Don’t Be an April Fool: Inside a Common Phone Scam

Robert Falcone


Category: Unit 42

One of our team members on Unit 42 recently received a phone call from a scammer, and today being April Fool’s Day we decided to write about how we played along with the scammer to learn about his operation.

Unit 42 analyst Robert received a phone call from a Tech Support scammer who told him his system was compromised and was seen performing illegal activities. The scam relied solely on social engineering, which is a technique to manipulate a victim into doing something or to give up information, but in this case was intended to get Robert to pay the scammer for unneeded system protection services. Social engineering is used in a majority of cyber crime and espionage attacks, albeit in this scam it was conducted over the phone and not via e-mail or social networking.

This blog, in Robert’s voice, recounts the story of this unsolicited call and provides a glimpse into this scam operation. We intend this story to be light reading for security professionals, but hope that it provides awareness for less technical folks into the social engineering techniques used in these types of scams.

Note: We have redacted some portions of this blog, specifically the domain involved with this scam while law enforcement investigates.

The Scam

On March 30, 2016 at approximately 12:45 PM EST, I received a call on my house phone showing a caller I.D. of “1-161-565-4328”. An individual greeted me and told me that a hacker had infected my Windows system. The individual told me that the hacker used my system to do illegal things, which is the reason they were calling me to help clean up my system. I feigned shock and surprise that someone had used my system to carry out illegal activities and responded that I was very grateful that they brought this to my attention. The individual told me he would transfer me to a technician to clean my computer.

The technician walked me through the various buttons on my keyboard, specifically focusing on the buttons on the bottom left corner of the keyboard. He asked me to read off the different keys, so I told him it was CTRL, ALT and Windows even though I do not run Windows as my operating system. Once he heard me say the Windows key, he instructed that I press and hold it while pushing the “R” key. The technician then had me type in a command to the Run window, specifically reading off each letter using acrophony (like “R” as in wrench) in the following command:

eventvwr

To stall him, I had him read it out several times while I set up my virtual machine and its network interfaces. With the event viewer open, I was instructed to click “Custom Views” and then “Administrative Events” and the operator asked what I saw. I saw the warning and error messages seen in Figure 1, which I was told was confirmation that my computer was compromised, even though all the displayed messages were caused by failed DNS lookups and DHCP requests.

April Fools 1

Figure 1 Event viewer application showing DNS and DHCP errors, not a compromise

I was then instructed to close the event viewer application and press the “Windows” key and “R” again to run another command. The technician told me to run another command that he read off, again using acrophony and again with me wasting his time by having him repeat the command several times:

iexplore www.support.me

The technician then asked me what I saw. My virtual machines’ network interfaces were set up correctly but I had to fix my DNS settings, so I told the technician the page was unreachable and that he would have to help me fix my Internet connection before we could continue. The technician said he would transfer me to his supervisor who would be able to assist me in fixing my Internet connection. Meanwhile, I fixed my DNS settings while I was being transferred.

The individual I was transferred to again had me open the event viewer application. Again, I was told all of the warnings and errors are issues with my computer, which I needed to fix or else I could lose my computer. I responded by asking “Where would my computer go if I lost it and how would I go about finding it?” I chuckled to myself, but the supervisor then asked my age and if my parents or I owned the computer. I told him I was 28 years old and assured him I owned the computer.

I continued the conversation by telling him my Internet connection was fixed, so the supervisor told me to open my Google application and type in “www.support.me”. I visited the URL and it redirected me to “secure.logmeinrescue.com”, as seen in the following HTTP 301 redirection:

HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://secure.logmeinrescue.com/Customer/Code.aspx
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 30 Mar 2016 19:32:13 GMT
Content-Length: 174

The website displayed in the browser, seen in Figure 2, has a form that requires a six digit code to download a LogMeIn application that would allow the technician to interact with my system. The technician provided me a six-digit number of 242137 and instructed me to download the resulting application that had a filename of “Support-LogMeInRescue.exe” (SHA256: 3196ac75120fad5eed97801768d33e74f452194cf7ebd0dbf4775c53a052fe46) and run the application.

April Fools 2

Figure 2 Support.me requires a 6-digit access code to download and install the LogMeIn Rescue Application

After I executed the application, the technician told me to click “Ok” to all of the popups, which was Windows’ UAC telling me that I should be careful about running such an application. The application is LogMeIn Rescue, which is a legitimate application that allows IT support to interact with remote systems. However, in this case, the scammer used the aptly titled HappyToAssist application to gain access to my virtual machine. As you can see in Figure 3, the technician used this application to transfer a file named “AA_v3.exe” (SHA256: 1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed) to my system.

April Fools 3

Figure 3 HappyToAssist application used to transfer AA_v3.exe file

The technician then ran the “AA_v3.exe” executable, which is a variant of the Ammyy Admin tool seen in Figure 4.

April Fools 4

Figure 4 Ammyy Admin tool used to transfer additional file

The technician used this tool to transfer another file, specifically a batch script with a name of “Route Tracer.bat”. The batch script was a further attempt to show me that my computer was compromised, as the technician told me that the application would show me the current activity on my system.April Fools 5

Figure 5 Batch script printing fake hack attempts to the screen

According to the output of this batch script, my virtual machine was hacked by China from an IP address currently belonging to a wireless provider in the United States. I asked the technician why China would be hacking my computer and he said to gain access to my banking information.

At this point, the technician changed hats from security expert to professional salesman, by opening the Notepad application and typing out the services they offer to clean the system. As you can see from Figure 6, the now salesman offered me three service plans to keep my system protected for 3 years, 5 years or a lifetime for prices ranging from $199 to $299.

April Fools 6

Figure 6 Notepad document the technician used to show the services available for purchase

I told the salesman that I never want this to happen again, so I wanted to purchase the lifetime plan, which he was generous enough to open an Internet Explorer window and navigate me to a billing page. The billing page, seen in Figure 7, is hosted at http:// [redacted] /billing_us.php.

April-Fools-7

Figure 7 Billing page for scam

At this point, I disconnected the adapters to my virtual system, which effectively removed the technician/salesman’s access to my system. I asked if he recognized any icons on my system, specifically the icons of malware analysis tools. I heard rustling on the other end of the phone and a click when the individual hung up the phone.

While this call was ongoing, I kept several of my team members amused with the progress in a separate chat window. As I was documenting the scammer’s activity, my colleague Simon took a look at who might be behind the site.

Attribution

The domain [redacted] hosting the billing page was created on February 28, 2014. It has resolved to the IP address [redacted], and used the DNS name server (NS) [redacted] consistently from when the domain was created, through to the present time.

The current WHOIS information for this domain is anonymized using a WHOIS protection service; however, up until July 2014 the WHOIS was not anonymized and gave us the information used during registration. The email address used to register the [redacted] domain is associated with two social networking accounts, both of which we have passed to law enforcement to provide further scrutiny of the individual’s involvement in this scam operation.

Historic captures of the site at archive.org show fundamentally the same site content throughout the history of this domain. The website currently lists their contact phone number as “[redacted]” (Figure 8), however prior to 2016 it listed a different number “[redacted]” (Figure 9).

April-Fools-8

Figure 8 Website March 2016

April-Fools-9

Figure 9 Website September 2014

Victims

Searches on the domain [redacted] and on both of these numbers finds multiple reports of support scam calls, referring to the site or referencing these as call-back numbers (Figure 10).

April Fools 10_1

April-Fools-10_2

April-Fools-10_3

Figure 10 Examples of complaints linked to this operation

Although this call instructed the victim to supply a merchant reference code “my computer” during payment, which might be used as an affiliate code, the reports offering a call-back number suggest it’s unlikely that this is using an affiliate model.

Hanging Up

It is unlikely that readers of this blog would fall for a tech support scam like the one discussed in this blog. Security minded individuals would likely notice the absurdity in the tricks used by the scammers to confirm that the system is compromised, and even more likely to forbid the installation of a remote administration application on their system. Sadly, these scammers prey on less technically knowledgeable individuals, who are often tricked out of hundreds of dollars if they fall victim to these types of scams.

While it is unlikely that these scammers would call a business, we suggest that organizations consider putting controls in place to limit only authorized remote administration applications from running on their network. Palo Alto Networks identifies 93 different remote access applications with App-ID, including Ammyy-admin and LogMeIn Rescue that were used in this scam. We suggest that organizations should use the remote access App-ID’s to block these tools from running on their networks to protect their user base in the event they fall victim to such a scam.

Additionally, for individuals not protected by the Palo Alto Networks platform, the FTC offers consumer guidance that can help detect this type of tech support scam and how to file a complaint with the FTC. We have notified the FTC of this scam and handed over all pertinent information. Who’s the April Fool now, scammer?

3 Reader Comments

  1. That won’t be the last time they call. Over the last year, they’ve called me no less than 30 times. I’ve asked them to not call again, I’ve wasted their time, I’ve tried telling them I have a Mac, or use Linux, or don’t have any computers at all. I’ve told them that my next-generation firewall won’t allow download of .exe files based on policy or that the URL filter won’t allow me to visit their support site. It frustrates them to no end. If you have any aspirations of doing additional research on the group, don’t worry… you’ll likely get many more chances.

  2. My computer screen had an obstructive window open on my business laptop while at work one morning. It warned me of numerous errors in my cpu which if not correccted would cause fatal problems leading to a corrupted and inopperable computer. I was running Norton 360 as I recall. I ck’d my Norton’s and nothing seemed amiss. Thinking it was a bit of malware, I didn’t have any plans to otherwise interact with it at first. After several days of watching this window be moved around. I began to notice how reasonable the offer was And it didem say free tech support and a 30 day FREE trial. If it worked and it seemed to fix my problem, then . . .well, even though alarms were going off in my head, I downloaded this new “program.” BUT, after downloading, it would not install without the unique number grouped in three’s. I was surprised when a dial-tone was heard. I heard a gentleman come onto the line who said his name was Robert though his speech was unmistakenly Indian or Pak-
    Istani. In order to obtain my registration number, it seems it was necessary to purchase a plan for one,
    two or three yrs. This man was a very good sales person and his “superior” was even better. They
    seem to work in pairs. I was in over my head as reasons for their services came at me rapid-fire. Code was discussed in a way that was suggested I, ” of course,” understood the problem as well as the solution. I was completely embarrassed. $299 was credited to my M/C. Their window on my
    screen which obstructed my view of the rest of the screen could not be dissappated without that blasted number. I told no-one of my embarrassing purchases. It would be a COLD, ICEY day in my Galveston, Texas hometown before I would return that super pair of salesmen’s phone calls and they did call every day for almost a month before the phone calls stopped!

  3. Final comment: yes, an expensive lesson.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS