, confirming it was still running in the background when I tried to remove it. Looking further, I found that Screen Connect had also been downloaded the same day. This led me to wonder: How could something download all by itself without any interaction from the client? Could there be a setting in AOL that allows scripts to run just by opening an email? I've never seen anything like this, and it's quite unsettling, reminding me of old-school drive-by email viruses. I ran a Malwarebytes scan with no issues detected, but I plan to reset or reinstall the operating system. What do you think could have happened here?

2 Answers

Answered By CodexWizard88 On

It sounds like your client got scammed. Those fake Windows update screens are often used to cover up shady activities. It’s worth asking the client if they've been dealing with any so-called 'support' over the phone because they might have inadvertently given access. I'd suggest wiping the machine clean and starting fresh to ensure no remnants are left behind.

InfoSecNinja42 -

Yeah, users often click on links without realizing it. I had a similar case where a user followed a phishing link to a fake captcha site. Thankfully, our EDR caught it and isolated the infection right away. Always keep security software updated!

TechGuru9000 -

Thanks for the feedback! I still find it odd how Screen Connect showed up after just opening the email, but I guess it’s possible the client clicked something unknowingly. I’ll make sure to wipe the machine. Happy new year!

Answered By CyberSleuth101 On

I dealt with something similar just this morning. It turned out Screen Connect was installed as a service, and there were multiple instances running in the background. A security tool like Huntress caught it due to their visibility with programs like Screen Connect. Definitely something to look into!
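A triage check for the situation described in this thread, added here as an example and not posted by any of the participants: it lists ScreenConnect services, running processes and install records with their dates, so they can be compared against the day of the suspicious email before the machine is wiped. It assumes the client services follow the usual "ScreenConnect Client (<id>)" naming and that the service command line carries the relay host in an `h=` parameter; run it from an elevated PowerShell prompt.

```powershell
# Added triage example (not from the thread). Read-only: it changes nothing on the machine.
# Assumption: services are named "ScreenConnect Client (<id>)" and the service
# command line contains the relay host as an "h=" query parameter.

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like 'ScreenConnect Client*' -or $_.PathName -like '*ScreenConnect*' }

$serviceReport = foreach ($svc in $services) {
    # Extract the executable path from the (normally quoted) service command line.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
    $sig = if ($file) { Get-AuthenticodeSignature -LiteralPath $exe } else { $null }
    # The relay host shows which ScreenConnect instance this client reports to.
    $relay = if ($svc.PathName -match '[?&]h=([^&"\s]+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Service     = $svc.Name
        State       = $svc.State
        StartMode   = $svc.StartMode
        Executable  = $exe
        FileCreated = if ($file) { $file.CreationTime } else { $null }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        RelayHost   = $relay
    }
}

# Running instances, including any started outside the service.
$processReport = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -like '*ScreenConnect*' } |
    Select-Object ProcessId, ParentProcessId, CreationDate, ExecutablePath

# Install records (64-bit and 32-bit views); InstallDate is yyyymmdd when present.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installReport = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*ScreenConnect*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation

'--- Services ---';  $serviceReport | Format-List
'--- Processes ---'; $processReport | Format-Table -AutoSize
'--- Installs ---';  $installReport | Format-Table -AutoSize

if (-not ($serviceReport -or $processReport -or $installReport)) {
    'No ScreenConnect services, processes or install records found.'
}
```

More than one service entry, or a relay host that does not belong to your own support tooling, is worth recording before the reinstall.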
