Category Archives: cold call scams

Alleged US support scam site temporarily shut down

This is one of my articles for IT Security UK about the FTC securing an injunction against Pairsys Inc, which (according to The Register) is “banned from deceptive telemarketing practices, and may not sell or rent their customer lists to any third party. The injunction requires that their websites and telephone numbers must be shut down and disconnected, and their assets be frozen.”

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Tech support, accident insurance and PPI scams

An article by me for ESET that I should have posted here ages ago: Scams: Tech Support, Accident Insurance, PPI, Oh My My.

Of course, Indian call centres don’t spend all their time (and waste ours) on tech support scams asking for payment for help with non-existent problems: they also have a nasty habit of ringing with other types of scam: accident insurance scams and PPI (Payment Protection Insurance) scams.

And I just realized that I didn’t actually post a link to an excellent post by Martijn Grooten that’s briefly referenced in the same blog: Tech support scammers won’t give up.

Naturally, both links have been added to the scam resources page.

David Harley
ESET Senior Research Fellow

Another tech support scam resource

Added to the resources page at http://avien.net/blog/pc-support-scam-resources/: a blog for ESET on support scams. To be precise, how support scammers sometimes convince you that they’re providing product support on behalf of the vendor.

  1. By social engineering in the course of a cold-call.
  2. By seeding the web with sites that support their claims to provide AV tech support, and using SEO to promote those sites, though they’re unlikely to claim there that they’re directly affiliated with individual companies.

I had a lot of helpful discussion with ESET’s support team that inspired the article. And I regard this kind of fraud as an insult to the sterling work that real AV tech support teams do.

Tech Support Scammers: Talking to a Real Support Team

David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow

Support scammers & repeat business

For Virus Bulletin, Martijn Grooten recounts in Phone support scammers attempt repeat business how – a year after the encounter with ‘Clinton’ that he talked about in our joint presentation (with Craig Johnston and Steve Burn) at the 2012 Virus Bulletin Conference in Dallas (My PC has 32,539 errors: how telephone support scams really work) – the scammers came back for a second bite of the cherry.

He summarizes:

Phone support scammers have found a new way to make easy money: by calling back people whom they have previously tricked into paying for their services, and tricking the same innocent users into paying for a ‘renewal’ of the service.

While I got a certain amount of amusement from the continuing ineptitude of the scammer he talked to this time, it’s not so amusing for victims of the scam, as Martijn points out:

While it is easy to laugh at the scammers’ lack of professionalism, they have taken advantage of many victims in the past: people who have become worried after hearing the many stories about malware infections, or people for whom the call just ‘made sense’.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

More about Dorifel as a scammer ploy, and Ammyy warns of misuse of its service

More about PC support scams.

First, here’s a somewhat free translation of part of an article at http://www.waarschuwingsdienst.nl/Risicos/Actuele+dreigingen/Softwarelekken/WD-2012-069+Malware+besmetting+infecteert+office+bestanden.html. It covers the support scam gambit described in Dorifel/Quervar: the support scammer’s secret weapon, whereby victims in the Netherlands, where Dorifel is somewhat prevalent, have been rung by scammers offering ‘help’ with removal of the virus. (By the way, interesting though Quervar is to researchers – see Quervar – Induc.C reincarnate? – it isn’t that prevalent, though there has been a spike in reports in that region. Most people are never going to see it.)

Currently, there are reports from people who are approached by phone by Microsoft offering to assist them in removing the Dorifel virus that is currently in the news.

The caller tells the prospective victim in (flawed) English that he or she has malicious software on his or her computer and that the scammer can help them solve this over the phone. In almost all cases the scammer requires an extortionate amount of money for a (non-functional) antivirus package, asking for personal information and credit card data.

It also appears that the caller refers victims to a website where software can be downloaded to their PC. They seem to be offering help via remote access but in reality an uninfected PC might finish up infected, and an infected system could pick up an extra infection.

What are your options?

  • You can’t stop the scammers calling. [Actually, it might be possible with some services in some countries, but they don’t take any notice of do-not-call registries (DH)]
  • Ask for a local (Dutch) telephone number that you can call back on.
  • On no account give them remote access to your computer.
  • Be very cautious with the transmission of personal data and credit card numbers over the phone. [Don’t give them to anyone whose credentials you can’t verify (DH)]
  • If you have any suspicions of bad intent, hang up as quickly as possible. [Feel free to put the phone down on ’em, though they may call again. (DH)]

[Translation ends here.]

And now, the good news: ammyy.com, a remote access service very frequently misused by support scammers, has warned users of Ammyy Admin about the scam, and even given some advice for the victims who’ve fallen for it.

  • Turn off their internet connection: that makes sense as a short term measure to reduce the risk from something they’ve left to call home, as they may have tried to do in an incident described in The Tech Support Scammer’s Revenge.
  • Contact their bank to freeze their bank accounts – that may be overkill, but I can’t say it isn’t worth considering the possibility of your financial services having been compromised.
  • Reboot and scan for viruses. Again, a sensible precaution, even if we haven’t seen confirmed reports of out-and-out malicious software so far.
  • And to ensure that the scammers don’t (assuming they used Ammyy) manage to get back onto the system:

“…make sure Ammyy Admin Service isn’t installed and doesn’t run in automatic mode. For this go to main window of Ammyy Admin -> Ammyy -> Service -> Remove. Then restart your PC again.”

The company also points out that Ammyy Admin doesn’t have to be uninstalled: you can just delete the .EXE. Hat tip to Martijn Grooten for flagging this. Steve Burn’s post also refers. (Not surprisingly: we tend to share information about this stuff as we see it.)

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Support desk scams – some updates

Having been blogging this topic for quite a while, I figure this might be a good time to highlight some of the snippets of information that people have posted on some of those blogs: as the comments I quoted were all to ESET articles, I’ve posted that information on the ESET blog too, in Support-Scammer Tricks, but I’ve also linked to it from the AVIEN PC Support Scam Resources page.

David Harley CITP FBCS CISSP
AVIEN Scapegoat
ESET Senior Research Fellow