November 30, 2011 | San Diego, CA

Support-Scammer Tricks

Having been blogging this topic for quite a while, I figure this might be a good time to highlight some of the snippets of information that people have posted on some of those blogs (anonymized, of course). You might also be interested in a resource page I've started here at AVIEN.

One prospective victim instructed to connect via the Run window to www.support.me. This turns out to belong to logmein.com, the home of one of the (legitimate) remote access tools used by scammers to "fix" their victim's computer, install "better" antivirus or antispyware, and so on. (ammyy.com is another, apparently more favoured by scammers calling victims in the US.) If anyone goes as far as getting a box like this, it would be interesting to know what code they are instructed to enter, since this may help in tracking scam sites.

However, the fact that a scammer might be using legitimate remote access software doesn't, of course, make it safe or even legitimate. Once the scammer has access to your machine, he can download anything he likes, in principle. (I first became aware of this type of scam because one or more scammer was downloading cracked or trial versions of ESET software: we got to hear about it when they didn't work or stopped working.) One correspondent tells us that his wife was scammed and that when he examined the machine using AVAST!, it identified the file AMMYYadmin.exe Win32:PUP-GEN. Of course, I don't work for AVAST!, but that sounds like a generic identifier for a Possibly Unwanted Program: ESET uses the similar acronym PUA (Possibly Unwanted (or Unsafe) Application), so it could have been the legitimate program. This kind of identifier is used for programs that may have legitimate uses, so cannot be flagged as malware, but may be used for malicious purposes. (I'd say that fraud is malicious, wouldn't you?) (See Aryeh Goretsky's paper Problematic, Unloved and Argumentative for more information on "possibly unwanted" and "possibly unsafe".

According to that last commenter, part of the scam pitch was to tell his wife that AVAST! is not compatible with XP. Clearly, that's one to look out for.

Victim: I already have X antivirus and Y antispyware installed.

Scammer: But those products are not compatible with Windows XP (or Vista, or 7)

Unfortunately, this approach may well become more convincing: as Microsoft's support for XP sinks into the West, it may well be that some security products will also discontinue support for it. But it hasn't happened yet, as far as I know!

Most of the scam calls I get are flagged as International Withheld, but here are a few phone numbers that according to other blog comments, have been used by support scammers:

+2538020308 (whereabouts of commenter unknown)

0800 520 0304 (interesting: that's the number on the efix.co web site…)

00016076259911 (from a reader in New Zealand)

It seems that numbers are being derived from a variety of sources. I've had calls where the scammer had clearly got my details from a telephone directory, but some comments indicate that their ex-directory numbers have been called. That could indicate random dialling in some cases, especially where the scammer asks for some equally random name and quotes a random address (as described in Facebook Likes and cold-call scams). However, some of these instances don't seem to be random. I'll be looking into that.

Finally, here's an interesting variation on the CLSID trick I described in an earlier blog: blog.eset.com/2011/07/19/support-desk-scams-clsid-not-unique. One of the comments on that blog tells us that a scammer told him that “Your Microsoft’s Computer Licence Security ID has been identified as obsolete and needs to be renewed”. That is not what the CLSID is or does, and it isn't at all unique: many millions of PCs have the same ID.

If you have any information on this type of scam, feel free to comment here or email askeset (at) eset.com.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow