Zero-day opens the way to hack back against fake Microsoft tech support scammers

Scamming scammers may be funny, but using this zero-day to exact gray-hat justice is likely illegal.

Tech support phone call scammers
David Clark

While most stories about trolling scammers are amusing, it’s considerably less so when a creep scams your grandparents and you are their 24/7 free tech support who mops up the mess on their PC. That is exactly what happened to Matt Weeks, aka scriptjunkie, who then developed a zero-day exploit to counter-exploit the scammers.

People get scammed every day in a plethora of ways, such as through lowdown scareware software scams or fake tech support people making unsolicited phone calls with the intention of exploiting technically challenged victims. Microsoft has long warned consumers about scams involving phony Microsoft tech support; the scam generally involves some jerk who claims to be from Microsoft, claims Microsoft detected a problem on the victim's Windows PC, and then offers to remote into the sick PC to supposedly fix problems for a “small” fee.

Cybercrooks may claim to be calling on behalf of Windows Helpdesk, Windows Service Center, Microsoft Tech Support, Microsoft Support, Windows Technical Department Support Group or Microsoft Research and Development Team. Microsoft warned that these scammers will try to “convince you to visit legitimate websites (like to download software that will allow them to take control of your computer remotely and adjust settings to leave your computer vulnerable.”

The problem is so common that the makers of the remote desktop software Ammyy Admin also warned, “If you receive a phone call claiming to be from 'Microsoft' or someone claiming to work on their behalf, telling you that you have a virus on your computer or some errors which they will help you to fix via Ammyy Admin, it is definitely a scam.” In its “if you got scammed” directions, Ammyy Admin recommends killing your Internet connection and freezing “all your bank accounts” before trying to remove the software…or leaving the PC off until a “computer specialist” can remove the software.

Regarding such a specialist, information security researcher Matt Weeks “put together a Metasploit module that will generate a plaintext transcript to send to the remote end via the injected DLL into a running Ammyy instance that will exploit the remote end trying to take over your computer.”

This is not something a person who would fall for a fake tech support call could pull off because the victims don’t have the technical know-how; otherwise they wouldn’t have fallen for the scam. But for the tech savvy, who might set up and await a scenario to exact revenge on the scammers, it would surely be illegal. Some folks might call hacking the scammers an ethically “gray” area. Legally, much like taking an “active defense” approach, better known as hacking back, a person who uses this could be prosecuted for breaking computer crime laws. That’s probably why Weeks makes you accept the terms and conditions before downloading the zero-day.

Revenge of the scammers 0day to exploit Ammyy Admin Matt Weeks

The zero-day exploit in Ammyy Admin “works from the ‘controlled’ end; when someone tries to connect to you, asking to control your computer, you send back the exploit and take over the controller. It has been written for and tested against the latest version of Ammyy Admin (3.5).”

The following how-to is also from the ReadMe instructions:

  1. Download Ammyy from the Ammyy website.
  2. Set up two Windows VMs in an isolated network.
  3. Use the Metasploit module to generate your exploit.dat file.
  4. Copy the exploit.dat file and aaexploit.exe to the first VM (good guy VM) and run aaexploit.exe. After a few seconds, you will get a popup saying Ammyy isn't connected to the internet. Click to ignore it. Wait for 15 seconds to complete loading the exploit.
  5. Start the Ammyy executable on the second VM (bad guy VM). After a few seconds, you will get a popup saying Ammyy isn't connected to the internet. Click to ignore it.
  6. From the bad guy VM, type in the IP of the good guy VM in the “Client ID/IP” field and click Connect.
  7. You will get a popup on the good guy VM asking if you want to allow the connection. Hit “allow” to send the exploit.
  8. The bad guy VM should display a blank “Loading” window that will sit there as long as your shellcode is running. In this exploit, I deliberately did NOT return execution flow to the original thread, since I assumed you would not want to provide the bad guy with control over your VM.

Weeks explained that this started due to some jerk fleecing his grandparents. He wrote:

No scammer group has ever called me, and I have never used this except to test it and in demonstrations. I don’t normally release zero day exploits, but I made an exception in this case because given the reporting and usage of Ammyy Admin I consider it highly unlikely to be used to compromise innocent victims. The primary users at risk of compromise are the scammer groups. Hopefully, it will be a deterrent to those who would attempt to compromise and take advantage of innocent victims.

If you try this, it would be unwise to brag about scamming the scammers, unless you want to test the legality theory and see if Johnny Law Officer comes knocking on your door with questions about hacking.
