Support Scams: FTC Targets Fake Alerts

Here’s an interesting article from The Register – FTC fells four tech-support operations in scammer crackdown – by Shaun Nichols, about the FTC’s latest move in the war against support scams.

It won’t come as news to regular readers of this blog and my other articles at ESET and elsewhere (or some excellent articles by Jérôme Segura et al for Malwarebytes, come to that) that it ‘Turns out Microsoft and Apple don’t use pop-up ads for tech support’.

It’s certainly a Good Thing, though, that the FTC (the US Federal Trade Commission) has turned its attention to ‘four companies and four individuals in its legal complaint (PDF) alleging violations of both the FTC Act and the US Telemarketing Act’.

The violations cited here are in the form of fake system alerts, fake browser alerts, or fake security software alerts of the type I’ve addressed here (and even at Mac Virus – e.g. Pop-ups and Support Scams), that advise the victim of a ‘problem’ with their device and direct them to a ‘helpline’ that purports to represent one of the major operating systems, not only for old-school computers (Windows, OS X, Linux) but for mobile devices such as smartphones.

A preliminary injunction ordered by The United States District Court for the Eastern district of Pennsylvania names eight defendants, and prohibits them from fraudulent marketing and billing, and effectively freezes their assets while the FTC’s complaint is investigated.

What impact the FTC’s actions will have on the international support scam industry is hard to say, but any impact has to be better than none.

David Harley


Buhtrap and Ammyy

It’s common for tech support scams to be referred to as ‘the AMMYY scam’ or ‘the TeamViewer scam’: not because these remote access utilities/services are not legitimate (they are), but because they are commonly misused by tech support scammers to access their victims’ systems. (Which is why some security products flag them as ‘potentially unwanted’ or ‘potentially unsafe’.) They do this for two main reasons:

  • To fabricate ‘proof’ that the system is compromised by malware or otherwise at risk, so that the victim will pay for ‘assistance’ from the scammer.
  • To make changes to the victim’s system (or, sometimes, to pretend to make changes) that are meant to prove that the scammer is providing a chargeable service. Sometimes the scammer will add useful utilities, but in that case they’re usually applications that the victim could get for free elsewhere. Sometimes the additions are less useful, and might even be harmful.

In addition, the scammer will sometimes make changes to the system that are downright malicious: in particular, if the victim gives him access to his system but is reluctant to proceed with allowing the changes or making payment, the scammer will often deprive (or try to deprive) the victim of the ability to use the system at all.

The Buhtrap operation described in a blog by my ESET colleague Jean-Ian Boutin isn’t directly connected with tech support scams, as far as I know, but it did involve the misuse of the Ammyy Admin utility. People who downloaded the free version from the Ammyy site while it was compromised would, in Jean-Ian’s words, have been served…

…a bundle containing not only the legitimate Remote Desktop Software Ammyy Admin, but also an NSIS (Nullsoft Scriptable Installation Software) installer ultimately intended to install the tools used by the Buhtrap gang to spy on and control their victims’ computers.

It’s not clear how the site came to be compromised – Ammyy’s designers apparently never responded to ESET’s warnings – but it’s now clean. However, the malicious installation bundle was being served for about a week. Jean-Ian comments:

If you downloaded and installed Ammyy Admin recently, your computer might be compromised by one of the malware described above. Since we do not know exactly when the attack started nor if the site is still compromised, we recommend that you take precautionary measures and use or install a security product to scan and protect your computer.

Obviously, this could include tech support scam victims directed to that specific page, as if they hadn’t been victimized enough already. :(

David Harley

Tech Support Scam Updates

The following links have been added to the tech support scam resources page:

“Since May 2014, Microsoft has received over 175,000 customer complaints regarding fraudulent tech support scams. This year alone, an estimated 3.3 million people in the United States will pay more than $1.5 billion to scammers.”


David Harley

Support scams: fake Apple site

I’ve just added some links to the Support Scam Resources page:

David Harley

More Support Scammer Phone Info

After my article yesterday about support scammer phone info shared by several people on Twitter – Support scammer phone numbers – Jérôme Segura pointed out that there is a list of scammer-related phone numbers on the Malwarebytes page here. As I’ve pointed out previously, there’s lots of other useful info there too.

[Added to resources page, of course]

David Harley

Support scammer phone numbers

Several phone numbers have been shared today on Twitter, apparently associated with support scammers. I haven’t checked them personally.

@bartblaze has listed several numbers associated with the sort of fake alert pop-ups and related sites I described in Tech Support Scams: Top of the Pop-Ups. His list is here. He also has a list here of numbers associated with cold-calling scammers, and a more general article on support scams here.

 added +47 64 74 78 57

@xme (Xavier Mertens) apparently has some numbers on his diary, but I don’t have a link for that unless he’s referring to the Internet Storm Center diary, in which case you’d need to do some searching there, if you’re interested in more information.

Resource page updated accordingly.

David Harley

Pop-up Support Scams – on a screen near you

I’ve added a link to another article to the support scam resources page: this one is by me for ESET, on the way support scams are gradually moving away from simple-minded cold-calling to fake-AV-like pop-ups, intended to trick victims into making the initial telephone contact. The scams are aimed not only at Windows users but at users of OS X and iOS, Android, and even (rather ineptly) Linux. How many Linux users believe their system uses an NT Kernel? (And no, Wine doesn’t either: it implements the App Binary Interface in userspace, not in a kernel module.)

Here’s the direct link to the ESET article: Tech Support Scams: Top of the Pop-Ups

And an article for Mac Virus expands on the cross-platform issues.

David Harley

Tech Support Scams Latest

I’ve just added a link on the resource page to another article from Malwarebytes on support scams using a fake Blue Screen of Death, this time by Chris Boyd: Avoid this BSoD Tech Support Scam. Also some comment by John Leyden for The Register.

I also noticed today a comment to one of my ESET articles of some possible interest to support scam watchers. Actually, I think I approved the comment some time ago, but never got around to flagging it elsewhere.

I know these are scams, and I work in IT, but I had only heard these stories from my mom about them calling her. I wondered if this was a scam targeting older people, since I had never been called. Now they have started calling. 

While these scammers certainly seem more than happy to defraud older people, probably because they expect them to be less conversant with technology and therefore likelier to fall for the pitch, I doubt if the cold calls are, in general, actually targeting my generation. (I’m happy to note that – in the UK, at any rate – my generation is less gullible than you might think.)

The first time they call, about 3 weeks ago, the guy tells me my computer is infected. When I asked which computer he says my windows computer. I tell him I have, which computer is the problem. He tells me I am lying, that I don’t have 7 windows computers. He then hangs up on me for wasting his time.

Today they called again. I played along, though I did say I had multiple computers; this guy said they were all likely infected. I asked him to verify the IP of the infected machine and he tells me he can’t but he can verify the CLSID. He rattles off the CLSID listed here and asks me to run the assoc command.

So far, so typical of many of the hundreds of reports I’ve seen.

By this time I already have this site open.

(The comment is one of nearly 500 attached to this article: Support desk scams: CLSID not unique.)

I string him along for a little bit when I finally tell him, politely, that I know this is BS. At first he denies it, then he actually acknowledges it, acknowledges that he is in Calcutta. Tells me a little about his family, and that he is in school. Tells me that work is hard to find, and asks if it’s as hard here as it is there. He tells me that the scam jobs make 14,000 a year, but the legit ones that he can find only make 7,500 a year. At the end of the call, he thanked me for not yelling and screaming profanities at him. Overall I was on the phone for 40 minutes and 20 of that was after I told him I knew.
Weirdest call ever. 
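As an added illustration of the ‘CLSID not unique’ point in the comment above (this is example code written for this page, not from the original post or the commenter), the following PowerShell script runs the same assoc command the scammer asks for, extracts the CLSID, and resolves it in the registry to show that it names a standard Windows shell component rather than the victim’s machine. It assumes a Windows host with cmd.exe available.

```powershell
# Added example (not from the original post): shows that the CLSID a
# support scammer reads out from the `assoc` command is a Windows-wide
# constant, not an identifier for the victim's machine.
# Assumes a Windows host with cmd.exe available; run from PowerShell.

function Get-AssocClsid {
    param([string]$Extension)
    # `assoc` is a cmd.exe built-in, so it has to be invoked through cmd.
    $line = & cmd.exe /c "assoc $Extension" 2>$null
    # Typical output: .zfsendtotarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
    if ($line -match 'CLSID\\(\{[0-9A-Fa-f\-]+\})') { return $Matches[1] }
    return $null
}

function Resolve-ClsidName {
    param([string]$Clsid)
    # Every registered COM class has a default value naming it under HKCR\CLSID.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item) { return $item.'(default)' }
    return $null
}

# The extension the scam script usually picks, and the value it yields on a
# standard Windows install: the "Compressed (zipped) Folder" SendTo handler.
$extension       = '.zfsendtotarget'
$knownEverywhere = '{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}'

$clsid = Get-AssocClsid -Extension $extension
if (-not $clsid) {
    Write-Output "No CLSID association found for $extension on this host."
} else {
    $name = Resolve-ClsidName -Clsid $clsid
    Write-Output "assoc $extension -> $clsid ($name)"
    if ($clsid -ieq $knownEverywhere) {
        Write-Output "Same CLSID as every other Windows machine: it identifies a shell component, not this PC."
    } else {
        Write-Output "Different value, but still a COM class registration, not a per-machine serial number."
    }
}
```

Running it on any two Windows machines yields the same CLSID and the same registered name, which is the whole basis of the scam: a constant presented as if it were unique to the victim.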

Well, it’s not quite the first time that a conversation somewhat like this has taken place. My friend and former colleague Craig Johnston recounted a similar encounter in Virus Bulletin back in 2011, which he also talked about in our joint presentation at Virus Bulletin with Steve Burn and Martijn Grooten. The guy Craig talked to was a little more self-deluded: as Craig said, ‘While the caller admitted that the methods used to convince the ‘customer’ were dodgy, he was keen to assure me that the product being sold was legitimate and that it would benefit the customer.’

In this case, the scammer didn’t try to offer such self-justification, but the conversation may give us some insight into the economics of scam versus legitimate call-centre jobs (though we believe that some call-centres use both scam and legit approaches to support). I’ve talked before about scammer motivation, but it does at least seem that not all support scammers are bullies and worse (like the unspeakable monsters who try to block their victim’s access to their own systems if they allow the scammer access and then decide not to purchase his ‘services’) and may even have the grace to be less than proud of the way they make their living.

David Harley
ESET Senior Research Fellow


Support Scams: Old Dog, New Teeth

[Also posted on Mac Virus and Chainmailcheck, and link to ESET article now posted on the Tech Scam Resources page]

Further to the issues with tech support scams on OS X and iOS that I flagged here, here and here, I recently included some information on those and many other recent support scam trends in an article for ESET on Support scams, malware and mindgames without frontiers. The article concerns the expansion of tech support scamming across platforms and into languages other than English, as well as scam activity associated with real malware.

Unfortunately, there’s life in this rabid old dog yet. I’m referring to the scamming, not me. This is an attack whose scope, evolution and impact is still underestimated.

David Harley