Professor Klaus Brunnstein

Many people in the security industry have expressed their regret at the passing of Professor Dr Klaus Brunnstein, who died on 20th May 2015, just a few days before his 78th birthday, as I noted in an article for ITSecurity.

I’ve been particularly struck, though, by the fact that so many people were willing to share their thoughts: not only at ESET (where so many people expressed their regret that I felt I had to post the article at a vendor-neutral site so that it wouldn’t look like some kind of twisted PR exercise), but also by the many people who responded to requests for comments before the article was published and even after it was published. I’m only sorry I couldn’t include all the commentary I received.

I think it all indicates just what a legacy Klaus leaves behind him, not just politically, and not just to the security industry (including CARO and EICAR) and to academia (notably the Virus Test Center at the University of Hamburg), but to the entire online world. The article and the links it includes give only barest impression of how immense his contribution was, and just how much he’ll be missed personally. As Andrew Lee observed:

A thoroughly decent man. Sadly missed, he wasn’t able to make it to the CARO conference a couple of weeks ago. I only met him a few times, but it was always memorable.

David Harley
ESET Senior Research Fellow

Nepal earthquake scam: out for a duck…

(But there are plenty more where he came from…)

It was, I suppose, inevitable that the earthquake in Nepal would provide an opportunity for scammers to capitalize on the misery of others. I haven’t been tracking this particular subcategory of scamming nastiness, but a pingback on one of my articles written in 2011 for the AVIEN blog about Japanese earthquake-related scams and hoaxes – actually, a link to some of the many articles relating to those scams – drew my attention to a blog by Christopher Boyd for Malwarebytes on Nepal-related scams.

In that article, the Nepal earthquake scam he highlights is a bizarrely-expressed donations scam message claiming to be from the weirdly named ‘Coalition of Help the Displaced People’:

We write to solicits [sic] your support for the up keep [sic] of the displaced people in the recent earth quack [sic] in our Country Nepal.

He also flags an assortment of Nepal themed scam emails listed at Appriver, and a ‘dubious looking donation website’ covered in detail by Dynamoo.

Appriver’s collection includes:

  • A classic 419 claimed to be from one of the earthquake victims (daughter of a deceased politician – stop me if you’ve heard this story before…)
  • Another giving the impression it’s on behalf of the Salvation Army and World Vision: who’d have guessed that big organizations like those would use Gmail accounts? ;)
  • An exercise in guilt tripping from ‘Himalaya Assistance’ whose real purpose seemed to be to distribute a keylogger.

US-CERT also warns of ‘potential email scams’. As well as generic advice about mistrusting links and attachments and keeping security software up to date, the alert very sensibly advises the use of the Federal Trade Commission’s Charity Checklist. The FTC’s page includes sections on:

There are a number of ways of checking the bona fides of a charity, including Charity Navigator ( and Charity Watch, formerly the American Institute of Philanthropy (

In the UK, GetSafeOnline also has a guide to protecting yourself from charity scams, including resources for checking the status of UK charities:

I’ll leave the last word to Chris Boyd, since I couldn’t agree more and couldn’t have put it any better:

Scammers riding on the coat-tails of disasters are the lowest of the low, and we need to remain vigilant in the face of their antics – every time they clean out a bank account, they’re denying possible aid to the victims of the quake and creating all new misery elsewhere. That’s quite the achievement…

David Harley 

Alleged US support scam site temporarily shut down

This is one of my articles for IT Security UK about the FTC securing an injunction against Pairsys Inc, which (according to The Register) is is “banned from deceptive telemarketing practices, and may not sell or rent their customer lists to any third party. The injunction requires that their websites and telephone numbers must be shut down and disconnected, and their assets be frozen.”

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Emsisoft, Bleeping Computer and a Support Scammer

I was contacted on another blog by ‘Steve’ at Emsisoft about a blog he put up recounting an encounter with a support scammer who cold-called Bleeping Computer. There isn’t an awful lot in the account that’s really new: the Event Viewer gambit, remote access with TeamViewer, misrepresentation of Task Manager, the claim that the ‘victim’s’ anti-malware is ‘incompatible and useless’, even the misrepresentation of the ‘tree’ command, with the crude interpolation of ‘virus alerts’ typed in by the scammer. Some of the conclusions reached in the blog are slightly misleading. However, the detailed transcription of the conversation is interesting, and there are a few details that are probably worth discussion in another article. Watch this space.

Added to the support scams resource page, of course.

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Support Scams update from Jérôme Segura

Jérôme Segura talks about his paper Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam, which he just presented at Virus Bulletin 2014, on the Malwarebytes blog: Tech Support Scams exposed at VB2014. The blog includes a link to a PDF version of the slide deck.

Added to the AVIEN resources page, of course.

David Harley
ESET Senior Research Fellow

Support scam paper at Virus Bulletin 2014

If you keep an eye on the support scam resources page on this site, you’ll have noticed that Malwarebytes’ Jérôme Segura has written quite a few pieces on the topic (more than I have recently), demonstrating that the game is still afoot, even if the rules have changed.

At Virus Bulletin, later this week, Jérôme presents his paper ‘Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam‘: it’s scheduled for 16.00 on Thursday 26th. I’m sure it will be well worth hearing, and I’m only sorry I can’t be there to hear it. (Though I do have a paper being presented there by my co-authors Aleksandr Matrosov and Eugene Rodionov:

You may also recall that back in 2012 I wrote a paper with Martijn Grooten of Virus Bulletin, Steve Burn of Malwarebytes, and independent researcher Craig Johnston (a former colleague at ESET): My PC has 32,539 errors: how telephone support scams really work. (The same team also wrote a related paper for CFET: FUD and Blunder: Tracking PC Support Scams. As part of the run-up to Virus Bulletin 2014, Martijn gives a preview on the Virus Bulletin blog of what to expect from the presentation: VB2014 preview: Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam.

David Harley
ESET Senior Research Fellow

Biting the Biter

Darren Pauli reports for the Register that Matthew Weeks has released a Metasploit module that exploits a flaw in Ammyy Admin 3.5 to attack a machine being used to ‘take over’ a client machine.

The rationale here is that Ammyy software is frequently used by support scammers to take over a victim’s machine in order to ‘prove’ that the machine is infected by malware, or to install ‘protective’ software, or for other nefarious purposes. Well, if you found this post, the chances are you’re well aware of support scammer operations, and if you’re not, there’s lots of information on this site here.

I don’t, of course, have any interest in defending the activities – far less the systems – of support scammers, but this approach gives more than a little old-school AV queasiness. Weeks explains:

I don’t normally release zero day exploits, but I made an exception in this case because given the reporting and usage of Ammyy Admin I consider it highly unlikely to be used to compromise innocent victims. The primary users at risk of compromise are the scammer groups.

Primary users at risk? Well, he may not be able to see much risk to other groups, but I suspect that others can. In any case, who is going to make use of this? Probably not Weeks, since he acknowledges:

No scammer group has ever called me, and I have never used this except to test it and in demonstrations.

It’s certainly not an approach that’s going to be available to the victims of the scam, by definition: if they don’t have the technical knowledge to recognize the (techno)logical flaws in an attacker’s spiel, metasploit means nothing to them. I can see some of the many people who go out of their way to waste a scammer’s time trying this out, but in doing so they may well (as Pauli suggests) place themselves in legal jeopardy (vide UK Computer Misuse Act, for example), even if they feel ethically secure hacking a hacker. There may be an ethical justification there by analogy with sinkholing a botnet, for example, but botnet countermeasures also have to be done within legal limits.

Will it be a deterrent to scammers? Perhaps, though I suspect that once scammers get to know about this kind of countermeasure, they may be quicker than legitimate users of Ammyy software to patch. Or simply move to one of the many alternative remote access systems used in support scams.

David Harley


Malvertising leading to fake support

Chris Larson, for Blue Coat, reports finding a site with a fake anti-virus scan masquerading as Microsoft Security Essentials. However, instead of being prompted as with old-time fake AV to download fake AV, he was prompted to connect with a ‘live’ support specialist via LiveChat.

That’s not quite as novel as it may seem – see Scareware on the Piggy-Back of ACAD/Medre.A  by Righard Zwienenberg (from 2012) about a 24/7 chat support service that wasn’t, and Netflix Phishing Scam leads to Fake Microsoft Tech Support by Jerome Segura (2014). Facebook Likes and cold-call scams (2011) describes sites sitting waiting for people to find them rather than (or as well as) proactively coldcalling. And I seem to remember writing before about support scammers trying to evade legal measures by persuading the victim to contact them rather than coldcalling, though as far as I’m concerned it’s fraud either way if you offer to fix problems that don’t exist. I can’t remember where, but the chances are it’s buried somewhere on the support scam resource page on this site.

David Harley
ESET Senior Research Fellow