Biting the Biter

Darren Pauli reports for the Register that Matthew Weeks has released a Metasploit module that exploits a flaw in Ammyy Admin 3.5 to attack a machine being used to ‘take over’ a client machine.

The rationale here is that Ammyy software is frequently used by support scammers to take over a victim’s machine in order to ‘prove’ that the machine is infected by malware, or to install ‘protective’ software, or for other nefarious purposes. Well, if you found this post, the chances are you’re well aware of support scammer operations, and if you’re not, there’s lots of information on this site here.

I don’t, of course, have any interest in defending the activities – far less the systems – of support scammers, but this approach gives me more than a little old-school AV queasiness. Weeks explains:

I don’t normally release zero day exploits, but I made an exception in this case because given the reporting and usage of Ammyy Admin I consider it highly unlikely to be used to compromise innocent victims. The primary users at risk of compromise are the scammer groups.

Primary users at risk? Well, he may not be able to see much risk to other groups, but I suspect that others can. In any case, who is going to make use of this? Probably not Weeks, since he acknowledges:

No scammer group has ever called me, and I have never used this except to test it and in demonstrations.

It’s certainly not an approach that’s going to be available to the victims of the scam, by definition: if they don’t have the technical knowledge to recognize the (techno)logical flaws in an attacker’s spiel, Metasploit means nothing to them. I can see some of the many people who go out of their way to waste a scammer’s time trying this out, but in doing so they may well (as Pauli suggests) place themselves in legal jeopardy (vide the UK Computer Misuse Act, for example), even if they feel ethically secure hacking a hacker. There may be an ethical justification there by analogy with sinkholing a botnet, for example, but botnet countermeasures also have to be done within legal limits.

Will it be a deterrent to scammers? Perhaps, though I suspect that once scammers get to know about this kind of countermeasure, they may be quicker than legitimate users of Ammyy software to patch. Or simply move to one of the many alternative remote access systems used in support scams.

David Harley


Malvertising leading to fake support

Chris Larson, for Blue Coat, reports finding a site with a fake anti-virus scan masquerading as Microsoft Security Essentials. However, instead of being prompted as with old-time fake AV to download fake AV, he was prompted to connect with a ‘live’ support specialist via LiveChat.

That’s not quite as novel as it may seem – see Scareware on the Piggy-Back of ACAD/Medre.A by Righard Zwienenberg (from 2012) about a 24/7 chat support service that wasn’t, and Netflix Phishing Scam leads to Fake Microsoft Tech Support by Jerome Segura (2014). Facebook Likes and cold-call scams (2011) describes sites sitting waiting for people to find them rather than (or as well as) proactively cold-calling. And I seem to remember writing before about support scammers trying to evade legal measures by persuading the victim to contact them rather than cold-calling, though as far as I’m concerned it’s fraud either way if you offer to fix problems that don’t exist. I can’t remember where, but the chances are it’s buried somewhere on the support scam resource page on this site.

David Harley
ESET Senior Research Fellow


Support Scammers lose a service game

Sorry about the tennis metaphor, but it is Wimbledon fortnight…

Actually, this is another article for Graham Cluley’s blog about a site used to direct support scam victims to remote access software: Support scammers – at your service!

Added to the resources page, of course.

David Harley
Small Blue-Green World
ESET Senior Research Fellow

The Wisdom of Solomon applied to support scams

I’ve known Graham Cluley and Dr Alan Solomon for many years, going back to the days when they worked together in Alan’s own company on the much missed ‘Dr Solomon’s Anti-Virus Toolkit’. Indeed, I recently added a link to a blog article Alan had put up on his own blog to the AVIEN scam resource page.

That article seems to have grown into a whole series of descriptions of Dr Solly’s adventures in tech-support-scam-land, so it seemed an entirely suitable topic for my first blog for Graham’s independent blog site. And so here it is: Tech support scams and the wisdom of Solomon. I’ll be adding it shortly to the scam resource page, along with the links to the individual articles by Dr Solly.

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Dr Solomon’s anti-fake-virus toolkit?

Some of us remember with affection Dr Solomon’s Antivirus Toolkit. Alan Solomon hasn’t been so active in the AV scene in recent years, but recently he had quite a lot of fun with a support scammer: Technical support scam, with a few ideas that I’m tempted to add to my own anti-scammer toolkit.

Added to the scam page on this site, of course.

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Support scam using (MS-)DOS attack: ESET blog

Yet another Harley support scam article for ESET’s WeLiveSecurity blog: Support Scam Using (MS-)DOS* Attack

The never-ending Windows support scam often misrepresents obsolete MS-DOS utilities. But three simple rules will bypass most of that social engineering.

Added to the support scam resources page, of course.

David Harley
Small Blue-Green World
ESET Senior Research Fellow

More tech support scam resources

Here are a few recent articles that have hit my radar on the topic of tech support scams. Of course, I’ll be adding them to the resources page as well.

There’s another article of mine to come shortly.

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Tech support, accident insurance and PPI scams

An article by me for ESET that I should have posted here ages ago: Scams: Tech Support, Accident Insurance, PPI, Oh My My.

Of course, Indian call centres don’t spend all their time (and waste ours) on tech support scams asking for payment for help with non-existent problems: they also have a nasty habit of ringing with other types of scam: accident insurance scams and PPI (Payment Protection Insurance) scams.

And I just realized that I didn’t actually post a link to an excellent post by Martijn Grooten that’s briefly referenced in the same blog: Tech support scammers won’t give up.

Naturally, both links have been added to the scam resources page.

David Harley
ESET Senior Research Fellow