Although the fake Microsoft support cold call scams have been going on for a few years, it’s surprising just how many people still keep falling for them. My neighbour, an elderly lady, has already fallen for the scam a third time. The last time I helped her out, I tried my best to explain to her that no matter who calls about your computer, you should hang up immediately. She was quite shaken that second time, so I was sure she was not going to fall for it again; that was until yesterday. Luckily she doesn’t have a credit card.
As there seems to be no way of blocking the calls, one idea I just thought of is to try to block the remote access services they use, so that viewing an affected website will display a clear “Hang up now!!” message instead. With the elderly lady I helped out, they used TeamViewer previously and LogMeIn this time. From a quick search, Ammyy is another popular remote access tool they use.
Probably the simplest way to block websites is with the hosts file. You can edit it by running Notepad as an administrator (not necessary with Windows XP) and opening “%windir%\system32\drivers\etc\hosts”, then adding the following lines to the end:
127.0.0.1 logmein.com
127.0.0.1 secure.logmeinrescue.com
127.0.0.1 www.support.me
127.0.0.1 www.logmein.com
127.0.0.1 logmein.com
127.0.0.1 secure.logmein.com
127.0.0.1 logmeinrescue-enterprise.com
127.0.0.1 logme.in
127.0.0.1 hamachi.cc
127.0.0.1 internapcdn.net
127.0.0.1 LogMeIn123.com
127.0.0.1 123rescue.com
127.0.0.1 support.me
127.0.0.1 join.me
127.0.0.1 cub.by
127.0.0.1 cubby.com
127.0.0.1 www.ammyy.com
127.0.0.1 ammyy.com
127.0.0.1 www.teamviewer.com
127.0.0.1 teamviewer.com
127.0.0.1 master1.teamviewer.com
127.0.0.1 master2.teamviewer.com
127.0.0.1 master3.teamviewer.com
127.0.0.1 master4.teamviewer.com
127.0.0.1 master5.teamviewer.com
127.0.0.1 master6.teamviewer.com
127.0.0.1 master7.teamviewer.com
127.0.0.1 master8.teamviewer.com
127.0.0.1 master9.teamviewer.com
127.0.0.1 master10.teamviewer.com
127.0.0.1 master11.teamviewer.com
127.0.0.1 master12.teamviewer.com
127.0.0.1 master13.teamviewer.com
127.0.0.1 master14.teamviewer.com
127.0.0.1 master15.teamviewer.com
127.0.0.1 master16.teamviewer.com
I got most of the hosts above by looking around online for the hosts LogMeIn and TeamViewer use. I couldn’t find a similar list for Ammyy, but blocking its main website should be enough to show the warning before the rogue caller suggests something else.
With all the above hosts redirected to the localhost (127.0.0.1), a simple HTTP server utility can be used to show a clear warning screen. In my case, I wrote a simple HTML file with large writing “Hang up NOW!!” and a line of text below saying “If the person is calling about your computer, you are being conned!”.
One such utility I came across is QuickPHP, a small 3MB download, which I extracted somewhere handy (e.g. C:\http). I then added a folder inside it (e.g. web) and placed the following in an HTML file called “index.html” in that folder.
<!DOCTYPE html>
<html>
<head>
  <title>Website blocked</title>
</head>
<body style="text-align: center;">
  <br><br><br><br><br><br><br><br>
  <h1 style="font: 100px arial, sans-serif; color: red">Hang up NOW!!</h1>
  <p style="font: 25px arial, sans-serif">If the person is calling about your computer, you are being conned!</p>
</body>
</html>
To run it, I created a shortcut in the Startup folder that runs the following (adjust the paths as necessary):
c:\http\QuickPHP\QuickPHP.exe /Root="c:\http\web" /Minimized /Bind="127.0.0.1" /Port=80 /Start /AllowDirList=false /NoConfirm=true
The first time it runs, it’ll ask whether to trust it and unblock it. Tick the boxes to not ask again, otherwise the user will get these messages each time the computer boots up.
If all goes well, viewing an affected website will display the warning screen and hopefully be enough to get the person to hang up.
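The hosts entries only help while they are still in the file and still point at 127.0.0.1, and the hosts file matches exact names only (no wildcards). The following check is an added example, not part of the original setup: it parses hosts-file text and reports which required names are missing or redirected elsewhere. The `REQUIRED` subset and the `SAMPLE` text are constructed for illustration.

```python
"""Audit hosts-file text for the remote-access block entries (added example)."""

LOOPBACK = "127.0.0.1"

# Subset of the hostnames listed above; extend with the rest as needed.
REQUIRED = ["logmein.com", "secure.logmeinrescue.com", "LogMeIn123.com",
            "ammyy.com", "www.teamviewer.com", "master1.teamviewer.com"]


def parse_hosts(text):
    """Return {lowercased hostname: ip} from hosts-file text."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # everything after '#' is a comment
        if not line:
            continue
        ip, *names = line.split()              # one address, then one or more names
        for name in names:
            # Hostnames are case-insensitive; keep the first mapping seen.
            mapping.setdefault(name.lower().rstrip("."), ip)
    return mapping


def audit(text, required=REQUIRED):
    """Return the required hostnames that are missing or not sent to loopback."""
    mapping = parse_hosts(text)
    return [h for h in required if mapping.get(h.lower()) != LOOPBACK]


# Constructed sample: one entry commented out, one pointing somewhere else.
SAMPLE = """\
# sample hosts file
127.0.0.1 localhost
127.0.0.1 logmein.com www.logmein.com   # two names on one line
127.0.0.1 secure.logmeinrescue.com
127.0.0.1 logmein123.COM
#127.0.0.1 ammyy.com
127.0.0.1 www.teamviewer.com
10.0.0.5 master1.teamviewer.com
"""

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print("NOT BLOCKED:", host)
```

To audit a real machine, pass the contents of %windir%\system32\drivers\etc\hosts to `audit()` with the full list of names from above.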
If anyone knows of any other remote access services or knows someone who was a victim of such a scam that used another remote access service, please mention them below and I’ll update the above list. While I know there are various VNC services (e.g. TightVNC, RealVNC, etc.), they are not as user friendly to set up and I doubt a rogue caller would use such a service as their first choice.