Support-Scammer Tricks

I have been blogging about support scams for quite a while and I figure this might be a good time to highlight some of the snippets of information that people have posted on some of those blogs (anonymized, of course). You can also find more about these support scams on the resource page I've started at AVIEN, the Anti-Virus Information Exchange Network.

One prospective victim was instructed to connect, via the Run window, to a site called www.support.me, which requests a connection code, as you can see here:

This site turns out to belong to logmein.com, the home of one of the (legitimate) remote access tools abused by scammers to "fix" their victim's computer, install "better" antivirus or antispyware, and so on. (Another site is ammyy.com, apparently more favoured by scammers calling victims in the US.) If anyone goes as far as getting a box like this, it would be interesting to know what code they are instructed to enter, since this may help in tracking scam sites.

However, the fact that a scammer might be using legitimate remote access software doesn't, of course, make it safe or even legitimate. Once the scammer has access to your machine, he can download anything he likes, in principle. (I first became aware of this type of scam because one or more scammers were downloading cracked or trial versions of ESET software: we got to hear about it when they didn't work or stopped working.)

One correspondent tells us that his wife was scammed and that when he examined the machine using AVAST!, it identified the file AMMYYadmin.exe as Win32:PUP-GEN. Of course, I don't work for AVAST!, but that sounds like a generic identifier for a Possibly Unwanted Program: ESET uses the similar acronym PUA (Possibly Unwanted (or Unsafe) Application), so it could have been the legitimate program. This kind of identifier is used for programs that may have legitimate uses, so cannot be flagged as malware, but may be used for malicious purposes. (I'd say that fraud is malicious, wouldn't you?) See Aryeh Goretsky's paper Problematic, Unloved and Argumentative for more information on "possibly unwanted" and "possibly unsafe".

According to that last commenter, part of the scam pitch was to tell his wife that AVAST! is not compatible with XP. Clearly, that's one to look out for.

Victim: I already have X antivirus and Y antispyware installed.

Scammer: But those products are not compatible with Windows XP (or Vista, or 7).

Unfortunately, this approach may well become more convincing: as Microsoft's support for XP sinks into the West, it may well be that some security products will also discontinue support for it. But it hasn't happened yet, as far as I know!

Most of the scam calls I get are flagged as International Withheld, but here are a few phone numbers that, according to other blog comments, have been used by support scammers:

+2538020308 (whereabouts of commenter unknown)

0800 520 0304 (interesting: that's the number on the efix.co web site…)

00016076259911 (from a reader in New Zealand)

It seems that numbers are being derived from a variety of sources. I've had calls where the scammer had clearly got my details from a telephone directory, but some comments indicate that their ex-directory numbers (that’s “unlisted numbers” for American readers) have been called. That could indicate random dialling in some cases, especially where the scammer asks for some equally random name and quotes a random address (as described in Facebook Likes and cold-call scams). However, some of these instances don't seem to be random. I'll be looking into that.

Finally, here's an interesting variation on the CLSID trick I described in an earlier blog: http://blog.eset.com/2011/07/19/support-desk-scams-clsid-not-unique. One of the comments on that blog tells us that a scammer told him that “Your Microsoft’s Computer Licence Security ID has been identified as obsolete and needs to be renewed”. That is not what the CLSID is or does, and it isn't at all unique: many millions of PCs have the same ID.

If you have any information on this type of scam, feel free to comment here or email askeset (at) eset.com.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow


Author David Harley, ESET

  • NA Campbell

    Stupid and lazy people.

    • David Harley

      Not sure if you’re referring to the scammers, the victims, the comment posters, or me. :)

  • NA Campbell

    The scammers Harley lol.

    • David Harley

      Phew! :)

  • NA Campbell

    Sorry Harley, I should have said Stupid and lazy people those scammers are lol. :)

  • Phil Wilson

    David Harley – not sure if you did this, but 00016076259911 has an international prefix. A search on 6076259911 and variations such as 607-625-9911 or (607)625-9911 shows lots of people getting "Windows Tech" calls from that number. One lookup claims the number to be in Apalachin, NY. No, I haven't called it ;)

    • David Harley

      I was actually slightly confused by the number as it was posted: yes, you prefix an international call with two 0s, but that one had three 0s. Still, looking at sources like whocallsme.com does get lots of hits on that +1 (N. America) number.
