Tag Archives: Steve Burn

Tech Support Scams Latest

I’ve just added a link on the resource page to another article from Malwarebytes on support scams using a fake Blue Screen of Death, this time by Chris Boyd: Avoid this BSoD Tech Support Scam. Also some comment by John Leyden for The Register.

I also noticed today a comment to one of my ESET articles of some possible interest to support scam watchers. Actually, I think I approved the comment some time ago, but never got around to flagging it elsewhere.

I know these are scams, and I work in IT, but I had only heard these stories from my mom about them calling her. I wondered if this was a scam targeting older people, since I had never been called. Now they have started calling. 

While these scammers certainly seem more than happy to defraud older people, probably because they expect them to be less conversant with technology and therefore likelier to fall for the pitch, I doubt if the cold calls are, in general, actually targeting my generation. (I’m happy to note that – in the UK, at any rate – my generation is less gullible than you might think.)

The first time they call, about 3 weeks ago, the guy tells me my computer is infected. When I asked which computer he says my windows computer. I tell him I have, which computer is the problem. He tells my I am lying, that I don’t have 7 windows computers. He them hangs up on me for wasting his time. 

Today they called again. I played along, though I did say I had multiple computers, this guy said they were all likely infected. I asked him to verify the IP of the infected machine and he tells me he can’t but he can verify the CL SID. He rattles of the CLSID listed here and asks me to run the assoc command.

So far, so typical of many of the hundreds of reports I’ve seen.

By this time I already have this site open.

(The comment is one of nearly 500 attached to this article: Support desk scams: CLSID not unique.)

I string him along for a little bit when I finally tell him, politely, that I know this is BS. At first he denies it, then he actually acknowledges it, acknowledges that he is in Calcutta. Tells me a little about his family, and that he is in school. Tells me that work is hard to find, and asks if it’s as hard here as it is there. He tells me that the scam jobs make 14,000 a year, but the legit ones that he can find only make 7,500 a year. At the end of the call, he thanked me for not yelling and screaming profanities at him. Overall I was on the phone for 40 minutes and 20 of that was after I told him I knew.
Weirdest call ever. 

Well, it’s not quite the first time that a conversation somewhat like this has taken place. My friend and former colleague Craig Johnston recounted a similar encounter in Virus Bulletin back in 2011, which he also talked about in our joint presentation at Virus Bulletin with Steve Burn and Martijn Grooten. The guy Craig talked to was a little more self-deluded: as Craig said, ‘While the caller admitted that the methods used to convince the ‘customer’ were dodgy, he was keen to assure me that the product being sold was legitimate and that it would benefit the customer.’

In this case, the scammer didn’t try to offer such self-justification, but may give us some insight into the economics of scam versus legitimate call-centre jobs (though we believe that some call-centres use both scam and legit approaches to support). I’ve talked before about scammer motivation, but it does at least seem that not all support scammers are bullies and worse (like the unspeakable monsters who try to block their victim’s access to their own systems if they allow the scammer access and then decide not to purchase his ‘services’) and may even have the grace to be less than proud of the way they make their living.

David Harley
ESET Senior Research Fellow


Smartphones, Tablets and Support Scams

An interesting article by Jérôme Segura for the Malwarebytes blog: Tech support scammers target smartphone and tablet users. With particular reference to scammers advertising support for Android.

You might also find this thread, flagged by my good friend Steve Burn, also of Malwarebytes, of interest: https://www.mywot.com/en/forum/42800-microsoftsupporter-com.

Added to the Tech Support Scam Resources page, of course.

David Harley
Small Blue-Green World
ESET Senior Research Fellow 

More about Dorifel as a scammer ploy, and Ammyy warns of misuse of its service

More about PC support scams.

First, here’s a somewhat free translation of part of an article at http://www.waarschuwingsdienst.nl/Risicos/Actuele+dreigingen/Softwarelekken/WD-2012-069+Malware+besmetting+infecteert+office+bestanden.html that describes the support scam gambit described in Dorifel/Quervar: the support scammer’s secret weapon whereby victims in the Netherlands, where Dorifel is somewhat prevalent, have been rung by scammers offering ‘help’ with removal of the virus. (By the way, interesting though Quervar is to researchers – see Quervar – Induc.C reincarnate? – it isn’t that prevalent, though there has been a spike in reports in that region. Most people are never going to see it.)

Currently, there are reports from people who are approached by phone by Microsoft offering to assist them in removing the Dorifel virus that is currently in the news.

The caller tells the prospective victim in (flawed) English claimed that the he or she has malicious software on his or her computer and that to the scammer can help them solve this over the phone. In almost all cases the scammer requires an extortionate amount of money for a (non-functional) antivirus package, asking for personal information and credit card data.

It also appears that the caller refers victims to a website where software can be downloaded to their PC. They seem to be offering help via remote access but in reality an uninfected PC might finish up infected, and an infected system could pick up an extra infection.

What are your options?

  • You can’t stop the scammers calling. [Actually, it might be possible with some services in some countries, but they don’t take any notice of do-not-call registries (DH)]
  • Ask for a local (Dutch) telephone number that you can call back on.
  • On no account give them remote access to your computer.
  • Be very cautious with the transmission of personal data and credit card numbers over the phone. [Don’t give them to anyone whose credentials you can’t verify (DH)]
  • If you have any suspicions of bad intent, hang up as quickly as possible. [Feel free to put the phone down on ’em, though they may call again. (DH)]

[Translation ends here.]

And now, the good news: ammyy.com, a remote access service very frequently misused by support scammers, has warned users of Ammyy Admin about the scam, and even given some advice for the victims who’ve fallen for it.

  • Turn off their internet connection: that makes sense as a short term measure to reduce the risk from something they’ve left to call home, as they may have tried to do in an incident described in The Tech Support Scammer’s Revenge.
  • Contact their bank to freeze their bank accounts – that may be overkill, but I can’t say it isn’t worth considering the possibility of your financial services having been compromised
  • Reboot and scan for viruses. Again, a sensible precaution, even if we haven’t seen confirmed reports of out-and-out malicious software so far.
  • And to ensure that the scammers don’t (assuming they used Ammyy) manage to get back onto the system:

“…make sure Ammyy Admin Service isn’t installed and doesn’t run in automatic mode. For this go to main window of Ammyy Admin -> Ammyy -> Service -> Remove. Then restart your PC again.”

The company also points out that Ammyy Admin doesn’t have to be uninstalled: you can just delete the .EXE. Hat tip to Martijn Grooten for flagging this. Steve Burn’s post also refers. (Not surprisingly: we tend to share information about this stuff as we see it.)

ESET Senior Research Fellow

‘Tech Support’ Scam Resources Page updated

I haven’t updated the scam resources page on the AVIEN blog site since November 2011. Mea Culpa. However, that doesn’t mean I haven’t been beavering aways at raising awareness of this scam among readers of my blog, the security industry, and (not least) law enforcement. So I’ve finally got around to updating the page.

Firstly, I’ve changed the name to something more unwieldy (less wieldy?), but a bit more explicit as to exactly what it’s about.

Secondly, I’ve added quite a few links to resources. Depressingly, most of them are my own blogs – I can’t believe how hard it is to get people to take notice of this scam! – but I shouldn’t forget to mention my friends and colleagues Steve Burn (MalwareBytes), Craig Johnston (independent researcher) and Martijn Grooten (Virus Bulletin), with whose help I’ve put together a couple of somewhat massive papers to be presented at CFET and Virus Bulletin later this year.

AVIEN & Small Blue-Green World Dogsbody
ESET Senior Research Fellow

Support scams: what can AVIEN do about it?

In the wake of a blog I posted today at ESET, on my perennial warhorse of support scams and cold-calling, I’ve been talking to Martijn Grooten of Virus Bulletin and Steve Burn, both of whom contributed to that article. While we and other people in the industry hack away from time to time at this unpleasant but undramatic variety of fraud, the telephonic equivalent of fake AV, it doesn’t seem to have much impact on the hydra-headed scammer networks of Kolkata and New Delhi. How, we wondered, can we make more headway?

It would be nice to think that people who read those occasional articles from security bloggers get some educational value out of them, that’s a tiny number compared to the potentially exploitable Facebook users, for example, who might be tricked into endorsing a scammer’s FB page. In fact, it’s even worse than that, in that readers of security blogs are generally aware enough not to fall so easily for scams: many people comment on my ESET blogs on the topic, but most of them aren’t themselves victims.

While there’s occasionally a little more movement when the media like the Guardian, or the Register, or SC Magazine picks up the theme (as they all have), they’ll only do that now and again, and only when there’s a particularly dramatic or emotional story to hang it on.

Law enforcement doesn’t seem to be making much of an impact either. And that’s understandable: like the 419 gangs, the scammers are a volatile and scattered target, individual victims tend to lose fairly small sums even compared to some of the big 419 scores, and that lessens the interest from law enforcement in general, even assuming that cooperation betweenthe countries targeted by the scammers (US, UK, Australia, New Zealand, and to a lesser extent parts of Europe and limited regions in the Far East) and the regions of India that seem to be spawning this type of activity. Agencies might, I suspect, be more interested if the security people who work with them directly on other issues such as botnets and phishing were themselves more interested. But while there are quite a few security-oriented individuals who’d like to see more action, I’m not sure how much of a concentrated effort we can get out of the security industry, because the PR value doesn’t really translate directly into product sales.

Again like 419 scams, people are interested in reporting incidents close to home, but as the Met’s own fraudalert page suggests (http://www.met.police.uk/fraudalert/reporting_fraud.htm) there’s no clear single mechanism and precious little feedback. I’m wondering whether it might be worth trying to establish a central information resource and building on that in some or all these directions, with an initial focus on education. If so, perhaps AVIEN would be a suitable venue, since it has a lot of people with security expertise but is essentially vendor neutral, even though many AV companies still participate, or at least subscribe to our mailing lists.

I’d kind of like to put more of a focused effort into fighting this, but it isn’t something I can do all by myself. What do the AVIEN members out there think?

Small Blue-Green World/AVIEN
ESET Senior Research Fellow