ProperBlog

Security for the masses


PC Support Phone Scam

31 July, 2011 (10:47) | A cat called password. | By: Blogkeep

On the 20th of July my telephone rang at 12:31pm; the caller's number was withheld. The caller informed me that my PC was infected with viruses and that it had sent messages over the Internet to the company he worked for; he said the company was called Internet Control. Out of curiosity I played dumb and went along with him. The guy had a heavy Indian accent.

He guided me through the opening of the Windows inf and prefetch folders and told me that all the files within those folders were viruses. (These are in fact Windows system files that Windows needs to function correctly.) He then guided me to open Windows Event Viewer and told me that all the Warnings in the application events log were evidence of infection. Playing dumb, I asked him what I could do about it.

He passed me on to another person whom he said was his supervisor. This “supervisor” had an Eastern European accent. This supervisor asked me to download a program from the Internet to help him diagnose and fix the problem. The program he asked me to download was Ammyy Admin from ammyy.com; this is a remote desktop server. I am unaware if Ammyy are complicit in any way with this scam; I have no evidence to support such a claim. However, the Whois for Ammyy.com reports that the registrant is protected by WhoisGuard, a company that hides the true owners of a domain from a whois lookup. I would advise looking up ammyy and ammyy.com in a search engine and drawing your own conclusions. Just because one has nothing to fear doesn’t mean one cannot choose to hide anyway.

I quickly fired up a VM of XP Pro and downloaded the Ammyy software. After running the software it connected to an IP address owned by plusserver.de. This supervisor then ran through exactly what I had been asked to do previously, showing me the contents of the Windows inf and prefetch folders and telling me that all the files in those folders were viruses.

Whilst remotely connected to my VM XP he didn’t notice the shortcuts to Immunity and IDA, nor the folder marked analysis tools or the VirtualBox tool icon in the icon tray.

I asked him what I could do about all the “viruses” on my PC. He opened Notepad and pasted a price list into it. I was told I could purchase a support contract that would rid my PC of viruses and keep it clean for a year. He then asked for an email address to which he could send information on how to pay. Under pressure to provide him with an email address quickly, I made the mistake of giving him a propergander.org.uk email address. He was expecting me to use the VM XP install he was connected to to retrieve my email; as I use this VM to analyse malware, I don’t have email set up on it. When I told him I use a different machine for my email he began to get suspicious and opened the propergander (this) website in a browser. Well, game up; I never got the email. He was very angry that I had strung him along and asked why. I told him I was investigating how the scam he was running worked and that this little episode would make an ideal entry in my blog. He protested that he was not running a scam; I replied that I had recorded the conversation and had evidence of the lies and deception used to convince me my PC was infected. He then immediately hung up the phone.

I reported the abuse of this IP address to abuse@plusserver.de who replied “Our staff has investigated your complaint and checked your data. There are several indications that your complaint is well-grounded.”

Overall this was very amusing, but not so for ordinary users with no clue as to how operating systems work. This is a nasty scam, one that all computer users should be aware of.
