There have been suspicions before that TalkTalk customers have been targeted by tech support scammers who know more about their intended victims (and their issues with TalkTalk) than they should. I’ve alluded to them in some articles on this site.
I don’t, of course, know the facts behind those suspicions, but I note that Graham Cluley has encountered another curious incident – I won’t say coincidence…
My first engagement with and introduction to the malware problem was back in 1989. Surprisingly, that first encounter was not a virus, even though through the 80s viruses were the aspect of security that most people were aware of, and Trojans – or trojans, as some of my colleagues in the industry nowadays insist on spelling it – comprised at that time a very small proportion of the virus-dominated malware scene. However, the ‘AIDS Trojan’ was pretty big news at the time in the fledgling anti-virus industry, even though it targeted a fairly specialized sector of the medical research community.
In fact, I still have one of the disks sent out carrying the ‘AIDS Trojan’, sometimes cited as the first ransomware, at the end of the 1980s, retained for purely sentimental reasons.
However, the impact and scale of the ransomware problem seems to have increased dramatically in recent months, so I thought perhaps it was time to set up a page somewhat along the lines of our tech support scams page. Unfortunately, it’s not as polished as I’d like, due to pressure to meet other commitments. But I figured this might be one of those ‘something is better than nothing’ moments. Not that there isn’t already good information out there, but I wanted to have some links and commentary in one place.
So here it is, warts and all.
It’s common for tech support scams to be referred to as ‘the AMMYY scam’ or ‘the TechViewer scam’: not because these remote access utilities/services are not legitimate (they are), but because they are commonly misused by tech support scammers to access their victims’ systems. (Which is why some security products flag them as ‘potentially unwanted’ or ‘potentially unsafe’.) They do this for two main reasons:
- To fabricate ‘proof’ that the system is compromised by malware or otherwise at risk, so that the victim will pay for ‘assistance’ from the scammer.
- To make changes to the victim’s system (or, sometimes, to pretend to make changes) that are meant to prove that the scammer is providing a chargeable service. Sometimes the scammer will add useful utilities, but in that case they’re usually applications that the victim could get for free elsewhere. Sometimes the additions are less useful, and might even be harmful.
In addition, the scammer will sometimes make changes to the system that are downright malicious: in particular, if the victim gives him access to his system but is reluctant to proceed with allowing the changes or making payment, the scammer will often deprive (or try to deprive) the victim of the ability to use the system at all.
The Buhtrap operation described in a blog by my ESET colleague Jean-Ian Boutin isn’t directly connected with tech support scams, as far as I know, but it did involve the misuse of the Ammyy Admin utility. People who downloaded the free version from the Ammyy site while it was compromised would, in Jean-Ian’s words have been served…
…a bundle containing not only the legitimate Remote Desktop Software Ammyy Admin, but also an NSIS (Nullsoft Scriptable Installation Software) installer ultimately intended to install the tools used by the Buhtrap gang to spy on and control their victims’ computers.
It’s not clear how the site came to be compromised – Ammyy’s designers apparently never responded to ESET’s warnings – but it’s now clean: however, the malicious installation bundle was being served for about a week. Jean-Ian comments:
If you downloaded and installed Ammyy Admin recently, your computer might be compromised by one of the malware described above. Since we do not know exactly when the attack started nor if the site is still compromised, we recommend that you take precautionary measures and use or install a security product to scan and protect your computer.
Obviously, this could include tech support scam victims directed to that specific page, as if they hadn’t been victimized enough already. 🙁
Jérôme Segura talks about his paper Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam, which he just presented at Virus Bulletin 2014, on the Malwarebytes blog: Tech Support Scams exposed at VB2014. The blog includes a link to a PDF version of the slide deck.
Added to the AVIEN resources page, of course.
ESET Senior Research Fellow