OFFICIAL SECURITY BLOG

Tech Support Scams – Help & Resource Page

October 4, 2013 | BY

“Hello, we are calling from Windows and your computer looks like it is infected. Our Microsoft Certified Technician can fix it for you.”

Sound familiar? Whether you have just been scammed or simply want to find out more on the topic, you have come to the right place.

Tech support scams are a million-dollar industry and have been around since 2008. Every single day, innocent people are tricked into spending hundreds of dollars on non-existent computer problems.

There is no sign of these scams slowing down despite several actions taken by the Federal Trade Commission.

Perhaps even worse, companies right here in North America are now pulling the same tricks and taking advantage of existing and prospective customers replying to online ads.

Since we wrote our very first blog post on the subject and subsequent articles (A look behind the curtain, Turning the tables), we’ve received much feedback and many people have shared their own experiences. We believe tech support scams are despicable and need to be exposed for the greater good.

The purpose of this page is to gather all the information we have collected over time into one place which you can use as a go-to resource when you need it.

 


 

 

How it all begins

 

Cold calls from fake Microsoft (etc) agents

 

Usually from India and operating out of boiler rooms, these scammers call people in the U.S., Canada, the UK, and Australia whom they find in the phone directory.

The scam is straightforward: pretend to be calling from Microsoft, gain remote control of the machine, trick the victim with fake error reports and collect the money.

If you ever get a call from a Microsoft or Windows tech support agent out of the blue, the best thing to do is simply hang up. Scammers like to use VoIP technology so their actual number and location are hidden. Their calls are almost free which is why they can do this 24/7.

As per Microsoft: “There are some cases where Microsoft will work with your Internet service provider and call you to fix a malware-infected computer—such as during the recent cleanup effort begun in our botnet takedown actions. These calls will be made by someone with whom you can verify you already are a customer. You will never receive a legitimate call from Microsoft or our partners to charge you for computer fixes.”

 

Toll-Free Numbers (TFN) for fraudulent tech support companies

 

Located in India but also in the US, these companies heavily advertise on popular search engines as well as websites with high traffic. People call them for assistance and get fooled with similar techniques employed by Indian cold callers.

Another source of business for these companies is their existing customers, or customers of parent companies sent to them. The remote technician upsells the customer who only came to activate their software but ends up forking over hundreds of dollars on “Windows support”.

If you decide to call in for remote computer assistance, you need to be very careful about which company you are going to deal with. Simply picking the top ad on a search results page could end very badly.

Unfortunately, the company or technician being from the US is not a guarantee for honest service. Many businesses in the US are using dirty tricks to take advantage of people, with the unsavvy and elderly as their prime targets.

If you don’t feel comfortable doing this online, brick and mortar computer repair shops are a good alternative.

Fake pop-ups claiming your computer is infected (reminiscent of FakeAV) are a good way for scammers to reel in innocent victims.

A new trend shows that crooks are using phishing scams as a ruse to get people to phone in, not only stealing their credentials but also claiming their account was suspended.

Remote access

 

The ‘technician’ requests to have remote access to your computer (taking control of it) and may use one of the following programs. Note that these applications are perfectly legitimate and used daily for good reasons. However, it is important to remember that if you run remote login software you are effectively giving a complete stranger total control of your computer.


>> Report fraudulent use of remote login software.

There are too many other applications that are used for remote support to list them all here. They pretty much do the same thing which is to provide direct access to your computer from anywhere in the world.

 

Tricks of the trade

 

Once logged into your computer, the remote technician will attempt to trick you by fabricating errors or even viruses on your computer. They like to use the default Windows tools and turn them against you, hoping you’ll get scared and follow their directions.

The Event Viewer (eventvwr)

[Screenshot: the Event Viewer, even on Windows 8]

False: “These errors are viruses or serious damage to the backend of your PC. If not taken care of immediately, you will lose your computer.”

True: The Event Viewer is an application that aggregates all of the log files from your computer. It is traditionally used by system administrators to diagnose certain errors. However, most events are harmless notifications.

 

The System Configuration Utility (msconfig)

False: “There are many programs that are stopped, indicating some serious damage to the backend of your computer and poor performance.”

True: It is perfectly normal to have services that are stopped. In fact, you can actually speed up the boot time of your PC by disabling unneeded start up programs.

 

The Task Manager (CPU ‘spikes’)

False: “These spikes are dangerous for your PC’s health. Just like your heart rate, they should not go up. Your PC could suffer some irreparable damage.”

True: When your PC is active, you will see the CPU usage go up and down constantly. What would not be good is if the CPU was pegged at 100% utilization all of the time. This is not the case here.

 

The erratic CPU

False: “Your CPU usage is running very erratic.” This is similar to the one above, except the technician is running something to do this.

True: Actually this type of behavior is not good (if it was really your computer doing this, rather than someone artificially triggering it).

 

The System Information (msinfo32)

False: “These are critical ‘Windows Errors’. You need to buy the software warranty to fix them.”

True: Again, error logs (which all computers have) should not be translated into poor performance or malware without actually reviewing them one by one.

 

The Prefetch files

False: “These are damaged programs that cannot be deleted or even worse, viruses! You need to clean up your PC now!”

True: These are files that correspond to applications you often use. Windows saves them in there so that next time you launch those applications they start faster.

 

The restore from trash trick

False: “Look: I am going to delete all these files. [waits a few seconds...]. And see they all came back!”

True: There is a keyboard shortcut to undo the last action (in this case delete). It is Ctrl+Z. Of course the victim sees nothing because it’s a shortcut.

 

The Temporary files (%temp%)

False: “These are infected files with worms, trojans and viruses. The disk is full of them.”

True: Simply because a temporary file cannot be deleted does not mean it’s a virus. It could be in use by any currently running application.

 

The Fake scanners

False: “This scan shows several viruses that were found by our security scanner. They have infected your registry.”

True: This program is essentially a fake antivirus, stuffed with made up detections meant to alarm you.

 

The dir and tree commands

False: “These two commands perform a full virus scan on your computer and will report any infected file.”

True: These are DOS commands that list directory contents and paths. They have absolutely nothing to do with scanning for malware.

 

The custom Virus message

False: “Following the scan, we found 42% of your files are infected, including a Zeus Trojan. Windows is at high risk.”

True: This message was typed by the scammers and then pasted on the command prompt. It is totally fake.

 

The red Command-Line Terminal

False: “Look at all these malware infections in red. All of your files have been compromised and will be destroyed.”

True: The Windows Terminal can be customized to have different font colors as well as background colors. Red looks scary…

 

The ‘ping’ (on Mac OS X)

False: “We tested the protection on your Mac and found that there isn’t any. You need to buy our antivirus right now because you are going to get infected.”

True: This is an abuse of the ‘ping’ command, something meant to check if you are properly connected to the Internet or see if a website is responding. It has nothing to do with protection on your Mac.

 

The netstat command

False: “Hackers have infiltrated your computer, they are stealing your files doing cybercrime!!”

True: This is a command to display network connections (incoming, outgoing) but you can’t necessarily deduce these are “hackers”.
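To make the netstat point concrete, here is an added example (not part of the original article) that parses Windows `netstat -ano` output and sorts each row into what it actually is. The sample output is constructed, and the category labels and the "own network" address ranges are assumptions of this illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows `netstat -ano` output (not from the article).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     2312
  TCP    192.168.1.20:49712     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.20:49801     203.0.113.10:443       ESTABLISHED     4120
  TCP    192.168.1.20:49802     203.0.113.10:443       TIME_WAIT       0
  TCP    [::1]:49670            [::1]:49900            ESTABLISHED     2312
  UDP    0.0.0.0:5353           *:*                                    1788
"""

# Address ranges treated as "your own network" (an assumption of this example).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10", "fc00::/7")]


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def locality(addr):
    """Say where an address lives: none, loopback, lan or internet."""
    if addr == "*":
        return "none"
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.is_unspecified:
        return "none"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "internet"


def categorize(state, where):
    """Map a row to a plain-language category (labels are this example's own)."""
    if state == "LISTENING" or where == "none":
        return "listening"          # a local service waiting; nobody connected
    if where == "loopback":
        return "loopback"           # two programs on this PC talking
    if where == "lan":
        return "lan"                # router, printer, file share, ...
    if state == "ESTABLISHED":
        return "internet-open"      # live connection to a remote server
    return "internet-closing"       # TIME_WAIT etc.: leftover of a closed one


def parse_netstat(text):
    """Return one dict per TCP/UDP row; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            # UDP is connectionless, so netstat prints no State column.
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        addr, port = split_endpoint(foreign)
        rows.append({"proto": proto, "local": local, "remote_addr": addr,
                     "remote_port": port, "state": state, "pid": pid,
                     "category": categorize(state, locality(addr))})
    return rows


def summarize(text):
    """Count rows per category."""
    return Counter(row["category"] for row in parse_netstat(text))


def needs_review(rows):
    """Only live Internet connections say anything; match their PID against
    Task Manager's PID column to see which program owns them."""
    return [r for r in rows if r["category"] == "internet-open"]


if __name__ == "__main__":
    for category, count in sorted(summarize(SAMPLE).items()):
        print(f"{category:17} {count}")
    for r in needs_review(parse_netstat(SAMPLE)):
        print("check PID", r["pid"], "->", r["remote_addr"], r["remote_port"])
```

Of the seven constructed rows, only one is a live connection to a remote server, and even that row only becomes meaningful once its PID is matched to a program such as a browser.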

 

The online glossary or Wikipedia trick

False: “It’s not just me saying that there are viruses and trojans on your computer. Check these online resources as well.”

True: Leveraging glossaries or reference sites is a clever trick to lend legitimacy to certain claims. If such-and-such site says it’s true then it must be… or not.

 

The Network Access Protection (NAP)

False: “Your network protection is disabled. All the hackers are already inside your computer.”

True: The Network Access Protection is a feature that mostly applies to PCs that connect to a domain. It ensures they adhere to safety standards. If this is your one and only computer, NAP should be left Off.

 

The notepad trick

False: “Can you read this? Does this make sense to you? No. The computer cannot understand this file. It is like alien words.”

True: Certain files are not meant to be read with notepad. In particular, executable files need special tools to read their ‘sections’. Therefore, it is perfectly normal that these files cannot be read as ‘text’.

 

The Power Efficiency report (powercfg energy)

False: “Your computer’s battery is going to fail very soon. It might even catch on fire if you don’t do something about it right now!”

True: This command can generate a report to help users optimize their battery (useful on a laptop) and detect non-optimal settings to save power, etc.

 

The (value not set) registry trick

False: “Your network is not working properly as you can see it says: value not set and default.”

True: The network is working just fine. Scammers will use the registry editor to show empty keys and conclude your security is at risk.

 

The Process Explorer error

False: “We need to manually remove the infected entries and delete all the error files from your computer.”

True: This [Error opening process] label happens because the user ran Process Explorer with limited privileges. It has nothing to do with errors on the computer.

 

The digital certificates

False: “Do you see the untrusted publishers? These are trying to compromise each and everything.”

True: These are normal and although the ‘friendly name’ is deceiving, those revoked certificates are used by your browser to protect you from untrusted sites.

 

Getting help (damage control)

 

Getting scammed is one of the worst feelings to experience. In many ways you feel like you have been violated and are really angry to have let your guard down. Perhaps you are even shocked and scared and don’t really know what to do now. The following tips will hopefully provide you with some guidance.

If you already let them in

  • Revoke remote access (if unsure, restart your computer). That should cut the remote session and kick them out of your PC.
  • Scan your computer for malware. The miscreants may have installed password stealers or other Trojans to capture your keystrokes. Use a program such as Malwarebytes Anti-Malware to quickly identify and remove threats.
  • Change all your passwords (Windows password, email, banking, etc).

In some cases (you did not pay or called them names), scammers will seek revenge on your machine. Here are some things they might try and what to do to recover from them:

  • Master password lock out

There are various ‘hacks’ to reset that password. One method is to use a Linux boot CD to mount Windows and then use the chntpw utility. It is described here.

  • Missing software drivers

First, try to do a System Restore. If it fails, you should be able to reinstall them by going to the manufacturer’s website and downloading the appropriate driver.

  • Missing files

First, try to do a System Restore. If it is not available, check for backups you may have made and stored somewhere else. As a last resort, there are programs that can scrape your hard drive and attempt to recover the missing files.

If you already paid

  • Contact your financial institution/credit card company to reverse the charges and keep an eye out for future unwanted charges.
  • If you gave them personal information such as date of birth, Social Security Number, full address, name and maiden name you may want to consult the FTC’s website and report identity theft.

 

Fighting back

 

Report the scam

Report misleading ads

“TrustInAds.org comprises a group of Internet industry leaders that have come together to work toward a common goal: Protect people from malicious online advertisements and deceptive practices.” Report misleading ads here.

Shut down their remote software account

  • Write down the TeamViewer ID (9-digit code) and send it to TeamViewer’s support (they can later on block people/companies with that information)
  • LogMeIn: Report abuse

Spread the word

You can raise awareness by letting your friends, family, and other acquaintances know what happened to you. Although this may be an embarrassing experience if you fell victim to these scams, educating the public will help someone caught in a similar situation and deter further scam attempts.

Investigate

While hanging up is the safest thing to do when you get a cold call, some people have gone on a mission to expose those scammers. While we don’t endorse this behaviour, if you do have information to share, please let us know and we will update this page with any new relevant details.

 

Tech Support Blacklist

 

This list is being updated on a regular basis from our own investigations as well as from tips we receive from our readers. There are two main objectives with that list:

  • To protect people who are about to call for tech support assistance and want to make sure the company has not already been listed.
  • To provide assistance to victims that have already been conned and are googling the phone number they called or company they interacted with.

If a company is listed below, it meets at least one of the following criteria:

Criteria:

  • #1 Pretends to be working for Microsoft or ‘Windows’.
  • #2 Uses misleading tactics to force a sale (see an example here).
  • #3 Finds viruses, malware or an infection on a perfectly clean system.
  • #4 Validates a fraudulent popup or page as legitimate (see an example here).

List:

Company name and aliases: 24/7 PC Guard
Website(s): 247pcguard.com
Phone number(s): 1-888-855-7953
Affiliate(s): N/A
Remote control software: N/A
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: N/A
Incident ID: 0000001

Company name and aliases: 365 Tech Help
Website(s): 365techhelp.co/bng/slow-pc, fastsupport.com
Phone number(s): 1-866-539-8804
Affiliate(s): N/A
Remote control software: N/A
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 09/27/2013
Incident ID: 0000002

Company name and aliases: Speak Support
Website(s): speaksupport.com, 121usa.com
Phone number(s): 1-800-806-0768
Affiliate(s): N/A
Remote control software: N/A
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 10/04/2013
Incident ID: 0000003

Company name and aliases: PC Smart Care
Website(s): pcsmartcare.com, pcsmartcare.us
Phone number(s): 1-855-569-5945
Affiliate(s): N/A
Remote control software: N/A
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 11/27/2013
Incident ID: 0000004

Company name and aliases: PC Mask
Website(s): pcmask.com
Phone number(s): 1-877-385-1667
Affiliate(s): N/A
Remote control software: N/A
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 11/28/2013
Incident ID: 0000005

Company name and aliases: My Tech Gurus
Website(s): mytechgurus.com
Phone number(s): 1-866-587-1775
Affiliate(s): N/A
Remote control software: N/A
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 12/11/2013
Incident ID: 0000006

Company name and aliases: MegaITSupport
Website(s): megaitsupport.com
Phone number(s): 1-888-939-3618
Affiliate(s): N/A
Remote control software: N/A
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 01/09/2013
Incident ID: 0000007

Company name and aliases: GBM Support
Website(s): gbmsupport.net
Phone number(s): 1-800-492-3960
Affiliate(s): N/A
Remote control software: N/A
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 01/23/2013
Incident ID: 0000008

Company name and aliases: Click4Support
Website(s): lickforsupport.net, webtechmasterhelp.com, techsupportcenter.org, techsupportive.com
Phone number(s): 1-855-668-8555
Affiliate(s): N/A
Remote control software: LogMeIn: 292242
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 01/23/2013
Incident ID: 0000009

Company name and aliases: PC Toolkit Pro
Website(s): pctoolkitpro.com
Phone number(s): 1-855-803-1370
Affiliate(s): N/A
Remote control software: 
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: N/A
Incident ID: 0000010

Company name and aliases: iGennie
Website(s): igennie.net
Phone number(s): 1-888-239-4339
Affiliate(s): N/A
Remote control software: 
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 01/30/2013
Incident ID: 0000011

Company name and aliases: Compute My PC
Website(s): computemypc.com
Phone number(s): 1-800-356-7697
Affiliate(s): N/A
Remote control software: 
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 01/31/2013
Incident ID: 0000012

Company name and aliases: TechFix Pro
Website(s): techfixpro.com
Phone number(s): 1-888-768-0082
Affiliate(s): N/A
Remote control software: 
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: N/A
Incident ID: 0000013

Company name and aliases: iMax Support
Website(s): imaxsupport.com, fix247.org
Phone number(s): 1-800-247-0830
Affiliate(s): N/A
Remote control software: 
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 03/25/2014
Incident ID: 0000014

Company name and aliases: Internet Security Protect
Website(s): internetsecurityprotect.com
Phone number(s): (020)-3289-1596
Affiliate(s): N/A
Remote control software: 
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: N/A
Incident ID: 0000015

Company name and aliases: All In One Tech Support
Website(s): allinonetech.net, allinonetech.us
Phone number(s): 1-800-487-9456
Affiliate(s): N/A
Remote control software: 
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: N/A
Incident ID: 0000016

Company name and aliases: 1844desktop
Website(s): 1844desktop.com
Phone number(s): 1-884-337-5867
Affiliate(s): N/A
Remote control software: 
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: N/A
Incident ID: 0000017

Company name and aliases: Comlogic
Website(s): comlogicinc.com
Phone number(s): 1-888-930-1033
Affiliate(s): N/A
Remote control software: 
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: N/A
Incident ID: 0000018

Company name and aliases: PC Tech Clinic
Website(s): pctechclinic.com
Phone number(s): 1-855-486-4411
Affiliate(s): N/A
Remote control software: LogMeIn: 152903
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 06/17/2014
Incident ID: 0000019

Company name and aliases: Condis Services
Website(s): condiservices.com
Phone number(s): 1-888-221-6490
Affiliate(s): N/A
Remote control software: ISL: 19834912
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 06/17/2014
Incident ID: 0000020

Company name and aliases: aolrisk
Website(s): aolrisk.com
Phone number(s): 1-855-666-8849
Affiliate(s): N/A
Remote control software: LogMeIn: 770772
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: N/A
Incident ID: 0000021

Company name and aliases: Affiliated Help (no longer blacklisted)
Incident ID: 0000022
Note: Company is willing to clean up its act and has therefore been delisted.

Company name and aliases: 247 Support Experts
Website(s): 247supportexperts.com, 3wayhelp.com
Phone number(s): 1-888-221-1582
Affiliate(s): N/A
Remote control software: LogMeIn: 146794
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 07/14/2014
Incident ID: 0000023

Company name and aliases: SysCare247
Website(s): syscare247.com
Phone number(s): 213-260-2279
Affiliate(s): N/A
Remote control software: N/A
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: N/A
Incident ID: 0000024

Company name and aliases: OMG Tech Help
Website(s): omgtechhelp.com
Phone number(s): 855-316-8324
Affiliate(s): N/A
Remote control software: LogMeIn: 642695
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 07/21/2014
Incident ID: 0000025

Company name and aliases: OnVoiceSupport
Website(s): omgtechhelp.com
Phone number(s): 855-316-8324
Affiliate(s): N/A
Remote control software: LogMeIn: 642695
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 07/21/2014
Incident ID: 0000026

Company name and aliases: Ecomputer Support
Website(s): ecomputersupport.net
Phone number(s): 1-877-360-0594, 1-855-820-8680
Affiliate(s): N/A
Remote control software: LogMeIn: 432039
Payment processor: N/A
Reason for blacklisting: #2, #3
Incident date: 07/23/2014
Incident ID: 0000027

Company name and aliases: E-Racer Tech (Clean IT PC)
Website(s): e-racertech.com, cleanitpc.com
Phone number(s): 1-855-486-1800, 1-877-648-7339
Affiliate(s): error711971669.com
Remote control software: LogMeIn: 432039
Payment processor: N/A
Reason for blacklisting: #2, #4
Incident date: 05/28/2014
Incident ID: 0000028

Company name and aliases: Cump Tech Media Pvt Ltd
Website(s): xevoke.com, onlineinstanthelp.com
Phone number(s): 1-855-209-0559
Affiliate(s): onlineinstanthelp.com/malwarebytes-us/download.html
Remote control software: LogMeIn: 186024
Payment processor: CheckOut LTD
Reason for blacklisting: #2, #3
Incident date: 07/31/2014
Incident ID: 0000029

Company name and aliases: Fast Fix 123
Website(s): fastfix123.com
Phone number(s): 1-800-832-3088
Affiliate(s): N/A
Remote control software: N/A
Payment processor: N/A
Reason for blacklisting: #3
Incident date: 08/22/2014
Incident ID: 0000030

Company name and aliases: ProcomSupport247
Website(s): procomsupport247.com
Phone number(s): 1-866-456-2763
Affiliate(s): techsupportnumber.us/online
Remote control software: LogMeIn: 162225
Payment processor: FreshBooks
Reason for blacklisting: #1, #2, #3, #4
Incident date: 09/04/2014
Incident ID: 0000031

 

 


 

 

 



  • Operatingsystem OS

    reported scam: mitechmate.com

  • Operatingsystem OS

    they seem like a scam to me, please, malwarebytes, investigate asap

  • Jerome Segura

    Thanks for reporting this.
    Their live chat is currently not available and nobody is answering the phone. Will try again later.

  • Stan naz

    Just allowed a ‘technician’ from maxpccare.com into a Virtual Machine, told him it was running slow. He did the old Event Viewer trick, then did the tree command and typed “network not secure- infections found on pc”. I can 100% confirm this site and organisation is a scam.

    Domains: maxpccare.com
    Phone number: +1-855-763-0457

  • Stan naz

    Found suspicious website http://megaitsupport.com/ – Will probably call them later and see if they are legitimate or not. Please investigate.

    Domains: megaitsupport.com

  • Stan naz

    Found suspicious website http://www.techicode.co.uk/ – Will call these guys too, see if they’re legitimate. Another thing I noticed was they have a UK domain but they have an American number on their website?

    Feel free to investigate.

    Domains: techicode.co.uk
    Phone number: +1-888-4074554

  • Stan naz

    To “Operatingsystem OS” – I agree, the website does seem suspicious, I agree, however I let them into a Windows 8.1 Pro 64bit machine, and they said it was clean, no virus. They appear to be legitimate, but don’t bet on it, may be worth further investigation with a more cluttered machine.

  • Jerome Segura

    Thanks for all the info Stan. Will check back on these guys and update the page accordingly.

  • Stan naz

    Thanks a lot to you too for helping investigate and making more people aware of these scams. I’m here to help anytime, equipped with unlimited landline calls worldwide on Skype, Windows 1, Windows 98, Windows XP, Windows 7, Windows 8.1 Pro Virtual Machines, and a VPN so my IP can’t be targeted for any reason or for advertising.

  • Jerome Segura

    Hi Stan,

    This: megaitsupport.com is a scam, called them and pulled tricks before wanting $399. Will update the list with this at a later point.

  • Stan naz

    Hi, thanks for investigating. Rang PC Mask again just for fun, after finding out me and a friend were messing with them, they proceeded to delete the WHOLE of the C:\ drive. Screenshot can be found

  • Stan naz

    Here: http://ss.stn.so/pcmaskdestroyingpc.png the <a href didn't work.

  • Jerome Segura

    Hi Stan,

    What they did doesn’t really surprise me… Some scammers are particularly vicious when they don’t get what they want.
    Personally, I never taunt them or anything like that (and I don’t condone these types of actions ;-)) although that thought has crossed my mind a few times. I just like to let them do their thing and then politely leave. But even if you are nice, it doesn’t mean they will let you go easily. On one occasion, the scammer stole several personal (albeit fake) documents from my computer before saying “thank you and good bye”.
    I have a few upcoming blog posts and one in particular about what kind of work they really do if you do pay (I did not give them a dime or anything, just managed to get them to start the work while I searched for my missing credit card). You will be surprised to see what their definition of ‘fixing’ a computer for $399 is….

    Stay tuned :)


  • Debbie Perret

    Hi…

    I was just an ‘almost victim’ of this scam. I feel very silly and gullible. They didn’t get very far before I hung up. I asked for a call-back number, was given two. I was told to ask for Logan. The numbers are 818-813-6174 and 800-516-0854. I am just sending in case it is helpful for someone else.

    Thank you for what you do.

  • Jerome Segura

    Hi Debbie Perret,

    Thanks for sharing your experience and providing these numbers.

    I think most people who aren’t prepared and receive such a call may actually fall for this scam. Although we know how to be careful in certain situations, most of us tend to trust others within our daily social interactions.
    Unless you’ve been through it before or know enough about computers to realize this is nonsense, the well rehearsed scam script tends to be quite effective.

    I see you mentioned the name ‘Logan’.. I had someone who pretended to be ‘Max’. All these little details immediately raise red flags for me. When that same person is speaking with a very thick foreign accent, it just doesn’t really add up.

  • Stan naz

    Hello Jerome, looking forward to that next post with their “fixing” – it’s the only thing I’ve not been able to find out so far. I will continue to report organisations I find to be scams or very suspicious here as I’m still surprised at how the same, 10 year old technique is still being successful. It makes me angry. Again, thanks for what you do, and I’m here to help push these scamming companies further downhill.

    Good to hear Debbie that you realised they were a scam. Makes me happy every time someone beats them, even if it means they chargeback a credit card payment.

  • krumike

    It is shameless that some people do this. From cold calls to targeted Google ads… from Windows PCs to Macs and smartphones. They will take advantage of everyone and anyone without fear or favour. Of course, the more vulnerable the target person is, the easier for the shameless scammer.
    I’ve had a number of these calls over the years. No matter if I hang up straight away or follow through (but never give control of my machine) there is always a feeling of helplessness as they can simply hang up the phone themselves and move on to the next victim without blinking.
    That is… until I realised there was something that I could say that MIGHT make a difference to the scammer/caller. They often sound like they’re in or come from a spiritual country so now I string them along for a while then when I’m convinced they are indeed aware of their actions I simply say, “God will punish you” and then no matter what they say next (and they usually get defensive) I repeat it with emphasis on different words. “God WILL punish you.” “God will PUNISH you.” “God will punish YOU” and sometimes they still stay on the phone so I start to include their family too. “God will punish you and your family.” Etc. Etc. Eventually they give up but hopefully it gives them something to think about.
    I used to think that maybe they too are a victim; an innocent call-centre worker with a script and without an understanding of the lies they are saying. But I don’t any more.

  • Operatingsystem OS

    Hello again
    http://Www.securebitin.com
    There is a video

  • Operatingsystem OS

    http://www.myphonesupport.com
    Never contacted any, but keep up the great videos!

  • Stan naz

    I found SecureBitin too.. tried calling them, and they said they didn’t work in the area of computers anymore? Is that what they do when one of the employees can’t be bothered to do their job? When I went to question it or talk at all, they simply hung up. Looks like they’re a scam, and a bad one at that.


  • Imanol Avila

    There’s another company called Comantra (Indian-based) that has been found thanks to YouTube user Troy Hunt (uses Max Zorin to trick them)
    Video:

  • Andrew Wijenathan

    I was almost scammed. I let them have remote access. And when they asked me to make a PayPal account I knew something was wrong. Without really knowing what to do I quickly shut down my computer. Now when I try to turn on my computer it won’t let me. I can’t restore it either. What should I do? Should I take it in for repair?

  • Jerome Segura

    Hi Andrew Wijenathan,

    It sounds like they may have put an admin password to prevent you from logging in. It’s not uncommon that scammers retaliate when people don’t pay up.

    There are methods to recover such passwords using advanced techniques (if that is what the problem is). Before attempting a reinstall of the system, you may want to attempt to recover your data or have a professional do that for you.

  • Operatingsystem OS

    1-866-612-4220
    I went on one of their websites and let them in to an infected VM via live chat. They used a registry cleaner and said that the scan results are “malware”. They have many websites if you google that number. Thanks

  • Benjamin Stambaugh

    A slight twist on the “Cold Call” method:

    My wife’s uncle fell victim to this scam a few months back. He got the usual call from “MS Tech Support” saying his computer was the source of hacks against some popular web site. I cannot recall which sites were mentioned. The rest of the story is the same.

    However, instead of the normal cold call this was a bit more targeted I believe. I don’t have much proof and it could be a total coincidence but earlier that day he was asked by a complete stranger to use his cell phone. He gave them the phone and they went around the corner for “privacy.” I think they were either calling a number to have his phone number recorded in caller ID or they were scrolling through his address book to get his and others’ numbers. After his wife called me about what happened I had to break the news they were victims of a scam. I told them to go to the police and report what happened.

  • Donna Raagas

    The people I called when I thought I was getting YouTube support had me open TeamViewer8; other icons on my desktop are “Cleaner” (That picture of a large and small gear), “IPC System Optimizer”, and a “Warranty services” screen shot for support@instantpccare.com. 1-800-565-7782 and 1-800-848-1897.

    The voice of the man who talked with me sounded just like the man who talked to you in your video, and my “tech” was especially polite too, calling me ma’am.

  • Operatingsystem OS

    http://www.youtube.com/watch?v=flLcGNS5mVs&feature=youtu.be
    I made a video. I let them into a VM and they found out soon

  • arlene

    My 83-year-old mother is getting scammed as I write this. I told her about this scam just days ago but she got warnings about her computer being infected. Because AOL no longer has tech support you are left on your own and she googled up tech support. She was CERTAIN they were part of the AOL because “AOL is in their name.” (Yeah…after a backslash.) We aren’t sure what to do. Cut them off and risk problems, or let them finish and then spend MORE money trying to fix the computer. By that time we might as well buy a new computer! Worse…this company isn’t on the list above…so how do you know the good support companies from the bad ones? This one is http://www.gotoassistance.com Phone 800-664-7520. Can anyone tell me if they might be legit????

  • Jérôme Segura

    Hi arlene,

    I haven’t had a chance to check this company out but if you feel uncomfortable about it, you have a full right to ask for a complete refund or reverse the charges from your credit card.

    The list of known scammers above only represents a fraction of all companies and websites involved in this kind of fraud, making it hard to keep up with.

    Looking for a support company online is tricky… scammers know that and buy ads quite aggressively.

    If the technician used any of the tricks mentioned in this article, it is not a good sign and you should stay away from that company. It’s something you can use as a reference anyway.

  • arlene

    Thanks Jerome…but I wasn’t there when it happened. My mom just happened to mention when I called her that someone was working on her computer. She knows so very, very little about computers that she couldn’t explain to me what they were doing. Like she’ll say “my computer” instead of “my email”…she said the tech showed her that people in Florida and Texas were using her “computer.” And she kept insisting that because she somehow stumbled on this web address– https://www.gotoassistance.com/email-support/aol-email-support/ –with the AOL in the URL they were part of the AOL company. The only way I could get her to understand was by telling her that it has to be right after the www’s. So we let them finish. I phoned the number and heard a big call center in the background and they insisted they were in partnership with AOL. I suspect it is all a lie…so what I would like is if anyone here finds out that they are indeed scammers to please post that…I doubt it but maybe she happened across a company that didn’t do more than overcharge her. Also, how do we find the kind of tech that will be capable of finding whatever keystroke recorders, hidden malware, trojans, or alternate passwords they added so they could shut down the computer if we do reverse the charges. I’d want to clean out the computer before we reverse the charge. Does an everyday tech at a big box computer store have the knowledge to do that? I’m just so freaking angry…she paid $300! For a bit more (or equal to that “repair” and the cost of the additional repair plus getting her signed up for an identity monitoring service) we could have bought a new computer. This is a woman who saves for months just for that $300 and we, her kids, aren’t in worse financial situation than she is. They had her send them an email when they were done, confirming that they fixed her computer…so I suspect they are willing to battle any reversal of charges.

  • Jérôme Segura

    Hi arlene,

    “I would like is if anyone here finds out that they are indeed scammers to please post that”
    >> I tried to call them today but it did not answer. I will keep them on my checklist though. If you have an alternate number (different from the one on their website) please post it here.

    “she said the tech showed her that people in Florida and Texas were using her “computer.”
    >> That sounds very much like “hackers have infiltrated your computer” scare tactics…

    “Also, how do we find the kind of tech that will be capable of finding whatever keystroke recorders, hidden malware, trojans, ”
    >> You can download our own Malwarebytes anti-malware free of charge and run a full system scan. If anything is found the program will let you clean up the computer without asking you to register or pay for the product. http://www.malwarebytes.org/free/

    “Does an everyday tech at a big box computer store have the knowledge to do that?”
    >> Yes, most likely and by going with a well known name at least you reduce your chances of being scammed. However, their services can be costly, so you should ask about fees before.

    ” I’m just so freaking angry…she paid $300!”
    >> I’m really sorry to hear that. All is not lost though and time is of the essence if you want to reverse charges.

  • Jérôme Segura

    Thanks for the tip Operatingsystem OS, I’m also primarily using Virtual Box but I’ve made some changes to my set up so it doesn’t show it anymore.

  • arlene

    Thanks Jerome. I have no other number. I called them around 8pm eastern time last night and someone picked up. Really weird. Thanks for trying!

  • Operatingsystem OS

    Hi Jerome,
    Please contact 247computersupport.net sometime soon. They seem very suspicious, please do not let them find out you are on a VM, but trouble will arise when they open msinfo32 and see it says virtual box, I don’t know what they would do afterwards. BTW they don’t have a phone number on their site and identify themselves based in India

  • Operatingsystem OS

    There is also an ‘assoc’ command trick. They instruct you to type that BEFORE they gain remote access, look at the bottom string and say it’s your unique Windows license ID or something, when it’s not unique at all

  • alizacarvor

    Information you shared which is get secure alarm in advance for all users. I use some of them myself to fix slow performance of my PC:
    The System Configuration Utility (msconfig)
    The Temporary files (%temp%)

    Thank You
    Fix My Computer Dude

  • operatingsystemos

    http://techfixpro.com/microsoft-support.html
    I went on that website and called them, they connected me to a MyTechGurus “technician” in my VM with Logmein and I think they might be related

  • Eduard Serra Ros

    Dear Jérôme, thanks for this blog on this particular type of scams.

    I’m sure you are already aware, but in case you are not, we are receiving these scams in France as well.

    I live in the Haute-Savoie, in France (next to Geneva), and somehow they “know” that we speak English at home (I’m Spanish and my wife French/British). They keep calling every now and again… it didn’t bother me until today, when they called at 7.00 am (!!!).

    Some other English-speaking friends living in France have also received this type of calls…

    Do you know who we could contact in France to report this scam?

    (we are starting to get fed up with it!)

    Thanks again for your good job (and of course for malwarebytes software!)

    ps. One day I was playing their game… to get rid of them, nothing simpler than telling them I use Linux, which I don’t… then they asked about a million times if I had a Windows or a Mac computer… another solution is speaking to them in French or Spanish… :P

  • Jérôme Segura

    Hi Eduard Serra Ros,

    Thanks for your comment. I wonder if it’s a mistake or not (I had never heard of someone from France being targeted), but evidently the language barrier has been keeping scammers from venturing too much out of non English speaking countries.

    I’m not sure who to contact in this case because the perpetrators are from outside of France. So if you were on a “do not call list”, it most likely would not fix this issue.
    If you were defrauded, you could file a complaint with the usual orgs, but again there’s the extra territory issue…

    What you could do (if you have the time) is find out a little more about who’s calling: what is their website, company name, etc? That information can be helpful for those of us that go on an investigative mission. Not only can we gather info on scammers but in some cases we can also have their sites shut down.

    By the way, beautiful region you live in :) I was born in the region nearby and still have family there.

  • Jérôme Segura

    Thanks operatingsystemos for reporting these two sites :)

  • operatingsystemos

    Jerome, I have shared many sites with you, and why haven’t you contacted them or added them to the list of reported scammers ;-)
    Here’s another suspicious one
    https://www.imaxsupport.com/

  • Jérôme Segura

    Hi operatingsystemos,

    I appreciate your sharing all these sites here and I am looking into them. As you may imagine I have many things going on at the same time (I do other security research too) and mostly I want to make sure that everything is well validated before I publish it. As it happens I am currently working on another scam company at the moment that has been taking me a week to track and that I plan on exposing perhaps next week once I’ve made full disclosure with a big name company involved.

    Anyway, your info is valuable and does not go unnoticed. :)

  • operatingsystemos

    Where are the links to the videos gone. And are there any new videos?

  • Jérôme Segura

    operatingsystemos, the links were removed but the videos that were used in blog posts are still available on our YouTube channel.
    Other videos where the only purpose is to identify new companies involved in scams are not public. The idea is that there is no need to give scammers a full view of the tools and techniques we use. An awful lot of information can be learned from watching the videos (oh he’s running this setup, with these icons, this Windows license key, etc…) and yes, some scammers have been watching and learning from that.
    Since you last posted about the VirtualBox detection, I’ve had 3 different companies check that first thing when they remotely connect to make sure this was a real computer and not a virtual machine. They check the tray icons, and then do a msinfo32 to see the information from the BIOS.
    In other words, they are being a lot more cautious. While documenting with videos is great and is proof of unethical activities, it also gives the bad guys too much insight into how they can be tricked.
    All the recordings are archived though, in case a company wanted to contest being listed on the “reported scammers”, it’d be easy to show them footage of an interaction with a technician.

  • operatingsystemos

    I made a comment before and it didn’t show up, so once again, please email me links to the scammer videos at operating{NOSPAM}system121@yahoo dot com, I will only store them for personal use and nothing else

  • Dawn Harrison

    I just got a new Dell Inspiron 15 7357 laptop a few days ago. 2 days after receiving it my browser started looking like a yahoo browser. I was unable to get into any Web page after clicking a link from Google search result (my domain advisor was blocking it). It would also drop wireless (a fault in the design I believe). Anyway a few hours later I receive a phone call from my ‘tech team’ saying they were monitoring my equipment as part of my broadband package. I asked if they were from Virgin & they said yes. They instructed me to get Teamviewer but my laptop wasn’t allowing that either. So they said to go to my pc & do it from there. I did as instructed & they searched for a file & said the files on screen were infected & I was passed on to a specialist. The specialist was discussing my problem & mentioned a 9year protection package. It was at this point that I realised it was a scam. I demanded to know the name of their company & they hung up on me. Turned off my pc & ended their link with it.
    My worry is that they knew I was having an issue & were able to get my phone number to call me within hours of the issue starting. I absolutely do not think it is a mere coincidence.
    I installed spybot & malwarebytes which sorted the issue. My domain advisor is off & I believe the issue is directly tied to that programme which came pre installed with my laptop.
    The experience has been reported to the police & internet crime squad as well as my bank in case they got sensitive information. I suggest people share this experience because of the way in which it developed.

  • Jérôme Segura

    Hi Dawn Harrison,

    That’s not the first time I hear about these ‘coincidences’.
    It’d be interesting to find a relationship (if any) between people buying new devices or experiencing issues and these calls.
    Thanks for sharing your experience.

  • John Harpold

    I recently received a cold call from a group known as “Smart Tech Guru”. I didn’t engage with them but took down a phone number and said I’d get back with them. Ever heard of them and if so what can you tell me?
    John

  • Jérôme Segura

    Hi John Harpold,

    I’ve never heard of this company before. A quick look up on the domain name shows they’re using some anonymizing services from registrar bigrock (which I’ve noticed was used in very similar fashions by other scam companies).

    http://whois.domaintools.com/smartechguru.com

    Thanks for passing it along, I’ll investigate.

  • Marx Xiong

    Hello

    I recently was called by a man with an Indian accent. He said he was a Microsoft tech and that my PC had been sending out tons of error messages to Microsoft, that my PC had a lot of viruses. I really wish I had my guard at its best but I was stupid enough to listen and believe him. I downloaded the programs he told me about (tvi.name and showmypc etc.) and gave him remote access. I honestly wish I hadn’t done any of this. But after he started telling me to type in my card info, name, email etc. I knew it was a scam. I only wished I had realized that as soon as the phone rang. I had a lot of my important personal information on my PC, such as social security number, passwords and phone info. I am wondering if he can harm me in any way with that information. I have run Microsoft essential security 2 times, both full runs, and tried my best to delete all that he told me to download. I’m not sure if anything is left but the PC will probably end up being smashed. Please respond!

  • Derrel Allen

    I am curious as to why Google allows this type of advertising. I think they should be reported. I’m fairly sure their ads violate the TOS. Surely Google doesn’t need their $$ that much.

  • Theresa Retz

    Have you considered an article on scams that manage to put out TV and radio ads? The station I listen to at work is currently running an ad for “speed counts” which looks to me a lot like this kind of scam. Unfortunately, the fact that it’s gotten airtime tends to make it seem more legitimate to folks who might not know how to spot scams.

    The parent company of ‘Speed Counts’ is “USTechSupport”. I would test them myself but I don’t have a spare PC or virtual PC to use as bait and I don’t want to risk it.
    From what I can tell (they recently changed the site to remove any listing of what they actually do, when I looked them up last week before warning the radio station they were a scam, it listed things like “removing registry errors” and “defragmenting” as a way to speed up the PC) they don’t do anything that you can’t do yourself with default windows tools.

  • Jérôme Segura

    Hi Theresa Retz,

    Thanks for passing this on. Although most people assume these scams are run by Indian-based companies, it also happens in the US. TV and radio ads might cost significantly more than adwords but perhaps they reach out to a better audience. May I ask which radio station these were aired on?

  • Jérôme Segura

    Hi Derrel Allen,

    Yes, it is quite frustrating to see major search providers involved in this. I would be very interested to know how ad accounts work, especially whether or not it is easy to create countless new accounts. I imagine if Google or Bing shuts down a particular, say, adword account, the scammers are most likely going to open up a new one.

  • Jérôme Segura

    Hi Marx Xiong,

    Unfortunately you need to assume the worst. Certain scammers will steal data from you and quite possibly attempt identity fraud. You should contact your bank / credit card provider and let them know what happened.

  • operatingsystemos

    Also, please add the syskey trick that they use to lock you out, I learnt that from your video:

  • Ellen Gaynor

    A friend of mine called me to tell me these people had been calling for a long time, but she finally talked to them today. The woman told her she was with Axis PC Help (of course there’s an axispchelp.com website with glowing reviews). She got my friend to install Techinline so the “technician” could connect remotely. After a while of this woman pointing out problems, my friend asked if this was going to cost money. That is when the call ended.

    I told her to download malwarebytes and scan her PC. I need to call her back and tell her about the possibility that they stole her info while they were poking around.

    axispchelp.com was registered by someone who goes by the handle kddacraker. Very interesting google search results for this name.

  • Marx Xiong

    Hi Jerome

    Thank you for responding. I just turned 18 not so long ago. I don’t have any bank account at the moment and I am not associated with any credit card providers either. I’ve changed all of my passwords already. Is there anything I should do now? Would the scammer be able to use my SSN to apply for a credit card or cause some sort of trouble?

  • operatingsystemos

    http://online-tech-support-review.toptenreviews.com/
    They all seem to be scams to me, no matter what that website says

  • operatingsystemos

    https://www.google.com.au/search?q=1-855-292-4094.
    These guys are OmniTech. I contacted them a while ago and they have registered many domain names. They might also be illegally selling “Systweak Advanced System Optimizer”. AFAIK, that is a legitimate registry cleaning software

  • Jérôme Segura

    Hi Marx Xiong,

    It depends how and where your personal information was stored on your computer, as well as how long they had access for. So, it’s pure speculation on what they could possibly do.
    You can still report the fraud to your local authorities etc with a formal complaint.

  • Jérôme Segura

    Hi Ellen Gaynor,

    Thanks for sharing this information, this is valuable to investigate further. Hopefully your friend recovers from this without too much damage done.

  • Marx Xiong

    Hello again Jerome,

    Thank you again for responding. The programs they told me to run were running for about 10 – 15 minutes or less I believe. And well, as for some of my information, I was dumb enough to have it sitting on the desktop screen. I just always thought, what are the chances of me becoming a victim of a scam like this. Is it possible for those programs to have transferred my files secretly and files of other accounts on my PC within 10 – 15 minutes?

  • Jérôme Segura

    Hi Marx Xiong,

    If that was their intent to scrape everything, then yes it is possible. That happened to me not long ago:
    http://blog.malwarebytes.org/fraud-scam/2014/02/netflix-phishing-scam-leads-to-fake-microsoft-tech-support/
    http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/02/filetransfers.png

    You mentioned they used a program called showmypc? I’m not familiar with it but perhaps you could find log files for that program? Within these you may be able to find activity traces. I say ‘may’ because sometimes they make you install a “standalone” version of the remote software which does not leave logs.

  • John Reddy

    Thanks for a very interesting blog. I agree with your blog and I will be back to check it more in the future so please keep up your work. You have done a great job [edit from author: <--- thanks for spamming the link, will investigate! /end of edit]

  • MiddleOf TheSky

    Today, I was trying to get help with my printer and googled canon help..etc. I got to this website..it’s under repair http://www.printer-techsupport.com/index.html. It’s called Printed Tech Support. The phone number on the website is 1-888-218-3886. “Ron” accessed my computer through Team Viewer and told me someone hacked into my computer and it will cost 350. I said I don’t get paid till Friday. He said okay one time help 150. I said I will check with Canon to make sure they are legit and hung up. This is the number he told me to call 1-800-986-6389. Ext 313. I guess I should alert bank and change passwords.

  • John Miller

    Jerome,

    Internet Security Connect Ltd

    Another one for your list, they called me yesterday, I did allow access but got suspicious because some of the things they pointed to that indicate PC issues made no logical sense. They deleted my desktop items as I attempted to cut the connection through the task manager (I should have just pulled the ethernet cable but in the heat of the moment didn’t think of it). The company is internetsecurityconnect.com (Internet Security Connect Limited). I was not rude in any way but they became threatening at the point I said I wanted time to check their credibility properly.

    I was not aware of this scam until yesterday and have read your article with interest, many of the elements you outline were identical. They used the Tree, false infection message, “Stopped” files, CPU usage and also a new one. They pointed to the crss.exe file saying, as it did not have user against the entry that it was being used by some unknown crook.

  • Jérôme Segura

    Hi John Miller,

    Thanks for sharing your experience and the company name. We will investigate and report them.
    I hope you were able to recover from the damage they attempted to do on your machine.

  • Jérôme Segura

    Thanks angeljg1091!

  • Jérôme Segura

    Hi MiddleOf TheSky,

    It wouldn’t hurt to update your passwords and make sure no identity theft was committed. Thanks for sharing!

  • John Miller

    Jerome,

    Thanks for your reply, I tried to correct the name of the company and failed dismally. To be clear it is Internet Security Protect Ltd the web address is internetsecurityprotect.com.

    Through simple research on the net I found the owner of the site . Also corroborated this with another website and got his address (in India!) and believe it or not, then got a Facebook page with a photo of the individual. The site I was pointed at the start of the call has been running since January, the UK mail address is a mail drop where 17,000+ other companies supposedly reside. I did call them when I got my PC back, out of curiosity, they did answer and when I gave my first name they knew my second name. They hung up!

    Was able to recover my desktop through a local technician. The whole thing was a pain but I suppose a learning experience.

  • John Miller

    Jerome,

    Follow Up

    Have just checked, the website has now been suspended. I had reported to the UK authorities (Action Fraud and Trading Standards) and also contacted Team Viewer with the 9 digit code (having read your blog). It would be arrogant to think that this resulted in the suspension but it’s good to see that one avenue appears to have been blocked. The other site with the same owner is still up and running but I don’t think it would be right to name it here (it’s IT related but nothing to do with technical support or security).

  • Jérôme Segura

    Hi John Miller,

    That is great detective work! Your efforts probably led to the site getting suspended which is great news for potential other victims. :-)

    I’ll add them to the list regardless as they may pop up again under a different disguise.

  • operatingsystemos

    Hi everybody
    Thank you very much for your reporting. I have created a wiki of all of the possible scam companies, among other things related to the topic of Tech Support Scams, you are welcome to visit and contribute here:
    http://tech-support-scam.wikia.com/

  • peace

    My problem has been with Microsoft pulling surprising punches. This only happened twice and have several good experiences with them, but 2 clearly blatant and one possibly criminal. I purchased a 365 Office license that includes Assure plan – normally an extra $149/yr.

    1st time – after an update search stopped working in Outlook. They sent me to someone who started downloading tons of junk on my computer and running diagnostics. All along claiming he was fixing it for free. I video recorded most of it with my phone and later went back and found he was downloading known malware and infecting my computer. He got the computer to an unusable unbootable state, then said it would cost $99 and he would fix it.

    I disconnected, reinstalled the OS from disc and restored my backups.

    2nd time – tonight a more subtle agent. About a week ago Outlook started throwing Visual Basic errors when opening .docx files from within Outlook. Note, if the files are saved, separately, they open fine. A simple test file created in the Office system demonstrates the problem.
    Microsoft Visual Basic Run-time error ‘4248’: This command is not available because no document is open. The document is not open because there’s an alert emblem PROTECTED VIEW – Be careful – email attachments can contain viruses. Unless you need to edit, it’s safer to stay in Protected View. [Enable Editing]

    So, the latest download update of Outlook does this for all MS file attachments – no other files.

    The first agent tells me it’s a Pro paid call, sends me on loops around the world of transfers for 95 minutes. The earlier agents thought the problem was a VB script error that needed to be resolved.

    Connect again and this agent does a lot of the scare tactics shown on this blog including the Event Viewer. Tells me the problem is corrupted system files and a corrupted registry. How would they know this? Nothing they did indicated this type of problem.

    I don’t know if I have a problem or not, but only have one symptom – as noted, which appears to be a warning from MS that simply needs to be turned off.

    What surprises me is that MS would support, probably give bonuses to agents who can sucker people into paying extra for support they already own and get away with it.

    The first case seemed criminal – he intentionally did damage to my computer.

    Lastly – after disconnecting and rebooting the last agent was still there… I thought the support bot required authorization, but I guess not. Her typed response “wanna try that again?” Was this a dare to see if I’d try to get rid of her again?

    The audacity. And, how can I be sure this spyware app is fully removed from my system now?

    I have no answers. Just run ESET every day and Malware Pro Every day and do daily backups and hope the bear doesn’t decide to have me for dinner.

    Any suggestions appreciated.

    Cheers All

  • peace

    Follow up – since leaving the post a few minutes ago, searching shows this is a common problem typically resolved by changing options in the Trust Center.

    None of the agents at Microsoft even checked the Trust Center Settings.

    I still can’t get the settings to take hold and work properly – expect the latest automatic update must have introduced a bug. Will restore to a back up from last week if need be.

    Hope this info is helpful to someone else.

  • John Miller

    Jerome,

    Just so you are aware, the Internet Security Protect website is up and running again. Do you think it would be worth me contacting the registrar (Godaddy) or the host or would I be wasting my time? I am determined to ensure that others don’t get caught as I did. Details below:

    Domain Name: INTERNETSECURITYPROTECT.COM
    Registrar URL: http://www.godaddy.com
    Registrant Name: Registration Private
    Registrant Organization: Domains By Proxy, LLC
    Name Server: NS1.CP-13.WEBHOSTBOX.NET
    Name Server: NS2.CP-13.WEBHOSTBOX.NET
    DNSSEC: unsigned

  • Jérôme Segura

    Hi John Miller,

    Thanks for that information. I’ve already asked someone in our team to look into contacting GoDaddy regarding this matter. We’ll also investigate on our own.

  • William Lentz

    Hi there, just wanted to report a cold call scam in the USA
    Someone called me claiming to be “Windows tech support”; the phone number I got from them is +1 239 300 6975 (Magic Jack app phone number) with caller ID reporting “Naples FL”. He spoke in a really deep Indian accent like all the others. After granting him access to my virus infested VM that I have on my home server for this reason, he showed me the event log, cmd tricks, uploaded and installed Advanced Windows Care v2 (Maker of the product was I-orbit) and showed me issues there, and had me fix them, claimed to be able to give me avast paid for a full lifetime license (Ya right…), he also showed me task managers performance and network utilization claiming “That is all you can use” when it is really what I am using at the given moment, he then showed me via notepad the final bill to get it all fixed and trying to sell me a 5 year subscription to their services, total for 5 years was $179, he wanted me to send him money via western union or money gram. I stopped him there and then called him out on his layer of bullshittery. He then tried to claim that he was a Windows employee NOT a Microsoft employee (they are both the same company idiot) and that ended that. Reported to local law enforcement and will be calling LogMeIn to report it to them too. He also gave me these phone numbers in the notepad bill

    778-747-9829 – His Personal Number (Peter Slap was his name)

    281-643-0036 – His head department number (idk what this is for but call at your own risk)

    If you require any more information about this please let me know and I will see if I can find some.
    Thanks,
    William Lentz

  • seston pit

    Yahoo support @ 18009350357

  • Jonathan Bell

    I have been doing some digging and I found this website http://techsupportheroes.com/ I called them and they tried to scam me.

  • Jérôme Segura

    Thanks for reporting it Jonathan Bell.

  • Pixiey Dust

    These guys just called me. I no longer am getting calls from Microsoft (they got smart) but Smartguru instead. They wanted to charge me 75-100 bucks after looking at my computer remotely (I did not do that).

    The site looks legit, but cold calls make me know not to trust them.
    Thank you guys for being awesome!!
    http://smartguru.us/

  • Jérôme Segura

    Thanks for letting us know Pixiey Dust!

  • Jonathan Bell

    I dug some more and found this site. http://www.windowstechsupport247.com/.
    The website is hosted by godaddy.com

  • Jérôme Segura

    Hi Jonathan Bell,

    Thanks. As you can see there are more fraudulent tech support sites out there than one can handle ;-)
    Appreciate the help!

  • Lea

    Hello! Fell for one of these last night. The websites in question were http://mywifiextnet.com and http://netgearextendersetup.com/. I searched the phone number associated with these websites as well (1-888-918-2345) and got a whole crop of dubious-looking “tech support” websites.

    Thank you!

  • Saori M

    Hi Jerome,
    I was not familiar with the ongoing Tech Support scams and I had never come to find your blog until yesterday. I received a cold call claiming it was from Windows yesterday telling me that my PC was sending error messages and he was calling me to fix my PC. At first, I almost believed him, but when he mentioned about the remote access, I didn’t feel right and told him that I would call Windows customer service myself and get help. He gave me my PC’s “serial #” and a phone number to call back – 310-734-8856, but I didn’t call that number.
    I googled “Windows Customer Service” and called the number that came up on the top. At this point, I was actually feeling pretty stressed as I was not tech savvy. I should have checked the site carefully, but I didn’t. A guy named “Sean” answered the phone and I asked him if this was Windows customer service, and he said yes. I told him that I received a cold call from Windows, but felt uncomfortable giving the caller remote access, so I decided to check with Windows/Microsoft directly if that was something they would do. He said Windows/Microsoft would never call the customers like that and the call I received was indeed a scam. So, he said that he could take a look at my PC and see if everything was ok. Again, I felt uncomfortable giving him remote access, but I asked him again if he was in fact with Windows and he said yes. Also I was the one who called them, so I decided to proceed.
    He did the series of steps to check my PC and came up with “Rundll32” viruses. Just to remind you here that he had never done “Virus Scan”. He showed me “The Event Viewer”, “msconfig”, “prefetch”, “Rundll32 Glossary” and “Notepad”. I didn’t realize those could be used as tricks until I read your blog. After I made a payment of $110 to remove the “viruses”, I realized that the company was Mega IT Support which was on your list! So far I don’t see any of my software or files missing, but he did put over 600 items/files in the trash and deleted them without showing me what they were. My credit card charge was $110 as he promised and nothing more. But I am not sure at this point that if there were even the viruses and if I paid for nothing. My concern now is that he didn’t put anything in my PC when he had remote access.
    Do you think I should get virus removal from a trustworthy company/tech just in case he put anything in? I would appreciate if I could hear your opinion about the whole incident. Thank you.

  • Saori M

    Oh, by the way, they did uninstall my “Webroot Secure Anywhere” and install “Microsoft Security Essentials”. I ran the scan with Microsoft Security Essential and nothing came up. I re-installed “Webroot” and ran the scan, and also nothing detected.

  • Jérôme Segura

    Hi Saori M,

    I feel sorry to hear about your experience especially considering you dodged the first cold call.

    It might be more difficult to get your money back since you actively made that call (as opposed to receiving an unsolicited phone call), but it still might be worth a try to call your credit card company to reverse the charges. These people are not Microsoft employees and should not make such claims.

    You could also file a complaint with the FTC (although once again, you willingly entered into an agreement when you made the call) and describe what happened.

    Now regarding your computer and safety. I doubt there was anything wrong before and you may be able to restore it to an earlier state before these guys took over and made changes. Windows has a feature called “System Restore” which is like a rollback (you pick an earlier date to restore the PC to): http://windows.microsoft.com/en-CA/windows7/products/features/system-restore

    Also, do you remember which remote program they installed to control your PC? Was it LogMeIn, TeamViewer, Ammyy? Remove any trace of it (control panel -> add/remove programs). Sometimes they turn on a feature that could enable them to take control of your computer again.

    Typically these scammers do the least they can after they got paid. They will install free software (such as Microsoft Security Essentials) (while telling you they installed a paid antivirus) and clean up temporary files and cookies. They really could care less about doing a decent job, they just want to give you the illusion they did something.

    You can also run a scan with our own software (Malwarebytes Anti-Malware) for free and check whether there are any active malicious components (http://www.malwarebytes.org/antimalware/). If you had stored any passwords or personal files on your machine, please make sure that this information is safe. In fact, it would not be a bad idea to change your passwords. Personally, I’d recommend using a password manager that makes remembering complex and unique passwords a breeze.

    Once again, I’m sorry to hear about this and wished you had found this blog earlier. There are hundreds and hundreds of different company names, phone numbers, etc.. out there but the top ones (those that will pay for ads or appear in the top results of search engines) are easier to spot and report on. Also, these fraudulent companies are not just overseas… we have found some in the US. This is a very large and lucrative business taking advantage of people who aren’t necessarily savvy or were taken off guard. Hopefully by raising awareness and going after miscreants directly we can make a difference.

  • Saori M

    Hi Jerome,

    Thank you so much for your advice and thoughtfulness.
    I did “System Restore” and wiped out any traces from the “Tech Support.” I also downloaded Malwarebytes Anti-Malware and scanned my PC after the system restore. It only found some unwanted registry keys and files (all from Coupon.com that I downloaded long time ago) that were not too threatening. I was able to quarantine and delete them afterwards. I guess there was no “Rundll32” virus after all. I found some info about “rundll”. After checking my Task manager etc., I think I got fooled by the normal “rundll32” with all the other tricks done by the “Tech Support.”

    “rundll” is an important system executable and lots of malware likes to pretend to be it to avoid drawing attention. If you look in task manager the rundll32.exe should always have an image path (if image path is not turned on, select it in View -> Select Columns) of “C:\Windows\System32\rundll32.exe” or “C:\Windows\SysWow64\rundll32.exe” There’s usually always at least one running from that path. That’s normal. It’s the ones that aren’t running under that path that you need to worry about.

    By the way, I use HP SimplePass Fingerprint scanner to log in most of the online accounts I have. Do you think it’s safe? I have never used “Password Manager” and don’t even know how it works. Is it safer than a finger print scanning features? I am in the process of changing my passwords, but I would like some info about the best way to protect my passwords going forward.

    Thanks again for the information you provided and the having this blog!
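
The image-path check described in the comment above, written out as a PowerShell audit. This is an added example, not part of the original comment thread or Malwarebytes’ own tooling; the function names `Test-Rundll32Path` and `Get-Rundll32Audit` and the sample paths are made up for illustration, and it goes slightly beyond the comment by also flagging lookalike process names and listing each process’s command line.

```powershell
# Added example (not from the original page): audit rundll32 processes by image path.
# Assumes Windows PowerShell 3.0 or later; run elevated so every process path is readable.

function Test-Rundll32Path {
    param(
        [string]$ExecutablePath,
        [string]$WindowsDir = $env:windir
    )
    # An empty path means the caller lacked rights to read it, not that it is malicious.
    if ([string]::IsNullOrWhiteSpace($ExecutablePath)) { return 'Unknown' }

    # The two locations named in the comment: 64-bit and 32-bit system directories.
    $expected = @(
        [System.IO.Path]::Combine($WindowsDir, 'System32', 'rundll32.exe'),
        [System.IO.Path]::Combine($WindowsDir, 'SysWOW64', 'rundll32.exe')
    )

    # Resolve ".." segments first so a path that merely starts in System32 cannot pass.
    try   { $full = [System.IO.Path]::GetFullPath($ExecutablePath) }
    catch { return 'Suspicious' }

    foreach ($path in $expected) {
        # Windows paths are case-insensitive, so compare accordingly.
        if ([string]::Equals($full, $path, [System.StringComparison]::OrdinalIgnoreCase)) {
            return 'Expected'
        }
    }
    return 'Suspicious'
}

function Get-Rundll32Audit {
    # The LIKE filter also returns names that differ from rundll32.exe by a character or two.
    Get-CimInstance -ClassName Win32_Process -Filter "Name LIKE 'rundl%'" |
        ForEach-Object {
            if ($_.Name -ine 'rundll32.exe') {
                $verdict = 'Lookalike name'
            } else {
                $verdict = Test-Rundll32Path -ExecutablePath $_.ExecutablePath
            }
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                ParentId    = $_.ParentProcessId
                Name        = $_.Name
                Verdict     = $verdict
                ImagePath   = $_.ExecutablePath
                CommandLine = $_.CommandLine   # names the DLL and export being run
            }
        }
}

# Constructed sample paths (not from the page) to exercise the path check offline.
$samples = @(
    'C:\Windows\System32\rundll32.exe',
    'c:\windows\syswow64\RUNDLL32.EXE',
    'C:\Users\Public\rundll32.exe',
    'C:\Windows\System32\..\Temp\rundll32.exe',
    ''
)
foreach ($s in $samples) {
    '{0,-10} {1}' -f (Test-Rundll32Path -ExecutablePath $s -WindowsDir 'C:\Windows'), $s
}

# Live check on this machine.
Get-Rundll32Audit | Sort-Object Verdict | Format-List
```

An `Expected` verdict only says the genuine binary is running; the `CommandLine` column shows which DLL it was asked to load, which is the part worth reviewing.
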

  • Saori M

    FYI–
    The middle paragraph in the previous post was the info I found from researching “rundll32.”

  • Jérôme Segura

    Hi Saori M,

    I’m glad to hear that things are starting to return to normal :)

    Yes, rundll32 is a very common trick because it runs on every Windows PC. In fact, this very trick was used on me today! (see http://blog.malwarebytes.org/wp-content/uploads/2014/07/rundll32.png) by a company called techsupportive.com (I added it to the list of scammers) which I called after a coworker gave me a tip on them.

    To be honest I had never heard of HP’s SimplePass fingerprint scanner so I can’t really vouch for it. However, I’m curious enough to tell a friend of mine to check it out to see if there are vulnerabilities in it.

    A password manager is an application that lets you store all your passwords in one vault that only a master password can open. The idea is that all you have to remember is that great and unique master password and all your other passwords can be long and complex but you don’t have to memorize them.
    Typically, a password manager is loaded in your browser (Internet Explorer, Chrome, Firefox, etc.) in such a way that once you have unlocked the vault, it will auto fill password fields whenever you connect to your sites. Now, these passwords are not stored on your local PC, but rather ‘in the cloud’ on whichever company’s server you picked. For that reason, there is a small risk, but to be fair 100% security does not exist.

    Personally I use a mix of two different password managers:
    – one that runs in my browser called LastPass (I am not affiliated with them, and there are plenty other ones!) for mildly important passwords.
    – one that is only stored on my local drive called KeePass (it’s the same idea of the vault with a master password) except that it resides on my computer, not in the cloud. I use that for more important passwords.

    Finally, there are a few other passwords that I only memorize because they are very important.

    So it is kind of a layered approach, but even if you only used a password manager in your browser, you are miles ahead. With a password manager no need to reuse the same password on multiple sites anymore… no need to have to remember passwords that you change every month or so for good measure, etc…

    Now beyond passwords are personal files that may have value to a criminal (invoices, statements, etc…). Those should not be placed on your computer as is because they can easily be stolen (a scammer could do that, see this example I captured (it was a bait set on purpose): http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/02/filetransfers.png) or by malware looking for documents to extract.
    It is a good idea to encrypt these files (BitLocker on Windows, Encrypted disk images on Mac) etc… Here’s how it works (typically): you create a container (also known as an encrypted volume). Think of it as a safebox. You create a strong password for it and then place all your important documents in it. Finally, you close that vault. These documents are no longer accessible directly. You must first open the vault by providing the correct password (or passphrase for that matter).

    Hope these few tips help!

  • Lea

    Sorry! Just a small add-on to my comment earlier: the first website listed, the http://mywifiextnet.com was found through a paid ad at the very top of Yahoo. My dad searched “my wifi ext” for the legit mywifiext.net website, and found that ad instead.

    We hung up on them after I realized what was happening (after both my dad and I allowed them to access our computers via TeamViewer, downloaded not through the official TeamViewer site; we, I guess luckily, didn’t pay them, however) and I came to find after that they had called back a number of times (4 or 5) and they left two messages on our answering machine: one just someone hanging up, and the other was the Indian gentleman we had talked to saying something along the lines of “Your extender is working fine? I’m going to make it — f**k off (or possibly “shut off”) man,” and I’ve been really nervous since.

    I know these guys get annoyed when their scams don’t work, but is that typical? I’ve already wiped my laptop twice and my dad just purchased a new one, but I’m terrified of them doing something else. I know they have our house phone number, and my dad’s name; and I’ve never dealt with anything like this before, so I have no idea how these scams typically turn out (outside of the “they got your credit card info and they’re going to use it” obvious).

    Any help would really be appreciated!

  • Jérôme Segura

    Hi Lea,

    Thanks for your comment. Yes, some individuals tend to get really mad when plans don’t go their way.
    In fact in my first ever call with them, the scammer got so frustrated (even though I had been nice all along) that he tried to wipe out all my documents (http://blog.malwarebytes.org/fraud-scam/2013/04/phone-scammers-call-the-wrong-guy-get-mad-and-trash-pc/) Thankfully this was just a virtual machine.

    Having said that, you are not the first one who’s angered them because you didn’t fall for the scam. They will most likely move on and forget about that. They could in theory keep calling your number to bother you, but they would really be wasting their time.

    As long as you have removed TeamViewer from your machine, then they should not be able to access your computer again. Feel free to scan your PC for malware though (it is unlikely but they could have put some). Malwarebytes has a free Anti-Malware scanner you can download here: http://www.malwarebytes.org/antimalware/

    I hope this helps, if you have any other questions, please let me know.

  • Wolfgang Koch

    Hi Jérôme,

    Thank you for offering this site to allow publicity against scammer activity. I just received a call from “Windows Technical Service,” going just as has been typically recounted so many times: someone with an Indian accent told me my computer kept “sending error messages,” and they could fix it.

    I saw right through, right away; I’ll say I would have even if I hadn’t heard about this type of scam before. So when this guy (?) proceeded to ask me if I was at my computer right now, I said I wasn’t, and that in fact I would need to start it up, so I asked for a number I could call back, and that person’s name so I would know who to ask for.

    Without hesitation, he did give me a number to call back: 800-624-7545. He also gave me a name (purporting for it to be his own; I have the name on record, just in case). I googled the number, and the result came back with the name of a business completely unrelated to anything in the way of a “Windows Technical Service.” I even dialed the number (making sure to hit *67 first), and someone answered the phone in the name of the business I had googled. I said I had the wrong number, and hung up.

    Oh, the caller-ID information for that call I received showed as: (name) “Not Available,” (number) “19904.”

  • Arnaud

    You can add http://www.infosis.net phoning from: 0016307529984
    I cut them off 2 seconds before they put a password live :) Anyway I have NO data on my PC everything is backed up ;-) So I would have reinstalled.
    Pathetic world we are living in …

  • Jérôme Segura

    Yes indeed!

  • Jérôme Segura

    Thanks Arnaud, will check and add.

  • Jérôme Segura

    Thank you Angel!

  • EpicKing

    There are a lot of scammers out there, BUT let’s not forget that there are Tech Support Companies that are actually doing a decent job and helping people.

    So let’s not make it sound like they are all scammers.

  • sylvia

    I think I was hacked on my windows 7 computer. I tried to uninstall several pc fix program ads but they always come back. The pop up concerning calling this number now showed up and would not go away. I caved and called 1-800-832-3088 and allowed this tech control of my computer. I also typed in a number (206188). This person told me to take my computer to office max or staples (where there was a microsoft certified tech) to have a 1 time removal and a full system tuneup and to obtain a realtime malware blocker. This cost would run about $300.00. The person then offered to do it online for $300.00 and save me a trip. I declined due to lack of funds and was then offered a discount of $100.00 for being over 50 yrs old. I still declined due to lack of funds. I have a wifi system and 2 other computers on my home network. I have started leaving everything off including the windows vista computer I use a lot. I have malwarebytes premium on the windows vista computer.
    My question: Is Malwarebytes a real time malware blocker and removal system ?
    Mine will expire in about a year I think and I am looking for something reliable to install on my windows 7 computer.

  • Jason Swafford

    @jeromesegura – Has Malwarebytes considered working with a service like OpenDNS to provide lists of known scammers? It could be a win-win.
    Randomly checking many of the URLs mentioned here against OpenDNS domains, most are currently not categorized at all.
    I have an open request to OpenDNS to create a ‘Scam’ category for these known scammers. https://support.opendns.com/requests/105188

  • Nis Donatzsky

    One more for the list:
    Said he called from Windows Technical Desk.

    Live Windows Support
    http://www.livewindowssupport.us/
    Ammyy: 33329758

    Called from 1-607-271-9258

  • narg

    The HP Finger print scanner is nothing more than a fancy password manager. It adds another layer to the security, but leaves the passwords still on the computer in a hashed file, but someone could still steal it and try to crack the hash code for your passwords.

  • Jérôme Segura

    That would be a good idea. Do you have a contact or such to get something going?

  • Jérôme Segura

    Yes, of course. While this focuses on the negative, there are indeed good support services out there. The problem though is how to find them without getting conned on the way.

  • Jérôme Segura

    Hi there,

    Yes, Malwarebytes Premium edition has real time protection for both malicious sites and malware.

  • Jérôme Segura

    Thanks Nis, will investigate.

  • sylvia

    Thank you, Jerome.

  • InvestigationsInc

    Hello. I am a journalist looking into these tech scams. If you have been affected, please e-mail investigationsinc@cnbc.com Thank you.

  • InvestigationsInc

    Hi Saori, I am a journalist covering these tech support scams and would like to learn more about your experience. Please e-mail investigationsinc@cnbc.com Thank you.

  • InvestigationsInc

    Hi Arlene, I am a journalist and would like to hear more about your mom’s experience. Please e-mail investigationsinc@cnbc.com Thank you.

  • InvestigationsInc

    Hi Andrew, I am a journalist and would like to learn more about your experience. Please e-mail investigationsinc@cnbc.com. Thank you.

  • SaassyT

    A little over a year ago I got one of these calls, now being in Sales, living in Silicon Valley, California, AND working most of my career for tech companies you would think that I’d be a teeny bit smarter but no. You would also think that my gut instincts telling me that something’s not right would have made the light bulb in my head go off, but once again no.

    HOW HE DID IT: His strategy was basically running me in circles to the point that I just gave in against better judgement. He had me open all these different screens and do /run of things I don’t have deep knowledge of. Then he had me go to a site that would allow him remote access (yes I know I should have stopped then) I cannot recall which site it was that allowed him remote access and he proceeded to “explain” all these issues with my computer that he would fix blah blah blah.

    WHERE HE WENT WRONG: He probably thought (as they must do with all their victims) that I was as smart as a doorknob, and rightfully so considering I gave him access to my computer and as he’s yammering at me with all this tech jargon, and heavy accent he begins to type on the black screen that there were xx # of attempts to hack into my computer. Right then I closed my computer and I hung up. That son of a nutcracker called me back I don’t know ….. at least 20 times.

    SINCE THEN they still call ….. in fact their calls always come through on the numbers on caller ID and what’s a little scary is they know my first AND last name …. I do not recall giving them that information …. Some call saying they’re from Cyber Security …. others call saying they’re a Microsoft Technician and ironically my company is a partner of Microsoft’s. So as of now we no longer answer our phone. It rings multiple times a day from the same numbers and what I don’t get is if they already tried once and didn’t succeed and the countless times they’ve called and been denied, then why still call?

    Anyway good luck to everyone, don’t be fooled, trust your gut and may the force be with you!!

    ~ T

    PS UPDATE as of today 3 calls

  • spyder43

    My other question about a master password protecting a password vault – if “they” can break passwords, would not it make it easier for them – all they need to do is break one password – then they have all the passwords. Just asking because I do not know – I have always been leery of using password vaults.

  • David Soulblade

    I actually had a call like this a month ago. I did the *69 thing and searched the phone number and saw a bunch of other people that had been called by the same number. I told the guy off anyway but still, phone calls like that can be scary.

    I hope people watch out for these calls.

  • k delong

    You could add SPH Infotech Inc to your list. The number is 855-733-9911

  • Pixiey

    Just a follow up. These people are calling me at least three times a month now. I can’t find anyone else posting about this company. I wish more would. They say they are not with Microsoft, but they run you through the whole Ctrl windows r thing….and have you see the errors and warnings. I was hoping to see them on your list. I am getting tired of the calls.

  • NeoSasquatch

    I knew a couple of these but not some of the others. Thanks for the information, it really helps out a lot!

  • Michele F.

    Hi Jerome, My desktop PC, Windows 7 has a virus and has taken over my computer. I have completely shut it down and unplugged from the wall, modem and Linksys. Would you recommend that I just purchase a new tower or take it in to a tech to clean it up and get rid of the virus? I understand they can only guarantee up to 99% removal of the virus. I’m also wondering if my other computers that are linked through Linksys can become infected via Linksys. FYI My HP PC desktop was originally purchased in 2008 but I had it rebuilt with 1.5 to 2 years ago. It wasn’t that expensive of a computer to begin with and I have everything backed up on an external hard drive. Thank you, Michele F.

  • Jérôme Segura

    Hi Michele,

    You have several options and I’d say the two that you mention should be a last resort thing (especially purchasing a new computer).

    First, kudos for the backups on the external drive!

    Now, I’d recommend that you clean that machine using our Malwarebytes anti-malware FREE edition because that’s exactly what it is for: to clean PCs that are already infected.

    http://www.malwarebytes.org/

    If you have any more information on the virus itself, feel free to post in our forums where someone else may be able to help you.

    https://forums.malwarebytes.org/index.php?/forum/7-malware-removal-help/

    This would be a good start. Keep us updated to see how it goes. :-)

  • Michele F.

    Thank you Jerome! I do have Malwarebytes installed on the computer. I will do that tonight. Appreciate your fast response!!

  • John Dillinger

    Rundll32 is a generic process that is basically a helper app that gives other programs DLLs so they can function properly. It can be used by both good and bad applications. If you delete it, Windows won’t function properly.

  • Jérôme Segura

    Thanks. I see that we had blacklisted iMax already. Will check the youtube channel as well and see if we can get it taken down.

  • Teri Hautzinger

    If I think I’ve been hacked by an organization that I’m currently in a lawsuit with, who can I get to diagnose and verify so I can press charges?

  • Jérôme Segura

    My best guess would be to hire a private investigator, but I’m not an expert when it comes to legal matters. Does this have something to do with tech support scams?

  • Kevin Lillis

    Figures I find out that I needed to be registered to post something. Oh well, it’s not the first and won’t be the last time. Anyway, hi everyone, just wanted to say that I’m glad I finally took the time to check out this ‘Unpacked’ website. Since I really don’t want to retype everything all over again, I’ll put it like this. I have been through some of these scams and virus/malware attacks, and have come out mostly successful. I spent many all day sessions, all night sessions, and a few tech support calls (legit ones), and much frustration, I am still dealing with some issues. If you don’t have the Chameleon addition, I highly recommend getting it asap because it has served me well. I will visit again soon, but in the meantime have a good day/evening. Good hunting as well (malware and viruses that is).

  • Indelible

    My dad got rooked by smartguru.us. Same story as Pixiey Dust. My daughter took a call from these people who were ‘helping’ dad with his computer, at dad’s house and made note of caller ID, which was a person’s name and a local number. She offered to take a message for my dad, but the caller hung up on her. I called the number on the caller ID and it was a real person (elderly) who was having the same fake tech support troubles. I suspect phone spoofing as this woman did not place the call that my daughter took.

  • Jérôme Segura

    The reason you were mentioned in the Netflix blog is because your company was caught scamming. It is recorded in the following video: http://youtu.be/0HfdWcnyhp0

    “Not to mention you Investigator even appreciated us for the good work and assured that we will not be mentioned among scammers.” >> you must be mistaken since we never did that.

    Having said that, you are showing that you care about this and are willing to operate cleanly. You will be removed from the blacklist but keep in mind that if we hear user reports about scamming activities and these reports turn out to be true upon investigation, then your company will be listed again.

  • Jérôme Segura

    Thanks, will follow up on this for appropriate DMCA.

  • Mike Ross

    I have a quick and easy response to these people…

    “Oh there’s a problem with my server and you need to connect to it to fix it?”

    “Yes”

    “OK, fire up your TN3270 client”

    “Wha…???” (In a thick Indian accent)

    *click*

    :-)

    MainframeRules!

  • techysucks

    Hi, I currently work as a remote Tech for one of the companies listed above and I also do PC Tune-up locally (no cold calling, I hate calls). I’ve been with them for 4 months now and as far as the Tech Support Department is concerned, we’re doing great. I don’t know about sales tho. I would agree about the event viewer being interpreted falsely to customers as viruses.
    I also worked as an answer desk for Office (Microsoft) before and we do not call customers unless they have an open escalation ticket.

  • Phillip Remaker

    Here are a few more potential scammer numbers that pretend to be HP for HP printer support. They log on to the machine and invent viruses that aren’t there and try to get your credit card.

    888-308-9454
    866-376-9043

    If they call back it comes from 800-243-0389.

    All of these numbers should be blacklisted.

  • Iamastinky Douchebag

    These criminals are committing cyber-terrorism. This is justification for our FBI, CIA, NSA to engage in a little bit of cyber-warfare, take out a few of their systems, and have bastards reap what they sow!

  • jessy cabrera

    I fell for the scam guys. I called them after my computer kept freezing, which I now realize was because of a virus (astromenda or something of that sort). I called them up because I saw an app that said PC Tech Hotline and I was desperate. Once I called them up they explained to me they needed remote control of my computer and so I trusted them and gave it to them. They then proceeded to show me all that fake misleading stuff and I got really scared. They convinced me to pay 300 dollars to be secured for 8-9 years on my PC. I told a friend as soon as I paid and he said I was an idiot for what I had just done. He told me to look up PC Tech Hotline and I found this site, and I literally just discovered I was scammed 2 minutes before writing this. What do I do now guys? (btw just deleted every virus off my computer which solved the freezing problem)

  • mikmouse@aol.com

    A person with an Indian accent called me, supposedly from California, to help me clean up my computer as he allegedly worked with HP care (there were other voices from the background, obviously a call centre), gave me his phone number 675 268953, apparently named Steve Semterol (or something like that). Persuaded me to check my PC, since on the phone I considered to be safe… and led me to see a screen on my PC which displayed hundreds of “risks” and warnings… then asked me to input “9826743” number — but I knew he wanted to take the control of my PC and told him the call was finished, that I would rather afford control of my PC to a recognized, confirmed and reputable company… and asked him if he would give access to his PC to someone who just calls him on the phone… THANK GOD I did not fall for this one, and I do consider myself “streetwise”… then I called real HP company whose technician tried to tell me my McAfee protection is inadequate, that some “yogi” program would for over $180 per year save me much trouble… but I also ended the call saying that for that much money I can purchase a new PC…

  • Tom

    I found this number for Yahoo support, but it turns out to be a scam exactly as described in this article.

    8005635508

  • TankGirl✫

    I had heard about this scam last year from my husband. They call his grandmother often, so thank goodness she has a tech-savvy grandson. A few weeks ago I answered my 9-year-old son’s phone only to hear the familiar canned speech most everyone in this thread has heard. I even made him repeat it just to be sure. I was armed with my prior knowledge of the scam, coupled with the fact that he was calling my son’s phone, so I pretty much told him to take a hike. I can’t remember all of what I said to the scum bag scam artist, but I’ve thought of tons of things I wish I had said since then. Which leads me to a question: what WOULD be a good reply? I’ve imagined saying that he should call my husband about it and give the caller the phone number to the local Sheriff’s office.

  • Moder Chod

    this is how Indians operate, they are born liars and thieves, out to steal from you any chance they get. Their thinking, is that if they are robbing you, then they are doing their “job”

  • Jman

    There’s some kind of online “myspeedypc[dot]com” (can’t remember if that’s the site name) had a TV commercial saying “do you have a slow PC? Call us now, we’ll scan your system (shows a picture of a VB antivirus probably on XP) and BAM! the viruses are gone! Go to myspeedypc[dot]com!” Notice how they go from “slow PC” to “virus”. I don’t know if myspeedypc[dot]com is the exact site name but if you see a commercial similar to that one and tells you to go to a link something like myspeedypc[dot]com then check it out.

  • Prof321

    A big culprit is a company called Elfinam Technologies. They called me saying my computer had been hacked. I regret I took the bait, but after a lot of talking and writing it turned out they were scam artists. So I had my Visa charges reversed. After that I contacted Microsoft, with which I have a service contract. The tech there cleared out my overfilled cache and deleted malware that I believe Elfinam put on my computer. Yes, I know I was an idiot to fall for this scheme, but I want to warn everyone about it.