Support Scam Resources Update

Added a link to the AVIEN support-scam resources page: to be precise, an article for ESET in which I commented on some recent developments in the support scam landscape, including a pointer to Jerome Segura’s article for the Malwarebytes blog: Support Scam Cold-Calling: the Next Generation.

Also referenced in the article and well worth a read is a recent post by Jean-Ian Boutin (also for ESET).

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Support scammers & repeat business

For Virus Bulletin, Martijn Grooten recounts in Phone support scammers attempt repeat business how – a year after the encounter with ‘Clinton’ that he talked about in our joint presentation (with Craig Johnston and Steve Burn) at the 2012 Virus Bulletin Conference in Dallas (My PC has 32,539 errors: how telephone support scams really work) – the scammers came back for a second bite of the cherry.

He summarizes:

Phone support scammers have found a new way to make easy money: by calling back people whom they have previously tricked into paying for their services, and tricking the same innocent users into paying for a ‘renewal’ of the service.

While I got a certain amount of amusement from the continuing ineptitude of the scammer he talked to this time, it’s not so amusing for victims of the scam, as Martijn points out:

While it is easy to laugh at the scammers’ lack of professionalism, they have taken advantage of many victims in the past: people who have become worried after hearing the many stories about malware infections, or people for whom the call just ‘made sense’.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Anti-malware testing resource

Testing security software has been part of my life for almost as long as I’ve been involved with computing: not only in terms of evaluating the efficiency of products and technologies for the organizations I worked for, but as an independent tester (especially of Mac AV) way back in the 90s. I stopped testing when I began to foresee a time when I simply wouldn’t have the time or resources to do justice to what even then was a difficult job. There was a time around 2006 when I was discussing roles on both sides of the vendor/tester divide, but for better or worse, I went over to the dark side and focused on supplying consultancy services to the AV industry (primarily ESET). However, I didn’t escape the testing controversy, being involved almost from the beginning in the Anti-Malware Testing Standards Organization (AMTSO) and even serving for nearly three years on its Board of Directors.

While I’m still in sympathy with the ultimate aims of AMTSO, when the organization decided that the blog I set up on behalf of the Board no longer met its needs, I found myself needing a platform where I could continue to provide independent commentary on testing issues. Hence, the Anti-Malware Testing blog. While most of the material there right now consists of articles I originally posted to the AMTSO blog (as an independent commentator, not on behalf of AMTSO) that are no longer available elsewhere, it’s primarily intended for new articles. (I am, however, currently working on a resource page similar to the one on the extinct amtso.wordpress.com blogsite, with links to useful articles, papers and other testing-related resources.)

Right now there are three new articles there:

  • Explaining the Anti-Malware Testing Blog is what the title suggests it is.
  • Imperva-ious to Criticism looks at Imperva’s continued defence of its flawed quasi-test methodology, which inappropriately tried to use VirusTotal as a measure of the detection abilities of anti-virus/anti-malware products.
  • A Little Light Relief is a little lighter in tone. Literally. It points to an entertaining article by Robert Slade. After all, if I had to take testing seriously all the time, I’d get very depressed.

Compliments of the season to all our readers, and very best wishes for the New Year.

David Harley CITP FBCS CISSP
Small Blue-Green World/Mac Virus
ESET Senior Research Fellow

Support scams: new resources

Well, not new resources, unfortunately. Just a couple of blog posts I hadn’t previously got around to flagging here: PC ‘Tech Support’ Cold-Call Scam Resources. I have lots of other material to add, but no time at the moment to edit it down into something readable.

Still you might find the additions (and the resources elsewhere that they point to) of some use and interest.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

PC Support Scam Resources Page – some additions

These are also on the resources page, of course, but here are the recent additions.

Support scam info

Here are some recent comments (reproduced below, lightly corrected for spelling only) to one of my ESET articles on support scamming.

The latest comments to How to recognize a PC support scam include three particularly interesting ones. The first includes a couple of phone numbers that might be worth investigating. The second notes an oddity in the scammer’s caller ID display, and the third (by my colleague Aryeh Goretsky, who has experience in the telephone industry) explains what that oddity may signify:

  1. We received several phone calls today from this same identity, he proclaims himself to be from the national computer security.  I felt scam from the beginning but I wanted to know his ploy, he had already tried to extract info from my teenage son(15) but very computer savvy(too many gaming hackers for friends). The caller called w/o giving name but caller id showed (4-905-512-3123) however when told he was being traced, he gave a number (510-314-4990)(person not available). They try to convince you that any caution or failed service history notices are dangerous hackers.  Don’t delete but talk w/ their tech reps and they will tell you what to do.  My opinion, bad idea.  My neighbor is w/ cyber crimes for our city, I’ll ask his help and have my computer checked out by a local reputable source
  2. I got several calls from this weird NODID caller ID which isn’t what my phone usually displays when I get an anonymous caller id. And today I was home and answered to this guy who sounds like he is from India, telling me he works for PC support and that my computer is sending them online error reports. It seemed obvious it was a scam so I told him to stop calling me because I am not interested in whatever he had to offer. He then asked if I thought it was a sale call, I replied that I think it’s a scam. And he hung up immediately. I looked up pc support on the internet and found this page. They do still try to fish with this scam. My phone number is in east coast Canada
  3. Hello Jonathan, I wonder if your Caller ID might have displayed “NO DID”? D.I.D. is an abbreviation for “direct inbound (or inward) dialing” and is a term used in telecommunications to refer to a phone line assigned to a specific device. In this case, I have to wonder if the scammer who called had hacked into some company’s VoIP phone system to steal phone service for their calls, and this was displayed as a result of that action.

David Harley
ESET Senior Research Fellow

Tech support scammers claiming to be from Creative Solutions Online

Report received via the ESET blog of a scam call using the ASSOC and Event Viewer ploys (respectively, presenting a CLSID from the output of the ASSOC command as the victim’s ‘unique computer ID’, and presenting the routine errors and warnings in Event Viewer as evidence of infection): the scammer used the name Alex Parker, and said his company was Creative Solutions Online: creativesolutionsonline.net.

Whocallsme.com came up with a number, 4034563615, used by scammers claiming to represent the same company, or ‘Windows Internet’.

The office address given was Clearwater, Fla., with phone numbers in the UK, US and Australia. The domain’s WHOIS registrant contact details, as retrieved at the time, were:

REGISTRANT CONTACT INFO
Sibyl Technology Solution
Rubel Debnath
339, purbasinthi
kolkata
west bengal
700030
IN
Phone: +91.9230062065
Email Address:

Also added to support scam resources page in case someone is interested in following up on data like this.

David Harley


More about Dorifel as a scammer ploy, and Ammyy warns of misuse of its service

More about PC support scams.

First, here’s a somewhat free translation of part of an article at http://www.waarschuwingsdienst.nl/Risicos/Actuele+dreigingen/Softwarelekken/WD-2012-069+Malware+besmetting+infecteert+office+bestanden.html that covers the support scam gambit I described in Dorifel/Quervar: the support scammer’s secret weapon, whereby victims in the Netherlands, where Dorifel has had a burst of activity, have been rung by scammers offering ‘help’ with removal of the virus. (By the way, interesting though Quervar is to researchers – see Quervar – Induc.C reincarnate? – it isn’t that prevalent globally, even though there has been a spike in reports in that region. Most people are never going to see it.)

Currently, there are reports from people who have been approached by phone by callers claiming to be from Microsoft, offering to assist them in removing the Dorifel virus that is currently in the news.

The caller tells the prospective victim, in (flawed) English, that he or she has malicious software on the computer and that the caller can help them remove it over the phone. In almost all cases the scammer demands an extortionate amount of money for a (non-functional) antivirus package, asking for personal information and credit card data.

It also appears that the caller refers victims to a website from which software can be downloaded to their PC. They purport to be offering help via remote access, but in reality an uninfected PC might finish up infected, and an infected system could pick up an extra infection.

What are your options?

  • You can’t stop the scammers calling. [Actually, it might be possible with some services in some countries, but they don't take any notice of do-not-call registries (DH)]
  • Ask for a local (Dutch) telephone number that you can call back on.
  • On no account give them remote access to your computer.
  • Be very cautious with the transmission of personal data and credit card numbers over the phone. [Don't give them to anyone whose credentials you can't verify (DH)]
  • If you have any suspicions of bad intent, hang up as quickly as possible. [Feel free to put the phone down on 'em, though they may call again. (DH)]

[Translation ends here.]

And now, the good news: ammyy.com, a remote access service very frequently misused by support scammers, has warned users of Ammyy Admin about the scam, and even given some advice for the victims who’ve fallen for it.

  • Turn off their internet connection: that makes sense as a short term measure to reduce the risk from something they’ve left to call home, as they may have tried to do in an incident described in The Tech Support Scammer’s Revenge.
  • Contact their bank to freeze their bank accounts – that may be overkill, but I can’t say it isn’t worth considering the possibility of your financial services having been compromised
  • Reboot and scan for viruses. Again, a sensible precaution, even if we haven’t seen confirmed reports of out-and-out malicious software so far.
  • And to ensure that the scammers don’t (assuming they used Ammyy) manage to get back onto the system:

“…make sure Ammyy Admin Service isn’t installed and doesn’t run in automatic mode. For this go to main window of Ammyy Admin -> Ammyy -> Service -> Remove. Then restart your PC again.”

The company also points out that Ammyy Admin doesn’t have to be uninstalled: you can just delete the .EXE. Hat tip to Martijn Grooten for flagging this. Steve Burn’s post also refers. (Not surprisingly: we tend to share information about this stuff as we see it.)
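The vendor’s advice above amounts to a short incident-response checklist for a machine the scammer has had remote access to: confirm the Ammyy Admin service is gone and not set to start automatically, make sure no instance is still running, and get rid of the executable. The script below, added here as an example and not code from the original post or from Ammyy, walks through those checks on a Windows machine and, with -Remove, acts on them in the right order (stop the service first so it cannot respawn the process, then the process, then the service registration, then the binary). The name patterns (‘Ammyy’, ‘AA_v’) and the drop folders (%ProgramData%\AMMYY, Downloads, Desktop) are assumptions, not stated on this page; adjust them for whatever remote-access tool was actually used.

```powershell
<#
  Added example (not from the original post, not Ammyy's own tooling).
  After a support-scam remote session: find any leftover Ammyy Admin
  service, running process or executable, report them, and optionally
  remove them.  ASSUMPTIONS: service/process/file names contain "Ammyy"
  or "AA_v"; the binary may sit in %ProgramData%\AMMYY or the user's
  Downloads/Desktop folders.  Run from an elevated PowerShell prompt.
#>
param([switch]$Remove)

$namePattern = 'ammyy|AA_v'          # assumed name patterns (case-insensitive -match)
$dropFolders = @(                    # assumed drop locations
    "$env:ProgramData\AMMYY",
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop"
)

# 1. Services. The vendor's point is that the *service* must not remain
#    installed or set to automatic start, or the scammer can simply reconnect.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match $namePattern -or
                   $_.DisplayName -match $namePattern -or
                   $_.PathName -match $namePattern }
foreach ($svc in $services) {
    Write-Output ("SERVICE  Name={0}  State={1}  StartMode={2}  Path={3}" -f
        $svc.Name, $svc.State, $svc.StartMode, $svc.PathName)
}

# 2. Running processes: a live session, or an instance hosted by the service.
$procs = Get-Process | Where-Object { $_.ProcessName -match $namePattern }
foreach ($p in $procs) {
    Write-Output ("PROCESS  PID={0}  Name={1}  Path={2}" -f $p.Id, $p.ProcessName, $p.Path)
}

# 3. Executables on disk. Deleting the .EXE is the vendor's suggested
#    alternative to a full uninstall.
$files = Get-ChildItem -Path $dropFolders -Recurse -Include '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $namePattern }
foreach ($f in $files) {
    Write-Output ("FILE     {0}  {1} bytes  Modified={2}" -f $f.FullName, $f.Length, $f.LastWriteTime)
}

if (-not ($services -or $procs -or $files)) {
    Write-Output "Nothing matching '$namePattern' found."
}
if (-not $Remove) {
    Write-Output "Review the findings above; rerun with -Remove to act on them."
    return
}

# Removal, in dependency order: service stop -> process -> service entry -> file.
foreach ($svc in $services) {
    if ($svc.State -eq 'Running') {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    }
    & sc.exe delete $svc.Name | Out-Null      # removes the service registration
}
foreach ($p in $procs) {
    Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
}
foreach ($f in $files) {
    Remove-Item -LiteralPath $f.FullName -Force -ErrorAction SilentlyContinue
}
Write-Output "Done. Reboot, then rerun this script to confirm nothing came back."
```

The script deliberately reports before it removes: in a dispute with the bank or a report to the police, the service name, start mode and binary path are the evidence that a remote-access tool was left behind, so capture the first run’s output before you clean up. It only covers the tool itself; the other steps in the vendor’s list (going offline, talking to the bank, a full malware scan) still apply.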

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Recent scam resources page updates

It occurs to me that I haven’t flagged here a couple of updates to the scam resources page that I’ve made this month. 

  • Misrepresenting System Utility Output [6th August 2012]
  • Support Scam Anna-lytics and a very dodgy phone number [9th August 2012]

I need to put in some anchors to those sections, but at the moment they’re at the top of the page anyway.

David Harley CITP FBCS CISSP
AVIEN Chief Dogsbody
ESET Senior Research Fellow