This evening I received another scam phone call only this time I was semi-prepared for them and recorded most of the conversation. I did go through all their steps in a controlled environment, downloaded their software and dragged them on for about 20 minutes. The more time they wasted with me the less time they are spending on getting a real victim.
Here’s how the call works. You get a call from a guy with a real heavy Indian accent, today I spoke with “Dave”, and he immediately asks you if you are the owner of the computer. You say yes. They then proceed to tell you that you got infected from the Internet and they are calling to help you clean it. Most people will feel concerned and proceed to do what they say out of fear, I proceeded to waste their time.
I fired up Oracle VirtualBox on my iMac and started a Windows 7 VM image I had standing by. My image is bare bones, used for testing and never for any personal use. I have it isolated from seeing my Mac or my network and it can get to the internet. Basically it’s a DMZ and a perfect place to let someone walk around. Once I got my image loaded that’s when I found my digital recorder and began recording the call, you can hear it in its entirety below. I urge you to send it to all your less-than-technical folks so they can hear what these scams sound like and how easy it is to inadvertently give complete control of your computer and files to someone. Very dangerous scam because it’s so easy to give up so much.
In the description below the times noted are the markers of the audio above you can use for reference.
For those that don’t know me I have close to 20 years of Windows engineering, information security and everything in between. I deliberately slowed things down by mistyping, going slow, etc… What I was really doing was doing quick research on the site he sent me to and the software he was having me run to see what it really did before I installed it.
The call starts by Dave asking me to open the Run window and goto a website. Between the start of the call and 5:30 in I spent time going to the wrong website he was giving me.
At 5:30 in I goto the main site and he tries to get me to run an exe off the webpage. The program is a legitimate program called Ammyy. It’s software to allow remote control of your machine and is used in business for troubleshooting, training, etc… However the 121usahelp.com site just links to Ammyy download to run it. Even though the Ammyy software is legitimate it’s being used as a direct backdoor into your machine to allow the scammers to steal your files, install malware and get you to install scareware fake anti-virus programs to install more malware. Nasty stuff.
At 6:20 I start to push Dave on the reasons to install this. Specifically since he told me he detected my computer is corrupted why do I have to install more software to scan it again. I didn’t want to scare him off yet so I dumbed it down and kept going.
At 7:30 Dave tells me that it’s not going to install anything, it absolutely does and did. (remember I have a sterile, isolated computer, no worries)
At 8:00 the line goes silent as I stumped him.
Between 8:00 and 9:50 I confirmed my virtual image was isolated and downloaded the software to proceed to the next phase of their scam.
Ok this is the important part. Once you give the scammers the ID from the software that’s the key for them to connect to you through the Ammyy system. The software doesn’t automatically connect you have to Accept the request. On the Accept screen there were several options and they were all checked by default, they were: View Screen, Remote Control, File Management, Audio Mic, RDP. I de-selected everything but View Screen. Dave went back and forth about 15 times to try to get me to accept with all options checked but he never came out and said to do that, even though I told him he was not going to get remote control. When I was completed I realized the remote control is not what they were going after but File Management.
I dragged this out to about 14:30. Thats when I allowed File Management and after I did that I could see through the Ammyy console what they were looking at. At 16:00 they traversed through all my directories, specifically the users/BinaryBlogger and the /Windows folder. The users folder is where most people keep their music, documents, etc… by default that’s where Windows puts those things and the Windows directory was scanned because you can do many, many bad things by altering a few lines in some of the config files in there. Because this was a bare bones image, there was nothing of interest anywhere. If they destroyed my image, so what, I build a new one with a click of a button.
However, had I been a victim they would have been able to download all my files, photos, tax returns, music, etc… that I had stored in the My Documents in the background and I would never know it.
Also, during the back and forth of getting them connected, knowing they would see my desktop, I opened Notepad and spelled out what I was doing. I said I know the scam, this is a test virtual image with nothing on it, the more time you waste with me the less time you can waste elsewhere and I threw in some colorful literature of where they could go and what I thought of them… 😉
I assume they realized I was a bust for files to steal or they saw my desktop with my little messages because they cut the line at the end.
In post I cleaned up the Ammyy software, it didn’t install like a traditional piece of software where you could uninstall it from within Windows Programs but it did drop a few registry keys. I did a Malwarebytes scan and that came back clean. I also had Avast running the whole time and nothing was transferred and not malware was detected, they never had the chance. Maybe next time I will go a little farther. I will definitely push their patience.
The more people know about this, now you can hear what the scam is like, the less likely they have of success and will go away. Take away the food supply and the trolls move on.
Spread the word, let the naive people in your life know about this, listen and stop people falling for this.
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.