Online PC Support Scams: Turning the Tables

You may recall a post I wrote back in April about fake Microsoft phone support calls. I had received a call from scammers whose job was to trick me into buying a bogus program for ‘only’ $299. When they saw I was not willing to pay, they got mad and deleted documents and pictures off my (virtual) machine before cutting me off in a very rude way. Well, this time we meet again, but on different terms: I am the one calling them and I make sure I’m collecting as much evidence as possible before waving good bye.

Update: GoDaddy has taken action to remove ownership of that domain name.

It all started with a pop up, warning me that my computer was infected. I decided to call to find out more about this scam. Unfortunately, I got a voice mail and was a little disappointed. I still left a few messages so perhaps they would call me back. Anyway, the next morning I tried again and got through that time. The man on the phone was quite nice (all things considered) and did not even bother with the sales pitch: just what I like, straight to the point. Our first step was to launch a legitimate program (TeamViewer) so that he could remotely take control of my PC and run a program to scan for viruses. I’m really excited to see what it’s going to find!

fp

To say these are false positives is an understatement. These entries are made up since I am running a clean system (Virtual Machine). Also, this was the fastest scan(m) ever only taking 2 seconds: clearly not a good sign. The guy had me where he wanted as he’s about to get me to pay. I know this is a critical step and he’s probably going to destroy evidence of the bogus program he just installed and ran. Before he does that, I take control and terminate the TeamViewer session in a hard way:

killtv

Surprisingly, he’s not too upset but it is time for me to reveal what is really going on. He tries to claim his innocence (you called us) but was open to talking for a few minutes. After some words of advice we part ways. So, let’s take a deeper look at this scam. the original pop up can be encountered simply while browsing a site. It is meant to be alarming and to trick the user to call the 1-800 number for assistance. How do they get away with that? Well, for starters using the word ‘may’ shows that there is a possibly they could be wrong and thus limiting their liability:

may

Secondly, by having Terms and Conditions that basically say this is indeed not real. Mind you, they are quite hard to read (tiny black font on blue background):

tos

So here they are in full:

“Terms and Conditions: We are not affiliated in any way with Microsoft, all registered trademarks of their respective owners. All trademarks on this web site whether registered or not, are the property of their respective owners. The authors of this web site are not sponsored by or affiliated with any of the third-party trade mark or third-party registered trade mark owners, and make no representations about them, their owners, their products or services. It is important to note that this site and the image depicted above are to be used as an illustrative example. This website and any page on the website, is based loosely off a true story, but has been modified in multiple ways. Thus, this page, and any page on this website, is not to be taken literally or as a non-fiction story.Allonlinemedia.com distributes advertisements from third party software, toolbars, browser add-ons, game applications, pop-up and other types of applications.”

What about the technician’s analysis? The program he was using to scan my computer is not terribly sophisticated to say the least:

program

The program was compiled from: c:UsersLiorDocumentsVisual Studio 2010ProjectsodeskRegistryScannersource codeGuardScannerobjx86DebugGuard Scanner.pdb

One thing is for sure, it is very lightweight and will not use much CPU. However, its database is stuffed with false positives which aren’t just accidents, but clearly used to add some drama. At the end of the road there goes the same PC support plan with a cost of $179.99 in this case:

pcguard

All of their websites are using private registration to mask their identify and location:

proxy

This isn’t the only scam this company is pulling. One of their (poorly configured) website shows multiple landing pages.

root

Besides the fake virus ones, you will find those “work from home” quick money schemes:

mom

These guys know how to play the game just right so they don’t get into too much trouble. I really despise unethical and misleading marketing practices and it’s really too bad they are able to get away with it. I’ve been scammed once before, when I was much younger, so I know just how it feels and my wish is to spread the word so that innocent people don’t have to go through it.

 

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher