AMMYY warning against tech support scams

We now interrupt my usual workflow to bring you some encouraging news from the less-than-wonderful world of PC tech support scams. (Courtesy yet again of Virus Bulletin’s Martijn Grooten: Martijn, where do you find the time to track all this stuff?)

When a support scammer tries to get you to hand over your credit card details in exchange for a fraudulent virus removal and system protection ‘service’, an important part of the scam involves persuading you to give them remote access to your system. They do this partly to convince you that there is a problem with your system, and partly to ‘help you’ by installing the software you’re paying them for. The software is often legitimate, but it’s also usually stuff you could get for free elsewhere, and usually has very little to do with protecting you from imaginary viruses.

According to reports from the UK, the scammers often use the logmein.com remote access service (I see reports of TeamViewer being used, too), but in the US, more often than not, they make use of ammyy.com, a service apparently operating out of Seattle. In fact, the scam is often referred to in the US as the ammyy scam, though I haven’t seen much in the way of serious suggestions that Ammyy LLC is directly implicated in the fraudulent use of its service.

However, it seems that Ammyy is aware of the problem and is eager to disassociate itself from the scam.

!!! If you receive a phone call claiming to be from ‘Microsoft’ or someone claiming to work on their behalf, telling you that you have a virus on your computer or some errors which they will help you to fix via Ammyy Admin, it is definitely a scam.

Can’t argue with that. But judging by some of the questions I get asked by people who’ve been caught out by scammers, wondering how they can be sure the crooks can’t regain access, this is a passage that many people will appreciate:

“…make sure Ammyy Admin Service isn’t installed and doesn’t run in automatic mode. For this go to main window of Ammyy Admin -> Ammyy -> Service -> Remove. Then restart your PC again.”

The company also assures us that if you don’t want to use Ammyy Admin, you don’t have to uninstall it, just delete the .EXE.
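
A read-only PowerShell check for the leftovers described above: a service set to start automatically, the executable itself, or a startup entry pointing at it. This is an added example, not Ammyy's or ESET's own tooling; the match pattern is an assumption built from names on this page (`Ammyy`, `AA_v3.exe`), and the folders searched are an assumed set of common download locations.

```powershell
# Added example: read-only triage for leftovers of an Ammyy Admin session.
# ASSUMPTIONS: the pattern is built from names on this page ("Ammyy",
# "AA_v3.exe"); the folder list is a guess at common download locations.
# Nothing is stopped, deleted or modified.
$pattern = 'ammyy|aa_v\d'   # -match is case-insensitive by default

# 1. A service registered to start with Windows (the "automatic mode" case).
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 2. A copy that is running right now.
$processes = Get-Process |
    Where-Object { "$($_.ProcessName) $($_.Path)" -match $pattern } |
    Select-Object Id, ProcessName, Path

# 3. The executable on disk, with hash and signer, so that a file merely
#    named like the real program can be told apart from a signed copy.
$roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop",
           $env:TEMP, $env:ProgramData) | Where-Object { $_ -and (Test-Path $_) }
$files = if ($roots) {
    Get-ChildItem -Path $roots -Filter 'AA_v*.exe' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
}

# 4. Autostart entries: Run keys that mention the program.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
$autoruns = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match $pattern) {
                [pscustomobject]@{ Location = $key; Name = $name; Target = $data }
            }
        }
    }
}

# 5. Shortcuts left in the per-user and all-users Startup folders.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
$shortcuts = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ("$($_.Name) $target" -match $pattern) {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Target = $target }
        }
    }
}

$report = [ordered]@{
    'Services'          = $services
    'Running processes' = $processes
    'Files on disk'     = $files
    'Run keys'          = $autoruns
    'Startup shortcuts' = $shortcuts
}
foreach ($section in $report.GetEnumerator()) {
    "== $($section.Key) =="
    if ($section.Value) { $section.Value | Format-List | Out-String } else { '   none found' }
}
```

Run it in the session of the account that took the call; without elevation, `Get-Process` cannot read the path of processes owned by other accounts.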

Ammyy have just taken several steps up in my estimation. Perhaps we can hope for similar advice from Logmein?

David Harley CITP FBCS CISSP
ESET Senior Research Fellow


  • Louis Verberne

    On August 23 I was phoned by a person who said he called on behalf of Microsoft. A few minutes later during that phone call, there was another man who spoke to me. Both men had an Asiatic accent, I think India or Pakistan. They knew (or they said they knew) I have a PC with Windows XP with problems. They said I don't have a firewall, and I gave them permission to take over my PC, but I assured them that I have different firewalls, one in Norton and one in Windows. They took over my PC and they said they should fix my Windows Firewall (from Microsoft) for only 91 euros. I refused to pay, because I paid already for Windows, and at that moment I thought they were scammers, but they had taken over my PC and I saw them search on my hard disk for a very long time. I told them that I would stop this contact and after stopping I took out my connection to my WiFi router. Today I've read a warning by an ombuds organisation in the Netherlands (named Kassa) who will bring attention to this item, and I took a look at my XP PC today. I saw one new program from Ammyy Admin with connections to Ammyy LLC, the program aa_v3.exe and the websites and . What do you advise me to do?

    • David Harley

      Louis, it looks as if you put in a link which has been automatically stripped (that’s done by this site as an anti-(comment)spam measure). In any case, I don’t have enough direct experience of Ammyy Admin to give you authoritative advice. However, aa_v3.exe is the name of an ammyy executable, and ammyy’s warning states that it’s sufficient to delete the executable.

      Of course, a malicious executable could call itself by that name, but under the circumstances it seems reasonable to assume that ammyy is what they used to get onto your system, and that all you need to do is delete the file. It’s possible that the scammers left some sort of shortcut on your system, but if they did, it would probably still rely on the ammyy executable being there.

  • John

    AMMYY needs to do more rather than put a statement on several websites. They could easily add a 'signup' section first before you can download the software. A simple adjustment like this would make people receiving those phone calls think this could be a scam. Also, it would make it harder for the scammers to carry it out (maybe add an additional false story). If Ammyy has genuine customers that want to use the product they would sign up and download the product.

    • David Harley

      Well, they haven’t solved the problem by making that statement. But they’ve been a little more responsible than other remote access providers whose products have been misused. This gives me a bit of an idea, actually. I might come back to that in a separate blog.

  • Lorrie

    AMMY again today from these ID scammers from India!

  • William Smith

    Thanks for Posting David. Agree with the above comments, more does need to be done than just making the statement.

  • Steve Seals

    I can't stand seeing scammers doing these things with free, useful software.  Adding an additional step for signing up for ammyy would just make it more of a hassle for the end user.  I've never used ammyy myself, and until last night when my mother got the scam call at midnight with "ma'am, the hackers are trying to get into your system RIGHT NOW", I hadn't even heard of it.  But it sounds like something I would like.  Abusing good things will only make the good things "less good."

  • Jose Torres Romero

    This is terrible. My girlfriend just got hacked by them & they shut down her computer when she attempted to comment on here

    • Stephen Cobb

      I doubt the shutdown was triggered by commenting, more likely a coincidence of timing. We are not aware of any attacks targeting the comment system.

      • http://twitter.com/Rena_OConnor Rena

        My mom just got a call from them and she told them that she will do some further investigating of them, then a “supervisor” got on the phone and told her that if she didn’t go to the website they suggested they would shut down her pc… she hung up on them

        • Stephen Cobb

          Thanks for sharing Rena. Yes, these guys are really nasty!

  • Ari

    WOW! They called me minutes ago and when I saw they wanted me to download sth from this web site with its weird name, I told them let me call you back. Give me Microsoft Windows technical department! ha ha! This is their number they gave me 02081446007; don’t know for sure but it must be faked!

  • MikeC

    My mother just got taken in by these people. Same situation. An Indian-sounding tech from “Microsoft” contacted her, remoted in and started doing some “simple maintenance”. He then explained that her computer had been infected, that he could fix the issue and offered her a yearly service subscription for an insignificant 500 dollars. When she declined and stated that she wished to talk to me about the service, he then dropped the price to 50 dollars for a single month of the service. She declined once again and was left with a number to call.

    Upon speaking to my mom and having discovered what happened, I disconnected the modem and discovered the “ammyy” program. I then removed a number of programs. The issue though was when we restarted the computer. Immediately after the black reboot screen, a new password window pops up that prevents logging into the computer.

    The way I explained what happened to my mom is as follows… A mechanic calls saying that he was “notified” her car had an issue and would be happy to take a look. The mechanic in the midst of “looking” at the car removes the starter. When you fail to start your engine, you call the friendly mechanic who just took a look at your car… who then steals your credit info…

    • Stephen Cobb

      Thanks for sharing Mike. It looks like they are getting more aggressive all the time. And some of them are so convincing it is no wonder people fall for the scam if they have not heard of it before.

  • AB

    They just called me!!! I go to AMMYY.com to give them control of my computer (like I would do that), I told the woman no and she put a supervisor on the phone. I told him it was b.s. and he was giving me an argument. “How would I have your phone number if Microsoft didn’t give it to me?” I have a block for no caller ID/not allowed and they broke through that!!! They don’t appear on caller ID. Shrewd people – both with accents supposedly calling from Brooklyn, NY haha…sure. Anyone know how they got our number?

    • Stephen Cobb

      AB – Thanks for sharing.

      Did they call you on your landline? They may just be robo-calling every number in an area.

      Stephen

  • http://www.facebook.com/jessica.maddoxnichols Jessica Maddox Nichols

    I just had them call me too…I kept the creep on the phone for 45 minutes and even had him calling me “MOMMY” lol…my kids and I were dying laughing at this guy. I am gonna have to youtube the call…I think I will name it ammy mommy…search it cuz its so funny

  • disqus_HDN9yRwCWb

    I just received a call from someone claiming to be Tech Support working with Microsoft and asking me to go to http://www.ammyy.com. When I refused to go to the site, I insisted on a phone number to call him back after I checked it out. He gave me a cell phone number in Miami. (786)600-1027. So sorry to anyone who happens to have that number.

  • Tom

    Was called by a man called Ryan Wilson wanting to refund me some money because he said I had paid up for 5 years on pc helpline. Thing is he wanted to pay me £300 and I don't remember ever paying more than £40. He wanted me to fill in my credit card details, which I refused. Anybody else with anything similar??

    • dharleyatESET

      I’ve heard other instances of the same ploy being used. It’s also somewhat similar to 419 scams where the scammer claims he’s offering you recompense for having been scammed by a 419. Astonishingly cheeky. I would assume in this case that the caller is interested in getting your credit card details, not in getting you a refund. It’s his pockets he’s interested in filling, not yours.

  • EasternOrGuy

    Just experienced the same scenario as badwolf303. Took me to an error logging admin page, where there were 17,0000 plus errors, told me we caught it just in time. I was a bit skeptical, because my computer has been working fine. He claimed he was from Microsoft, had an Indian accent, and knew my home address.

  • disqus_v0LELrECIK

    Apparently this happened to my grandfather today, he ended up falling for the scam to a certain level. He got just as far as downloading the option for them to go into the computer. But once they asked for money and credit card, I overheard that part. I quickly looked up the site and found this. He hung up. NOW luckily this was on a 2003 computer, it's an old piece of crap. (Which is why he thought they were being honest about it needing help.) Well anyways, I turned off the computer, unplugged it and everything. I just need to know,

    A. is all the information on the computer still eligible to get messed with and looked into, even tho the computer is off? Like past online transactions, bank, photos and what not? We already informed the bank of what happened, to just be safe. But it would also help to know if they can get into personal things as well.

    B. Someone said it had an effect on the wifi, Now are our laptops and tablets at risk? and if we were to get a new house computer, would that be at risk as well?

    • dharleyatESET

      No-one can get into the PC when it’s off, or disconnected from the internet. We don’t think these guys generally do a serious search of a PC when they’re connected. They’re more interested in the instant gratification of a quick credit card score. I don’t know of any scenario where wifi has been compromised by a support scammer in that way. There was one instance I wrote about in another blog where the scammer tried to trash the machine and disable the network card because the victim didn’t pay up quickly enough.

  • jo

    Hi, this happened to me today. They called, and had me on the phone. They showed me error things and stuff. I believed it because my computer has been messing up. Anyway they got access to my computer and they did a scan and said my security thing was invalid and that I needed protection. They then took me to a site where he wanted me to purchase some antivirus stuff. I said I didn’t want to buy it, that I would fix it on my own. He said he wanted me to fill out a form. He took me there, it was my billing info for PayPal and I refused. He was controlling my laptop. I told him to stop, that I had to go. He said I should leave my computer on for 15 more minutes but I shut down. I feel so stupid. I then turned it back on minutes later to get some files and restored my computer to factory settings. I am scared they took my info because I pay bills and such on my computer. I have changed some of my passwords but I’m scared to use my computer and them still being there. It is restored to factory settings and has an antivirus. What else can I do? I didn’t fill out anything but did they get my info from my internet history or stuff like that

    • dharleyatESET

      Jo, it’s unlikely that they took info from your machine that they’ll make use of in future: generally, they just want to scam you into paying via credit card right now.

  • Jamie

    I just received a call from an Indian person saying that he wanted to refund me the $159 I spent on anti-virus software on March 7th because they were going out of business. He also mentioned that he was with Microsoft when I asked what specific software did I purchase. I didn’t purchase any software recently and knew it was a scam. He pointed me to the ammyy website and told me to download the software. Crazy! I told him I wasn’t downloading software on my computer for a refund. I hung up and he called back 4 times. Crazy!!!

  • Nicholas Bellows

    I had soooo much fun messing with this lady. I strung her along for a good 25 mins. “Oh no! That is a lot of viruses” HA HA HA. Is it just me or does the “Office Ambience” in the background sound totally fake. I am pretty sure I could hear the loop end and restart. Most fun I have had all week. The best part was line clicking when I told her I was an IT professional and that I hoped I had wasted as much of her time as possible.

  • dharleyatESET

    AMMYY is legitimate software. I can’t account for the mouse behaviour you mention, I’m afraid.

  • john

    I had a call from a withheld number saying Microsoft engineer at Talk Talk. I had heard about this so said just a min let me turn tel off. 3 mins later after turning off my router I said o.k. better now can hear you. I played dumb and made him repeat everything twice. He went through loads then said cancel that open run box again and type http://www.ammyy.com. Ok I said he said press o.k, I said ok. He then said can you see a green window I said no it says website not found. Let him get me to try it again this is after 25 mins I have kept him on the phone. Then I said it says server not found DO YOU THINK IT IS BECAUSE I TURNED OFF ROUTER WHEN I KNEW YOU WERE A SCAM.

    Suggest anyone who gets one of these calls do the same. Wasted 25 mins of his time.

  • Joey

    Hi, this happened to me just an hour ago!! And I am stupid! I gave them my credit card information and my $500 was gone…I really wanna cry. I called the bank immediately to cancel my credit card. I downloaded ammyy to my computer and clicked run, and they could just control my mouse on the screen. I am not sure if I installed ammyy on my computer after I clicked run, and I deleted the file which I downloaded and cannot find any other ammyy file on my computer. How can I make sure I uninstall ammyy and what should I do next? Can they still see my information in the future? Please help me

  • Sick of it

    Yep same here..they just tried to scam me, but I realized that the last time I actually called Microsoft tech support, it took forever to get anyone, so why would they call me out of the blue?

  • Sick of it

    I should also note, that the name they used when they tried to scam me shows that they somehow received information on me via AT&T. So whoever is doing this has a link to AT&T.

  • Jordan

    Hi there, please don’t post that last comment. I’m worried about the repercussions of name dropping companies and stuff. Cheers!

    • dharleyatESET

      Deleted your previous comment as requested. To answer a question you raised in that comment, I’ve never seen a report of a tech support scammer going back to get further access to a system he’s accessed in the past, though I can’t say it couldn’t happen. I think they probably try the scam, run through the script if you let them, and move on. I doubt if they keep records of people they’ve tried to scam, successful or not. But I can’t guarantee that. If you’ve done a complete reinstall, I can’t see an attempt to regain access succeeding, though.

  • dharleyatESET

    It doesn’t sound as if they got access to your machine, so you should be ok.

  • MDPrineville

    I just had an encounter by MY calling 866-775-3928 which was the number on Norton’s website support page when I tried to contact them by email (after downloading Norton 360). The email did not go through and the 866 number appeared to call support. When I did, the call center employee spent an hour with me to try to resolve my issue, then wanted $400 to remove the Chinese hacker trojan and give me lifetime Norton plus 1 year of unlimited tech support for any tech issues. I declined. He said the trojan was “csrss.exe” which is an actual Windows component. I hung up and called another Norton support number and that person (also with a heavy Indian accent) said it was NOT an authorized Norton support person and they never charge over $199 for 5 years…not $400 lifetime! Beware! Even if you call the number. I told Norton that I think their website page was hacked with the re-directed number. They said they would check it out. I did a full Norton scan and it detected NO security issues or viruses.

    • http://dharley.wordpress.com/ David Harley

      That number seems to be associated with an ‘independant’ [sic] support site belonging to ‘Online Tech Support’ and has a page offering Norton support. (Badly written, I’d guess not by a native English speaker.)

  • Misty

    They just called me and I almost fell for it. I got all the way to the ID screen of AMMYY, and thought…who offers to just remove a virus for free? I googled it as he was talking and when the option to reject or accept came up, I hit reject. He asked me why I was rejecting it and I hung up. Am I okay? Is there more I should do?

    • http://dharley.wordpress.com/ David Harley

      If you didn’t allow them to connect, you should be ok.

  • phil

    phildavies uk, it happened to me today 10/Aug, very same process as below, as soon as they realized I wouldn’t purchase, he went but all my photos are gone, desktop changed, trying to recover but some files missing

  • Jens

    They called me too! I didn’t pay anything, but now I need a startup password..?!?! What should/can I do?

    • http://dharley.wordpress.com/ David Harley

      Jens, it sounds as if you might need more help than we can offer through the blog. Did you give them remote access but then didn’t pay them? If so, there’s a chance that they took the opportunity to damage your system in revenge. Your best bet, in that case, would be to consult a local PC tech specialist.

  • Cherie

    It just happened to me, but as she is asking me to type in http://www.ammyy.com and find the green page, and download the program, I just typed it in Google search and found this, pretending to follow her instructions… read this page and told her she was a scam and don’t call back! Thank you!!!

  • Philippe Desrosiers

    Bless you!!! I just received a phone call just about this and as I was reading the blog I was on the phone with someone claiming to work for a company associated with Microsoft… He wanted me to http AMMYY on the address bar of my internet browser. Instead I typed the AMMYY in my Google search and saw the security warning and I hung up the phone as I was reading this blog. Craps there is more and more junk going on the web. The technician, 99% positive it was an Indu, was claiming that my computer had downloaded two viruses and he was to show me how to fix the problem.

    Good blog, good info thanks a 1000 times.

    Cheers

    Philippe

  • Charles

    I am sorry I wasn’t so creative with them. I just made them listen to “Sports Talk Radio” on ESPN. I occasionally checked back in with them to make sure that they were still there, but they hung up after 15 min. If they call back I will try to keep them on longer. (Games with scammers…Who would have guessed it could be so entertaining; caveat, as long as you don’t fall for their shtick).

  • k e

    This happened to a friend of mine. They remoted in, and when she refused to pay them they warned her not to shut down her computer or she would “lose everything.” Doing this, they activated “SysKey” which then required a password during startup, known as SecureBoot. We ended up having to reinstall Windows altogether because after I took the computer for support Plug-n-Play was disabled, and my keyboard and mouse wouldn’t install properly to be usable. Oh well. The name of the company was PacifiTech. They are targeting seniors.

  • Richard – UK

    It’s 6th December 2013 and it happened to me exactly as below. Yes I googled ammyy and found this web site. Thank goodness for the internet and honest people warning us all

  • mom

    God I can’t believe I fell for this … gave access to my computer, but refused to pay 200.00 for this and he said he would call me back Monday…now I am freaked cuz I do my banking and as well as family members on my account …not sure what to d

    • http://dharley.wordpress.com/ David Harley

      If your PC is still functioning, you might be ok. Depends on what he might have installed (or modified): if you cut the connection before he made any changes, you should be fine. It would be a good idea to run some security software, especially anti-virus and anti-spyware, in ‘paranoid’ mode. In general, these scams seem to be more about getting immediate payment for ‘repairing’ your system than leaving keyloggers and other spyware, but I can’t guarantee that was the case here. If you have a good local tech support company, you might find their fees worth the peace of mind.

  • Basil Forthrighly

    Just had a round of this, strung them on long enough to find out what they wanted me to download. They directed me to winithub.com and wanted me to click on a link labeled “Technician 1”. I told them my anti-virus was blocking it, my little helper couldn’t handle that one and apparently tried to forward me to someone else. I got bored and hung up.

    The download payload is still AA_v3.exe from ammyy.com BTW.

  • Gemma L F Knight

    I just received a phone call this morning (Indian guy). As soon as they said they were from Microsoft, that was a big red flag to me. I decided to try to keep them long enough to find out information from them so I could Google it. As soon as he wanted me to run the AMMYY program site, I typed it into Google and came across this page. As soon as I called him out on it, he started laughing and saying ‘this isn’t a scam, I don’t think you’re stupid enough for a scam, you’re very clever’…What an idiot…hung up on him and went to my Facebook to warn my friends.
