Support scammers - at your service!

The Windows Service Center. Sounds reassuring, doesn’t it?

Here’s a typical scenario.

Someone claiming to be working on behalf of Microsoft rings you out of the blue to tell you that there was a problem with your PC, or even that your virus-infected PC is causing problems on the internet, and that your Microsoft licence is going to be suspended unless you give them access to your PC so that they can clear it up.

So they direct you to a site that has a vaguely authentic sounding name and ask you to download and run the software that gives them access to your PC.

(Later on, they’ll tell you that you have to pay them for service and/or installing security software and/or some sort of licence fee, if you let them get that far.)

Fortunately, Paul, who commented recently on one of my articles about support scams on the ESET We Live Security blog, says that he didn’t let them get that far.

When asked to connect to a site calling itself the Windows Service Center, he found that this resulted in downloading an executable file which he declined to run until he’d checked it with anti-virus software.

At this point the scammer told him that his ‘Microsoft licence’ would be withdrawn: instead of being panicked into complying, Paul told him to go ahead and the scammer hung up.

Here’s a screenshot of the "Windows Service Center" at mwgs.webs.com:

Windows Service Center

Note that webs.com is a legitimate provider of free webspace, and I’m certainly not suggesting that they have any complicity in support scamming. In fact, they reacted quickly and responsibly when we told them of the issue.

This particular page doesn’t actually claim to be a Microsoft site, but it’s more common nowadays for scammers to indicate that they’re working with Microsoft or on Microsoft’s behalf rather than suggesting that they are Microsoft.

In fact, all this page does is serve up remote access software.

Close-up

  • The "WELCOME TO SERVER ONE" button links directly to a TeamViewer QS (Quick Support) executable on TeamViewer’s own site

  • "WELCOME TO SERVER TWO" links directly to the AMMYY Admin executable on the ammyy.com site

  • "WELCOME TO SERVER THREE" doesn’t link to anything, the last time I looked...

  • "WELCOME TO SERVER FOUR" links to a ShowMyPC executable on the ShowMyPC site

  • The oddly titled "MAC WINDOWS SERVER" button is more interesting as it links directly to an OS X disk image file, TeamViewQS.dmg, from which a Mac program can be installed. (Support scammers have paid less attention to Mac users in the past, though they have been targeted occasionally.)

All such software can be used legitimately for real support. Unfortunately it is also widely used by support scammers.
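A defender-side check for pages like the one described above, added here as an example (it is not code from this article): it flags a page whose links point directly at installers for two or more different remote-access tools. The domain-to-tool mapping, the threshold, and the paths and file names in the sample HTML (other than TeamViewQS.dmg) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vendor domains named in the article; the mapping itself is an assumption of this example.
REMOTE_TOOL_DOMAINS = {
    "teamviewer.com": "TeamViewer",
    "ammyy.com": "Ammyy Admin",
    "showmypc.com": "ShowMyPC",
}
INSTALLER_EXTENSIONS = (".exe", ".dmg", ".msi")

class LinkCollector(HTMLParser):
    """Collects the href of every <a> element on a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:  # buttons without a target (like "SERVER THREE") are skipped
                self.hrefs.append(href)

def remote_tool_links(html):
    """Return {tool name: [urls]} for direct installer links on vendor domains."""
    collector = LinkCollector()
    collector.feed(html)
    found = {}
    for href in collector.hrefs:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if not url.path.lower().endswith(INSTALLER_EXTENSIONS):
            continue
        for domain, tool in REMOTE_TOOL_DOMAINS.items():
            # Exact domain or a true subdomain only, so lookalike hosts do not match.
            if host == domain or host.endswith("." + domain):
                found.setdefault(tool, []).append(href)
    return found

def looks_like_support_scam_hub(html, min_tools=2):
    """Flag pages that offer installers for several different remote-access tools."""
    return len(remote_tool_links(html)) >= min_tools

# Constructed sample modelled on the page described above; paths are placeholders.
SAMPLE_PAGE = """
<a href="https://download.teamviewer.com/PLACEHOLDER/TeamViewerQS.exe">WELCOME TO SERVER ONE</a>
<a href="http://www.ammyy.com/PLACEHOLDER/AMMYY_Admin.exe">WELCOME TO SERVER TWO</a>
<a>WELCOME TO SERVER THREE</a>
<a href="https://showmypc.com/PLACEHOLDER/ShowMyPC.exe">WELCOME TO SERVER FOUR</a>
<a href="https://download.teamviewer.com/PLACEHOLDER/TeamViewQS.dmg">MAC WINDOWS SERVER</a>
"""
```

A single vendor's own download page links to only one tool and is not flagged; the signal is the combination of several competing remote-access products offered from one unrelated page.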

As previously mentioned, webs.com was also notified, with an explanation of why support scams and sites supporting them are a problem, and it now looks as if the site has been suspended.

Suspended website

There are a few points worth noting here.

  • If you know how unlikely it is that someone at a call centre somewhere knows anything about your PC, or can magically associate your PC and/or IP address in some way with your phone number, you can head off this sort of rubbish at the start of the conversation. Not that I’d want to spoil the fun for all you guys who enjoy wasting a scammer’s time.

  • Being cautious when asked to run unfamiliar software is absolutely the right thing to do. Even when the software is known to be used by legitimate support services, there are plenty of trojanized copies of legitimate software out there.

  • It’s a bad idea to assume that a company not known to you isn’t going to make dishonest use of honest software because they cold-called you and told you that they’re legitimate.

  • The famous CLSID number used via ASSOC to prove that the scammer knows all about your PC is not some sort of licence number and doesn’t uniquely identify your PC. Many millions of Windows PCs have exactly the same entry.

  • Practically anyone can implement a web site calling itself something that sounds as if it might actually have something to do with Microsoft. It isn’t even necessarily illegal (depending partly on where it is): there is probably a brand infringement issue, but scammers tend not to worry too much about things like that.

  • Using a service like webs.com and a generic website template is either rather unprofessional (I don’t think Microsoft would do it) or a sign that someone is trying to launch a site with a minimum of cost and effort because they don’t expect to get away with it indefinitely.

    However, be aware that services like webs.com, wordpress.com etc. may offer a custom domain name at relatively small extra cost, so you cannot assume that sites hosted by such providers are always recognizable by the domain name alone.

    In any case, there are other sources of cheap domains.

Be on your guard, and stay safe out there.



3 Responses

  1. Coyote

    July 4, 2014 at 3:57 pm #

    I love when I get these calls. I belittle them to tiny bits (not even bits, a single bit) and then do a little bit logic, leaving them at zero and then hang up on them. That's the technical way of explaining it. But thank you for writing this. I think unfortunately that far too many people do not realise the implications here and it is good that at least here it is written about. This scam is far too common and to those who do know what they are doing, give 'em hell and even better waste their time (as long as possible and as long as you have the time to spare and not in the middle of something). It is doing every good person a very good service!

  2. Steve Yates

    July 5, 2014 at 9:10 am #

    I have been getting these calls for a few months now, about 1 a week. What is strange is that the calls are in English but I live in France so they are obviously targeting expats. Sometimes their number is obviously fictitious (00123456789), sometimes with a Philippines country code. Accents are always Indian.

    My response varies from playing along with them but v e r y s l o w l y till they get fed up, or putting the phone down next to the speaker so they can listen to whatever I have on the BBC IPlayer. This week I changed tactics and gave them a rendition on my newly found harmonica.

  3. Peter Haydon

    July 9, 2014 at 12:47 pm #

    Had a number of these calls (both in UK and France) but I always ask them how it affects my Apple Mac. It seems to take them a while to understand what I'm asking so they would appear to be drones (with South-Asian accents) working from scripts. I incensed the last caller so much he told ME to 'bu**er off' (twice). I call that a result on my part!
