Tag Archives: ammyy

Should TalkTalk block TeamViewer?

It’s hardly a secret that TalkTalk has had problems with tech support scams. Or at any rate its customers have, leading to suspicions that some of the scammers “… know more about their intended victims (and their issues with TalkTalk) than they should.” I don’t suppose for a moment that TalkTalk is actively cooperating with known scammers, of course, but it was widely reported last year that three call-centre workers at Wipro, to which TalkTalk outsourced some support services in 2011, had been arrested on suspicion of – according to the BBC – selling TalkTalk customer data.

The BBC’s recent report also asserts that TalkTalk customers are targeted by “an industrial-scale fraud network in India”. Commentary from Sophos hints that the issue is ‘related not to TalkTalk but to one of its subcontractors’.

TalkTalk has set up a site in cooperation with Get Safe Online called Beat The Scammers, which it describes as “an education and awareness campaign … designed to help you protect yourself from the growing threat of scams”. The site does seem to offer some reasonable advice and offer a certain amount of insight into how these particular scammers appear to be operating, though it seems focused on old-school cold-calling rather than on pop-ups directing victims to ‘helplines’. Still, most of the old tricks are still used by ‘next-generation’ scammers.  And in fact, I quite like the idea of ‘The Nevers’, a short list of things that a TalkTalk representative ‘will never do’. For instance:

  • Ask for a customer’s full password (apparently they may ask for two digits)
  • Ask for bank details to process a refund (details the company should already have)
  • Ask the customer to send money through services like MoneyGram or Western Union (two services very commonly used by scammers)

However, the company has also upset some of its customers, according to Kat Hall (writing for The Register), by blocking TeamViewer, a remote access/desktop management tool: ‘TalkTalk blocks TeamViewer – Wants to protect customers from phishing and scamming’.

It’s perfectly true that TeamViewer, like AMMYY and several similar tools/sites, is widely used by support scammers. But it’s a legitimate service that is also widely used for entirely legitimate desktop management purposes. A blanket ban on its use is rather like an anti-malware application making it impossible for a customer to run ‘Possibly Unwanted’ or ‘Possibly Unsafe’ applications at all. We don’t do that – well, most of us don’t – because although it might make some customers safer, other people would be seriously inconvenienced by it. Apart from the fact that those people would have to take their business elsewhere, it hardly seems appropriate for a security company to deny its customers access to legitimate services. There is a classic tripod model of security consisting of Confidentiality, Integrity, and Availability. Take away availability, and what you have is no longer security.

David Harley

Buhtrap and Ammyy

It’s common for tech support scams to be referred to as ‘the AMMYY scam’ or ‘the TeamViewer scam’: not because these remote access utilities/services are illegitimate (they aren’t), but because they are commonly misused by tech support scammers to access their victims’ systems. (Which is why some security products flag them as ‘potentially unwanted’ or ‘potentially unsafe’.) Scammers do this for two main reasons:

  • To fabricate ‘proof’ that the system is compromised by malware or otherwise at risk, so that the victim will pay for ‘assistance’ from the scammer.
  • To make changes to the victim’s system (or, sometimes, to pretend to make changes) that are meant to prove that the scammer is providing a chargeable service. Sometimes the scammer will add useful utilities, but in that case they’re usually applications that the victim could get for free elsewhere. Sometimes the additions are less useful, and might even be harmful.

In addition, the scammer will sometimes make changes to the system that are downright malicious: in particular, if the victim gives him access to his system but is reluctant to proceed with allowing the changes or making payment, the scammer will often deprive (or try to deprive) the victim of the ability to use the system at all.

The Buhtrap operation described in a blog by my ESET colleague Jean-Ian Boutin isn’t directly connected with tech support scams, as far as I know, but it did involve the misuse of the Ammyy Admin utility. People who downloaded the free version from the Ammyy site while it was compromised would, in Jean-Ian’s words, have been served…

…a bundle containing not only the legitimate Remote Desktop Software Ammyy Admin, but also an NSIS (Nullsoft Scriptable Installation Software) installer ultimately intended to install the tools used by the Buhtrap gang to spy on and control their victims’ computers.

It’s not clear how the site came to be compromised – Ammyy’s developers apparently never responded to ESET’s warnings – but it’s now clean. However, the malicious installation bundle was being served for about a week. Jean-Ian comments:

If you downloaded and installed Ammyy Admin recently, your computer might be compromised by one of the malware described above. Since we do not know exactly when the attack started nor if the site is still compromised, we recommend that you take precautionary measures and use or install a security product to scan and protect your computer.

Obviously, this could include tech support scam victims directed to that specific page, as if they hadn’t been victimized enough already. 🙁
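The practical lesson of the Ammyy incident is that a download from the vendor’s own site is not, on its own, evidence that the file is what the vendor built. The following PowerShell function is an added example (it is not from the original post, from ESET or from Ammyy) of the checks a cautious user or helpdesk can run on a downloaded installer before executing it. It assumes the installer is a Windows PE file; the expected hash and signer name are placeholders to be filled from an out-of-band source, and the ‘NullsoftInst’ string check is only a heuristic for spotting an NSIS wrapper of the kind described above.

```powershell
# Added example (not from the original post, ESET or Ammyy): pre-run checks on a downloaded
# installer, as a precaution against the kind of trojanised bundle described above.
# $ExpectedSha256 and $ExpectedSignerPattern are placeholders; real values must come from
# the vendor through a channel other than the (possibly compromised) download page.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256,          # vendor-published SHA-256, if one is available
        [string]$ExpectedSignerPattern    # substring expected in the signing certificate subject
    )
    $result = [ordered]@{
        Path            = $Path
        SignatureStatus = 'NotChecked'
        Signer          = $null
        HashMatch       = $null           # stays $null when no expected hash was supplied
        NsisStub        = $false
        Verdict         = 'REJECT'
    }

    # 1. Authenticode: an unsigned or broken signature is a stop condition on its own.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

    # 2. Hash against an out-of-band value. A hash printed on the same page that served
    #    the file proves nothing if that page was altered along with the file.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        $result.HashMatch = ($actual -ieq $ExpectedSha256)
    }

    # 3. Heuristic (an assumption, not a rule): NSIS-built installers carry the 'NullsoftInst'
    #    marker in their first header. A vendor that does not normally ship an NSIS package
    #    suddenly doing so deserves a second look; a hit is a prompt to investigate, not proof.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $result.NsisStub = $text.Contains('NullsoftInst')

    $signedOk = ($sig.Status -eq 'Valid') -and
                ((-not $ExpectedSignerPattern) -or ($result.Signer -like "*$ExpectedSignerPattern*"))
    $hashOk   = ($null -eq $result.HashMatch) -or $result.HashMatch
    if ($signedOk -and $hashOk) { $result.Verdict = 'ACCEPT' }

    [pscustomobject]$result
}

# Usage (path, hash and signer are placeholders, not real values):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\installer.exe" `
#     -ExpectedSha256 '<hash from the vendor, obtained out of band>' -ExpectedSignerPattern '<vendor name>'
```

The function deliberately treats a valid signature as necessary rather than sufficient: the NSIS flag is reported even when the verdict is ACCEPT, because a signed outer installer can still wrap an unsigned payload, and the decision to run the file should rest with a human looking at all three fields.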

David Harley

Biting the Biter

Darren Pauli reports for the Register that Matthew Weeks has released a Metasploit module that exploits a flaw in Ammyy Admin 3.5 to attack a machine being used to ‘take over’ a client machine.

The rationale here is that Ammyy software is frequently used by support scammers to take over a victim’s machine in order to ‘prove’ that the machine is infected by malware, or to install ‘protective’ software, or for other nefarious purposes. Well, if you found this post, the chances are you’re well aware of support scammer operations, and if you’re not, there’s plenty of information elsewhere on this site.

I don’t, of course, have any interest in defending the activities – far less the systems – of support scammers, but this approach gives me more than a little old-school AV queasiness. Weeks explains:

I don’t normally release zero day exploits, but I made an exception in this case because given the reporting and usage of Ammyy Admin I consider it highly unlikely to be used to compromise innocent victims. The primary users at risk of compromise are the scammer groups.

Primary users at risk? Well, he may not be able to see much risk to other groups, but I suspect that others can. In any case, who is going to make use of this? Probably not Weeks, since he acknowledges:

No scammer group has ever called me, and I have never used this except to test it and in demonstrations.

It’s certainly not an approach that’s going to be available to the victims of the scam, by definition: if they don’t have the technical knowledge to recognize the (techno)logical flaws in an attacker’s spiel, Metasploit means nothing to them. I can see some of the many people who go out of their way to waste a scammer’s time trying this out, but in doing so they may well (as Pauli suggests) place themselves in legal jeopardy (under the UK Computer Misuse Act, for example), even if they feel ethically secure hacking a hacker. There may be an ethical justification there by analogy with sinkholing a botnet, for example, but botnet countermeasures also have to be carried out within legal limits.

Will it be a deterrent to scammers? Perhaps, though I suspect that once scammers get to know about this kind of countermeasure, they may be quicker than legitimate users of Ammyy software to patch. Or they may simply move to one of the many alternative remote access tools used in support scams.

David Harley