More about PC support scams.
First, here’s a somewhat free translation of part of an article at http://www.waarschuwingsdienst.nl/Risicos/Actuele+dreigingen/Softwarelekken/WD-2012-069+Malware+besmetting+infecteert+office+bestanden.html that describes the support scam gambit described in Dorifel/Quervar: the support scammer’s secret weapon whereby victims in the Netherlands, where Dorifel is somewhat prevalent, have been rung by scammers offering ‘help’ with removal of the virus. (By the way, interesting though Quervar is to researchers – see Quervar – Induc.C reincarnate? – it isn’t that prevalent, though there has been a spike in reports in that region. Most people are never going to see it.)
Currently, there are reports from people who are approached by phone by Microsoft offering to assist them in removing the Dorifel virus that is currently in the news.
The caller tells the prospective victim in (flawed) English claimed that the he or she has malicious software on his or her computer and that to the scammer can help them solve this over the phone. In almost all cases the scammer requires an extortionate amount of money for a (non-functional) antivirus package, asking for personal information and credit card data.
It also appears that the caller refers victims to a website where software can be downloaded to their PC. They seem to be offering help via remote access but in reality an uninfected PC might finish up infected, and an infected system could pick up an extra infection.
What are your options?
- You can’t stop the scammers calling. [Actually, it might be possible with some services in some countries, but they don't take any notice of do-not-call registries (DH)]
- Ask for a local (Dutch) telephone number that you can call back on.
- On no account give them remote access to your computer.
- Be very cautious with the transmission of personal data and credit card numbers over the phone. [Don't give them to anyone whose credentials you can't verify (DH)]
- If you have any suspicions of bad intent, hang up as quickly as possible. [Feel free to put the phone down on 'em, though they may call again. (DH)]
[Translation ends here.]
And now, the good news: ammyy.com, a remote access service very frequently misused by support scammers, has warned users of Ammyy Admin about the scam, and even given some advice for the victims who’ve fallen for it.
- Turn off their internet connection: that makes sense as a short term measure to reduce the risk from something they’ve left to call home, as they may have tried to do in an incident described in The Tech Support Scammer’s Revenge.
- Contact their bank to freeze their bank accounts – that may be overkill, but I can’t say it isn’t worth considering the possibility of your financial services having been compromised
- Reboot and scan for viruses. Again, a sensible precaution, even if we haven’t seen confirmed reports of out-and-out malicious software so far.
- And to ensure that the scammers don’t (assuming they used Ammyy) manage to get back onto the system:
“…make sure Ammyy Admin Service isn’t installed and doesn’t run in automatic mode. For this go to main window of Ammyy Admin -> Ammyy -> Service -> Remove. Then restart your PC again.”
The company also points out that Ammyy Admin doesn’t have to be uninstalled: you can just delete the .EXE. Hat tip to Martijn Grooten for flagging this. Steve Burn’s post also refers. (Not surprisingly: we tend to share information about this stuff as we see it.)
David Harley CITP FBCS CISSP
ESET Senior Research Fellow