MSP Tools Used by Bad Actors

Edit: Official Blog post here

The MSP industry has seen a dramatic increase in the use of MSP tools by bad actors. These bad actors usually sign up for free trials and even paid accounts of RMM platforms, and then employ social engineering in order to convince an end-user to install the RMM agent on their computers. The attackers then use the built-in functionality just like any MSP would: Running scripts, remoting into computers, sending emails - the only difference is they have nefarious intentions. While we have monitored for this in the past and quickly shut down any accounts we’ve found, we have seen an uptick in attempts recently, and therefore have implemented new security measures in response that should curtail this behavior. We are committed to proactively preventing this from happening, as well as monitoring for common indicators and swiftly responding if it does. Feel free to email if you have any questions.

From our investigations, a common denominator is the end-user falling for social engineering techniques. We highly encourage our Partners to educate their clients through Security Awareness Training and are offering it at a discounted rate effective immediately. For more information email

I just had a client let a fake company log in using ConnectWise.

Are you saying you are seeing malicious Syncro Accounts being created or legit Syncro accounts getting hacked, or both? Just curious since you mentioned how important it was for Partners to have SAT. Appreciate the warning. Any chance we can get some statistics?

Given this is the case, we should be extra vigilant of links people post in this forum.
It would be easy for a bad actor to sign up to a Syncro trial account, then begin posting in this forum, perhaps including a link in the hope one of us will click and provide the bad actor a back door into our networks or PCs/devices or browsers with access to our own SyncroMSP accounts and Syncro forum accounts.

People still use Facebook?

@ian.alexander another concern here is that bad actors will be signing up for trials of RMM platforms with the sole purpose of looking for security vulnerabilities in the platform that the bad actors can exploit.
Obviously, this would be a risk for all RMM brands.

Is Syncro actively trying to figure out if those applying for a trial are legitimately running an MSP business?

Yea same - it's not really the bad actors we normally have to deal with (so long as the end user knows what's up) - it's more on the MSP side of the RMM tool allowing them access in the first place. If anything - as the community - I would strongly encourage you as a company to monitor this on all MSP accounts for activity that is reported into any scam official service. They sign up for RMM tools like ScreenConnect or even Syncro and that just makes a bad name for the tools we use in a legit way.

Our Facebook group has 3,000 MSPs in it…

Is the Facebook group vetted in any way?
Or can anyone join the group, no questions asked?

Yep, all the more reason why we need more of the security related feature requests implemented yesterday.

The Syncro Facebook group is for Syncro users. So yes.

Hey Andrew,

I am not going to get into detailed mechanics of how we handle trial accounts for security reasons, other than to point you to Ian’s original post.

Good question. For clarification, these are Syncro accounts being created - there is no compromise or hacking of legit accounts. What statistics are you looking for?

They have to request to join the Facebook group and we manually approve them - so no.

Fair enough. What happens when a trial expires, or a paying client leaves Syncro? Are they removed from the Facebook group?..and removed from this forum?

Good news is, you can’t have more than 1 Syncro agent on it and Syncro doesn’t have SOS built in, so it would be hard to affect existing customers. I’m taking this notice as a general info about how RMM platforms can be used by bad actors and not a security statement saying the platform is in crisis.

Yes, like I mentioned we have measures in place for these new trials, both proactive and reactive. We have security researchers who are also constantly looking for exploits and security issues, and we do regular penetration tests, so there are plenty of good guys doing this as well and if they find anything we resolve it.

It is intentional that the Announcements section in particular is publicly available, yes. We often post information if there’s an incident/outage here, and if the site is down SSO to the forums won’t work - so you wouldn’t be able to read the announcement.

How many fake accounts have been found and closed? If you found any info on where the users were country wise perhaps. What can I say, I’m a data geek. I love seeing statistics. :laughing: