OFFICIAL SECURITY BLOG

Online PC Support Scams: Turning the Tables

May 9, 2013 | BY

You may recall a post I wrote back in April about fake Microsoft phone support calls. I had received a call from scammers whose job was to trick me into buying a bogus program for ‘only’ $299. When they saw I was not willing to pay, they got mad and deleted documents and pictures off my (virtual) machine before cutting me off in a very rude way. Well, this time we meet again, but on different terms: I am the one calling them and I make sure I’m collecting as much evidence as possible before waving good bye.


Update: GoDaddy has taken action to remove ownership of that domain name.

It all started with a pop up, warning me that my computer was infected. I decided to call to find out more about this scam. Unfortunately, I got a voice mail and was a little disappointed. I still left a few messages so perhaps they would call me back. Anyway, the next morning I tried again and got through that time. The man on the phone was quite nice (all things considered) and did not even bother with the sales pitch: just what I like, straight to the point. Our first step was to launch a legitimate program (TeamViewer) so that he could remotely take control of my PC and run a program to scan for viruses. I’m really excited to see what it’s going to find!


To say these are false positives is an understatement. These entries are made up since I am running a clean system (Virtual Machine). Also, this was the fastest scan(m) ever only taking 2 seconds: clearly not a good sign. The guy had me where he wanted as he’s about to get me to pay. I know this is a critical step and he’s probably going to destroy evidence of the bogus program he just installed and ran. Before he does that, I take control and terminate the TeamViewer session in a hard way:


Surprisingly, he’s not too upset but it is time for me to reveal what is really going on. He tries to claim his innocence (you called us) but was open to talking for a few minutes. After some words of advice we part ways. So, let’s take a deeper look at this scam. The original pop-up can be encountered simply while browsing a site. It is meant to be alarming and to trick the user into calling the 1-800 number for assistance. How do they get away with that? Well, for starters using the word ‘may’ shows that there is a possibility they could be wrong and thus limiting their liability:

Secondly, by having Terms and Conditions that basically say this is indeed not real. Mind you, they are quite hard to read (tiny black font on blue background):


So here they are in full:

“Terms and Conditions: We are not affiliated in any way with Microsoft, all registered trademarks of their respective owners. All trademarks on this web site whether registered or not, are the property of their respective owners. The authors of this web site are not sponsored by or affiliated with any of the third-party trade mark or third-party registered trade mark owners, and make no representations about them, their owners, their products or services. It is important to note that this site and the image depicted above are to be used as an illustrative example. This website and any page on the website, is based loosely off a true story, but has been modified in multiple ways. Thus, this page, and any page on this website, is not to be taken literally or as a non-fiction story. Allonlinemedia.com distributes advertisements from third party software, toolbars, browser add-ons, game applications, pop-up and other types of applications.”

What about the technician’s analysis? The program he was using to scan my computer is not terribly sophisticated to say the least:


The program was compiled from: c:\Users\Lior\Documents\Visual Studio 2010\Projects\odesk\RegistryScanner\source code\GuardScanner\obj\x86\Debug\Guard Scanner.pdb
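How a build path like this one is recovered from an executable, as an added example that is not code from the original post: Visual Studio builds embed a CodeView "RSDS" debug record containing the PDB path, and a signature scan is a quick triage step. The sample bytes are constructed for illustration (the GUID and age are made up; only the path is the one quoted above), and the function names are hypothetical.

```python
import struct
import uuid
from pathlib import PureWindowsPath

RSDS = b"RSDS"  # signature of a CodeView PDB 7.0 debug record
PAGE_PDB_PATH = (r"c:\Users\Lior\Documents\Visual Studio 2010\Projects\odesk"
                 r"\RegistryScanner\source code\GuardScanner\obj\x86\Debug"
                 r"\Guard Scanner.pdb")

# Constructed sample: stub header, a decoy "RSDS" string, then one well-formed record
# laid out as signature | 16-byte GUID | 4-byte age | NUL-terminated path.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"RSDSnot-a-record" + b"\x00" * 32
          + RSDS + bytes(range(16)) + struct.pack("<I", 1)
          + PAGE_PDB_PATH.encode("utf-8") + b"\x00" + b"\x00" * 16)


def find_pdb_records(data: bytes):
    """Return (guid, age, pdb_path) for every plausible RSDS record in data."""
    records = []
    pos = data.find(RSDS)
    while pos != -1:
        path_start = pos + 4 + 16 + 4            # skip signature, GUID, age
        nul = data.find(b"\x00", path_start)
        # Reject hits with an empty or over-long path (MAX_PATH is 260).
        if nul != -1 and path_start < nul <= path_start + 260:
            try:
                path = data[path_start:nul].decode("utf-8")
            except UnicodeDecodeError:
                path = ""
            if path.isprintable() and path.lower().endswith(".pdb"):
                guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
                (age,) = struct.unpack_from("<I", data, pos + 20)
                records.append((guid, age, path))
        pos = data.find(RSDS, pos + 4)
    return records


def build_hints(pdb_path: str):
    """Pull the attribution-relevant parts out of a PDB path."""
    parts = PureWindowsPath(pdb_path).parts
    lower = [p.lower() for p in parts]
    user = None
    if "users" in lower and lower.index("users") + 1 < len(parts):
        user = parts[lower.index("users") + 1]   # Windows profile name
    config = next((p for p in parts if p.lower() in ("debug", "release")), None)
    return {"user": user, "config": config, "pdb": parts[-1]}


if __name__ == "__main__":
    for guid, age, path in find_pdb_records(SAMPLE):
        print(guid, age, build_hints(path))
```

A `Debug` configuration and a path under a user profile, as here, indicate a binary shipped straight from a developer's workstation rather than from a release build.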

One thing is for sure, it is very lightweight and will not use much CPU. However, its database is stuffed with false positives which aren’t just accidents, but clearly used to add some drama. At the end of the road there goes the same PC support plan with a cost of $179.99 in this case:


All of their websites are using private registration to mask their identity and location:


This isn’t the only scam this company is pulling. One of their (poorly configured) websites shows multiple landing pages.


Besides the fake virus ones, you will find those “work from home” quick money schemes:


These guys know how to play the game just right so they don’t get into too much trouble. I really despise unethical and misleading marketing practices and it’s really too bad they are able to get away with it. I’ve been scammed once before, when I was much younger, so I know just how it feels and my wish is to spread the word so that innocent people don’t have to go through it.

 


  • hifonix

    I have enjoyed both your articles on these scams. I have noticed these people are using teamviewer to remote in to your pc. Can teamviewer not go after these people using their program for fraudulent activity?

  • Jerome Segura

    Thanks hifonix :)
    It would be nice indeed if we could see who’s behind those TeamViewer sessions (to identify them by IP address), but I guess it would also breach the privacy for regular users.
    Also, scammers might just use any other remote programs available on the market, even though TeamViewer does make their job a lot easier…
    It is similar how they use Voice over IP to call victim’s phones… makes it hard to trace back to the caller.
    I think awareness is key here… but I’d be happy to see some actions as well from law enforcement agencies worldwide.

  • Michael Walker

    Next time you do this you should have wireshark open and get their IP address and see where they're from/based and who the ISP is.

  • Bas Bieling

    I love how he keeps pretending he works for MS even though he has been busted.

  • Robin Craig

    These guys are something else! They called me this morning and I could tell right away that they weren’t from Microsoft, as they claimed to be. The first guy talked to me for a minute about how they had noticed malware on my computer, and that I needed to go to it right away and look at something. He had me open the event viewer and tell him if there were any errors. There were, which happens when there are minor infections, and he reacted like a true showman. “Oh God… oh my God!” He was more dramatic with everything I read, which was funny because I know that those errors are easily corrected with normal anti-virus scans. He then instructed me to type – http://www.ammyy.com into the run command. Instead, I typed it into google and went quiet as I read what this site was for. It was to give them access to my computer! I have been a Microsoft Certified Systems Engineer, and have spent HOURS on the phone with Microsoft. This is not their procedure; they use the messaging system embedded in the OS. They connect to your computer without the addition of a program. I told the guy that I knew what he was up to and hung up. I couldn’t believe it when, within 30 minutes, another guy called and started the same spiel as the first. I let him know right away that I had already been contacted and was on to their game. This guy feigned shock and tried to tell me that HE had never called me before, so I must have the wrong people.

    Problem with that is, I have studied world culture, dialects, and am very attuned to detail. I told him right away that I could tell he was in the same call center. I could also tell that they were using VIOP due to the drop-silence when they are not speaking. When they spoke, they had a very distinct accent – I detected hints of Russian and Near-Eastern, so they are from the area between Turkey and the Ukraine – the accents are distinctive.

    This second guy instructed me to look up the company that he was calling from (I thought he was from Microsoft a few minutes ago???) and had me look up – onlinepcsupport.com and tried to immediately have me click on their forums, but I wanted to know more. So, I looked at the links following theirs and was delighted to find this article! As I began reading the article to the guy on the phone, he started clearing his throat a lot and saying over and over, “What is this you are reading, I don’t know this…” He was so BUSTED! I guess the best defense against these jerks is the spread of helpful and truthful articles like this one. Thank you for writing it, and keep up the good fight!

  • Jerome Segura

    Thanks so much for sharing your experience Robin!

    Yes, those guys are relentless and shameless. It was also brought to my attention that some companies in the US are pulling the same scams.

    Spreading the word and exposing such fraud is the best way to make their business more difficult and slow them down.

    Thanks again.

  • Robin Craig

    *sigh* I should really learn how to proofread before I post. In the second paragraph, I transposed the “O” and the “I” in VOIP – referring to Voice Over IP telephony services.

  • Andrew Bassett

    Hi Jerome,

    Good article, thank you. I believe my in-laws have just got scammed by a company called PC Mask (www.pcmask.com), have you heard of them?

    They prey on people who don’t know what they are doing and take their money, very sad. Who can I report them to?

    Thanks,

    Andy

  • Jerome Segura

    Hi Andrew,

    Thanks for reporting them. If you are in the US, you can file a complaint with the FTC.
    Here’s more information: http://blog.malwarebytes.org/tech-support-scams/#fight

    I will follow up and investigate them as well to garner more information.

    Jerome

  • Jerome Segura

    Hi Andrew,

    PC Mask is definitely a scam: see them use the EventViewer on a clean computer and say my PC has worms: http://blog.malwarebytes.org/wp-content/uploads/2013/10/pcmask.png

  • Peter Forest

    Thanks for the information share with us. And I think people will more cautious reading your blog. For protection visit http://www.REMOVED!!!! << trying to spread tech support scams right here!!!

  • exitdude

    Very easy way to prevent this.

    Microsoft will never call you personally for a PC problem.
    If someone calls you telling you have a virus, hang up (or play with them a bit.)

    Funnier when the “technician” has no idea what they’re doing. They usually all just learn the same simple “tricks.” Most common ones are the event viewer, the really fast “scan,” and typing random things into command prompt.

  • alizacarvor

    Whenever you pick up the phone please listen carefully, because I had a call from some remote company and they told me that they are Microsoft certified and partnership like.

    Please maintain your computer 6 or 12 months later.
    Thank You

  • ericakundu22

    Hi Jerome, Can you Please look into this software http://pctoolkitpro.com Please..

    It's some kind of Cleaner my aunt Purchased from somewhere..

    Thanks
    Erica

  • Jerome Segura

    Hi ericakundu22,

    The software is blatantly deceptive and poorly written. The technician calls everything he sees “infections”: http://www.youtube.com/watch?v=NCx-SvO5q6U

    Thanks for sharing.

  • ericakundu22

    Hi Jerome Segura,

    Thanks for your help.

    Regards,
    Erica

  • carol Jones

    how can I get the money back?