Ammyy Admin scam and scammers

(Image: Ammyy Admin scam)

Hey all, sometimes when I don’t have baby stuff to write about (I don’t today, Maggie’s cool and in school,) I write about IT/work. In this case it’s two separate incidents I had with people who had Ammyy Admin installed on their machines. Ammyy Admin is remote-control software many computer technicians will use to avoid having to drive for two hours to fix a problem.

Ammyy Admin is not a scam

Ammyy Admin itself is not a scam as long as you’re getting it from ammyy.com, nor is the vast majority of its use scammy, but, much like anything else on the internet, people have found a way to cash in on those who have it on their system.

But some people who use Ammyy Admin are scammers…

A couple of weeks back I had a user at my office I needed to show something to, and I was quite a distance away at that point (I’m a paid user, so step back with any snarky comments; obviously not on the computer that image came from, though). I had her download and install Ammyy Admin to figure out what was going on, realized that I needed to research something, and told her I would call back a little later when I found the answer.

I got an email from her from her phone asking who this guy was who was working on her computer because he was getting really pushy. I said I had no idea and immediately called her.

Within twenty minutes of installing Ammyy Admin on her computer, someone had found the computer’s address, popped in and asked for access, taken over her computer, popped open a notepad and asked for her name and number, called her, and proceeded to mess her computer up while telling her it was full of spyware and errors, and attempted to get a credit card for billing.

They (probably) did something to the machine which caused the unregistering of a library, meaning no programs could be executed. They left open a syslog viewer with various errors such as DNS server issues, W32time, etc. For those who aren’t computer technicians: things that absolutely don’t matter.

The fix for the library corruption was a pretty simple “sfc /scannow”. I assume the person calling did it, as I’ve never seen a library error that disables all programs pop up randomly, but I don’t know for certain.

The person supposedly called from (516)418-6649. I’m relaying what number appeared on her cell phone, which could easily be faked with the way the phone systems work. It was a number in NY somewhere, claiming to be a Microsoft partner. It should be noted that to become a Microsoft Partner you just have to fill out this simple form, so I don’t doubt that he was a MS partner.

We filed that away after threatening legal action and not hearing from the dude again. I logged a report with Ammyy Admin that the issue had occurred and thought I was done.

Yesterday a coworker of mine asked me to look at something on his home computer. We installed Ammyy Admin, and within 10 minutes of me being on his machine other people had already requested access to the machine. All it takes is saying yes and they’re in your computer with full control.

So there’s that. Beware. Don’t ever click yes unless you’ve got the person on the phone or know their Operator/Client ID.

Ammyy Admin knows about the problem. There are a total of 99,999,999 potential addresses in the numbering scheme, of which it seems they only hand out ones in the same general range at a time, meaning scammers can pick people up just by trawling along until they get a connection.

With a decent speed connection you’re looking at ten minutes before they find someone who just downloaded Ammyy Admin, at least based on the two people who found my coworkers.

So at the moment the ball’s in Ammyy Admin’s court – this could all be fixed pretty easily by randomizing the numbers given out. Changing the first two client ID digits to letters or numbers would increase the time it takes to find a person by trawling to unfeasible levels.
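To make the allocation argument concrete, here is an added model (written for this page; it is not Ammyy’s code and talks to no service) that estimates how many consecutive ID guesses separate a freshly issued ID from another live one under the sequential hand-out described above versus random allocation. The 8-digit ID space comes from the post; the 36-symbol alphabet for the proposed prefix, the number of recently issued IDs and the fraction still online are assumptions.

```python
import random

# Figure from the post: an 8-digit numeric ID space (99,999,999 usable values).
NUMERIC_SPACE = 10 ** 8
# The post's proposed fix: first two ID characters drawn from letters or digits.
# Assumption: 36 symbols (A-Z, 0-9) per position, so 36 * 36 prefixes x 10^6 suffixes.
ALNUM_SPACE = 36 * 36 * 10 ** 6


def expected_probes(space, live):
    """Mean consecutive probes needed to land on one of `live` IDs scattered
    uniformly over `space` (expected position of the first of k marked
    items among n): (n + 1) / (k + 1)."""
    return (space + 1) / (live + 1)


def allocate(policy, space, issued, base, rng):
    """Issue `issued` IDs. 'sequential' mimics what the post describes
    (consecutive values near `base`); 'random' is the proposed fix."""
    if policy == "sequential":
        return {base + i for i in range(issued)}
    return {rng.randrange(space) for _ in range(issued)}


def probes_to_first_hit(policy, space, issued, online_fraction, rng, budget):
    """One trial of the model: a prober holding a recently issued ID walks
    upward; only `online_fraction` of issued IDs are assumed to still be
    running the client. Returns probes spent before the first live ID, or
    `budget` if none was reached within the budget."""
    base = rng.randrange(space - issued)
    live = {i for i in allocate(policy, space, issued, base, rng)
            if rng.random() < online_fraction}
    own = base + issued // 2 if policy == "sequential" else rng.randrange(space)
    live.discard(own)
    for n in range(1, budget + 1):
        if (own + n) % space in live:
            return n
    return budget


def mean_probes(policy, space=NUMERIC_SPACE, issued=10_000, online_fraction=0.2,
                trials=30, budget=300_000, seed=7):
    """Monte Carlo average of probes_to_first_hit for one allocation policy.
    Defaults (issued IDs, online fraction) are constructed figures, not data."""
    rng = random.Random(seed)
    total = sum(probes_to_first_hit(policy, space, issued, online_fraction, rng, budget)
                for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    for policy in ("sequential", "random"):
        print(f"{policy:10s} mean probes to first live ID: {mean_probes(policy):,.0f}")
    print(f"numeric space {NUMERIC_SPACE:,} -> alphanumeric prefix {ALNUM_SPACE:,}")
```

With these assumed figures the alphanumeric prefix alone enlarges the space about 13-fold; in this model the bulk of the gain comes from issuing IDs at random rather than consecutively.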