AMMYY warning against tech support scams

We now interrupt my usual workflow to bring you some encouraging news from the less-than-wonderful world of PC tech support scams. (Courtesy yet again of Virus Bulletin’s Martijn Grooten: Martijn, where do you find the time to track all this stuff?)

When a support scammer tries to get you to hand over your credit card details in exchange for a fraudulent virus removal and system protection ‘service’, an important part of the scam involves persuading you to give them remote access to your system. They do this partly to convince you that there is a problem with your system, and partly to ‘help you’ by installing the software you’re paying them for. The software is often legitimate, but it’s also usually stuff you could get for free elsewhere, and usually has very little to do with protecting you from imaginary viruses. According to reports from the UK, the scammers often use the logmein.com remote access service (I see reports of TeamViewer being used, too), but in the US, they make use – more often than not – of ammyy.com, a service apparently operating out of Seattle. In fact, the scam is often referred to in the US as the ammyy scam, though I haven’t seen much in the way of serious suggestions that Ammyy LLC is directly implicated in the fraudulent use of its service.

However, it seems that Ammyy is aware of the problem and is eager to disassociate itself from the scam.

!!! If you receive a phone call claiming to be from ‘Microsoft’ or someone claiming to work on their behalf, telling you that you have a virus on your computer or some errors which they will help you to fix via Ammyy Admin, it is definitely a scam.

Can’t argue with that. But judging by some of the questions I get asked by people who’ve been caught out by scammers, wondering how they can be sure the crooks can’t regain access, this is a passage that many people will appreciate:

“…make sure Ammyy Admin Service isn’t installed and doesn’t run in automatic mode. For this go to main window of Ammyy Admin -> Ammyy -> Service -> Remove. Then restart your PC again.”

The company also assures us that if you don’t want to use Ammyy Admin, you don’t have to uninstall it, just delete the .EXE.
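For readers who would rather verify than trust the GUI, here is a read-only check for what the quoted advice is aimed at: an Ammyy service set to start automatically, a running instance, or a leftover copy of the executable. This is an added example, not Ammyy's or ESET's own tooling. It assumes PowerShell 3.0 or later in an elevated prompt, matches on the string "ammyy" and on the file name aa_v3.exe (the name reported in the comments on this post) rather than on a known service name, and only searches a few common folders.

```powershell
# Added example: read-only triage for leftover Ammyy Admin components.
# Nothing is deleted or stopped; the script only reports what it finds.
$exeName = 'aa_v3.exe'      # file name taken from the comments on this post
$pattern = 'ammyy|aa_v3'    # assumption: service/process is matched by string

# 1. Services whose name, display name or binary path matches.
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern })

# 2. Processes running right now (Path can be empty for protected processes).
$procs = @(Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match $pattern -or $_.Path -match $pattern })

# 3. Copies of the executable in common locations (assumed search roots).
$roots = @("$env:SystemDrive\Users", $env:ProgramData, $env:ProgramFiles,
           ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$files = @(Get-ChildItem -Path $roots -Filter $exeName -Recurse -File `
    -ErrorAction SilentlyContinue)

foreach ($s in $services) {
    $flag = if ($s.StartMode -eq 'Auto') { 'STARTS AUTOMATICALLY' } else { $s.StartMode }
    Write-Output ("SERVICE  {0} [{1}, {2}] {3}" -f $s.Name, $flag, $s.State, $s.PathName)
}
foreach ($p in $procs) {
    Write-Output ("PROCESS  pid={0} {1} {2}" -f $p.Id, $p.ProcessName, $p.Path)
}
foreach ($f in $files) {
    # A file can borrow this name, so record who (if anyone) signed it.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    Write-Output ("FILE     {0} modified={1:u} signature={2} signer={3}" -f `
        $f.FullName, $f.LastWriteTime, $sig.Status, $signer)
}
if (-not ($services.Count + $procs.Count + $files.Count)) {
    Write-Output "No service, process or $exeName copy found in the searched locations."
}
```

A SERVICE line marked STARTS AUTOMATICALLY is the case the quoted advice addresses: remove the service through the Ammyy menu as described, restart, then delete any FILE entries and run the check again.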

Ammyy have just taken several steps up in my estimation. Perhaps we can hope for similar advice from Logmein?

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

  • Louis Verberne

    On August 23 I was phoned by a person who said he called on behalf of Microsoft. A few minutes later during that phone call, there was another man who spoke to me. Both men had an Asiatic accent, I think India or Pakistan. They knew (or they said they knew) I have a PC with Windows XP with problems. They said I don't have a firewall, and I gave them permission to take over my PC, but I assured them that I have different firewalls, one in Norton and one in Windows. They took over my PC and they said they should fix my Windows Firewall (from Microsoft) for only 91 euros. I refused to pay, because I had already paid for Windows, and at that moment I thought they were scammers, but they had taken over my PC and I saw them search on my hard disk for a very long time. I told them that I would stop this contact and after stopping I took out my connection to my WiFi router. Today I've read a warning by an ombuds organisation in the Netherlands (named Kassa) who will bring attention to this item, and I took a look at my XP PC today. I saw one new program from Ammyy Admin with connections to Ammyy LLC, the program aa_v3.exe and the websites and . What do you advise me to do?

    • David Harley

      Louis, it looks as if you put in a link which has been automatically stripped (that’s done by this site as an anti-(comment)spam measure). In any case, I don’t have enough direct experience of Ammyy Admin to give you authoritative advice. However, aa_v3.exe is the name of an ammyy executable, and ammyy’s warning states that it’s sufficient to delete the executable.

      Of course, a malicious executable could call itself by that name, but under the circumstances it seems reasonable to assume that ammyy is what they used to get onto your system, and that all you need to do is delete the file. It’s possible that the scammers left some sort of shortcut on your system, but if they did, it would probably still rely on the ammyy executable being there.

  • John

    AMMYY needs to do more rather than put a statement on several websites. They could easily add a 'signup' section first before you can download the software. A simple adjustment like this would make people receiving those phone calls think this could be a scam. Also, it would make it harder for the scammers to carry it out (maybe add an additional false story). If Ammyy has genuine customers that want to use the product they would sign up and download the product.

    • David Harley

      Well, they haven’t solved the problem by making that statement. But they’ve been a little more responsible than other remote access providers whose products have been misused. This gives me a bit of an idea, actually. I might come back to that in a separate blog.

  • Lorrie

    AMMYY again today from these ID scammers from India!

  • William Smith

    Thanks for posting, David. Agree with the above comments, more does need to be done than just making the statement.

  • Steve Seals

    I can't stand seeing scammers doing these things with free, useful software.  Adding an additional step for signing up for ammyy would just make it more of a hassle for the end user.  I've never used ammyy myself, and until last night when my mother got the scam call at midnight with "ma'am, the hackers are trying to get into your system RIGHT NOW", I hadn't even heard of it.  But it sounds like something I would like.  Abusing good things will only make the good things "less good."

  • Jose Torres Romero

    This is terrible. My girlfriend just got hacked by them & they shut down her computer when she attempted to comment on here

    • Stephen Cobb

      I doubt the shutdown was triggered by commenting, more likely a coincidence of timing. We are not aware of any attacks targeting the comment system.

      • Rena

        My mom just got a call from them and she told them that she will do some further investigating of them, then a “supervisor” got on the phone and told her that if she didn’t go to the website they suggested they would shut down her pc… she hung up on them

        • Stephen Cobb

          Thanks for sharing Rena. Yes, these guys are really nasty!

  • Ari

    WOW! They called me minutes ago and when I saw they wanted me to download sth from this web site with its weird name, I told them let me call you back. Give me Microsoft Windows technical department! Ha ha! This is the number they gave me: 02081446007; don’t know for sure but it must be faked!

  • MikeC

    My mother just got taken in by these people. Same situation. An Indian-sounding tech from “Microsoft” contacted her, remoted in and started doing some “simple maintenance”. He then explained that her computer had been infected, that he could fix the issue and offered her a yearly service subscription for an insignificant 500 dollars. When she declined and stated that she wished to talk to me about the service, he then dropped the price to 50 dollars for a single month of the service. She declined once again and was left with a number to call.

    Upon speaking to my mom and having discovered what happened, I disconnected the modem and discovered the “ammyy” program. I then removed a number of programs. The issue though was when we restarted the computer. Immediately after the black reboot screen, a new password window pops up that prevents logging into the computer.

    The way I explained what happened to my mom is as follows… A mechanic calls saying that he was “notified” her car had an issue and would be happy to take a look. The mechanic in the midst of “looking” at the car removes the starter. When you fail to start your engine, you call the friendly mechanic who just took a look at your car… who then steals your credit info…

    • Stephen Cobb

      Thanks for sharing Mike. It looks like they are getting more aggressive all the time. And some of them are so convincing it is no wonder people fall for the scam if they have not heard of it before.

  • AB

    They just called me!!! I go to AMMYY.com to give them control of my computer (like I would do that), I told the woman no and she put a supervisor on the phone. I told him it was b.s. and he was giving me an argument. “How would I have your phone number if Microsoft didn’t give it to me?” I have a block for no caller ID/not allowed and they broke through that!!! They don’t appear on caller ID. Shrewd people – both with accents supposedly calling from Brooklyn, NY haha… sure. Anyone know how they got our number?

    • Stephen Cobb

      AB – Thanks for sharing.

      Did they call you on your landline? They may just be robo-calling every number in an area.

      Stephen

  • Jessica Maddox Nichols

    I just had them call me too…I kept the creep on the phone for 45 minutes and even had him calling me “MOMMY” lol…my kids and I were dying laughing at this guy. I am gonna have to youtube the call…I think I will name it ammy mommy…search it cuz its so funny

  • disqus_HDN9yRwCWb

    I just received a call from someone claiming to be Tech Support working with Microsoft and asking me to go to http://www.ammyy.com. When I refused to go to the site, I insisted on a phone number to call him back after I checked it out. He gave me a cell phone number in Miami. (786)600-1027. So sorry to anyone who happens to have that number.

  • Tom

    Was called by a man called Ryan Wilson wanting to refund me some money because he said I had paid up for 5 years on pc helpline. Thing is he wanted to pay me £300 and I don't remember ever paying more than £40. He wanted me to fill in my credit card details, which I refused. Anybody else with anything similar??

    • dharleyatESET

      I’ve heard other instances of the same ploy being used. It’s also somewhat similar to 419 scams where the scammer claims he’s offering you recompense for having been scammed by a 419. Astonishingly cheeky. I would assume in this case that the caller is interested in getting your credit card details, not in getting you a refund. It’s his pockets he’s interested in filling, not yours.

  • EasternOrGuy

    Just experienced the same scenario as badwolf303. Took me to an error logging admin page, where there were 17,0000 plus errors, told me we caught it just in time. I was a bit skeptical, because my computer has been working fine. He claimed he was from Microsoft, had an Indian accent, and knew my home address.

Copyright © 2013 ESET, All Rights Reserved.