Support Scams update from Jérôme Segura

Jérôme Segura talks about his paper Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam, which he just presented at Virus Bulletin 2014, on the Malwarebytes blog: Tech Support Scams exposed at VB2014. The blog includes a link to a PDF version of the slide deck.

Support scam paper at Virus Bulletin 2014

If you keep an eye on the support scam resources page on this site, you’ll have noticed that Malwarebytes’ Jérôme Segura has written quite a few pieces on the topic (more than I have recently), demonstrating that the game is still afoot, even if the rules have changed.

At Virus Bulletin, later this week, Jérôme presents his paper ‘Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam’: it’s scheduled for 16.00 on Thursday 26th. I’m sure it will be well worth hearing, and I’m only sorry I can’t be there to hear it. (Though I do have a paper being presented there by my co-authors Aleksandr Matrosov and Eugene Rodionov:

You may also recall that back in 2012 I wrote a paper with Martijn Grooten of Virus Bulletin, Steve Burn of Malwarebytes, and independent researcher Craig Johnston (a former colleague at ESET): My PC has 32,539 errors: how telephone support scams really work. (The same team also wrote a related paper for CFET: FUD and Blunder: Tracking PC Support Scams.) As part of the run-up to Virus Bulletin 2014, Martijn gives a preview on the Virus Bulletin blog of what to expect from the presentation: VB2014 preview: Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam.

Biting the Biter

Darren Pauli reports for the Register that Matthew Weeks has released a Metasploit module that exploits a flaw in Ammyy Admin 3.5 to attack a machine being used to ‘take over’ a client machine.

The rationale here is that Ammyy software is frequently used by support scammers to take over a victim’s machine in order to ‘prove’ that the machine is infected by malware, or to install ‘protective’ software, or for other nefarious purposes. Well, if you found this post, the chances are you’re well aware of support scammer operations, and if you’re not, there’s lots of information on this site here.

I don’t, of course, have any interest in defending the activities – far less the systems – of support scammers, but this approach gives me more than a little old-school AV queasiness. Weeks explains:

I don’t normally release zero day exploits, but I made an exception in this case because given the reporting and usage of Ammyy Admin I consider it highly unlikely to be used to compromise innocent victims. The primary users at risk of compromise are the scammer groups.

Primary users at risk? Well, he may not be able to see much risk to other groups, but I suspect that others can. In any case, who is going to make use of this? Probably not Weeks, since he acknowledges:

No scammer group has ever called me, and I have never used this except to test it and in demonstrations.

It’s certainly not an approach that’s going to be available to the victims of the scam, by definition: if they don’t have the technical knowledge to recognize the (techno)logical flaws in an attacker’s spiel, Metasploit means nothing to them. I can see some of the many people who go out of their way to waste a scammer’s time trying this out, but in doing so they may well (as Pauli suggests) place themselves in legal jeopardy (vide the UK Computer Misuse Act, for example), even if they feel ethically secure hacking a hacker. There may be an ethical justification there by analogy with sinkholing a botnet, for example, but botnet countermeasures also have to be done within legal limits.

Will it be a deterrent to scammers? Perhaps, though I suspect that once scammers get to know about this kind of countermeasure, they may be quicker than legitimate users of Ammyy software to patch. Or simply move to one of the many alternative remote access systems used in support scams.