As Naked Security readers will be aware, tech support fraudsters have recently taken a real shine to customers of TalkTalk, a British internet service provider.
Some of TalkTalk’s UK home broadband ISP customers have suddenly found themselves unable to access lots of different websites (e.g. Social media sites, the National Lottery and many more) after the internet provider’s network-level HomeSafe filter for “blocking inappropriate content” suddenly enabled itself, and wouldn’t disable. At present the provider gives customers the option to. AnyDesk allows you to establish remote desktop connections in Windows 10 and opens up unprecedented possibilities of collaborating online and administrating your IT network. With AnyDesk, you can work remotely from everywhere! Dynamic Performance for Smooth Windows Remote Access.
As many attest, they just won’t leave TalkTalk customers alone, cold-calling them on a scale the BBC recently described as “industrial”. Needless to say, this is not good.
The phone spiel always unfolds in the same way. The caller claims to be a TalkTalk engineer and to have detected a router or malware issue on the user’s computer that requires immediate intervention.
The customer is persuaded to turn on their computer and run the Windows Event Viewer to perform bogus diagnostics before being asked to install one of a range of remote desktop support tools.
This type of application gives the scammers complete remote control over the victim’s PC, at which point they are free to steal data, install malware and, in some cases, engineer the user into logging into online banking or transferring money.
A popular choice with the fraudsters since at least 2015 has been TeamViewer, so much so that on March 8, TalkTalk abruptly started blocking the application from functioning on its network in a desperate effort to stem a tide of abuse customers had started complaining about.
TeamViewer’s block was removed on Thursday after complaints by the company, but that didn’t stop TalkTalk from quietly blocking equivalents such as AnyDesk, whose users started noticing unexpected connection issues around the same time.
Tech support fraud, or “vishing”, has been around for years, so is there much new to be worried about here?
Talktalk Anydesk Apk
The unsettling aspect of the TalkTalk attacks is that the fraudsters allegedly accessed stolen data, which means they immediately sounded more convincing to their victims. If confirmed, this means that fraudsters have been able to synthesise old-fashioned tech support social engineering with data breach cybercrime to create something novel and perhaps unstoppable.
Talktalk Anydesk Download
It also seems to be easy to abuse remote support applications, which have flourished on the back of untraceable freemium accounts. It’s not clear how these companies detect misuse but clearly more needs to be done. In other cases, genuine accounts have also been hijacked to execute remote fraud.
Clearly, nobody should hand over a full password, bank details or agree to transfer money on the basis of a cold call but the fact that people are still doing this suggests the message is not being heard.
The traditional advice for dealing with cold calls runs as follows:
Talktalk Anydesk Free
- Hang up and dial that company’s advertised number to check its authenticity.
- Never respond to a web pop-up asking you to call a number or visit a website
- Never install a remote support application on the basis of a cold call
- Report all tech support cold calls to Action Fraud, where it stands a chance of becoming useful intelligence.
- TalkTalk offers a way for customers to report fraud direct
Talktalk Anydesk App
Rejecting all cold calls would be a simpler option but that might be hard to keep to as occasionally companies do need to call their customers out of the blue often, ironically, because they’ve detected fraud.
This is a bit of a mess. Cold calling, once a useful marketing tool for industries keen to make use of their databases, has been turned against them. Companies could introduce better authentication but this wouldn’t easily defend against fraudsters armed with personal data from a breach.
We urgently need to know more about what has happened at TalkTalk because this could be the tech support scam on steroids, a poisoning of the well that has done long-term damage to the whole concept of helping people down a phone line. It would be a shame if this marks the moment a once-useful facility started to wither for good.
AnyDesk is a Remote Desktop solution which has become very popular in the last two years. It is overtaking TeamViewer in popularity because AnyDesk is currently a lot more generous with how much activity they allow on the free version. However, it is not always desirable to have remote access software such as AnyDesk running on your network. This article explains a number of measures to block AnyDesk from connecting out to the big wide world.
Ports used by AnyDesk
Like most hosted remote-access applications these days, AnyDesk connects out on ports TCP 80, TCP 443, and also one unique port – TCP 6568.
Internally, it uses UDP ports 50001-50003 for multicasting to allow discovery on your local network.
No special outbound rules or port forwarding are required to make AnyDesk work – so long as your network administrator hasn’t followed the below instructions to make life difficult for AnyDesk.
How to Block AnyDesk On Your Network
Talktalk Unblock Anydesk
If you want to block AnyDesk on your network, there are a few measures you can put in place:
- Create local firewall rules using Windows Firewall to block outgoing connections from AnyDesk.exe
- Block the resolution of DNS records on the anydesk.com domain. If you run your own DNS server (such as an Active Directory server) then this is easy:
- Open your DNS Management Console
- Create a top-level record for ‘anydesk.com‘
- Do nothing else. By pointing this record nowhere you will stop connections to this domain and all of it’s subdomains
- Block anydesk.com in PiHole – this is another way to use DNS blocking to stop AnyDesk from connecting out via your network
- Ensure the only DNS connections allowed on your network are to your own internal DNS servers (which contain the above dummy-record). This removes the possibility of the AnyDesk client checking DNS records against their own servers, instead of yours. To do so, add a new outgoing firewall rule to disallow TCP & UDP port 53 from all source IP addresses, EXCEPT the addresses of your own DNS servers.
- You can utilise Group Policy to deny AnyDesk.exe from running. To do this, create a new Software Restriction Policy with a Hash Rule for AnyDesk.exe.
- If you have a firewall with Deep Packet Exception, you can enable the in-built rules to block AnyDesk. These firewalls often release new definition updates as the situation changes, so a lot of the hard work is handled for you.
- Block outgoing TCP Port 6568. You can create a DENY rule in your firewall to do this.
AnyDesk does not have any fixed IP addresses – they simply use IPs from cloud providers, and do not publish a list, so blocking IPs will be a game of whack-a-mole. However, these above seven steps should allow you to be successful in blocking AnyDesk from connecting out to the internet.