There is a widespread scam on the rise in many English-speaking countries. It has been dubbed the "Ammyy Scam" by many because of the website the scammers try to direct victims to. The scam has been extremely successful and has duped many users into falling for it.

Here are the basics of the scam:
1. The victim usually receives a phone call from someone claiming to work as a security person for a large company such as Microsoft or Dell.
2. The caller claims that they have detected a new security vulnerability that is very dangerous and affects "100% of the computers in the world," or something to that effect. They also state that they are alerting users as a courtesy and offer to walk the victim through the installation of a tool that will prevent the problem from affecting their computer.
3. The scammer will then ask the victim to go to their computer, open the event log viewer program, and read something back from it. No matter what the victim reads back, the scammer will say that this information confirms that the new virus / vulnerability is present and that the victim must act immediately or their data will be destroyed. They will also insist that no other virus scanner is able to detect the threat.
4. The caller will then direct the victim to a website, which is often ammyy.com but may have been changed to something else since the scam has gotten some media attention. They will ask the victim to install the Ammy.exe file (or something similar) and to read out a code that the software generates. This code allows the caller to remotely access the victim's computer. The Ammyy tool itself may be a legitimate tool for providing remote access to a computer for support purposes, but in the hands of these guys it merely provides a backdoor into your system so they can take it over, install other malicious software, and/or steal valuable personal data from your computer.
5. After the scammers have confirmed that they can connect to the victim's computer (and take control of it so they can install their malware), they will claim that the problem is fixed.
Some of the scammers may even be so bold as to sell victims a fake antivirus product (scareware) that will further infect their computers. Yes, that's right: they ask the unsuspecting victim who just allowed them to infect their computer to shell out cash to infect it further. These people have no shame. Some victims opt to purchase the fake antivirus software out of fear, and now the scammers have their credit card information as well as access to their computers.
So what do you do if you have already fallen for this scam?

1. Immediately isolate your computer and disinfect it with anti-malware software installed from a trusted source. Pull the Ethernet cable out of the computer's network port and shut down the wireless connection. This will prevent further damage to your computer and ensure that the scammer can't reconnect to the PC. Additionally, you should follow the steps in my "I've Been Hacked, Now What?" article.
2. Contact your credit card companies and report it. Letting your credit card companies know what happened will allow them to issue a fraud alert for your account so they are aware that fraudulent charges may be pending on your account(s).
Remember that the Ammyy tool itself is just a gateway for the bad guys to get into your system. They could have victims install any number of other legitimate remote administration tools that would still allow them to accomplish their goal.
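Because the scammers can use any remote administration tool, a useful triage step on an affected Windows PC is to look for such tools by name and, more robustly, to map live outbound connections to the processes that own them. The script below is an added example, not part of the original article; the tool names in `$SuspectNames` and the use of `Get-NetTCPConnection` (Windows 8 / Server 2012 or later) are assumptions, and the article itself only names "Ammy.exe (or something similar)".

```powershell
# Added example: triage a Windows PC for remote-support tools of the kind
# the scammers have victims install. Run from an elevated PowerShell prompt.
# The names below are assumptions; extend them for tools seen in your case.
$SuspectNames = @('ammyy', 'aa_v3', 'teamviewer', 'anydesk', 'logmein', 'supremo')

function Find-RemoteSupportProcesses {
    # Running processes whose name contains one of the suspect strings.
    Get-Process | Where-Object {
        $name = $_.ProcessName.ToLower()
        $SuspectNames | Where-Object { $name -like "*$_*" }
    } | Select-Object Id, ProcessName, Path
}

function Find-RemoteSupportServices {
    # Installed services (a tool set up to start at boot survives a reboot).
    Get-Service | Where-Object {
        $n = ($_.Name + ' ' + $_.DisplayName).ToLower()
        $SuspectNames | Where-Object { $n -like "*$_*" }
    } | Select-Object Name, DisplayName, Status
}

function Find-EstablishedConnectionsByProcess {
    # Map live TCP sessions to their owning process, skipping loopback and
    # RFC 1918 addresses, so an open remote session shows up even if the
    # tool was renamed to evade a name-based check.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process       = $p.ProcessName
                Path          = $p.Path
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
            }
        }
}

"== Processes matching remote-support tool names =="
Find-RemoteSupportProcesses | Format-Table -AutoSize
"== Services matching remote-support tool names =="
Find-RemoteSupportServices | Format-Table -AutoSize
"== Established connections to non-private addresses, by owning process =="
Find-EstablishedConnectionsByProcess | Format-Table -AutoSize
```

Any unfamiliar process with an open connection to an outside address is a candidate for closer inspection; disconnecting the network, as the article advises, should be done before this triage rather than after it.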
The key to avoiding scams like these is to remember some basic scam-fighting guidelines:

1. Microsoft and other major companies are not likely to call you to help you fix a problem in this manner.
2. Caller IDs can be easily spoofed with Voice over IP software. Many scammers use phony caller ID information to help build their credibility. Google their phone number and look for other reports of scams coming from the same number.
3. If you want to fight back, the best way is to report the scam to the Internet Crime Complaint Center (IC3).
Andy O'Donnell
Internet / Network Security Guide