
Tech Support Scams – Help & Resource Page

“Hello, we are calling from Windows and your computer looks like it is infected. Our Microsoft Certified Technician can fix it for you.”

Sound familiar? Whether you have just been scammed or simply want to find out more on the topic, you have come to the right place.

Tech support scams are a million-dollar industry and have been around since 2008. Every single day, innocent people are tricked into spending hundreds of dollars on non-existent computer problems.

There is no sign of these scams slowing down despite several actions taken by the Federal Trade Commission.

Perhaps even worse, companies right here in North America are now pulling the same tricks and taking advantage of existing and prospective customers replying to online ads.

Since we wrote our very first blog post on the subject and subsequent articles (A look behind the curtain, Turning the tables), we’ve received much feedback and many people have shared their own experiences. We believe tech support scams are despicable and need to be exposed for the greater good.

The purpose of this page is to gather all the information we have collected over time into one place which you can use as a go-to resource when you need it.

  • How it all begins

    • Unsolicited calls (cold calls)
    • Rogue/deceptive premium tech support companies
  • Remote access

  • Tricks of the trade

    • The Event Viewer (eventvwr)
    • The System Configuration Utility (msconfig)
    • The Task Manager (CPU ‘spikes’)
    • The erratic CPU
    • The System Information (msinfo32)
    • The Prefetch files
    • The Temporary files (%temp%)
    • The restore from trash trick
    • The fake scanners
    • The dir and tree commands
    • The custom Virus message
    • The red Command-Line Terminal
    • The ‘ping’ (on Mac OS X)
    • The netstat command
    • The online glossary or wikipedia trick
    • The Network Access Protection (NAP)
    • The notepad trick
    • The Power Efficiency report (powercfg energy)
    • The (value not set) registry trick
    • The Process Explorer error
    • The digital certificates
  • Getting help (damage control)

    • If you already let them in
    • If you already paid
  • Fighting back

    • Report the scam
    • Report misleading ads
    • Shut down their remote software account
    • Spread the word
    • Investigate
  • Tech Support Blacklist

    • Criteria
    • List
  • Related articles

How it all begins

Unsolicited calls (cold calls)

Usually from India and operating out of boiler rooms, these scammers call people in the U.S., Canada, the UK, and Australia whom they find in the phone directory.

The scam is straightforward: pretend to be calling from Microsoft, gain remote control of the machine, trick the victim with fake error reports and collect the money.

If you ever get a call from a Microsoft or Windows tech support agent out of the blue, the best thing to do is simply hang up. Scammers like to use VoIP technology so their actual number and location are hidden. Their calls are almost free which is why they can do this 24/7.

As per Microsoft: “There are some cases where Microsoft will work with your Internet service provider and call you to fix a malware-infected computer—such as during the recent cleanup effort begun in our botnet takedown actions. These calls will be made by someone with whom you can verify you already are a customer. You will never receive a legitimate call from Microsoft or our partners to charge you for computer fixes.”

Rogue/deceptive premium tech support companies

Located in India but also in the US, these companies heavily advertise on popular search engines as well as websites with high traffic. People call them for assistance and get fooled with similar techniques employed by Indian cold callers.

Another source for these companies comes from some of their existing customers or customers of parent companies sent to them. The remote technician upsells the customer who only came to activate their software but ends up forking out hundreds of dollars on “Windows support”.

If you decide to call in for remote computer assistance, you need to be very careful about which company you are going to deal with. Simply picking the top ad on a search results page could end very badly.

Unfortunately, the company or technician being from the US is not a guarantee for honest service. Many businesses in the US are using dirty tricks to take advantage of people, with the unsavvy and elderly as their prime targets.

If you don’t feel comfortable doing this online, brick and mortar computer repair shops are a good alternative.


Fake pop-ups claiming your computer is infected (reminiscent of FakeAV) are a good way for scammers to reel in innocent victims.

A new trend shows that crooks are using phishing scams as a ruse to get people to phone in, not only stealing their credentials but also claiming their account was suspended.


Remote access

The ‘technician’ requests to have remote access to your computer (taking control of it) and may use one of the following programs. Note that these applications are perfectly legitimate and used daily for good reasons. However, it is important to remember that if you run remote login software you are effectively giving a complete stranger total control of your computer.


>> Report fraudulent use of remote login software.

There are too many other applications that are used for remote support to list them all here. They pretty much do the same thing which is to provide direct access to your computer from anywhere in the world.

Tricks of the trade

Once logged into your computer, the remote technician will attempt to trick you by fabricating errors or even viruses on your computer. They like to use the default Windows tools and turn them against you, hoping you’ll get scared and follow their directions.

The Event Viewer (eventvwr)

[Screenshot: the Event Viewer, even on Windows 8]

False: “These errors are viruses or serious damage to the backend of your PC. If not taken care of immediately, you will lose your computer.”

True: The Event Viewer is an application that aggregates all of the log files from your computer. It is traditionally used by system administrators to diagnose certain errors. However, most events are harmless notifications.


The System Configuration Utility (msconfig)

False: “There are many programs that are stopped, indicating some serious damage to the backend of your computer and poor performance.”

True: It is perfectly normal to have services that are stopped. In fact, you can actually speed up the boot time of your PC by disabling unneeded start up programs.


The Task Manager (CPU ‘spikes’)

False: “These spikes are dangerous for your PC’s health. Just like your heart rate, they should not go up. Your PC could suffer some irreparable damage.”

True: When your PC is active, you will see the CPU usage go up and down constantly. What would not be good is if the CPU was pegged at 100% utilization all of the time. This is not the case here.


The erratic CPU

False: “Your CPU usage is running very erratic.” This is similar to the one above, except the technician is running something to cause this.

True: Actually this type of behavior is not good (if it was really your computer doing this, rather than someone artificially triggering it).


The System Information (msinfo32)

False: “These are critical ‘Windows Errors’. You need to buy the software warranty to fix them.”

True: Again, error logs (which all computers have) should not be translated into poor performance or malware without actually reviewing them one by one.


The Prefetch files

False: “These are damaged programs that cannot be deleted or even worse, viruses! You need to clean up your PC now!”

True: These are files that correspond to applications you often use. Windows saves them in there so that next time you launch those applications they start faster.


The restore from trash trick

False: “Look: I am going to delete all these files. [waits a few seconds...]. And see they all came back!”

True: There is a keyboard shortcut to undo the last action (in this case delete). It is Ctrl+Z. Of course the victim sees nothing because it’s a shortcut.


The Temporary files (%temp%)

False: “These are infected files with worms, trojans and viruses. The disk is full of them.”

True: Simply because a temporary file cannot be deleted does not mean it’s a virus. It could be in use by any currently running application.


The Fake scanners

False: “This scan shows several viruses that were found by our security scanner. They have infected your registry.”

True: This program is essentially a fake antivirus, stuffed with made up detections meant to alarm you.


The dir and tree commands

False: “These two commands perform a full virus scan on your computer and will report any infected file.”

True: These are DOS commands that list directory contents and paths. They have absolutely nothing to do with scanning for malware.


The custom Virus message

False: “Following the scan, we found 42% of your files are infected, including a Zeus Trojan. Windows is at high risk.”

True: This message was typed by the scammers and then pasted on the command prompt. It is totally fake.


The red Command-Line Terminal

False: “Look at all these malware infections in red. All of your files have been compromised and will be destroyed.”

True: The Windows Terminal can be customized to have different font colors as well as background colors. Red looks scary…


The ‘ping’ (on Mac OS X)

False: “We tested the protection on your Mac and found that there isn’t any. You need to buy our antivirus right now because you are going to get infected.”

True: This is an abuse of the ‘ping’ command, something meant to check if you are properly connected to the Internet or see if a website is responding. It has nothing to do with protection on your Mac.


The netstat command

False: “Hackers have infiltrated your computer, they are stealing your files doing cybercrime!!”

True: This is a command to display network connections (incoming, outgoing) but you can’t necessarily deduce these are “hackers”.
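What the netstat listing actually contains becomes clear once each connection is tied to the program that owns it. The following PowerShell is an added example, not part of the original page; it assumes Windows 8 or later (for `Get-NetTCPConnection`) and an elevated prompt, and the category labels are made up for illustration.

```powershell
# Added example: attribute each TCP connection to the program that owns it.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection); run elevated
# so connections owned by system processes resolve too.

# Build a PID -> process name lookup once.
$procById = @{}
Get-Process | ForEach-Object { $procById[[int]$_.Id] = $_.ProcessName }

$connections = Get-NetTCPConnection | ForEach-Object {
    # Classify the row before deciding whether it deserves any attention.
    $kind = if ($_.State -eq 'Listen') {
        'listening, no peer connected'
    } elseif ($_.RemoteAddress -in '127.0.0.1', '::1') {
        'loopback, never leaves this PC'
    } elseif ($_.State -eq 'Established') {
        'established to a remote host'
    } else {
        'closing or transient'
    }
    [pscustomobject]@{
        Kind    = $kind
        State   = $_.State
        Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
        Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
        PID     = $_.OwningProcess
        Process = $procById[[int]$_.OwningProcess]
    }
}

# How many rows fall into each category.
$connections | Group-Object Kind | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# The only rows that involve another machine, with the program responsible.
$connections | Where-Object Kind -eq 'established to a remote host' |
    Sort-Object Process, Remote |
    Format-Table Process, PID, Local, Remote -AutoSize
```

On a typical PC the remote connections belong to the browser, the mail client and update services, and during a scam call one of them is the technician's own remote-control session.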


The online glossary or Wikipedia trick

False: “It’s not just me saying that there are viruses and trojans on your computer. Check these online resources as well.”

True: Leveraging glossaries or reference sites is a clever trick to lend legitimacy to certain claims. If such and such a site says it’s true then it must be… or not.


The Network Access Protection (NAP)

False: “Your network protection is disabled. All the hackers are already inside your computer.”

True: The Network Access Protection is a feature that mostly applies to PCs that connect to a domain. It ensures they adhere to safety standards. If this is your one and only computer, NAP should be left Off.


The notepad trick

False: “Can you read this? Does this make sense to you? No. The computer cannot understand this file. It is like alien words.”

True: Certain files are not meant to be read with notepad. In particular, executable files need special tools to read their ‘sections’. Therefore, it is perfectly normal that these files cannot be read as ‘text’.


The Power Efficiency report (powercfg energy)

False: “Your computer’s battery is going to fail very soon. It might even catch on fire if you don’t do something about it right now!”

True: This command can generate a report to help users optimize their battery (useful on a laptop) and detect non-optimal settings to save power, etc.


The (value not set) registry trick

False: “Your network is not working properly as you can see it says: value not set and default.”

True: The network is working just fine. Scammers will use the registry editor to show empty keys and conclude your security is at risk.


The Process Explorer error

False: “We need to manually remove the infected entries and delete all the error files from your computer.”

True: This [Error opening process] label happens because the user ran Process Explorer with limited privileges. It has nothing to do with errors on the computer.


The digital certificates

False: “Do you see the untrusted publishers? These are trying to compromise each and everything.”

True: These are normal and although the ‘friendly name’ is deceiving, those revoked certificates are used by your browser to protect you from untrusted sites.


Getting help (damage control)

Getting scammed is one of the worst feelings to experience. In many ways you feel like you have been violated and are really angry to have let your guard down. Perhaps you are even shocked and scared and don’t really know what to do now. The following tips will hopefully provide you with some guidance.


If you already let them in

  • Revoke remote access (if unsure, restart your computer). That should cut the remote session and kick them out of your PC.
  • Scan your computer for malware. The miscreants may have installed password stealers or other Trojans to capture your keystrokes. Use a program such as Malwarebytes Anti-Malware to quickly identify and remove threats.
  • Change all your passwords (Windows password, email, banking, etc).
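To support the first two steps, the following PowerShell looks for remote-access software still present after the session. It is an added example, not part of the original page: the tool names are the ones mentioned on this page, the spellings "ISL Light" and "ISL Online" and the function name `Find-RemoteToolRemnant` are assumptions, and it should be run from an elevated prompt.

```powershell
# Added example: look for remote-access software left behind after a session.
# Tool names come from this page (TeamViewer, LogMeIn, Ammyy, ISL); the product
# spellings "ISL Light" / "ISL Online" are an assumption. Extend the pattern
# with whatever program the caller had you install.
$toolPattern = 'TeamViewer|LogMeIn|Ammyy|ISL ?Light|ISL Online'

function Find-RemoteToolRemnant {
    param([string]$Pattern = $toolPattern)

    # 1. Programs running right now (an active or resident remote session).
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match $Pattern -or $_.ExecutablePath -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Process'; Name = $_.Name; Detail = $_.ExecutablePath }
        }

    # 2. Services, which survive a reboot and can allow unattended access.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern -or
                       $_.PathName -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Source = 'Service'; Name = $_.DisplayName
                Detail = '{0}, start mode {1}: {2}' -f $_.State, $_.StartMode, $_.PathName
            }
        }

    # 3. Installed programs, read from the uninstall registry keys
    #    (64-bit, 32-bit and per-user).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Source = 'Installed'; Name = $_.DisplayName
                Detail = 'installed {0}; uninstall: {1}' -f $_.InstallDate, $_.UninstallString
            }
        }

    # 4. Entries that start automatically at logon.
    Get-CimInstance Win32_StartupCommand |
        Where-Object { $_.Name -match $Pattern -or $_.Command -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Source = 'Startup'; Name = $_.Name
                Detail = '{0} ({1})' -f $_.Command, $_.Location
            }
        }
}

$findings = @(Find-RemoteToolRemnant)
if ($findings.Count -eq 0) {
    'No matching remote-access software found (portable copies on disk are not covered).'
} else {
    $findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
}
```

A "Service" or "Startup" finding matters most, because it means the tool comes back after the restart recommended above; uninstall it before changing passwords.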

In some cases (you did not pay or called them names), scammers will seek revenge on your machine. Here are some things they might try and what to do to recover from them:

  • Master password lock out

There are various ‘hacks’ to reset that password. One method is to use a Linux boot CD to mount Windows and then use the chntpw utility. It is described here.

  • Missing software drivers

First, try to do a System Restore. If it fails, you should be able to reinstall them by going to the manufacturer’s website and downloading the appropriate driver.

  • Missing files

First, try to do a System Restore. If it is not available, check for backups you may have made and stored somewhere else. As a last resort, there are programs that can scrape your hard drive and attempt to recover the missing files.


If you already paid

  • Contact your financial institution/credit card company to reverse the charges and keep an eye out for future unwanted charges.
  • If you gave them personal information such as date of birth, Social Security Number, full address, name and maiden name you may want to consult the FTC’s website and report identity theft.


Fighting back


Report the scam


Report misleading ads

“TrustInAds.org comprises a group of Internet industry leaders that have come together to work toward a common goal: Protect people from malicious online advertisements and deceptive practices.” Report misleading ads here.


Shut down their remote software account

  • Write down the TeamViewer ID (9-digit code) and send it to TeamViewer’s support (they can later on block people/companies with that information)
  • LogMeIn: Report abuse

Spread the word

You can raise awareness by letting your friends, family, and other acquaintances know what happened to you. Although this may be an embarrassing experience if you fell victim to these scams, educating the public will help someone caught in a similar situation and deter further scam attempts.


Investigate

While hanging up is the safest thing to do when you get a cold call, some people have gone on a mission to expose those scammers. While we don’t endorse this behaviour, if you do have information to share, please let us know and we will update this page with any new relevant details.


Tech Support Blacklist

This list is being updated on a regular basis from our own investigations as well as from tips we receive from our readers. There are two main objectives with that list:

  1. To protect people who are about to call for tech support assistance and want to make sure the company has not already been listed.
  2. To provide assistance to victims that have already been conned and are googling the phone number they called or company they interacted with.

If a company is listed below, it meets at least one of the following criteria:

Criteria:

  • Pretends to be Microsoft or Windows
  • Uses one of the tricks mentioned above
  • Finds viruses/malware on a perfectly clean system
  • Validates a fraudulent scare page as legitimate/real

List:

  • 24/7 PC Guard | 247pcguard.com | 1-888-855-7953
  • 365 Tech Help | 365techhelp.co/bng/slow-pc, fastsupport.com | 1-866-539-8804
  • Speak Support | speaksupport.com, 121usa.com | 1-800-806-0768
  • PC Smart Care | pcsmartcare.com, pcsmartcare.us | 1-855-569-5945
  • PC Mask | pcmask.com | 1-877-385-1667
  • My Tech Gurus | mytechgurus.com | 1-866-587-1775
  • MegaITSupport | megaitsupport.com | 1-888-939-3618
  • Click4Support | clickforsupport.net, webtechmasterhelp.com, techsupportcenter.org, techsupportive.com | 1-855-668-8555 | LogMeIn: 292242
  • PC Toolkit Pro | pctoolkitpro.com | 1-855-803-1370
  • Compute My PC | computemypc.com | 1-800-356-7697
  • iGennie | igennie.net | 1-888-239-4339
  • TechFix Pro | techfixpro.com | 1-888-768-0082
  • iMax Support | imaxsupport.com, fix247.org | 1-800-247-0830
  • Internet Security Protect | internetsecurityprotect.com | (020)-3289-1596
  • All In One Tech Support | allinonetech.net, allinonetech.us | 1-800-487-9456
  • 1844desktop | 1844desktop.com | 1-884-337-5867
  • Comlogic | comlogicinc.com | 1-888-930-1033
  • PC Tech Clinic | pctechclinic.com | 1-855-486-4411 | LogMeIn: 152903
  • Condis Services | condiservices.com | 1-888-221-6490 | ISL: 19834912
  • aolrisk.com | 1-855-666-8849 | LogMeIn: 770772
  • Affiliated Help | affiliatedhelp.com, 123help.co | 1-800-565-7782 | Ammyy: 29761986
  • 247 Support Experts | 247supportexperts.com, 3wayhelp.com | 1-888-221-1582 | LogMeIn: 146794
  • SysCare247 | syscare247.com | 213-260-2279
  • OMG Tech Help | omgtechhelp.com | 855-316-8324 | LogMeIn: 642695
  • OnVoiceSupport | onvoicesupport.com | 415-799-9786
  • Ecomputer Support | ecomputersupport.net | 1-877-360-0594, 1-855-820-8680 | LogMeIn: 432039


Related articles


Resource Page created by @jeromesegura


  • Operatingsystem OS

    reported scam: mitechmate.com

  • Operatingsystem OS

    they seem like a scam to me, please, malwarebytes, investigate asap

  • Jerome Segura

    Thanks for reporting this.
    Their live chat is currently not available and nobody is answering the phone. Will try again later.

  • Stan naz

    Just allowed a ‘technician’ from maxpccare.com into a Virtual Machine, told him it was running slow. He did the old Event Viewer trick, then did the tree command and typed “network not secure- infections found on pc”. I can 100% confirm this site and organisation is a scam.

    Domains: maxpccare.com
    Phone number: +1-855-763-0457

  • Stan naz

    Found suspicious website http://megaitsupport.com/ – Will probably call them later and see if they are legitimate or not. Please investigate.

    Domains: megaitsupport.com

  • Stan naz

    Found suspicious website http://www.techicode.co.uk/ – Will call these guys too, see if they’re legitimate. Another thing I noticed was they have a UK domain but they have an american number on their website?

    Feel free to investigate.

    Domains: techicode.co.uk
    Phone number: +1-888-4074554

  • Stan naz

    To “Operatingsystem OS” – I agree, the website does seem suspicious, I agree, however I let them into a Windows 8.1 Pro 64bit machine, and they said it was clean, no virus. They appear to be legitimate, but don’t bet on it, may be worth further investigation with a more cluttered machine.

  • Jerome Segura

    Thanks for all the info Stan. Will check back on these guys and update the page accordingly.

  • Stan naz

    Thanks a lot to you too for helping investigate and making more people aware of these scams. I’m here to help anytime, equipped with unlimited landline calls worldwide on Skype, Windows 1, Windows 98, Windows XP, Windows 7, Windows 8.1 Pro Virtual Machines, and a VPN so my IP can’t be targeted for any reason or for advertising.

  • Jerome Segura

    Hi Stan,

    This: megaitsupport.com is a scam, called them and pulled tricks before wanting $399. Will update the list with this at a later point.

  • Stan naz

    Hi, thanks for investigating. Rang PC Mask again just for fun, after finding out me and a friend were messing with them, they proceeded to delete the WHOLE of the C:\ drive. Screenshot can be found

  • Stan naz

    Here: http://ss.stn.so/pcmaskdestroyingpc.png the <a href didn't work.

  • Jerome Segura

    Hi Stan,

    What they did doesn’t really surprise me… Some scammers are particularly vicious when they don’t get what they want.
    Personally, I never taunt them or anything like that (and I don’t condone these types of actions ;-)) although that thought has crossed my mind a few times. I just like to let them do their thing and then politely leave. But even if you are nice, it doesn’t mean they will let you go easily. On one occasion, the scammer stole several personal (albeit fake) documents from my computer before saying “thank you and good bye”.
    I have a few upcoming blog posts and one in particular about what kind of work they really do if you do pay (I did not give them a dime or anything, just managed to get them to start the work while I searched for my missing credit card). You will be surprised to see what their definition of ‘fixing’ a computer for $399 is….

    Stay tuned :)

  • Debbie Perret

    Hi…

    I was just an ‘almost victim’ of this scam. I feel very silly and gullible. They didn’t get very far before I hung up. I asked for a call-back number, was given two. I was told to ask for Logan. The numbers are 818-813-6174 and 800-516-0854. I am just sending in case it is helpful for someone else.

    Thank you for what you do.

  • Jerome Segura

    Hi Debbie Perret,

    Thanks for sharing your experience and providing these numbers.

    I think most people who aren’t prepared and receive such a call may actually fall for this scam. Although we know how to be careful in certain situations, most of us tend to trust others within our daily social interactions.
    Unless you’ve been through it before or know enough about computers to realize this is nonsense, the well rehearsed scam script tends to be quite effective.

    I see you mentioned the name ‘Logan’.. I had someone who pretended to be ‘Max’. All these little details immediately raise red flags for me. When that same person is speaking with a very thick foreign accent, it just doesn’t really add up.

  • Stan naz

    Hello Jerome, looking forward to that next post with their “fixing” – it’s the only thing I’ve not been able to find out so far. I will continue to report organisations I find to be scams or very suspicious here as I’m still surprised at how the same, 10 year old technique is still being successful. It makes me angry. Again, thanks for what you do, and I’m here to help push these scamming companies further downhill.

    Good to hear Debbie that you realised they were a scam. Makes me happy every time someone beats them, even if it means they chargeback a credit card payment.

  • krumike

    It is shameless that some people do this. From cold calls to targeted Google ads… from Windows PCs to Macs and smartphones. They will take advantage of everyone and anyone without fear or favour. Of course, the more vulnerable the target person is, the easier for the shameless scammer.
    I’ve had a number of these calls over the years. No matter if I hang up straight away or follow through (but never give control of my machine) there is always a feeling of helplessness as they can simply hang up the phone themselves and move on to the next victim without blinking.
    That is… until I realised there was something that I could say that MIGHT make a difference to the scammer/caller. They often sound like they’re in or come from a spiritual country so now I string them along for a while then when I’m convinced they are indeed aware of their actions I simply say, “God will punish you” and then no matter what they say next (and they usually get defensive) I repeat it with emphasis on different words. “God WILL punish you.” “God will PUNISH you.” “God will punish YOU” and sometimes they still stay on the phone so I start to include their family too. “God will punish you and your family.” Etc. Etc. Eventually they give up but hopefully it gives them something to think about.
    I used to think that maybe they too are a victim; an innocent call-centre worker with a script and without an understanding of the lies they are saying. But I don’t any more.

  • Operatingsystem OS

    Hello again
    http://Www.securebitin.com
    There is a video

  • Operatingsystem OS

    http://www.myphonesupport.com
    Never contacted any, but keep up the great videos!

  • Stan naz

    I found SecureBitin too.. tried calling them, and they said they didn’t work in the area of computers anymore? Is that what they do when one of the employees can’t be bothered to do their job? When I went to question it or talk at all, they simply hung up. Looks like they’re a scam, and a bad one at that.

  • Imanol Avila

    There’s another company called Comantra (Indian-based) that has been found thanks to YouTube user Troy Hunt (uses Max Zorin to trick them)
    Video:

  • Andrew Wijenathan

    I was almost scammed. I let them have remote access. And when they asked me to make a PayPal account I knew something was wrong. Without really knowing what to do I quickly shut down my computer. Now when I try to turn on my computer it won’t let me. I can’t restore it either. What should I do? Should I take it in for repair?

  • Jerome Segura

    Hi Andrew Wijenathan,

    It sounds like they may have put an admin password to prevent you from logging in. It’s not uncommon that scammers retaliate when people don’t pay up.

    There are methods to recover such passwords using advanced techniques (if that is what the problem is). Before attempting a reinstall of the system, you may want to attempt to recover your data or have a professional do that for you.

  • Operatingsystem OS

    1-866-612-4220
    I went on one of their websites and let them in to an infected VM via live chat, they used a registry cleaner and said that the scan results are “malware”. They have many websites if you google that number. Thanks

  • Benjamin Stambaugh

    A slight twist on the “Cold Call” method:

    My wife’s uncle fell victim to this scam a few months back. He got the usual call from “MS Tech Support” saying his computer was the source of hacks against some popular web site. I cannot recall which sites were mentioned. The rest of the story is the same.

    However, instead of the normal cold call this was a bit more targeted I believe. I don’t have much proof and it could be a total coincidence but earlier that day he was asked by a complete stranger to use his cell phone. He gave them the phone and they went around the corner for “privacy.” I think they were either calling a number to have his phone number recorded in caller ID or they were scrolling through his address book to get his and others’ numbers. After his wife called me about what happened I had to break the news they were victims of a scam. I told them to go to the police and report what happened.

  • Donna Raagas

    The people I called when I thought I was getting YouTube support had me open TeamViewer8; other icons on my desktop are “Cleaner” (That picture of a large and small gear), “IPC System Optimizer”, and a “Warranty services” screen shot for support@instantpccare.com. 1-800-565-7782 and 1-800-848-1897.

    The voice of the man who talked with me sounded just like the man who talked to you in your video, and my “tech” was especially polite too, calling me ma’am.

  • Operatingsystem OS

    http://www.youtube.com/watch?v=flLcGNS5mVs&feature=youtu.be
    I made a video, I let them into a VM and they found out soon

  • arlene

    My 83-year-old mother is getting scammed as I write this. I told her about this scam just days ago but she got warnings about her computer being infected. Because AOL no longer has tech support you are left on your own and she googled up tech support. She was CERTAIN they were part of the AOL because “AOL is in their name.” (Yeah…after a backslash.) We aren’t sure what to do. Cut them off and risk problems, or let them finish and then spend MORE money trying to fix the computer. By that time we might as well buy a new computer! Worse…this company isn’t on the list above…so how do you know the good support companies from the bad ones? This one is http://www.gotoassistance.com Phone 800-664-7520. Can anyone tell me if they might be legit????

  • Jérôme Segura

    Hi arlene,

    I haven’t had a chance to check this company out but if you feel uncomfortable about it, you have a full right to ask for a complete refund or reverse the charges from your credit card.

    The list of known scammers above only represents a fraction of all companies and websites involved in this kind of fraud, making it hard to keep up with.

    Looking for a support company online is tricky… scammers know that and buy ads quite aggressively.

    If the technician used any of the tricks mentioned in this article, it is not a good sign and you should stay away from that company. It’s something you can use as a reference anyway.

  • arlene

    Thanks Jerome…but I wasn’t there when it happened. My mom just happened to mention when I called her that someone was working on her computer. She knows so very, very little about computers that she couldn’t explain to me what they were doing. Like she’ll say “my computer” instead of “my email”…she said the tech showed her that people in Florida and Texas were using her “computer.” And she kept insisting that because she somehow stumbled on this web address– https://www.gotoassistance.com/email-support/aol-email-support/ –with the AOL in the URL they were part of the AOL company. The only way I could get her to understand was by telling her that it has to be right after the www’s. So we let them finish. I phoned the number and heard a big call center in the background and they insisted they were in partnership with AOL. I suspect it is all a lie…so what I would like is if anyone here finds out that they are indeed scammers to please post that…I doubt it but maybe she happened across a company that didn’t do more than overcharge her. Also, how do we find the kind of tech that will be capable of finding whatever keystroke recorders, hidden malware, trojans, or alternate passwords they added so they could shut down the computer if we do reverse the charges. I’d want to clean out the computer before we reverse the charge. Does an everyday tech at a big box computer store have the knowledge to do that? I’m just so freaking angry…she paid $300! For a bit more (or equal to that “repair” and the cost of the additional repair plus getting her signed up for an identity monitoring service) we could have bought a new computer. This is a woman who saves for months just for that $300 and we, her kids, aren’t in worse financial situation than she is. They had her send them an email when they were done, confirming that they fixed her computer…so I suspect they are willing to battle any reversal of charges.

  • Jérôme Segura

    Hi arlene,

    “I would like is if anyone here finds out that they are indeed scammers to please post that”
    >> I tried to call them today but it did not answer. I will keep them on my checklist though. If you have an alternate number (different from the one on their website) please post it here.

    “she said the tech showed her that people in Florida and Texas were using her “computer.”
    >> That sounds very much like “hackers have infiltrated your computer” scare tactics…

    “Also, how do we find the kind of tech that will be capable of finding whatever keystroke recorders, hidden malware, trojans, ”
    >> You can download our own Malwarebytes anti-malware free of charge and run a full system scan. If anything is found the program will let you clean up the computer without asking you to register or pay for the product. http://www.malwarebytes.org/free/

    “Does an everyday tech at a big box computer store have the knowledge to do that?”
    >> Yes, most likely and by going with a well known name at least you reduce your chances of being scammed. However, their services can be costly, so you should ask about fees before.

    ” I’m just so freaking angry…she paid $300!”
    >> I’m really sorry to hear that. All is not lost though and time is of the essence if you want to reverse charges.

  • Jérôme Segura

    Thanks for the tip Operatingsystem OS, I’m also primarily using Virtual Box but I’ve made some changes to my set up so it doesn’t show it anymore.

  • arlene

    Thanks Jerome. I have no other number. I called them around 8pm eastern time last night and someone picked up. Really weird. Thanks for trying!

  • Operatingsystem OS

    Hi Jerome,
    Please contact 247computersupport.net sometime soon. They seem very suspicious, please do not let them find out you are on a VM, but trouble will arise when they open msinfo32 and see it says virtual box, I don’t know what they would do afterwards. BTW they don’t have a phone number on their site and identify themselves based in India

  • Operatingsystem OS

    There is also an ‘assoc’ command trick: they instruct you to type that BEFORE they gain remote access and look at the bottom string and say it’s your unique Windows license ID or something when it’s not unique at all.

  • alizacarvor

    Information you shared which is get secure alarm in advance for all users. I uses some them to fix myself slow performance of PC
    The System Configuration Utility (msconfig)
    The Temporary files (%temp%)

    Thank You
    Fix My Computer Dude

  • operatingsystemos

    http://techfixpro.com/microsoft-support.html
    I went on that website and called them, they connected me to a MyTechGurus “technician” in my VM with Logmein and I think they might be related

  • Eduard Serra Ros

    Dear Jérôme, thanks for this blog on this particular type of scams.

    I’m sure you are already aware, but in case you are not, we are receiving these scams in France as well.

    I live in the Haute-Savoie, in France (next to Geneva), and somehow they “know” that we speak English at home (I’m Spanish and my wife French/British). They keep calling every now and again… it didn’t bother me until today, when they called at 7.00 am (!!!).

    Some other English-speaking friends living in France have also received this type of calls…

    Do you know who we could contact in France to report this scam?

    (we’re starting to get fed up with it!)

    Thanks again for your good job (and of course for malwarebytes software!)

    ps. One day I was playing their game… to get rid of them, nothing simpler than telling them I use Linux, which I don’t… then they asked about a million times if I had a Windows or a Mac computer… another solution is speaking to them in French or Spanish… :P

  • Jérôme Segura

    Hi Eduard Serra Ros,

    Thanks for your comment. I wonder if it’s a mistake or not (I had never heard of someone from France being targeted), but evidently the language barrier has been keeping scammers from venturing too much out of non English speaking countries.

    I’m not sure who to contact in this case because the perpetrators are from outside of France. So if you were on a “do not call list”, it most likely would not fix this issue.
    If you were defrauded, you could file a complaint with the usual orgs, but again there’s the extra territory issue…

    What you could do (if you have the time) is find out a little more about who’s calling: what is their website, company name, etc? That information can be helpful for those of us that go on an investigative mission. Not only can we gather info on scammers but in some cases we can also have their sites shutdown.

    By the way, beautiful region you live in :) I was born in the region nearby and still have family there.

  • Jérôme Segura

    Thanks operatingsystemos for reporting these two sites :)

  • operatingsystemos

    Jerome, I have shared many sites with you, and why haven’t you contacted them or added them to the list of reported scammers ;-)
    Here’s another suspicious one
    https://www.imaxsupport.com/

  • Jérôme Segura

    Hi operatingsystemos,

    I appreciate your sharing all these sites here and I am looking into them. As you may imagine I have many things going on at the same time (I do other security research too) and mostly I want to make sure that everything is well validated before I publish it. As it happens I am currently working on another scam company at the moment that has been taking me a week to track and that I plan on exposing perhaps next week once I’ve made full disclosure with a big name company involved.

    Anyway, your info is valuable and does not go unnoticed. :)

  • operatingsystemos

    Where have the links to the videos gone? And are there any new videos?

  • Jérôme Segura

    operatingsystemos, the links were removed but the videos that were used in blog posts are still available on our YouTube channel.
    Other videos where the only purpose is to identify new companies involved in scams are not public. The idea is that there is no need to give scammers a full view of the tools and techniques we use. An awful lot of information can be learned from watching the videos (oh he’s running this setup, with these icons, this Windows license key, etc…) and yes, some scammers have been watching and learning from that.
    Since you last posted about the VirtualBox detection, I’ve had 3 different companies check that first thing when they remotely connect to make sure this was a real computer and not a virtual machine. They check the tray icons, and then do a msinfo32 to see the information from the BIOS.
    In other words, they are being a lot more cautious. While documenting with videos is great and is proof of unethical activities, it also gives the bad guys too much insight into how they can be tricked.
    All the recordings are archived though, in case a company wanted to contest being listed on the “reported scammers”, it’d be easy to show them footage of an interaction with a technician.

  • operatingsystemos

    I made a comment before and it didn’t show up, so once again, please email me links to the scammer videos at operating{NOSPAM}system121@yahoo dot com. I will only store them for personal use and nothing else.

  • Dawn Harrison

    I just got a new Dell Inspiron 15 7357 laptop a few days ago. 2 days after receiving it my browser started looking like a yahoo browser. I was unable to get into any Web page after clicking a link from Google search result (my domain advisor was blocking it). It would also drop wireless (a fault in the design I believe). Anyway a few hours later I receive a phone call from my ‘tech team’ saying they were monitoring my equipment as part of my broadband package. I asked if they were from Virgin & they said yes. They instructed me to get Teamviewer but my laptop wasn’t allowing that either. So they said to go to my pc & do it from there. I did as instructed & they searched for a file & said the files on screen were infected & I was passed on to a specialist. The specialist was discussing my problem & mentioned a 9year protection package. It was at this point that I realised it was a scam. I demanded to know the name of their company & they hung up on me. Turned off my pc & ended their link with it.
    My worry is that they knew I was having an issue & were able to get my phone number to call me within hours of the issue starting. I absolutely do not think it is a mere coincidence.
    I installed spybot & malwarebytes which sorted the issue. My domain advisor is off & I believe the issue is directly tied to that programme which came pre installed with my laptop.
    The experience has been reported to the police & internet crime squad as well as my bank in case they got sensitive information. I suggest people share this experience because of the way in which it developed.

  • Jérôme Segura

    Hi Dawn Harrison,

    That’s not the first time I hear about these ‘coincidences’.
    It’d be interesting to find a relationship (if any) between people buying new devices or experiencing issues and these calls.
    Thanks for sharing your experience.

  • John Harpold

    I recently received a cold call from a group known as “Smart Tech Guru”. I didn’t engage with them but took down a phone number and said I’d get back with them. Ever heard of them and if so what can you tell me?
    John

  • Jérôme Segura

    Hi John Harpold,

    I’ve never heard of this company before. A quick look up on the domain name shows they’re using some anonymizing services from registrar bigrock (which I’ve noticed was used in very similar fashions by other scam companies).

    http://whois.domaintools.com/smartechguru.com

    Thanks for passing it along, I’ll investigate.

  • Marx Xiong

    Hello

    I recently was called by a man with an Indian accent. He said he was a Microsoft tech and that my PC had been sending out tons of error messages to Microsoft, that my PC had a lot of viruses. I really wish I had my guard at its best but I was stupid enough to listen and believe him. I downloaded the programs he told me about (tvi.name and showmypc etc.) and gave him remote access. I honestly wish I hadn’t done any of this. But after he started telling me to type in my card info, name, email etc. I knew it was a scam. I only wish I had realized that as soon as the phone rang. I had a lot of my important personal information on my PC, such as social security number, passwords and phone info. I am wondering if he can harm me in any way with that information. I have run Microsoft essential security 2 times, both full runs, and tried my best to delete all that he told me to download. I’m not sure if anything is left but the PC will probably end up being smashed. Please respond!

  • Derrel Allen

    I am curious as to why Google allows this type of advertising. I think they should be reported. I’m fairly sure their ads violate the TOS. Surely Google doesn’t need their $$ that much.

  • Theresa Retz

    Have you considered an article on scams that manage to put out TV and radio ads? The station I listen to at work is currently running an ad for “speed counts” which looks to me a lot like this kind of scam. Unfortunately, the fact that it’s gotten airtime tends to make it seem more legitimate to folks who might not know how to spot scams.

    The parent company of ‘Speed Counts’ is “USTechSupport”. I would test them myself but I don’t have a spare PC or virtual PC to use as bait and I don’t want to risk it.
    From what I can tell (they recently changed the site to remove any listing of what they actually do, when I looked them up last week before warning the radio station they were a scam, it listed things like “removing registry errors” and “defragmenting” as a way to speed up the PC) they don’t do anything that you can’t do yourself with default windows tools.

  • Jérôme Segura

    Hi Theresa Retz,

    Thanks for passing this on. Although most people assume these scams are run by Indian-based companies, it also happens in the US. TV and radio ads might cost significantly more than adwords but perhaps they reach out to a better audience. May I ask which radio station these were aired on?

  • Jérôme Segura

    Hi Derrel Allen,

    Yes, it is quite frustrating to see major search providers involved in this. I would be very interested to know how ad accounts work, especially whether or not it is easy to create countless new accounts. I imagine if Google or Bing shuts down a particular, say, adword account, the scammers are most likely going to open up a new one.

  • Jérôme Segura

    Hi Marx Xiong,

    Unfortunately you need to assume the worst. Certain scammers will steal data from you and quite possibly attempt identity fraud. You should contact your bank / credit card provider and let them know what happened.

  • operatingsystemos

    Also, please add the syskey trick that they use to lock you out, I learnt that from your video:

  • Ellen Gaynor

    A friend of mine called me to tell me these people had been calling for a long time, but she finally talked to them today. The woman told her she was with Axis PC Help (of course there’s an axispchelp.com website with glowing reviews). She got my friend to install Techinline so the “technician” could connect remotely. After a while of this woman pointing out problems, my friend asked if this was going to cost money. That is when the call ended.

    I told her to download malwarebytes and scan her PC. I need to call her back and tell her about the possibility that they stole her info while they were poking around.

    axispchelp.com was registered by someone who goes by the handle kddacraker. Very interesting google search results for this name.

  • Marx Xiong

    Hi Jerome

    Thank you for responding. I just turned 18 not so long ago. I don’t have any bank account at the moment and I am not associated with any credit card providers either. I’ve changed all of my passwords already. Is there anything I should do now? Would the scammer be able to use my SSN to apply for a credit card or cause some sort of trouble?

  • operatingsystemos

    http://online-tech-support-review.toptenreviews.com/
    They all seem to be scams to me, no matter what that website says

  • operatingsystemos

    https://www.google.com.au/search?q=1-855-292-4094.
    These guys are OmniTech, I contacted them a while ago and they have registered many domain names. They might also be illegally selling “Systweak Advanced System Optimizer”. AFAIK, that is a legitimate registry cleaning software.

  • Jérôme Segura

    Hi Marx Xiong,

    It depends how and where your personal information was stored on your computer, as well as how long they had access for. So, it’s pure speculation on what they could possibly do.
    You can still report the fraud to your local authorities etc with a formal complaint.

  • Jérôme Segura

    Hi Ellen Gaynor,

    Thanks for sharing this information, this is valuable to investigate further. Hopefully your friend recovers from this without too much damage done.

  • Marx Xiong

    Hello again Jerome,

    Thank you again for responding. The programs they told me to run were running for about 10 – 15 minutes or less, I believe. And well, as for some of my information, I was dumb enough to have it sitting on the desktop screen. I just always thought, what are the chances of me becoming a victim of a scam like this? Is it possible for those programs to have transferred my files secretly and files of other accounts on my PC within 10 – 15 minutes?

  • Jérôme Segura

    Hi Marx Xiong,

    If that was their intent to scrape everything, then yes it is possible. That happened to me not long ago:
    http://blog.malwarebytes.org/fraud-scam/2014/02/netflix-phishing-scam-leads-to-fake-microsoft-tech-support/
    http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/02/filetransfers.png

    You mentioned they used a program called showmypc? I’m not familiar with it but perhaps you could find log files for that program? Within these you may be able to find activity traces. I say ‘may’ because sometimes they make you install a “standalone” version of the remote software which does not leave logs.

  • John Reddy

    Thanks for a very interesting blog . I agree with your blog and i will be back to check it more in the future so please keep up your work, You have done a great job [edit from author: <--- thanks for spamming the link, will investigate! /end of edit]

  • MiddleOf TheSky

    Today, I was trying to get help with my printer and googled canon help..etc. I got to this website..it’s under repair http://www.printer-techsupport.com/index.html. It’s called Printed Tech Support. The phone number on the website is 1-888-218-3886. “Ron” accessed my computer through Team Viewer and told me someone hacked into my computer and it will cost 350. I said I don’t get paid till Friday. He said okay one time help 150. I said I will check with Canon to make sure they are legit and hung up. This is the number he told me to call 1-800-986-6389. Ext 313. I guess I should alert bank and change passwords.

  • John Miller

    Jerome,

    Internet Security Connect Ltd

    Another one for your list, they called me yesterday, I did allow access but got suspicious because some of the things they pointed to that indicate PC issues made no logical sense. They deleted my desktop items as I attempted to cut the connection through the task manager (I should have just pulled the ethernet cable but in the heat of the moment didn’t think of it). The company is internetsecurityconnect.com (Internet Security Connect Limited). I was not rude in any way but they became threatening at the point I said I wanted time to check their credibility properly.

    I was not aware of this scam until yesterday and have read your article with interest, many of the elements you outline were identical. They used the Tree, false infection message, “Stopped” files, CPU usage and also a new one. They pointed to the crss.exe file saying, as it did not have user against the entry that it was being used by some unknown crook.

  • Jérôme Segura

    Hi John Miller,

    Thanks for sharing your experience and the company name. We will investigate and report them.
    I hope you were able to recover from the damage they attempted to do on your machine.

  • Jérôme Segura

    Thanks angeljg1091!

  • Jérôme Segura

    Hi MiddleOf TheSky,

    It wouldn’t hurt to update your passwords and make sure no identity theft was committed. Thanks for sharing!

  • John Miller

    Jerome,

    Thanks for your reply, I tried to correct the name of the company and failed dismally. To be clear it is Internet Security Protect Ltd the web address is internetsecurityprotect.com.

    Through simple research on the net I found the owner of the site. Also corroborated this with another website and got his address (in India!) and believe it or not, then got a Facebook page with a photo of the individual. The site I was pointed at the start of the call has been running since January, the UK mail address is a mail drop where 17,000+ other companies supposedly reside. I did call them when I got my PC back, out of curiosity, they did answer and when I gave my first name they knew my second name. They hung up!

    Was able to recover my desktop through a local technician. The whole thing was a pain but I suppose a learning experience.

  • John Miller

    Jerome,

    Follow Up

    Have just checked, the website has now been suspended. I had reported to the UK authorities (Action Fraud and Trading Standards) and also contacted Team Viewer with the 9 digit code (having read your blog). It would be arrogant to think that this resulted in the suspension but it’s good to see that one avenue appears to have been blocked. The other site with the same owner is still up and running but I don’t think it would be right to name it here (it’s IT related but nothing to do with technical support or security).

  • Jérôme Segura

    Hi John Miller,

    That is great detective work! Your efforts probably led to the site getting suspended which is great news for potential other victims. :-)

    I’ll add them to the list regardless as they may pop up again under a different disguise.

  • operatingsystemos

    Hi everybody
    Thank you very much for your reporting. I have created a wiki of all of the possible scam companies, among other things related to the topic of Tech Support Scams, you are welcome to visit and contribute here:
    http://tech-support-scam.wikia.com/

  • peace

    My problem has been with Microsoft pulling surprising punches. This only happened twice and have several good experiences with them, but 2 clearly blatant and one possibly criminal. I purchased a 365 Office license that includes Assure plan – normally an extra $149/yr.

    1st time – after an update search stopped working in Outlook. They sent me to someone who started downloading tons of junk on my computer and running diagnostics. All along claiming he was fixing it for free. I video recorded most of it with my phone and later went back and found he was downloading known malware and infecting my computer. He got the computer to an unusable unbootable state, then said it would cost $99 and he would fix it.

    I disconnected, reinstalled the OS from disc and restored my backups.

    2nd time – tonight a more subtle agent. about a week ago Outlook started throwing Visual Basic errors when opening .docx files from within Outlook. Note, if the files are saved, separately, they open fine. A simple test file created in the Office system demonstrates the problem.
    Microsoft Visual Basic Run-time error ‘4248’: This command is not available because no document is open. The document is not open because there’s an alert emblem PROTECTED VIEW – Be careful – email attachments can contain viruses. Unless you need to edit, it’s safer to stay in Protected View. [Enable Editing]

    so, the latest download update of Outlook does this for all MS file attachments – no other files.

    The first agent tells me it’s a Pro paid call, sends me on loops around the world of transfers for 95 minutes. The earlier agents thought the problem was a VB script error that needed to be resolved.

    Connect again and this agent does a lot of the scare tactics shown on this blog including the Event Viewer. Tells me the problem is corrupted system files and a corrupted registry. How would they know this? Nothing they did indicated this type of problem.

    I don’t know if I have a problem or not, but only have one symptom – as noted, which appears to be a warning from MS that simply needs to be turned off.

    What surprises me is that MS would support, probably give bonuses to agents who can sucker people into paying extra for support they already own and get away with it.

    The first case seemed criminal – he intentionally did damage to my computer.

    Lastly – after disconnecting and rebooting the last agent was still there… I thought the support bot required authorization, but I guess not. Her typed response “wanna try that again?” Was this a dare to see if I’d try to get rid of her again?

    The audacity. And, how can I be sure this spyware app is fully removed from my system now?

    I have no answers. Just run ESET every day and Malware Pro Every day and do daily backups and hope the bear doesn’t decide to have me for dinner.

    Any suggestions appreciated.

    Cheers All

  • peace

    Follow up – since leaving the post a few minutes ago, searching shows this is a common problem typically resolved by changing options in the Trust Center.

    None of the agents at Microsoft even checked the Trust Center Settings.

    I still can’t get the settings to take hold and work properly – expect the latest automatic update must have introduced a bug. Will restore to a back up from last week if need be.

    Hope this info is helpful to someone else.

  • John Miller

    Jerome,

    Just so you are aware, the Internet Security Protect website is up and running again. Do you think it would be worth me contacting the registrar (Godaddy) or the host or would I be wasting my time? I am determined to ensure that others don’t get caught as I did. Details below:

    Domain Name: INTERNETSECURITYPROTECT.COM
    Registrar URL: http://www.godaddy.com
    Registrant Name: Registration Private
    Registrant Organization: Domains By Proxy, LLC
    Name Server: NS1.CP-13.WEBHOSTBOX.NET
    Name Server: NS2.CP-13.WEBHOSTBOX.NET
    DNSSEC: unsigned

  • Jérôme Segura

    Hi John Miller,

    Thanks for that information. I’ve already asked someone in our team to look into contacting GoDaddy regarding this matter. We’ll also investigate on our own.

  • William Lentz

    Hi there, just wanted to report a cold call scam in the USA
    Someone called me claiming to be “Windows tech support”. The phone number I got from them is +1 239 300 6975 (Magic Jack app phone number) with caller ID reporting “Naples FL”. He spoke in a really deep Indian accent like all the others. After granting him access to my virus infested VM that I have on my home server for this reason, he showed me the event log, cmd tricks, uploaded and installed Advanced Windows Care v2 (Maker of the product was I-orbit) and showed me issues there, and had me fix them, claimed to be able to give me avast paid for a full lifetime license ( Ya right…), he also showed me task manager’s performance and network utilization claiming “That is all you can use” when it is really what I am using at the given moment, he then showed me via notepad the final bill to get it all fixed and trying to sell me a 5 year subscription to their services, total for 5 years was $179, he wanted me to send him money via western union or money gram. I stopped him there and then called him out on his layer of bullshittery. He then tried to claim that he was a Windows employee NOT a Microsoft employee (they are both the same company idiot) and that ended that. Reported to local law enforcement and will be calling LogMeIn to report it to them too. He also gave me these phone numbers in the notepad bill

    778-747-9829 – His Personal Number (Peter Slap was his name)

    281-643-0036 – His head department number (idk what this is for but call at your own risk)

    If you require any more information about this please let me know and I will see if I can find some.
    Thanks,
    William Lentz

  • seston pit

    Yahoo support @ 18009350357

  • Jonathan Bell

    I have been doing some digging and I found this website http://techsupportheroes.com/ I called them and they tried to scam me.

  • Jérôme Segura

    Thanks for reporting it Jonathan Bell.

  • Pixiey Dust

    These guys just called me. I no longer am getting calls from Microsoft (they got smart) but Smartguru instead. they wanted to charge me 75-100 bucks after looking at my computer remotely (I did not do that).

    The site looks legit, but cold calls make me know not to trust them.
    Thank you guys for being awesome!!
    http://smartguru.us/

  • Jérôme Segura

    Thanks for letting us know Pixiey Dust!

  • Jonathan Bell

    I dug some more and found this site. http://www.windowstechsupport247.com/.
    The website is hosted by godaddy.com

  • Jérôme Segura

    Hi Jonathan Bell,

    Thanks. As you can see there are more fraudulent tech support sites out there than one can handle ;-)
    Appreciate the help!

  • Lea

    Hello! Fell for one of these last night. The websites in question were http://mywifiextnet.com and http://netgearextendersetup.com/. I searched the phone number associated with these websites as well (1-888-918-2345) and got a whole crop of dubious-looking “tech support” websites.

    Thank you!

  • Saori M

    Hi Jerome,
    I was not familiar with the ongoing Tech Support scams and I had never come to find your blog until yesterday. I received a cold call claiming it was from Windows yesterday telling me that my PC was sending error messages and he was calling me to fix my PC. At first, I almost believed him, but when he mentioned about the remote access, I didn’t feel right and told him that I would call Window’s customer service myself and get help. He gave me my PC’s “serial #” and a phone number to call back- 310-734-8856, but I didn’t call that number.
    I googled “Windows Customer Service” and called the number that came up on the top. At this point, I was actually feeling pretty stressed as I was not tech savvy. I should have checked the site carefully, but I didn’t. A guy named “Sean” answered the phone and I asked him if this was Windows customer service, and he said yes. I told him that I received a cold call from Windows, but felt uncomfortable giving the caller remote access, so I decided to check with Windows/Microsoft directly if that was something they would do. He said Windows/Microsoft would never call the customers like that and the call I received was indeed a scam. So, he said that he could take a look at my PC and see if everything was ok. Again, I felt uncomfortable giving him remote access, but I asked him again if he was in fact with Windows and he said yes. Also I was the one who called them, so I decided to proceed.
    He did the series of steps to check my PC and came up with “Rundll32″ viruses. Just remind you here that he had never done “Virus Scan”. He showed me “The Event Viewer”, “msconfig”, “prefetch”, “Rundll32 Glossary” and “Notepad”. I didn’t realize those could be used as tricks until I read your blog. After I made a payment of $110- to remove the “viruses”, I realized that the company was Mega IT Support which was on your list! So far I don’t see any of my software or files missing, but he did put over 600 items/files in the trash and deleted them without showing me what they were. My credit card charge was $110 as he promised and nothing more. But I am not sure at this point that if there were even the viruses and if I paid for nothing. My concern now is that he didn’t put anything in my PC when he had remote access.
    Do you think I should get virus removal from a trustworthy company/tech just in case he put anything in? I would appreciate if I could hear your opinion about the whole incident. Thank you.

  • Saori M

    Oh, by the way, they did uninstall my “Webroot Secure Anywhere” and install “Microsoft Security Essentials”. I ran the scan with Microsoft Security Essential and nothing came up. I re-installed “Webroot” and ran the scan, and also nothing detected.

  • Jérôme Segura

    Hi Saori M,

    I’m sorry to hear about your experience, especially considering you dodged the first cold call.

    It might be more difficult to get your money back since you actively made that call (as opposed to receiving an unsolicited phone call), but it still might be worth a try to call your credit card company to reverse the charges. These people are not Microsoft employees and should not make such claims.

    You could also file a complaint with the FTC (although once again, you willingly entered into an agreement when you made the call) and describe what happened.

    Now regarding your computer and safety. I doubt there was anything wrong before and you may be able to restore it to an earlier state before these guys took over and made changes. Windows has a feature called “System Restore” which is like a rollback (you pick an earlier date to restore the PC to): http://windows.microsoft.com/en-CA/windows7/products/features/system-restore

    Also, do you remember which remote program they installed to control your PC? Was it logmein, teamviewer, ammyy? Remove any trace of it (control panel -> add/remove programs). Sometimes they turn on a feature that could enable them to take control of your computer again.

    Typically these scammers do the least they can after they got paid. They will install free software (such as Microsoft Security Essentials) (while telling you they installed a paid antivirus) and clean up temporary files and cookies. They really could care less about doing a decent job, they just want to give you the illusion they did something.

    You can also run a scan with our own software (Malwarebytes Anti-Malware) for free and check whether there are any active malicious components (http://www.malwarebytes.org/antimalware/). If you had stored any passwords or personal files on your machine, please make sure that this information is safe. In fact, it would not be a bad idea to change your passwords. Personally, I’d recommend using a password manager that makes remembering complex and unique passwords a breeze.

    Once again, I’m sorry to hear about this and wish you had found this blog earlier. There are hundreds and hundreds of different company names, phone numbers, etc. out there but the top ones (those that will pay for ads or appear in the top results of search engines) are easier to spot and report on. Also, these fraudulent companies are not just overseas… we have found some in the US. This is a very large and lucrative business taking advantage of people who aren’t necessarily savvy or were taken off guard. Hopefully by raising awareness and going after miscreants directly we can make a difference.

  • Saori M

    Hi Jerome,

    Thank you so much for your advice and thoughtfulness.
    I did “System Restore” and wiped out any traces from the “Tech Support.” I also downloaded Malwarebytes Anti-Malware and scanned my PC after the system restore. It only found some unwanted registry keys and files (all from Coupon.com that I downloaded a long time ago) that were not too threatening. I was able to quarantine and delete them afterwards. I guess there was no “Rundll32” virus after all. I found some info about “rundll”. After checking my Task manager etc., I think I got fooled by the normal “rundll32” with all the other tricks done by the “Tech Support.”

    “rundll” is an important system executable and lots of malware likes to pretend to be it to avoid drawing attention. If you look in task manager the rundll32.exe should always have an image path (if image path is not turned on, select it in View -> Select Columns) of “C:\Windows\System32\rundll32.exe” or “C:\Windows\SysWow64\rundll32.exe”. There’s usually always at least one running from that path. That’s normal. It’s the ones that aren’t running under that path that you need to worry about.

    By the way, I use HP SimplePass Fingerprint scanner to log in to most of the online accounts I have. Do you think it’s safe? I have never used “Password Manager” and don’t even know how it works. Is it safer than a fingerprint scanning feature? I am in the process of changing my passwords, but I would like some info about the best way to protect my passwords going forward.

    Thanks again for the information you provided and for having this blog!

  • Saori M

    FYI–
    The middle paragraph in the previous post was the info I found from researching “rundll32.”
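
The image-path check described in the rundll32 paragraph above can be scripted instead of read off Task Manager. This is an added example, not part of the original comments or of any Malwarebytes tool; the function name `Test-Rundll32Path` and the sample process records are constructed for illustration.

```powershell
# Added example. Flags rundll32.exe instances that run from outside the two
# legitimate locations. Test-Rundll32Path is a hypothetical helper name.
function Test-Rundll32Path {
    param([Parameter(ValueFromPipeline = $true)] $Process)
    begin {
        # The two legitimate image paths named in the comment above.
        $expected = @(
            (Join-Path $env:SystemRoot 'System32\rundll32.exe'),
            (Join-Path $env:SystemRoot 'SysWOW64\rundll32.exe')
        )
    }
    process {
        if ($Process.Name -ne 'rundll32.exe') { return }
        $verdict = if (-not $Process.ExecutablePath) {
            # Without elevation the path of some processes cannot be read.
            'unknown: path not readable, rerun from an elevated prompt'
        } elseif ($expected -contains $Process.ExecutablePath) {
            'expected location'    # -contains compares case-insensitively
        } else {
            'UNEXPECTED LOCATION'
        }
        [pscustomobject]@{
            ProcessId   = $Process.ProcessId
            Path        = $Process.ExecutablePath
            CommandLine = $Process.CommandLine
            Verdict     = $verdict
        }
    }
}

# Constructed sample records (not real observations), shaped like Win32_Process.
$sample = @(
    [pscustomobject]@{ Name = 'rundll32.exe'; ProcessId = 4120
        ExecutablePath = "$env:SystemRoot\System32\rundll32.exe"
        CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL' },
    [pscustomobject]@{ Name = 'rundll32.exe'; ProcessId = 5332
        ExecutablePath = 'C:\Users\Public\rundll32.exe'
        CommandLine = 'C:\Users\Public\rundll32.exe' },
    [pscustomobject]@{ Name = 'rundll32.exe'; ProcessId = 6048
        ExecutablePath = $null; CommandLine = $null }
)
$sample | Test-Rundll32Path | Format-Table -AutoSize

# The same check against the processes actually running on this PC.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
    Test-Rundll32Path | Format-Table -AutoSize
```

The CommandLine column shows which DLL each instance was asked to load, which is the next thing to review for an instance running from an expected location.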

  • Jérôme Segura

    Hi Saori M,

    I’m glad to hear that things are starting to return to normal :)

    Yes, rundll32 is a very common trick because it runs on every Windows PC. In fact, this very trick was used on me today! (see http://blog.malwarebytes.org/wp-content/uploads/2014/07/rundll32.png) by a company called techsupportive.com (I added it to the list of scammers) which I called after a coworker gave me a tip on them.

    To be honest I had never heard of HP’s SimplePass fingerprint scanner so I can’t really vouch for it. However, I’m curious enough to tell a friend of mine to check it out to see if there are vulnerabilities in it.

    A password manager is an application that lets you store all your passwords in one vault that only a master password can open. The idea is that all you have to remember is that great and unique master password and all your other passwords can be long and complex but you don’t have to memorize them.
    Typically, a password manager is loaded in your browser (Internet Explorer, Chrome, Firefox, etc.) in such a way that once you have unlocked the vault, it will auto fill password fields whenever you connect to your sites. Now, these passwords are not stored on your local PC, but rather ‘in the cloud’ on whichever company’s server you picked. For that reason, there is a small risk, but to be fair 100% security does not exist.

    Personally I use a mix of two different password managers:
    - one that runs in my browser called LastPass (I am not affiliated with them, and there are plenty of other ones!) for mildly important passwords.
    - one that is only stored on my local drive called KeePass (it’s the same idea of the vault with a master password) except that it resides on my computer, not in the cloud. I use that for more important passwords.

    Finally, there are a few other passwords that I only memorize because they are very important.

    So it is kind of a layered approach, but even if you only used a password manager in your browser, you are miles ahead. With a password manager no need to reuse the same password on multiple sites anymore… no need to have to remember passwords that you change every month or so for good measure, etc…

    Now beyond passwords are personal files that may have value to a criminal (invoices, statements, etc…). Those should not be placed on your computer as is because they can easily be stolen (a scammer could do that, see this example I captured (it was a bait set on purpose): http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/02/filetransfers.png) or by malware looking for documents to extract.
    It is a good idea to encrypt these files (BitLocker on Windows, Encrypted disk images on Mac) etc… Here’s how it works (typically): you create a container (also known as an encrypted volume). Think of it as a safebox. You create a strong password for it and then place all your important documents in it. Finally, you close that vault. These documents are no longer accessible directly. You must first open the vault by providing the correct password (or passphrase for that matter).

    Hope these few tips help!

  • Lea

    Sorry! Just a small add-on to my comment earlier: the first website listed, the http://mywifiextnet.com was found through a paid ad at the very top of Yahoo. My dad searched “my wifi ext” for the legit mywifiext.net website, and found that ad instead.

    We hung up on them after I realized what was happening (after both my dad and I allowed them to access our computers via Teamviewer, downloaded not through the official Teamviewer site; we, I guess luckily, didn’t pay them, however) and I came to find after that they had called back a number of times (4 or 5) and they left two messages on our answering machine: one just someone hanging up, and the other was the Indian gentleman we had talked to saying something along the lines of “Your extender is working fine? I’m going to make it — f**k off (or possibly “shut off”) man,” and I’ve been really nervous since.

    I know these guys get annoyed when their scams don’t work, but is that typical? I’ve already wiped my laptop twice and my dad just purchased a new one, but I’m terrified of them doing something else. I know they have our house phone number, and my dad’s name; and I’ve never dealt with anything like this before, so I have no idea how these scams typically turn out (outside of the “they got your credit card info and they’re going to use it” obvious).

    Any help would really be appreciated!

  • Jérôme Segura

    Hi Lea,

    Thanks for your comment. Yes, some individuals tend to get really mad when plans don’t go their way.
    In fact in my first ever call with them, the scammer got so frustrated (even though I had been nice all along) that he tried to wipe out all my documents (http://blog.malwarebytes.org/fraud-scam/2013/04/phone-scammers-call-the-wrong-guy-get-mad-and-trash-pc/). Thankfully this was just a virtual machine.

    Having said that, you are not the first one who’s angered them because you didn’t fall for the scam. They will most likely move on and forget about that. They could in theory keep calling your number to bother you, but they would really be wasting their time.

    As long as you have removed TeamViewer from your machine, then they should not be able to access your computer again. Feel free to scan your PC for malware though (it is unlikely but they could have put some). Malwarebytes has a free Anti-Malware scanner you can download here: http://www.malwarebytes.org/antimalware/

    I hope this helps, if you have any other questions, please let me know.

  • Wolfgang Koch

    Hi Jérôme,

    Thank you for offering this site to allow publicity against scammer activity. I just received a call from “Windows Technical Service,” going just as has been typically recounted so many times: someone with an Indian accent told me my computer kept “sending error messages,” and they could fix it.

    I saw right through, right away; I’ll say I would have even if I hadn’t heard about this type of scam before. So when this guy (?) proceeded to ask me if I was at my computer right now, I said I wasn’t, and that in fact I would need to start it up, so I asked for a number I could call back, and that person’s name so I would know who to ask for.

    Without hesitation, he did give me a number to call back: 800-624-7545. He also gave me a name (purporting for it to be his own; I have the name on record, just in case). I googled the number, and the result came back with the name of a business completely unrelated to anything in the way of a “Windows Technical Service.” I even dialed the number (making sure to hit *67 first), and someone answered the phone in the name of the business I had googled. I said I had the wrong number, and hung up.

    Oh, the caller-ID information for that call I received showed as: (name) “Not Available,” (number) “19904.”
