I was wondering that too, It shouldn't prompt a MFA request if the password doesn't work for the hacker.   Or at least the MFA setups I'm familiar with work that way. OP: change that PW again.

The more scary possibility here is that there's a keylogger involved and the bad actor actually has OP's new password and but is getting blocked by MFA.

They aren’t burning zero days on him so figure previous scans would have caught that

so you don't need those amazon gift cards you emailed me about? you said it was urgent!

Didn't consider the prompt meant that the bot figured out the new password.  I'll definitely change that again!  

How would I find a keylogger?  Is it sitting in my email, windows, google account somewhere?   I wouldn't think it'd be in my phone as Verizon said it was clean.  And I'm no longer using the Dell and am on a horrible Chromebook that hurts my eyes.

I'd do a credit freeze right now OP, that'll shield you from major BS, while you work on the little fish.

From a different computer and DO NOT SAVE passwords in Chrome

Also,
If you are running a business, you need to hire a consultant or something to go over this.  
Part of doing business these days is to make sure you have a good security platform, process in place.

Everyone should have mfa enabled for their emails. Your email gets compromised they can easily reset your passwords to the majority of other accounts while locking you out of your email leaving you helpless.

Double tap

You need to change your password again.  You shouldn’t be getting mfa request unless they still have your current password.

This is a good point.

Sorry for the OP's issues.  I had my bank card compromised in 2017 and 2021 from some place in the middle east and that was a PITA to get sorted and new card numbers updated.

I never shared passwords for banking but they wasn't always strong until I started using Apple's keychain feature.  It will automatically generate  and store strong passwords like "kEtuyc-siokug-hibny5" for instance and when you click on the login box on a site it will prompt you to automatically fill the login info.  Will also work across all your signed in apple devices.

I recently built a desktop PC after years only using a Macbooks/iPhone.  I installed Brave browser for some extra security and have been happy(chrome based) and never felt real comfortable having imported all my passwords into it's manager and have balked at finding a good alternative.  And keeping passwords synched between Apple keychain and Brave's password manager on the PC was tiresome.

Thanks to this thread I looked at my stored passwords and found I still had some weak ones on an e-mail account as well as Ebay and Paypal. I just checked out that Bitwarden password manager and they seem to have nice easy to use features that work on both operating systems and Safari and Brave browser.  It is free for personal use (click on 'plans' then 'personal').  I see they also have a browser extension that you can install to have the same auto-fill and auto generate strong passwords as I was used to having on the Apple products.

Who the heck still uses Hotmail in 2024... Wow.

I'm on Yahoo

Staring at this lower quality Chromebook screen is really hurting my eyes.  I need to ensure my Dell is safe to use again.  I was going to call around to Best Buy, Staples, etc. to see if they offer cleaning services without doing anything with my files (yes, my business files are always backed up on a thumb drive).  I know I should buy a SSD just haven't yet.  In any case....what are your suggestions on where to take this Dell or what to do to ensure it's clean and safe to use?

BTW, things have been pretty quiet today.  I completely changed my email password so no more prompts to verify it's me on my phone.  How will I know when the bot has finally left me alone?

Thanks!

Attached File

Have a long unique password and MFA on all accounts, using a risk-based approach (email first, then banking, etc)

I think Best Buy would just charge a lot to do the equivalent of a windows defender scan.

What version of windows is the dell again? If you just run a full defender scan and then check your programs (sort by install date) and see if you’ve got some new Remote Desktop software or something you’re probably good.

Again, this is most likely a breach that occurred off your system (you being tricked into exposing creds via phishing, or a site was compromised and you reused credentials).

OP still hasn't answered this question.

Yeah, OP, maybe bringing the Dell rig to an Indy shop and telling them the whole story, step by step, would be warranted.

I have to replay/trace the chain of events in my mind.  Working now, will give it more attention tomorrow.  But yes, there was interactions with microsoft that I also had last year.  We can go all kinds of places with that.  Maybe it was a long con.  However, once I share the sequence of events, I'm leaning toward it not being because in those emails I not once ever shared any log in info or any personally valuable info that I can remember.  

To be continued.

So just download full "defender" and run that?  I did a full scan yesterday and nothing turned up.  But not sure what program was used.  

Thanks

You should already have full Defender. He means a full scan versus a quick scan.

Oh ok.  Yes, I did a full scan yesterday and it showed zero threats/concerns IIRC.  I still have it on the screen just haven't opened it since I thought the computer itself was infected.  Just want to make sure, as much as is possible, that it's safe to open the thing before I do.

Thanks

If you’re using Hotmail, go to the App Store for your phone and add Microsoft Authenticator. Go into Live 365/Hotmail account and follow the steps to set up two factor authentication. You can use the internet browser on your phone to do it. Hackers will have a harder time accessing your account if they need your phone to approve logins.

ETA: all caught up- harder to login to your accounts unless the hacker in fact cloned your SIM card.

You know you have a tech savvy victim when their email is aol.com

And make sure you get the real Microsoft Authenticator, not one with in-app purchases. Do you have iPhone or android?

lol whut?

I agree he shouldn't use ProtonMail but not for that reason. He's got a lot of knowledge gaps to fill in and using a service that wipes out the data when you forget and reset the password isn't for beginners.

I've been doing the 2 factor authentication everywhere I can think of to do it over the past 24hrs.  Not just email.  

Thanks!

Me?  Android/Samsung.

.....

@RR_Broccoli

As of last year, gsuite flagged all protonmail emails as spam, and I know at least two large companies that have avanan setup to quarantine protonmail.  A a significant amount of illegal activities and fraud are conducted using protonmail, and fair or not, its going to wind up on various blocklists, etc.

I stand by that "in some organizations" protonmail is a redflag, and isn't a good idea for OP for multiple reasons.  Google or Microsoft is where he should be at, with app based MFA.

I do, I've had the same email since 1998 I think.  I also have had MFA and different passwords for all of my logins for years.

When we first started seeing it, it was used by nothing but frauders.  

-Manager, loss/fraud prevention

MS Auth on google play

Yup I'm using that for email and PayPal.  Thanks though!!

Awesome

Ya know what really sucks?  I am up to my eyeballs in guns and armor!  Yet some techno-dick half-way around the world wherever they are can almost cripple me with a few key strokes!!!  

If only I could get my hands on them!!!

So back to the issue of what interaction I had with Microsoft....

Last year a less intense version of this happened.  The email account was locked and I had to write a request to Microsoft through their website to unlock it.  What was happening back then is a little 'M' icon would pop up on my phone up at the top.  When I clicked the message, it asked for my credentials due to a security risk, or frequent log ins, etc... but it would keep chiming (sounded like a text) to alert me until I actually put in my credentials.  Email would stay locked until proper creds were entered.  So I had to write to them and explain the issue and then they unlocked it.

Fast forward to this week.  Same thing.  Sunday my phone started beeping again with the 'M' from Microsoft saying I had to log in through the message and then my email would open up.  So it wasn't being sent through email it was through the phone.  And I would see the same block if trying to use the computer.  A block page saying too many attempts, unknown devices, etc.  So it would send me a code, I had to enter the code and then it would let me see my emails.  

Oh and I forgot to mention, the Microsoft email replies from their tech people came to my alternate email.  I can copy/paste the latest response.  

"This is in response to your request for an appeal on the suspension of your Microsoft Account. Your ticket number is SIR18229731 and has been sent to our team for review. The team will reach out to your contact email if any updates are required for this request.

While waiting for a response,please review the following information:

If you forgot your username or email address: https://support.microsoft.com/en-us/account-billing/you-forgot-your-microsoft-account-username-b2049472-3b8f-27d3-61c6-67a668453f4c
To create a new Microsoft Account, use this link: https://support.microsoft.com/en-us/account-billing/how-to-create-a-new-microsoft-account-a84675c3-3e9e-17cf-2911-3d56b15c0aaf
If you are unable to login to your account or have forgotten the password: https://support.microsoft.com/en-us/account-billing/reset-a-forgotten-microsoft-account-password-eff4f067-5042-c1a3-fe72-b04d60556c37
If you want to know more about Microsoft Accounts: https://support.microsoft.com/en-us/windows/what-is-a-microsoft-account-4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa
Kindly,



Microsoft Online Safety"

Then the account was unlocked the next morning and I could access it.  

So maybe this was from me responding to a phishing scam but the phone prompts, locked and then unlocked emails, codes to unlock said account, etc....seemed pretty official from Microsoft.

I was wrong....this is the response from the following morning...

A suspension was placed on the account to protect you from a possible compromise situation.  Our systems detected an unusually high number of one of the following;



contact requests

searches

abuse reports

impersonating Microsoft support



If you used these features a high number of times in a short period, please respond and let us know why – so we can continue to improve our system detections. The account is at risk of suspension again in the future, if more detections of abuse occur.



For now, the suspension is removed and the account was placed into a recovery flow for your convenience and safety.



Login to the account using account.microsoft.com.  You will be asked to provide proof that you are the account owner.  If you have problems proving account ownership, review the options using this link.  https://support.microsoft.com/en-us/help/10494/microsoft-account-get-back-compromised-account



After recovering the account, it is imperative you visit the Security section within your profile and update all the information associated with keeping your account secure, including a new strong password.





Sincerely,

Racquel

Microsoft Consumer Protection"

Account.microsoft.com should be legit, but any message asking you to “kindly” do something can fuck off. Xenophobia is an excellent security control.

The first thing does sound like a website notification impersonating a legit site. Browser “notifications” are the worst “feature” ever. Disable all.

Are you using two factor auth everywhere you can?

As per my lengthy post on Page 2 you really need to freeze your credit with the various credit agencies.  If they have enough info on you (and they do) to get into your bank account they will start opening up new accounts under your name.   What you have been experiencing so far is the tip of the potential iceberg.

I'm a little confused at this point.   This has to be a human on the other end.  They seem to be going through each and every website I've ever joined linked to that email.  Sites I haven't gone to in 10-15yrs!  Thing is, it's hours between the attempts.  Not all at once.

Plus today I found out the fuck stick got into my TV service, changed the login and password to lock me out of it!!  Same shit they pulled with my banking!  

When does this end???  Any way I can find them and crush their nuts?

Do you have family that can help? I just went through this with my parents. Do not have anyone from "microsoft" attempt to help you or get in your computer. Go to your banks in person and tell them what happened.

This is important.  That email with the word kindly likely came from a scammer not from Microsoft support.  The links look legit but I bet if you hover over them (DON'T CLICK THEM) or you hover over the "from" email address so you can see the actual URL, they redirect to a non-Microsoft site.

So, you go to that site, enter your creds, and you just gave away the keys to your electronic kingdom.

I still have a MSN email

OP, I see that 2FA has been echoes many times for good reason and you have been addressing it.
I didn't see a straight answer to your question about the Dell PC other than asking you which version of Windows it is running.
Please answer that.
In addition, run this online virus scanner as a second opinion to Defender.
eset online scanner

Since they now got into additional accounts, you really need to keep resetting passwords everywhere using unique strong passwords, ideally generated for you by a password manager like 1password, bitwarden, or similar.

Check the IP log for your accounts they accessed. If they have a 2nd grade education, they are running a VPN. If they are in RUS or CHN, they don't need to. They can run their real IP and nothing will be done.

ETA-

Here is the microsoft one. Super easy to do and it is interesting to see the attempts.

https://support.microsoft.com/en-us/account-billing/check-the-recent-sign-in-activity-for-your-microsoft-account-5b3cfb8e-70b3-2bd6-9a56-a50177863357

Here is my screenshot. Each one can be expanded and IP info provided.

Attached File

If the OP ever comes back...

Yes it is a human trying to hack you and steal from you.  Probably an Indian in Calcutta or Bombay.   They have a folder on you with all your information and treat this like a business.  It's a scamming theft ring business.   They do this all day long.  

You need to be taking more steps to protect yourself since you are currently an active target.  Locking your credit is an important step to prevent further identity theft and monetary loss.

"Microsoft" never calls you. That's the most common scam.