
Netflix Phishing Scam leads to Fake Microsoft Tech Support

Tech support scammers are really creative these days. As if the Microsoft ruse were no longer in fashion, they are now impersonating other popular companies, such as Netflix.

I came across what I first thought was a typical phishing scam targeting Netflix: [Edit] Many people have asked how I got to this. I’ve been tracking tech support scams for about a year, documenting company names, websites and phone numbers. It happens that the number used in this scam was the same as one I had spotted just a few days prior. Typically, though, people would receive this phishing scam through an email or a pop-up. [/Edit]

[Screenshot: signin]

Until I realized it wasn’t, or at least that there was something more to it. Of course it stole my credentials:

[Screenshot: phish]

But it also displayed a message saying my account had been suspended:

[Screenshot: suspended]

In order to fix this issue, you are urged to call “Netflix” at a 1-800 number. A quick search shows that this is not the official Netflix hotline, which warranted a deeper investigation.

Once I called the number, the rogue support representative had me download a “NetFlix Support Software”:

[Screenshot: software]

This is nothing but the popular remote access program TeamViewer:

[Screenshot: downloads]

After remotely connecting to my PC, the scammer told me that my Netflix account had been suspended because of illegal activity.

This was supposedly due to hackers who had infiltrated my computer, as he went on to show me the scan results from their own ‘Foreign IP Tracer’, a fraudulent custom-made Windows batch script:

[Screenshot: IPtracer]

According to him, there was only one thing to do: let a Microsoft Certified Technician fix my computer.

He drafted a quick invoice and was kind enough to give me a $50 Netflix coupon (fake of course) before transferring me to another technician:

[Screenshot: invoice]

During our conversation, the scammers were not idle. They were going through my personal files and uploading those that looked interesting to them, such as ‘banking 2013.doc’:

[Screenshot: filetransfers]

Not quite your Netflix support is it? Not at all.

Another peculiar thing is that they asked me for a picture ID and a photo of my credit card because, they claimed, the Internet is not secure and they needed proof of my identity. I could not produce one, so they activated my webcam so that I could show the cards to them on their screen.

[Screenshot: camera]

This is where it ended, as my camera was disabled by default. The scammers were located in India, according to information gathered from the TeamViewer log file:

[Screenshot: logfile]

[Screenshot: geo]

IP geolocation courtesy of IPligence.

This scam seems relatively fresh; at least, the domain they used was registered and updated recently:

[Screenshot: server]

This was a clever plan, which is not only about stealing money for bogus services but also about identity theft, by gathering personal details from the victim (photo, name, email, address, password, etc.).

For more information on Tech Support Scams and how to protect yourself, please check out this resource page.

Disclaimer: You should never let anyone take remote control of your computer unless you absolutely trust them. This scam took place in a controlled environment that had been set up specifically for that purpose.

@jeromesegura


44 thoughts on “Netflix Phishing Scam leads to Fake Microsoft Tech Support”

  1. Richard Peat-Hanna says on March 1, 2014 at 9:49 am :

    This is an innovative honeypot trap for the bad guys. You produced a lot of relevant information from this encounter and documented it well. I will use this information to warn my small business customers. Thanks

  2. Jerome Segura says on March 1, 2014 at 10:23 pm :

    Thanks Richard Peat-Hanna, I’m glad you found it informative.

  3. victorh2007 says on March 2, 2014 at 5:35 am :

    Jereme,
    Scammers are becoming increasingly daring on drafting meticulous plans to steal both money and identity credentials from ordinary people.
    Your article is an important warning to all of us!
    Congratulations and thank you so much!

  4. victorh2007 says on March 2, 2014 at 5:39 am :

    Jerome,
    Just to correct the spelling of your name Jerome and not “Jereme” on my previous comment.
    Sorry for my lack of attention!
    Best regards!

  5. Jerome Segura says on March 2, 2014 at 2:23 pm :

    No problem victorh2007, I’m used to it. In fact, it should be spelled Jérôme as I’m French ;-)

  6. Stephen Huxtable says on March 2, 2014 at 4:21 pm :

    Ok, but what link did you click on to get to that initial fake Netflix login page? Was it an email link or what? Most people have a Netflix page bookmark or link on the desktop.

  7. Stephen Huxtable says on March 2, 2014 at 4:25 pm :

    These people have a special place in **** waiting for them. I have only had one “Microsoft Support” call so far but it was fun leading them on a merry dance.

  8. Stephen Huxtable says on March 2, 2014 at 4:26 pm :

    H.E.L.L. was the word bleeped out.

  9. Jérôme Segura says on March 2, 2014 at 8:36 pm :

    Hi Stephen Huxtable,

    This link could very well have been sent as spam or through a rogue ad. That’s not how I discovered it though. The phone number used in this scam matched one that I had tracked previously. It’s only after (by going to the root of that domain which was not protected) that I discovered that there was also a phishing scam in there.

  10. rishu says on March 3, 2014 at 2:16 am :

    Hi, I am an Indian physician and a reader of Ars Technica. I read your article today. Very interesting.

    Just yesterday my 58 year old dad became the victim of a telephone debit card fraud. Dad revealed his debit card number and PIN and got ripped off for over $800 of hard earned money.

    From your videos, even without the IP help, I can easily recognize the scammers as Indians, specifically from NorthWest India (the region I live in). Their English accent, which is so typical of north Indians, stands out.

    I wonder if the US Fed authorities have reported it to Indian cyber crime cell and whether any arrests have been made

    You are doing a wonderful job by enlightening others. May your tribe increase. Keep it up.

  11. Carrie Courter says on March 3, 2014 at 10:14 am :

    This isn’t all that new actually. I had something similar happen with an HP Laptop a few years ago. Once I realized what was happening, I shut it down, and called HP headquarters, and got transferred that way, and they fixed it for me… but I had something similar happen back in 2009, 2010, though not quite on this level….think they were just, at that point, refining it perhaps?

  12. Jérôme Segura says on March 3, 2014 at 10:22 am :

    Hi Carrie Courter,

    Tech support scams aren’t new at all. Early documented instances date back from 2008.
    This is a “new twist” because it uses a real phishing scam with a ploy to call a support number.
    I’ve kept a tab on all tricks used and various companies involved which you can check here: http://blog.malwarebytes.org/tech-support-scams/

  13. Taylor Casti says on March 3, 2014 at 1:38 pm :

    So this is a popup site, not on Netflix.com, correct?

  14. Jérôme Segura says on March 3, 2014 at 1:41 pm :

    Hi Taylor Casti,

    This is not on netflix.com correct. It can be sent as a phishing email, through a pop up, advert, etc… hence the importance of checking the URL in the address bar before typing any credentials.

  15. busyba says on March 3, 2014 at 1:43 pm :

    I hope that the files that the scammers downloaded from your honeypot had more viruses than a {censored}. :)

  16. Donna Raagas says on March 3, 2014 at 4:37 pm :

    I’m pretty sure I was conned by this kind of scammer when I tried to get Support from YouTube. I like to think I’m pretty sophisticated when it comes to security scams such as the popups that come on and warn that you have 126 threats to your computer, etc. Because I went to the link for YouTube Support–because I initiated the contact–I didn’t think twice about whether the phone number I called was legitimate or not. Here’s how dumb I was–I was so impressed by the speed at which I was seeing data fly across my laptop’s screen that I mentioned I was frustrated with the performance of my desktop, and of course I was given a special 2-for rate if I “cleaned” that one up at the same time. So I did! When did I realize I was scammed? When my desktop’s performance wasn’t improved. They put icons on my screens and told me to run the scan once a month, but when my desktop still ran slowly, with continued problems in Windows, I ran “the scan” almost every day. The number of ”threats” changed each time, and were always “fixed” in record time, and that speed is really what made me suspicious–I’m sure it’s a fake scan screen with Scan, Fix, and Close buttons, that just runs some random numbers every time it’s activated. It was an expensive lesson to learn.

  17. Cammy Harbison says on March 3, 2014 at 5:32 pm :

    Hi Jerome,

    First I’d like to say fascinating research details there, and I agree, there are many users who would unknowingly follow all the directions given during the interaction just as you did. My question however is, how did you manage to end up on the webpage for this scam? Was it something that came up in Google search results, through an email or some other method? I guess that question precedes this one: do you have any data or information on how many people have been affected by this scam? I’m just curious as to the magnanimity of the issue — if notable at all. Is it a real and pervasive threat for most users on the internet or did you have to dig a bit to even run across this scam? Thanks for your time and answers. ~ @cammywrites

  18. Jérôme Segura says on March 3, 2014 at 8:12 pm :

    Hi Donna Raagas,

    Thanks for sharing your experience. You make an excellent point “because I initiated the contact”, this is so true and in my mind much more sneaky.
    Most people are aware of cold calls, but when you are looking for assistance, you bring down your guard a little bit, something the scammers are exploiting.
    I could very well see the classic Microsoft cold scam being replaced by user initiated calls (which may come because of a deceptive ad, malware infection etc).
    Thanks again for your comment.

  19. Jérôme Segura says on March 3, 2014 at 8:23 pm :

    Hi Cammy Harbison,

    That’s a great question and that I’ve been asked a lot since I did not clearly provide the information in the first place!
    The phone number used in this scam was the same as another one I had spotted a few days prior on a fake pop up warning (“your computer is infected, call now!”). I can’t tell for sure if the two companies are related although it certainly looks that way.

    As for how many people have been affected by this scam, I can say that in general there are more victims than you’d think. When I was on the phone with them, I could hear another technician (very noisy call centre by the way) doing the same spiel with another victim. Needless to say, the place sounded very busy.

    This Netflix scam is just a variation, or perhaps a “themed” scam, and there are countless others yet to be discovered. In fact a day after I had posted this article I noticed the server hosting the files had been updated with a Gmail phish (with exactly the same tactics). You can see a screenshot here: http://www.dailymail.co.uk/sciencetech/article-2572574/Major-online-security-warning-fake-tech-support-scam-Netflix-Gmail.html

    The server got shutdown a few hours later but I do believe someone was busy creating a bunch of templates for various online services.

    You really don’t have to search very far to find these scams. Many ads on search engines for computer support lead to them. I receive a lot of emails from people that have been conned and ask me to investigate. So much information and yet so little time!

  20. SAMUEL GERHARD says on March 4, 2014 at 7:52 am :

    Thanks for the tech support scam article. Visited your other scam page thru your link also and emailed it to friends to alert them. If they’re interested. Saved the webpage onto my computer for future reference. Had phone call more than a year ago from one of these scammers. And one time requested tech help from Verizon ISP and they connected (foreign support) using a remote program. At the time I was using my 32″ tv for a monitor and with my custom desktop and the monitor they were rather confused. ;>)

  21. Jérôme Segura says on March 4, 2014 at 8:02 am :

    Hi SAMUEL GERHARD,

    I’m very glad that this has helped you out. This is exactly why I keep doing these recordings because awareness can go a long way in recognizing a scam when it’s happening.
    And actually every time I write about it, people come forward with more details on scammers which in turn helps me out. :)

  22. SAMUEL GERHARD says on March 4, 2014 at 8:10 am :

    @ donna raagas; Do you run the programs Ccleaner (crap cleaner) or PrivaZer? Ccleaner is rather safe to run but PrivaZer is rather aggressive and it may remove too much if used improperly. So backup your OS first for safety. PrivaZer will remove lots of crap. Clean temp files. Etc. Read its online reviews if wary of using it. Also if having trouble navigating in Windows? Explorer or your browsers run Adwcleaner. It’s from a French website but look for its tutorial to find the download link. Your computer will need to restart after using it. These 3 programs have helped me tremendously on my 2 Windows computers. Just a helpful suggestion. No offense intended. No compensation received by any parties.

  23. Emily Schneider says on March 4, 2014 at 9:21 am :

    Hi Jérôme,

    Thank you so much for posting this. I think it is so great that someone is raising awareness on such a problematic issue. I must say I work in tech support (real tech support not a scam =P ) and everything they did with you on the call is against what we do. We never take control of other peoples computers. That is not allowed at all. Not to mention all my clients are technical people, so they would be weary. Also, everything they said made zero sense. It just shocks me how so many people fall for this kind of a scam. I just had to say thanks and I will continue following your posts/sharing them with friends and family!

  24. Jérôme Segura says on March 4, 2014 at 10:13 am :

    Hi Emily Schneider,

    Thanks for your comment and reminding me that not all tech support is bad ;-)

  25. Khang Nguyen says on March 4, 2014 at 2:07 pm :

    What is this? A 12 year old could’ve thought up this method. LOL

  26. Kymberleigh Richards says on March 4, 2014 at 7:37 pm :

    Jérôme,

    This was a fantastic piece of detective work on your part. While I’ve so far never gotten caught up in a scam, and — knock wood — never will, it’s good to know that there are people like you who protect the many, many people who will fall for these.

    I often wonder what marvelous accomplishments could be made by the minds behind these scams if they channeled their energies toward more honest pursuits.

    (And yes, I cut-and-pasted your name above, to be sure I spelled it right with all the diacritic marks)

  27. pkmilly says on March 4, 2014 at 8:20 pm :

    I ran across something similar a week or so after I first got internet service (I was a newbie at age 50) just a couple months ago. I clicked a link saying my computer needed speeding up and cleaned up. Bought $20 software download and when tried to use told me to call 800 number to activate it. When I did I was naive enough then to let the guy run my computer and didn’t realize til later he showed me my event viewer to tell me all the stuff that was wrong with my computer. Tried to sell me an expensive fix-up and kept cutting price when I said didn’t have money to fix. Never went lower than $150 (started at nearly $600!). At the time thought it was just a very hard sell and he was very rude when I continued to say “no”. Needless to say after that I requested refund of my $20 and didn’t want anymore to do with clicking ad links! Did get my $20 back but now I wonder what info he got off my computer and how long before I get hammered by something I didn’t do or authorize! Thanks for the Netflix article as I am customer there too and now know to be alert when I go to that site. You did wonderful job of research / proof of all you are warning people about. I appreciate those warnings, now more than ever!

  28. Jérôme Segura says on March 4, 2014 at 8:23 pm :

    Ahah, thanks very much Kymberleigh Richards. For many years I did not put the accents on my name because I was living in an English-speaking world where keyboards are not really friendly for that and most people wouldn’t know what it means. But recently I realized this wasn’t right, and they were part of me ;-)

  29. Jérôme Segura says on March 4, 2014 at 8:31 pm :

    Hi pkmilly,

    I know exactly what you are talking about, and it is called “up-selling”. There are many dubious companies out there selling out registry cleaners or PC optimizers who use extremely deceptive methods to up-sell other products and services. As you mentioned, forcing users (or urging users) to call a 1-800 in order to register (get a license key) for the product is one such technique.
    Highly trained sales professionals will do their best to convert as many users as they can. You came for a $20 piece of software and leave with $400, $500 worth of computer stuff you’re not even sure what it was for.
    Sadly, many companies will use dirty tricks such as the event viewer, etc… to convince people there’s something wrong with their computer.
    Unlike the typical tech support scams, these companies are usually located in North America. It’s definitely a worrisome trend…

  30. Erik Contzius says on March 5, 2014 at 6:01 am :

    Brilliant reporting! I reported a similar kind of scam where I got cold called several times by a “security firm” claiming that my computer was hacked and they could solve the problem. I asked what kind of computer I had, to which they replied “windows.” (I’m a mac user) When I called their bluff, they called me a liar!

    Thanks for spreading the word. People need to be vigilant!

  31. Jérôme Segura says on March 5, 2014 at 7:27 am :

    Thanks for sharing that link Erik Contzius :)

  32. Brian Mahoney says on March 5, 2014 at 8:41 am :

    Maybe I’m thick but I don’t get this at all. You don’t explain how this started. Was it an email? A pop-up? Basic safe computing techniques would stop this in its tracks. Did you check the URL before you initiated anything? If I go to Netflix I see netflix.com, not afta3.com, don’t you? I must admit you got a lot of press out of this post but that pretty much shows that news types don’t know too much about phishing scams. Good on you for making everyone run around yelling, “the sky is falling, the sky is falling.” I really hope that my readers are a bit quicker and don’t fall for a simple URL switch.

  33. Jérôme Segura says on March 5, 2014 at 9:00 am :

    Hi Brian Mahoney,

    Thanks for your comment.

    Regarding how this started: I’ve been documenting tech support scams for about a year now, cataloging company names, phone numbers, websites, etc.. One phone number I had just found a few days ago turned up again, except this time it was on a site that looked slightly different. Upon going back to the root of the server, I found that there was more to it and came across that Netflix phish.
    Typically users would receive an email or a popup leading them to that phish.
    (Since this question has been asked many times, I am going to make an edit to the post to explain this part).

    “Basic safe computing techniques would stop this in its tracks”
    Absolutely. This URL is sneaky because it has the word netflix, but that is not the root domain; rather, it is a subdomain. Maybe this is obvious to you and me, but I bet many people wouldn’t know the difference.

    “Good on you for making everyone run around yelling, ‘the sky is falling, the sky is falling.’”
    It’s unfortunate you see it that way. Obviously I can’t control how other media are going to interpret the story but I thought my post stuck to the facts and exposed a current ongoing scam that people should be aware of.
    It’s tough as a security researcher to try and pass on a message without being accused of many things. I received tons of comments on this story (many positive but, also some negative). There were some people calling me stupid for letting scammers into my computer, others saying I should have yelled at the scammers instead, etc…
    I’ve learned from doing many such calls that it is pointless to swear or confront the scammers. It’s just a waste of time and energy. My goal is to document everything and then report on it. The domains involved in this scam were obliterated shortly after the story came out. To me that is greater satisfaction than saying F* you to some stranger on the phone.

    You can read more about what I’ve done so far in a guide that I’ve kept up to date here: http://blog.malwarebytes.org/tech-support-scams/

    I’m not doing this for the fame. I receive a lot of emails from people that have been scammed and were already financially struggling or in difficult situations. It makes me angry that innocent people are being conned and I’m doing everything I can to bring awareness and hopefully spare a few victims.
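The subdomain trick raised in the exchange above (the brand name “netflix” appears in the host, but the domain actually registered belongs to someone else; comment 32 names afta3.com as the real owner in this case) is something a mail gateway, browser extension or awareness-training tool can check mechanically. The following Python is an added example written for this article, not code from the post, from Malwarebytes, or from any commenter: it extracts the registrable domain from a URL and flags URLs that carry the brand name without belonging to the brand. The brand table, the small suffix set standing in for the Public Suffix List, and all sample URLs (reserved `.example` hosts) are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Registrable domains that really belong to each brand. This table is a
# constructed example, not a list from the original post; a real checker
# would keep one entry per brand it protects.
LEGIT_DOMAINS = {
    "netflix": {"netflix.com"},
}

# Tiny stand-in for the Public Suffix List, so that a host under "co.uk" is
# reduced to "brand.co.uk" rather than "co.uk". Assumption: a production tool
# would load the full list instead of this hand-picked subset.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that its owner actually registered.

    'netflix.com.secure-login.example' -> 'secure-login.example'
    'www.netflix.co.uk'                -> 'netflix.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str, brand: str) -> str:
    """Classify a URL as 'legitimate', 'lookalike' or 'unrelated' for a brand.

    'lookalike' means the brand name appears somewhere in the URL (subdomain,
    path, or the userinfo before an '@') while the registrable domain belongs
    to someone else: the subdomain trick discussed in the comments.
    """
    # urlsplit() only recognises the host part when a scheme is present.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""  # lowercased; port and userinfo stripped
    if registrable_domain(host) in LEGIT_DOMAINS[brand]:
        return "legitimate"
    if brand in url.lower():
        return "lookalike"
    return "unrelated"


def triage(urls, brand="netflix"):
    """Group a batch of URLs by classification; returns {class: [urls]}."""
    buckets = {"legitimate": [], "lookalike": [], "unrelated": []}
    for url in urls:
        buckets[classify_url(url, brand)].append(url)
    return buckets


# Constructed sample URLs (none are from the original post; .example is a
# reserved TLD). The third one mimics the page's case: the brand name is only
# a subdomain of a domain registered by someone else.
SAMPLE_URLS = [
    "https://www.netflix.com/login",
    "HTTPS://NETFLIX.COM:443/YourAccount",
    "http://netflix.com.secure-login.example/signin",
    "http://www.netflix.co.uk/",
    "http://netflix.com@evil.example/",
    "http://support-portal.example/help",
]

if __name__ == "__main__":
    for kind, urls in triage(SAMPLE_URLS).items():
        for url in urls:
            print(f"{kind:10s} {url}")
```

The check deliberately ignores everything left of the registrable domain, which is the part an attacker controls for free once they own any domain; the `userinfo@host` sample shows why the hostname must be taken from a real URL parser rather than from a substring search. Because the brand table above only lists `netflix.com`, the `netflix.co.uk` sample is reported as a lookalike; a deployment would add whatever domains the brand actually operates.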

  34. Stephanie Markowitz says on March 5, 2014 at 1:56 pm :

    I remember when “Microsoft” would call me to inform me that my computers’ security was out of date and they were calling to fix it. How nice of them! They logged in, and what did you know? They found some infections and some other hacker in my system! This didn’t fall within the normal tech service so it only cost $250 to have them “fix it”.
    Now I’m MUCH MORE computer literate and have been recommending to everyone to keep the security on their computer updated. This includes antivirus (download it for free at avast.com) and two browser plugins that I love, Safety Redirector & Ads Block Plus. Safety Redirector is awesome. As soon as they learn of a new malicious URL (in this case, the fake Netflix url) they immediately block it. Anyone running this plugin WOULD NOT be affected!

    The price? How’s FREEEEEEEEEEEEEEEEEEEEEEEEEEEE. Can’t be beat.

  35. Ryan Smith says on March 7, 2014 at 11:42 am :

    Why was this video pulled from YouTube?

  36. Jérôme Segura says on March 7, 2014 at 11:54 am :

    Hi Ryan Smith,

    All we know is: “This video has been removed because its content violated YouTube’s Terms of Service.”

    There was no further information provided by YouTube about what exactly in the video violated the ToS.

  37. Donna Raagas says on March 9, 2014 at 4:32 am :

    Hi Jérôme Segura,

    Three things:

    1. Thank you for your respectful comment about my post. It took a lot, well, no…, a little courage to expose just how gullible I was. I was so grateful to see your YouTube video, and then to be able to read your comprehensive blog post about the variety of “support-service” scams when I followed your link. I’ve shared the blog post on Facebook; I think everybody needs to see it.

    2. Brian Mahoney: “Good on you for making everyone run around yelling, ‘the sky is falling, the sky is falling.’”
    Jérôme Segura: “It’s unfortunate you see it that way. Obviously I can’t control how other media are going to interpret the story but I thought my post stuck to the facts and exposed a current ongoing scam that people should be aware of.”

    Jérôme, I literally stumbled upon your YouTube video–what a blessing! As I said over in your blog, the man that I spoke with sounded just like the man on your video. On this page, I said I finally became suspicious of the tech “fix” when my desktop performance wasn’t better, but I had no idea where I could report the possible fraud. So, Brian Mahoney and Khang Nguyen, you two may have no need to read or watch how these scams are perpetrated, but people like me need people like Jérôme to explain the processes that scammers use, so that we (well,I) can be enlightened. I immediately recognized my experience when I watched Jérôme’s video. These crooks are so prevalent because there are lots of people who solicit tech support, and haven’t yet replaced their “trusting hearts” with “scam-radar”. But now, Brian and Khang, thanks to Jérôme sharing his research, and God for leading me to it, I feel as smart as you two, and maybe I can put up a comment that will make some other “scam-virgin” feel stupid. Except, I would never do that, and I realize I’m only as smart as my own growing-but-still-limited vigilance allows me to be. I am GRATEFUL for Jérôme’s extended blog article, (which you two probably don’t need to read).

    3. Ryan Smith, I hope my post about reaching the scam through “YouTube Support” isn’t the reason the video was pulled from there. Thank God for alternate video sites. Personally, I get a little freaked out when any one company seems to dominate my access to media and technology.

  38. Donna Raagas says on March 9, 2014 at 4:43 am :

    Oh–one more thank you–to Samuel Gerhard. I appreciate all your suggestions and will look into them, as well as downloading Malwarebytes free cleanup software.

  39. Jérôme Segura says on March 10, 2014 at 2:17 pm :

    Hi Donna Raagas,

    Thanks for the comment and kind words. Much appreciated. :)

  40. corona says on March 11, 2014 at 8:19 pm :

    Hello,

    If possible (or if you still know it) could you email the Indian IP address to filter@derp.net78.net (temporary email) so I could block the subnet/IP block from my router/do more investigation on it?

    Thank you,

    - Corona

  41. Jérôme Segura says on March 14, 2014 at 1:54 pm :

    Hi corona,

    This is one of the many IP addresses/blocks scammers use. While you could block it, in many cases they are using proxies to do the remote connection, so there is little value in blacklisting their actual IP.

  42. Subhash Chandra says on March 18, 2014 at 11:08 am :

    I run a Digital Marketing Agency here in India (in basic terms, the ads you see on Google.com for the various stuff you search for) and have been contacted so many times by these so called tech support companies. Being an official Google Partner, they often want me to run their ads to avoid banning by Google. Being aware of such scams for a long time I refused to offer services but did collect some information that might surprise you.

    1. The scam industry is very big, way more than what most of you might have assumed. I am sharing some data insights (from Google Search) so you can see how many people get scammed EVERYDAY. First check this picture to see how the victims initiate the first contact, just as a few people have stated above.
    http://i.imgur.com/WEVe0Hx.png

    When you are the communication initiator, mostly you don’t suspect and believe the guy on the line is legit. This example is of “AOL Support”. I am sharing the words they use for just AOL support and that goes for almost every tech company you can think of and the words around them. Say Dell support, Antivirus support, hotmail support and what not. Here is the number of searches for stuff around AOL monthly.

    http://i.imgur.com/3cJK4GX.png

    2. Each click on these ads costs a little more than 2 USD and a prospect I got was spending 3 USD per day on avg on clicks. That’s around 1500 clicks to their website per day and the conversion rate for inbound calls is 8-10% (that 8-10% is the number we usually get for inbound lead gen small biz promotions), which means 180 calls to their support number per day. If even 1 out of 10 is sold on their pitch, 18-20 people are getting scammed (for $300 at least) per day by just one such support center. And there are tons of them. Check bing.com and search for something like that to see the good numbers.

    3. Typically the support guys are paid 30-35K INR a month plus the incentives for the sales they generate. That’s 500 USD a month, way more than what a qualified IT Engineer gets in his first 2 years. See the job description I pulled from one of the Facebook profiles.

    http://imgur.com/IJ48EaR

    4. Google recently started to crack down on these support centers and has been banning their accounts en masse. See this link to see how many of them are affected.
    http://goo.gl/PL3Bxa

    Just my 2 cents.

  43. Jérôme Segura says on March 18, 2014 at 5:26 pm :

    Hi Subhash Chandra,

    Thanks for your comment and providing additional details from your own experience.
    I think I realized recently how big of a problem this is when I was on a call and could hear so many other conversations going on in the background, or again another time when I was told to call at a precise time (down to the second) to be right on cue with a specific technician.
    And you are right about ads, they are everywhere…

    Interesting to know more about the numbers and costs associated… Are you saying that support guys are making more than IT engineers in India? I would not have expected that!!

    I can only hope Google and Bing crack down on these because it will definitely affect how much traffic they get to their site. Not that they wouldn’t resort to other means (phishing, pop ups come to mind) but at least it’s a start.

  44. seston pit says on May 21, 2014 at 6:36 am :

    Yahoo support @ 18009350357
