909-744-2891

2013-05-10 I am calling from Microsoft Support

We received yet another call from someone with a strong Indian accent, calling from Microsoft Support because our computer is infected with a virus and they want to help. This is always amusing since we have no computer running Windows, but this time I managed to simulate a slightly confused older person running a Windows machine given to him by his children.

I suppose I should insert a warning here for some folks. Microsoft will never call you - these calls are a scam.

This may be simply two people, but I got the impression it was larger than that. The first person that I spoke to was female. After a few questions, when it appeared that she had hooked a fish, she passed me to her male "supervisor". They may have a bunch of level one folks, feeding the fish to a smaller number of level two folks.

The second person claimed that my machine was having problems, and was going to show me these problems. He walked me thru starting up eventvwr on my (nonexistent) Windows machine. He wanted to open a custom view, but I could not remember what my correct response should be to that, so I just pretended to be confused.

He then walked me thru connecting to www.ammyy.com, and asked if I could see the green background. I was not sure what to say, since I did not have a browser up at the moment, and did not want to make too much noise on the keyboard. So I claimed that I saw a "blocked by McAfee" message and was very confused since I had never seen that before.

He then walked me thru connecting to www.support.me, and I again claimed that was also blocked by McAfee.

He then tried to verify that my internet connection was working, by walking me thru connecting to www.google.com. I told him I could see that, but it seemed that I was not likely to get much more information out of him without a real Windows test machine. So I just hung up in a way that might (if I am lucky) be interpreted as a random phone disconnect.

So let's look at the two sites that he tried to convince me to visit. The first one, www.ammyy.com indeed has a green background, but it also has a bright red warning about malicious phone calls like this one. I think that warning could be more prominent, but at least they have something. If you google for "ammyy.com", almost all of the links on the first page are warnings about this scam.

The second one, www.support.me, redirects (at least for me) to https://secure.logmeinrescue.com/Customer/Code.aspx, which has a link for "report abuse" but no warning message. If you google for "support.me", many of the links are warnings about this scam.

If you google for "eventvwr" most of the hits are similar to this one, various stories of scammers trying to take over machines.

From reading some of the other writeups on this scam it is clear that there are multiple independent groups doing this scam, and that they are using multiple remote access web sites, including:

www.ammyy.com - warning on their web page
www.support.me - no warning
www.logmein123.com - no warning, same as support.me above
www.teamviewer.com - no warning on their web page
www.help22.com - does not exist?
www.microwindowssupport.com - does not exist?
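
The caller in this post moved from one remote-access site to the next within a few minutes, which is a pattern a home or office DNS log can show. The following is an added example, not part of the original post: it flags any client that looks up two or more different remote-access services from the list above within a short window. It assumes dnsmasq query logging; the 15-minute window, the service labels, the year default and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Remote-access sites named in the post, mapped to the service behind them.
# support.me, logmein123.com and logmeinrescue.com are one service, so the
# support.me redirect must not count as a second tool.
SERVICES = {
    "ammyy.com": "ammyy", "teamviewer.com": "teamviewer",
    "support.me": "logmein-rescue", "logmein123.com": "logmein-rescue",
    "logmeinrescue.com": "logmein-rescue",
}
# dnsmasq query line: "May 10 14:02:11 dnsmasq[812]: query[A] <name> from <ip>"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")
# Constructed sample log (not real traffic); client addresses are made up.
SAMPLE_LOG = """\
May 10 14:02:11 dnsmasq[812]: query[A] www.ammyy.com from 192.168.1.50
May 10 14:06:40 dnsmasq[812]: query[A] www.support.me from 192.168.1.50
May 10 14:06:41 dnsmasq[812]: query[A] secure.logmeinrescue.com from 192.168.1.50
May 10 09:00:00 dnsmasq[812]: query[A] www.support.me from 192.168.1.77
May 10 09:00:01 dnsmasq[812]: query[A] secure.logmeinrescue.com from 192.168.1.77
""".splitlines()

def service_for(name):
    """Return the service for a queried name, matching whole DNS labels only."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        svc = SERVICES.get(".".join(labels[i:]))
        if svc:
            return svc
    return None

def flag_clients(lines, window=timedelta(minutes=15), year=2013):
    """Clients that queried >= 2 distinct services within `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        svc = m and service_for(m.group(2))
        if svc:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits[m.group(3)].append((ts, svc))
    flagged = {}
    for client, events in hits.items():
        events.sort()
        for start, _ in events:
            seen = {s for t, s in events if start <= t <= start + window}
            if len(seen) >= 2:
                flagged[client] = sorted(seen)
                break
    return flagged
```

A single lookup of one of these sites is ordinary, since they are legitimate support tools; the signal here is several different ones in quick succession from the same machine.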

Well, I happen to have a spare ethernet port on the Vyatta router, and an old spare machine where I can install an ancient copy of Windows XP (yes, it is legal - I just have not used that for many years). So I now have a disposable machine with internet access, but it has NO access to my network. Next time they call, I can let them play for a bit.