Tuesday, 21 February 2012

Scamming the scammers – catching the virus call centre scammers red-handed

A few months back I got a call one evening which was clearly a virus call centre scam; you know, the ones that call you out of the blue, tell you your PC is infected with all sorts of nasties and offer to fix it for you? Or maybe you don’t know, which of course is why these scams have been going on for quite some time and are still very active today.

Fortunately I did know about such things so rather than summarily dismissing them with a level of disdain I normally reserve only for telemarketers, I recorded the audio of the call right up until the point where they were ready to take control of my PC. I published the whole episode in my post titled Anatomy of a virus call centre scam.

But I was left wondering; what exactly were they going to do to my PC once they got remote control? Try and squeeze some cash out of me for “fixing” things? Install their own variant of “antivirus”? Or just plain old enslave my PC into being part of a botnet? So I decided to find out by letting them do whatever they wanted whilst recording the audio and the screen so the entire experience could be shared.

The setup

For this exercise I created a brand spanking new Windows 7 trial install on a spare hard disk and physically disconnected every other disk from the machine. I then unplugged every other device from the router and disabled wifi. I now had a disposable machine, isolated from everything else I owned, with nothing more than an internet connection.

I installed enough of the basics on the machine to make it look legitimate (Office, Acrobat Reader, Skype, etc.) and also installed Microsoft Security Essentials. I then ran Windows Update repeatedly until every single service pack, patch and even language pack was installed. The machine was as up to date and as secure as it could be without going to third party products.

I then added various items to the desktop which might appear a bit tempting such as “Passwords.txt” and “2011 Finances.xls”. I wasn’t expecting them to be accessed, but it helped the machine appear more legitimate.

The call

I’d asked around about other people having received scam calls and was given a phone number in the UK (01916451644) and one in Australia (0872001644), both having previously been left by the scammers. A quick Google on either of these numbers will give you numerous results with people complaining about being cold-called by scammers. Both of these numbers also appear on Comantra’s website.

So who is Comantra? They’re an Indian firm specialising in remote computer support which, on the surface of it, is a perfectly legitimate business. Problem is, they’ve got a long history of scamming people and had their Gold partner status revoked by Microsoft back in September last year as a result.

The Comantra website

I started Camtasia running on the machine capturing both screen and microphone then gave them a call. After a couple of false starts, I ended up acquiring a pre-paid SIM card for my phone as each time I called they absolutely insisted on calling me back before doing anything nasty and I wasn’t about to hand out my personal details. Finally, on Saturday a few days ago, I got through to them.

Here’s what happened next:

Debrief

Let me give you the abridged version here in case you (quite rightly) didn’t feel like sitting through the entire thing:

  1. The operator explains that the PC is infected with malicious files.
  2. He directed me to Ammyy which he then used to gain remote control of my PC.
  3. He started the Event Viewer then explained that errors and warnings are signs of serious problems with the PC.
  4. He then had me go to the LogMeIn website and attempted to start a remote support connection without entering a PIN code. Naturally this failed, after which he explained it’s the “software loyalty key” for the computer and its expiration is the cause of all the “problems”.
  5. Next, I was assured numerous times that there is absolutely no cost involved for him to “fix” the warranty.
  6. I was then told the free warranty would cost a one-time payment of $160. Annually.
  7. After explicitly prompting him, he confirmed this payment is for the software key for my Windows.
  8. A PIN was given to me which I then entered into the LogMeIn website and granted them remote control to my machine. Again (on top of the Ammyy session).
  9. The operator then controlled my PC and downloaded Advanced SystemCare 3, a legitimate (albeit twice superseded) product. He explicitly told it not to create a restore point when prompted.
  10. SystemCare made numerous findings which the operator leveraged to explain the poor health of my PC, including an explanation that fragmented files indicated “These are all of the hardware problems”.
  11. I was directed to a registration form where I registered with false information.
  12. I was then forwarded to a payment gateway where credit card information was requested using a service provided by India’s Bank of Baroda.
  13. At this stage I came clean and confronted the operator. Numerous excuses were made with the general gist of it being that they are honest, have not misled me and are providing a legitimate service.
  14. When reviewing the system the next day whilst disconnected from the internet, the LogMeIn software loads automatically and attempts to re-establish a connection. It appears that there is now a persistent ability for Comantra to take remote control of the machine.

The whole process was a completely disjointed, muddled experience involving jumping around between a number of legitimate services which were used to create fear, uncertainty and doubt. Even the Comantra processes of registration then payment don’t actually appear to be related which makes you wonder if there’s any service provided at all after handing over cash.

One thing that was a little interesting was the use of two different remote control products; Ammyy then LogMeIn. My best guess at the rationale behind this is that Ammyy is used first because it’s an entirely free service which doesn’t require them to divulge any sort of subscription key. However it also doesn’t give them persistent remote control beyond that initial session so I suspect it’s used to validate that the “mark” is willing to go along with the scam before divulging something of value to them – the LogMeIn PIN.
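The persistence finding in point 14 (LogMeIn loading at boot and trying to call home) is the part of this episode that matters most after the fact, so here is the check I would run on a machine after a session like this. This is an added example, not something from the original post or from any of the vendors mentioned: a PowerShell script that walks the common Windows autostart locations and live outbound connections and flags anything that looks like a remote-control agent. LogMeIn and Ammyy are the two tools that appear on this page; the other product names in the list are assumptions added for completeness, and the script assumes the Windows 7 / PowerShell 2.0 era tooling the post describes (Get-Service, Get-ItemProperty, schtasks.exe and netstat.exe rather than newer cmdlets).

```powershell
# Added example, not from the original post: after letting a "support" operator
# on to a disposable machine, enumerate the usual Windows persistence points and
# outbound connections and flag remote-control software. Run it while the box
# is disconnected from the internet, as the post did; the connection attempts
# still show up as SYN_SENT.

# Strings to flag. 'logmein' and 'ammyy' are the tools used in the call; the
# rest are assumed names of other remote-support products.
$suspects = @('logmein', 'ammyy', 'teamviewer', 'anydesk', 'supremo', 'aa_v')

# ArrayList is a reference type, so .Add works from inside script blocks and
# functions without scope surprises.
$findings = New-Object System.Collections.ArrayList

function Test-Suspect {
    param([string]$Text)
    if (-not $Text) { return $false }
    $lower = $Text.ToLower()
    foreach ($s in $suspects) {
        if ($lower.Contains($s)) { return $true }
    }
    return $false
}

function Add-Finding {
    param([string]$Where, [string]$Name, [string]$Detail)
    [void]$findings.Add((New-Object PSObject -Property @{
        Where = $Where; Name = $Name; Detail = $Detail }))
}

# 1. Services. LogMeIn installs itself as an auto-start service, which is
#    exactly how it came back up the next day.
Get-WmiObject Win32_Service | ForEach-Object {
    if (Test-Suspect ("$($_.Name) $($_.DisplayName) $($_.PathName)")) {
        Add-Finding 'Service' $_.Name "$($_.StartMode) / $($_.State) : $($_.PathName)"
    }
}

# 2. Run / RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath etc.
        if (Test-Suspect ("$($p.Name) $($p.Value)")) {
            Add-Finding 'RunKey' $p.Name "$key : $($p.Value)"
        }
    }
}

# 3. Scheduled tasks via schtasks.exe (verbose CSV). Column names are the
#    English ones; adjust 'Task To Run' on a localised Windows.
schtasks.exe /query /fo CSV /v | ConvertFrom-Csv | ForEach-Object {
    if (Test-Suspect ("$($_.TaskName) $($_.'Task To Run')")) {
        Add-Finding 'ScheduledTask' $_.TaskName $_.'Task To Run'
    }
}

# 4. Live or attempted outbound TCP connections mapped to their owning
#    process. An agent phoning home shows up here even if its autorun entry
#    was missed above. netstat -ano columns: Proto Local Foreign State PID.
netstat.exe -ano | Select-String 'ESTABLISHED|SYN_SENT' | ForEach-Object {
    $cols = ($_.Line.Trim()) -split '\s+'
    $ownerPid = [int]$cols[4]
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    if ($proc -and (Test-Suspect $proc.Name)) {
        Add-Finding 'Connection' $proc.Name "$($cols[2]) ($($cols[3]))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No remote-control software found in the checked locations.'
} else {
    $findings | Sort-Object Where, Name | Format-Table Where, Name, Detail -AutoSize
}
```

Anything this reports in the Service or RunKey section is the "persistent ability to take remote control" from point 14; removing the service or the autorun entry (or, better, wiping the disposable install as the post's setup allows) is the fix. The script deliberately reads only; it does not stop or delete anything, so it is safe to run before taking an image for evidence.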

Now, I want to be absolutely crystal clear that this is a scam from the outset. The end of the call descends into the operator vehemently defending the legitimacy of the Comantra service so I’m going to specifically quote a number of the things he said during the call. Also keep in mind the pretence with which these calls are initiated; this is a “cold-call” – one made without opting-in on the premise that they have been alerted to malicious activity on your PC. This is clearly a lie.

Here are some of the more significant quotes from throughout the encounter:

  1. “Your computer has accidentally uploaded some unwanted malicious files”.
  2. “The Windows operating system and the software part of your computer is getting infected”.
  3. “Whenever you go online or browse internet, unwanted junk files are downloaded to your computer” and then “The application views the entire part of the software part of the computer”.
  4. When viewing the Event Log: “This is the errors and the warnings that are in the computer, these are the very harmful files in the computer” followed by “That is the reason your computer is having a lot of problems”.
  5. When asked about the errors and warnings in the Event Log: “These are the corrupted files” then “This are not functioning properly in the computer” and “The software part of your computer is getting corrupted day by day”.
  6. When asked if Microsoft Security Essentials protects the computer: “No, no, no, it’s a security warning that comes up”.
  7. When I suggested I might just buy a new computer: “If you buy a new computer, you will face all the problems in the new computer as well”.
  8. When trying to connect to the LogMeIn service without a PIN: “This six digit code is the software loyalty key for your computer” then “This six digit code is expired from the computer, that's why your computer is having a lot of problems” followed by “All the folders has been corrupted as there is no software key yet within the computer, your software part is not functioning properly”.
  9. After I said the PC was 5 years old: “You've got two types of warranty on the computer, one is the software and another is the hardware” then “The software one is for 4 years and the hardware one is for 5 years” and “As the software warranty expired from the computer that's why your computer is experiencing problems”.
  10. When explaining the costs: “From now on you don't have to pay a single penny for the services” then “They will provide you the services and the software absolutely free of cost” and “You have nothing to pay a single penny neither for the services and neither for the software” followed by “You will get each and everything absolutely free of cost”.
  11. Shortly after the previous point: "You just have to pay $160 annually".
  12. When asked if I can pay the warranty directly to Microsoft: “No, as we are the service providers of Windows operating system”.
  13. In justifying their service: “We take care all the users of Windows operating system all over the world”.
  14. When asked what fragmented files were: “These are all of the hardware problems”.
  15. When asked why Microsoft dropped Comantra as a partner: “People like you who are always behind who full of themselves they blame the person who fix up the problem” and “Microsoft dropped us because of you kind people”.

Summary

Despite the operator protesting to the contrary, this is an outright scam in every sense of the word. The Australian government has this on their Scam Watch website, it’s widely reported in the UK press and it’s rampant in the US as well. I very much doubt these three countries are the only targets too; they’re simply the ones I’ve had reports from when I asked about other people experiencing the same thing.

The modus operandi is a familiar one; load the Event Viewer to demonstrate all the “problems”, get remote control and install third party software then charge the customer for the service. I knew better than to get caught the first time, as would most of you reading this on a technology blog.

But it’s not always that way; innocent people who are not tech-savvy enough to recognise the scam are frequently being caught and it’s often the people who can least afford to part with the cash. The scam centres around finding victims who are vulnerable and easily exploited for the benefit of crooks on the other side of the world.

I was a little tongue-in-cheek in the video but this really is a serious matter. Now that this has been posted I’m contacting each and every innocent party involved in the scam (Ammyy, LogMeIn, iObit and obviously Microsoft) and submitting it to the Australian Scam Watch site and AusCERT. I’ll update this post with any responses of interest I can share.

So what can you do? Talk to those around you who may fall victim to this scam, share this post, make them aware of the risks and above all, hang up on crooks who call out of the blue in the hope of parting you from your hard-earned cash.

Update 1 (09:30): Within hours of publishing this post, I have contacted each of the following and provided details of their role in the scam. I’ve also asked each if they’re willing to provide any feedback that I can share here:

  1. IOBit (their Advanced SystemCare software was used to show “malicious files”)
  2. Ammyy (the first remote control software used)
  3. LogMeIn (the second remote control software used)
  4. Bank of Baroda (used to process the payment)
  5. Microsoft (legal department, through a Microsoft contact of mine)

I’ve also submitted it to:

  1. Scam Watch (Australian government site tracking scams running down here – also submits to the ACCC)
  2. AusCERT (Australian Computer Emergency Response Team)

Update 2 (21:00): AusCERT responded within hours of my contacting them and issued an alert on their website. They also put out an advisory on the Australian Government’s Stay Smart Online website. Big kudos to them for acting so promptly.

Ammyy has also responded with the following:

Thank you for contacting us. You are right, all we can do is to post warning on our main page.

Somebody also pointed out to me that during the video, you can actually see text on the Ammyy website which says “Got phone call and asked to launch Ammyy Admin? Important info on malicious use.” and links to a warning page. Is this enough? I certainly didn’t see it during the call and you could argue that Ammyy could do more to verify legitimate use (email verification, for example), but of course this also increases the barrier to use. Of course you could also argue that there is no incentive for Ammyy to prevent these sort of scams so I’m not expecting anything to change on that front any time soon.

Update 3 (Feb 22): I’ve had a response from LogMeIn with the important bit relating to this video being as follows:

Use of our software for nefarious or illegal purposes violates our terms and is immediate grounds for account termination -- it is something we take very seriously. The code you provided can be used as a fingerprint to immediately ID the account. And it was forwarded to our team to investigate and shutdown, as soon as we received it last night.

Hopefully that means life has just been made a little bit harder for Comantra, but then again, they’ve been running the same scam over and over again using the same Ammyy and LogMeIn software so clearly having one account terminated is nothing more than a small hurdle to them. The response from LogMeIn continues:

A major safety and security feature of an on-demand support solution like is that it requires mutual consent: No action can be taken by a support technician without a computer owner granting access.

The problem, of course, is that Comantra are socially engineering people into consenting to what amounts to little more than a software install. Certainly there are no big warning signs put up by LogMeIn. I totally understand this from LogMeIn’s perspective (barrier to use and all that), but the fact remains that scammers are able to repeatedly abuse their service time and again and have done so for a long period of time.

Update (March 28): As pointed out in the comments below, Comantra has ceased "further inputs into novel registrations". The grammatically challenged entry on their site effectively states that due to "some fellow critics in the industry", they will no longer be making unsolicited approaches to consumers. There is no mention of whether they will continue to screw existing customers.

Update (May 8): I've interviewed the man behind this scam in my post titled Interview with the man behind Comantra, the "cold call virus scammers".
