Fake remote assist popup... from an email

Saw an interesting one today. User reported that every time he opened a particular mail, he got a fake remote assistance popup that featured one of our support analysts' network IDs in the dialogue box text, even though said analyst wasn't attempting to connect to his PC. Unfortunately, he deleted the email... but we are working to recover it now. I suspect it contains some JavaScript that examines the remote assist logs for the usernames of previous genuine helpers, and uses this in the popup box dialogue.
