Block LogMeIn, Ammyy and TeamViewer to counter fake Microsoft callers

vbimport

#1

Although the fake Microsoft support cold call scams have been going on for a few years, it’s surprising just how many still keep falling for them. My neighbour, an elderly lady, has already fallen for the scam a third time. The last time I helped her out, I tried my best explaining to her that no matter who calls about your computer, hang up immediately. She was quite shaken that second time, so I was sure she was not going to fall for it again; that was until yesterday. Luckily she doesn’t have a credit card.

As there seems to be no way of blocking the calls, one idea I just thought of is to try to block the remote access services they use, where viewing an affected website will display a clear “Hang up now!!” message instead. With the elderly lady I helped out, they used TeamViewer previously and LogMeIn this time. From a quick search, Ammyy is another popular remote access tool they use.

Probably the simplest way to block websites is with the hosts file. You can edit it by running Notepad as an administrator (not necessary with Windows XP) and open up “%windir%\system32\drivers\etc\hosts”, then add the following lines to the end:

127.0.0.1 logmein.com
127.0.0.1 secure.logmeinrescue.com
127.0.0.1 www.support.me
127.0.0.1 www.logmein.com
127.0.0.1 logmein.com
127.0.0.1 secure.logmein.com
127.0.0.1 logmeinrescue-enterprise.com
127.0.0.1 logme.in
127.0.0.1 hamachi.cc
127.0.0.1 internapcdn.net
127.0.0.1 LogMeIn123.com
127.0.0.1 123rescue.com
127.0.0.1 support.me
127.0.0.1 join.me
127.0.0.1 cub.by
127.0.0.1 cubby.com
127.0.0.1 www.ammyy.com
127.0.0.1 ammyy.com
127.0.0.1 www.teamviewer.com
127.0.0.1 teamviewer.com
127.0.0.1 master1.teamviewer.com
127.0.0.1 master2.teamviewer.com
127.0.0.1 master3.teamviewer.com
127.0.0.1 master4.teamviewer.com
127.0.0.1 master5.teamviewer.com
127.0.0.1 master6.teamviewer.com
127.0.0.1 master7.teamviewer.com
127.0.0.1 master8.teamviewer.com
127.0.0.1 master9.teamviewer.com
127.0.0.1 master10.teamviewer.com
127.0.0.1 master11.teamviewer.com
127.0.0.1 master12.teamviewer.com
127.0.0.1 master13.teamviewer.com
127.0.0.1 master14.teamviewer.com
127.0.0.1 master15.teamviewer.com
127.0.0.1 master16.teamviewer.com

I got most of the hosts above from looking around online for what hosts LogMeIn and TeamViewer use. I couldn’t find a similar list for Ammyy, but blocking its main website should be enough to show the warning before the rogue caller suggests something else.

With all the above hosts redirected to the localhost (127.0.0.1), a simple HTTP server utility can be used to show a clear warning screen. In my case, I wrote a simple HTML file with large writing “Hang up NOW!!” and a line of text below saying “If the person is calling about your computer, you are being conned!”.

One such utility I came across is QuickPHP, which is a small 3MB download, and I extracted it somewhere handy (e.g. C:\http). I then added a folder inside it (e.g. web) and placed the following in an HTML file called “index.html” in that folder.

<!DOCTYPE html>
<html>
<head>
<title>Website blocked</title>
</head>
<body style="text-align: center;">
<br><br><br><br><br><br><br><br>
<h1 style="font: 100px arial, sans-serif; color: red">Hang up NOW!!</h1>
<p style="font: 25px arial, sans-serif">If the person is calling about
your computer, you are being conned!</p>
</body>
</html>

To run it, I created a shortcut in the Startup folder that runs the following (adjust the paths as necessary):

c:\http\QuickPHP\QuickPHP.exe /Root="c:\http\web" /Minimized /Bind="127.0.0.1" /Port=80 /Start /AllowDirList=false /NoConfirm=true

The first time it runs, it’ll ask whether to trust it and unblock it. Tick the boxes to not ask again, otherwise the user will get these messages each time the computer boots up.

If all goes well, viewing an affected website will display the warning screen and hopefully be enough to get the person to hang up.

If anyone knows of any other remote access services or knows someone who was a victim of such a scam that used another remote access service, please mention them below and I’ll update the above list. While I know there are various VNC services (e.g. Tight VNC, RealVNC, etc.), they are not as user friendly to set up and I doubt a rogue caller would use such a service as their first choice.
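An added example, not part of the original post: hosts-file entries match exact names only, so a listed `join.me` does not cover `www.join.me`. This Python sketch parses hosts-file text and reports which www/bare counterparts of the blocked names are still unblocked; the sample text is constructed, and the two-label rule in `sibling` is a simplifying assumption.

```python
import ipaddress

def parse_hosts(text):
    """Map each lower-cased hostname in hosts-file text to its IP address."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not an address: skip malformed line
        for name in fields[1:]:                    # one line may carry several names
            table.setdefault(name.lower(), ip)     # keep the first mapping seen
    return table

def sibling(name):
    """Return the www/bare counterpart of a name, or None for deeper subdomains."""
    if name.startswith("www."):
        return name[4:]
    if name.count(".") == 1:                       # simplification: two-label names only
        return "www." + name
    return None

def audit(text):
    """Return (blocked, gaps): loopback-mapped names, and siblings left unblocked."""
    table = parse_hosts(text)
    blocked = sorted(n for n, ip in table.items() if ip.is_loopback)
    gaps = sorted({s for n in blocked
                   if (s := sibling(n)) and s not in blocked})
    return blocked, gaps

# Constructed sample: a few lines in the style of the post's list.
SAMPLE = """\
# remote-access block list
127.0.0.1 logmein.com www.logmein.com
127.0.0.1 LogMeIn123.com
127.0.0.1 join.me
127.0.0.1 www.ammyy.com   # main site
127.0.0.1 ammyy.com
127.0.0.1 master1.teamviewer.com
10.0.0.5 teamviewer.com
"""

if __name__ == "__main__":
    blocked, gaps = audit(SAMPLE)
    print("blocked:", blocked)
    print("not covered:", gaps)
```

To audit a real machine, pass the contents of `%windir%\system32\drivers\etc\hosts` to `audit` instead of `SAMPLE`.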


#2

Thanks Sean

Marty


#3

I thought I would add one important step in modifying the host file.
To make the modifications you need to right click the host file and select Properties.
Then uncheck the “Read only” box. Apply & then OK.
When you are finished do the same except check the “Read only” box.

Myself I always use Wordpad for opening the host file & modifying it.

@ Seán, I’ve never had one of these calls so I have to ask.
Do they actually call you on your telephone?
Or do they request you call them?

I’m adding the list you posted to my host file but for now I’m not adding the “Warning”.


#4

They actually call the phone just like any other cold caller.

I haven’t received any of those calls either, but my brother has received several of them. Basically they start the call claiming they are calling from Microsoft and are either investigating a serious virus infection from the person’s computer or that the computer has been reporting major problems to Microsoft and they need to fix it urgently before the computer seizes up. They then ask the user to go to a URL (e.g. LogMeIn Rescue) to download and run an executable file so that they can get remote access to the PC to fix the problem.

Based on what I saw happen on my neighbour’s PC, once they have access, they set up the remote desktop software so that they have continuous access once the computer logs on and basically take the computer hostage until they receive payment. So they call back multiple times asking if she has managed to get a lend of a credit card to make payment. I think the reason she receives so many calls is that she already fell for the scam twice before, even if she wasn’t able to make payment.


#5

I get those calls every day from India trying to sell me Viagra and Cialis for big discounts, I tell them I do not use those drugs and they keep on and on, now when I see the number I don’t answer.


#6

[QUOTE=alan1476;2735769]I get those calls every day from India trying to sell me Viagra and Cialis for big discounts, I tell them I do not use those drugs and they keep on and on.[/QUOTE]

Maybe they saw you @ a drugstore once and know that you’re lying to them…:bigsmile::bigsmile:

j/k Alan…sorry,I couldn’t resist!!:disagree::bigsmile::wink:


#7

@ alan, I bet you have already done this but my phone numbers are on the national “Do Not Call” list.
Texas has an additional list.
I don’t know if your state has this or not.
It has worked pretty well for me not getting many unwanted calls like the ones you are getting.
I’m not sure how much the federal or state government does if a report is made.


#8

[QUOTE=cholla;2735774]@ alan, I bet you have already done this but my phone numbers are on the national “Do Not Call” list.
Texas has an additional list.
I don’t know if your state has this or not.
It has worked pretty well for me not getting many unwanted calls like the ones you are getting.
I’m not sure how much the federal or state government does if a report is made.[/QUOTE]
I have 3 numbers including cells and they are all on the National Do Not Call List, I have complained to Verizon but all to no avail.


#9

[QUOTE=roadworker;2735772]Maybe they saw you @ a drugstore once and know that you’re lying to them…:bigsmile::bigsmile:

j/k Alan…sorry,I couldn’t resist!!:disagree::bigsmile:;)[/QUOTE]
:bigsmile::bigsmile::bigsmile::bigsmile::bigsmile::bigsmile:


#10

[QUOTE=alan1476;2735775]I have 3 numbers including cells and they are all on the National Do Not Call List, I have complained to Verizon but all to no avail.[/QUOTE]
You need to file the complaint here: https://complaints.donotcall.gov/complaint/complaintcheck.aspx

You might check the FAQ there. You don’t need to do much to establish a “business” relationship, which lasts up to 18 months.

However, if you request when you are called that you be placed on a company’s own “do not call list”, they are required to do so.
If you are in a state that allows “one party” permission to record phone calls, just record the call if you can.
In a two party consent state you need permission from both parties to record.
You make the complaint for the company not placing you on their do not call list at the same place.


#11

[QUOTE=cholla;2735781]You need to file the complaint here: https://complaints.donotcall.gov/complaint/complaintcheck.aspx

You might check the FAQ there. You don’t need to do much to establish a “business” relationship, which lasts up to 18 months.

However, if you request when you are called that you be placed on a company’s own “do not call list”, they are required to do so.
If you are in a state that allows “one party” permission to record phone calls, just record the call if you can.
In a two party consent state you need permission from both parties to record.
You make the complaint for the company not placing you on their do not call list at the same place.[/QUOTE]
I even have the numbers they are using to call me, I have caller ID, they hang up on you if you ask to be removed. Sometimes I get calls and no one is on the other end, it’s just a call to make sure the line is in service then the same number calls you again with a voice.


#12

[QUOTE=alan1476;2735782]I even have the numbers they are using to call me, I have caller ID, they hang up on you if you ask to be removed. Sometimes I get calls and no one is on the other end, it’s just a call to make sure the line is in service then the same number calls you again with a voice.[/QUOTE]
It is still telemarketing.
I would file complaints stating that my request for being put on the do not call list always resulted in a hang up.
I don’t think you have to have this recorded but that wouldn’t hurt if requested by the FTC.
Your cell phone company keeps records of calls. If you have had several from the same number I think the FTC will believe you made the request.
I would give it a try anyway; if it works you will not be bothered.


#13

[QUOTE=cholla;2735784]It is still telemarketing.
I would file complaints stating that my request for being put on the do not call list always resulted in a hang up.
I don’t think you have to have this recorded but that wouldn’t hurt if requested by the FTC.
Your cell phone company keeps records of calls. If you have had several from the same number I think the FTC will believe you made the request.
I would give it a try anyway; if it works you will not be bothered.[/QUOTE]
Thanks.:slight_smile:


#14

I finally got to check her computer and got some interesting info.

As soon as the PC booted up, it showed a weird message about a Windows certificate failure and a system shutdown notice that counted down from 60. A quick run of “shutdown -a” aborted that.

From a quick look using Autoruns, I couldn’t find anything unusual added, so I checked the Start menu and noticed two suspicious items:

The item the tooltip covered in my screenshot is “Software License Registration Failed for XP”. The two Adobe entries were already there.

The fake Firefox shortcut had the following target:

%windir%\system32\shutdown.exe -s -t 600 -c "You have been hit by a stuxnet virus, you may lose all your files and folders"

The “Software License Registration Failed for XP” is a VBS file which contained the following:

X = msgbox ("Windows XP operating system certificate got failed . Please upgrade your windows operating system immediately",50, "WARNING")
do
X = MsgBox("The computer may crash at any point of time",50, "WARNING")
loop

So basically, as soon as Windows logs in, it shows a “The computer may crash at any point of time” message box in an endless loop until 60 seconds later, where the PC shuts down.

Going by the run history, it looks like they tried getting her to visit Ammyy.com, but there was a typo in each attempt, so that explains why they ended up using LogMeIn. I could not find any left-over of the remote access client, so I suspect they removed it or had another start-up script that would delete it after a certain period of time to hide their presence.

However, they did leave their “calling card”. The lady had 00442088199789 written on paper, ask for Andrea and pay €25 by credit card to fix the computer. A quick Google on that phone # reveals it has been abused for several years with fake Microsoft cold callers (example) and I’m surprised it hasn’t been blocked. :eek:
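An added example, not part of the original post: a Python triage sketch that applies three checks to startup items like the ones found above (a shortcut that runs `shutdown.exe`, a shortcut whose name shares no word with its program, and a script that shows message boxes in a loop with no exit). The target and script text are abbreviated from the post; the item names, the benign entry and the word-overlap heuristic are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

TARGET_RE = re.compile(r'\s*"?([^"]+?\.exe)"?(.*)$', re.I | re.S)
LOOP_RE = re.compile(r"^\s*do\s*$(.*?)^\s*loop\s*$", re.I | re.M | re.S)

def triage(item):
    """Return findings for one startup item: dict with name, target, script."""
    findings = []
    m = TARGET_RE.match(item.get("target", ""))
    exe = PureWindowsPath(m.group(1)).stem.lower() if m else ""
    args = m.group(2).lower() if m else ""
    # shutdown.exe with -s or -r (or /s, /r) powers off or restarts the machine.
    if exe == "shutdown" and re.search(r"(?:^|\s)[-/][sr](?=\s|$)", args):
        findings.append("forces shutdown or restart")
    # Heuristic (assumption): a shortcut's name usually shares a word with its program.
    words = re.findall(r"[a-z]{4,}", item["name"].lower())
    if exe and words and not any(w in exe for w in words):
        findings.append("name does not match target")
    # A do...loop that shows message boxes and has no "exit do" never ends.
    for body in LOOP_RE.findall(item.get("script", "")):
        if re.search(r"msgbox", body, re.I) and not re.search(r"exit\s+do", body, re.I):
            findings.append("endless MsgBox loop")
    return findings

# Target and script text abbreviated from the post; item names and the
# benign Adobe entry are constructed for illustration.
ITEMS = [
    {"name": "Mozilla Firefox",
     "target": r'%windir%\system32\shutdown.exe -s -t 600 -c "You have been hit by a stuxnet virus"'},
    {"name": "Software License Registration Failed for XP",
     "script": 'X = msgbox ("certificate got failed",50, "WARNING")\ndo\n'
               'X = MsgBox("The computer may crash at any point of time",50, "WARNING")\nloop\n'},
    {"name": "Adobe Reader Speed Launcher",
     "target": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'},
]

if __name__ == "__main__":
    for item in ITEMS:
        print(item["name"], "->", triage(item) or "ok")
```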



#15

My pseudo Skype number shows as one of the abused numbers when Googled.
I don’t know why. This is a pseudo number that Skype sends as caller ID if you set it to not send the real SkypeOut number. Meaning the one I pay for to call out & receive calls.
This is the pseudo number: 661-748-0240
You don’t need to bother to remove it; if I call it, all I get is dead air.
If you get anything different let me know.
I tried the number from my cell & I got a message about trying to reach a Skype user.
If it ever does actually ring my Skype phone I will be happy to talk to you.


#16

Ok, here’s old dummy again. I have heard on the computer that a company (person) can call your number and then hijack it and use it after you hang up. Don’t know if I am explaining it right. Is this true? I have had some of those calls where no one is there and guessed that it was an autodialer checking if a computer or human answered, but have also heard about the above thing also.

Thanks
Marty


#17

@ Marty, I’m not going to say what a top level hacker might be able to do but that would require far above average level hacking.
The use would be evident on your next phone bill if long distance calls were made.
What would be the point of doing that to make local calls?
I guess a hacker might do that to incriminate the person whose number he stole.
I’m curious also to see what someone that has knowledge about this says.


#18

The automatic hanging up could also be them looking for fax numbers. If a fax tone is not detected, the connection is dropped to try another number. Spam faxes were fairly common around here up until about 5 years ago, mainly targeting office numbers.

The premium rate scam was a little different and happened here probably around 5 years ago also. When one answered the phone, a recorded message said that they have won a Caribbean cruise and to press ‘9’ to speak to an operator about it.

Basically, what that scam did was use a collect-call, but instead of playing a message asking if the user would like to accept a collect call, it falsely claimed that they won a Caribbean cruise and pressing ‘9’ (or whatever the digit was) accepted the collect call. Although the person would be put through to someone, I think all that representative did was just try keeping the person as long on the phone as possible, probably explaining all about the fictitious cruise or collecting address details for an info pack that of course would never be sent out.

We received quite a number of calls about that fictitious cruise, but as we knew it had to be a scam like those Nigerian scam e-mails, we just hung up the phone every time.


#19

Cholla, Sea’n, thanks for the quick response. Sean, how do you do your “A” in your name? I do know it is a language thing, so how would I do it?

Thanks again
Marty


#20

Marty, I usually just copy & paste Seán.
From my US keyboard:
Hold down the “Alt” key & type “160” with the number keypad.
The horizontal row of numbers won’t work for this.