ESET Threat Blog
David Harley

Support Scams On The Rise (1)

by David Harley, Senior Research Fellow
August 6, 2010 at 5:39 am

Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland, contributed an article to ESET's July ThreatSense report about support scams. Since this is an issue that is still being under-reported, we thought it was worth reproducing, with the urbane Mr. Schrott's permission, on the blog.

While we're on that topic, there's a video worth watching here, where our friends at Symantec carried out a conversation with one of the companies claiming to offer support. (Thanks Eric Chien for drawing my attention to it.)

Thanks also to my friend and colleague Aryeh Goretsky for pointing out that Innovative Marketing Ukraine (IMU), a notorious purveyor of scareware (fake AV, not just cracked or pirated security software) seems to have had hundreds of employees:

Thanks also to McAfee's Toralv Dirro for his further insights into IMU's operation. (That's a topic I may come back to in another context.) And to Alan Thake and his colleagues at ESET UK, who have contributed vastly to my own knowledge of this scam. And not least, and not for the first time, to Steve Burn.

OK. That's me done. Take it away, Urban.

Several months ago, reports started coming in from our ESET Ireland tech support staff and on online forums that people were receiving unusual phone calls. These are calls from people claiming to represent online computer repair services, with various generic names such as PC Support, PC Doctor, Online PC Repairs, etc., and offering to “fix” someone’s computer.

This sort of scam has been going on quietly since 2008, but has hit big this year. Worst affected, of course, are English speaking countries (and some sites and crimefighting institutions' public warnings have already been set up in the UK, USA and Australia), but cases have also been reported in countries with other languages.

Usually the caller says they have MCSEs (Microsoft Certified Systems Engineers) and Cisco Certified engineers available and offers to fix and optimise the computer remotely and clean it of any malware. The hesitant “customer” is told his system is probably riddled with worms and viruses, and is given simple instructions on how to open the Event Viewer and look for errors and warnings.

As the Event Viewer is a reporting tool, it routinely flags frequent but usually non-critical errors and warnings anyhow, so this looks convincing enough for most computer-wary victims to lend the caller an ear, believing that something may actually be seriously wrong with their computer, and being all too ready to believe that their antivirus has let them down.

The victim is then usually instructed to access a certain website with Internet Explorer (which is more likely to be targeted for exploits) and download components needed to remotely “fix their computer” (and we all know what that can entail). But to add insult to injury, the victim is asked for credit card details to pay for the procedure and then offered an extended "Warranty Service" at serious prices, such as 1 year for €99, 2 years €189, or 3 years €289 in some of the reported cases.

A number of similar stories come from the UK. In one case, the caller claimed to belong to a Microsoft-affiliated organization called "Support One Care" and had contacted a prospective victim to tell her that her PC was infected, her AV was out-of-date, and that for a one-off fee of £79 they would install a better product and give her a year's support. But in this case, unlike the above “no-name” magical solution, they claimed that the product they would be installing would be ESET's. And while "Support One Care" is a real India-based company, upon contact, they claimed to have nothing to do with the phone calls.

Investigation by ESET researchers in the US, Ireland and the UK, in consultation with independent researcher Steve Burn, law enforcement and other agencies, has thrown up a number of similar cases, nearly all of them traced back to companies based in Kolkata, India. And sure enough, cracked/pirated versions of ESET software have been installed by the scammers, though of course, being illegitimate copies, they have failed to work. This has led to a number of requests for support being placed with real ESET support desks. We can’t tell how many similar scams have used or claimed to use products from other legitimate companies, but as we are aware of many sites offering cracks for other companies, it may be that reports to ESET are just the tip of a mighty iceberg.

So, what we’re seeing in these and many other similar cases is a further personalisation and development of computer-related criminal activity. Evidently it is proving financially sound for cyber-criminals to set up call centres with their own personnel, then cold call and bait their way through long lists of phone numbers all over the world, making some easy income in the process.

>> Part 2


11 Responses to “Support Scams On The Rise (1)”

  1. Sally Capell Says:

    So… Online Support PC supposedly based in Melbourne (phone number 0390086240) cold called my neighbour and proceeded to offer assistance and point out issues. Luckily he got a bit suspicious and pulled out of the conversation. Beware…..

  2. Zanna Says:

    I just got a phone call from 'Online Support PC' claiming they had been informed by unnamed sources that my PC had been infected with malicious spyware. I asked to speak to his supervisor as I am on the 'no call list' and he refused. He even gave me an ABN number – I haven't checked if it's fake yet. He had a thick accent and he assumed that I was sitting in front of my computer at the time and got cranky with me when I said I wasn't and I wouldn't. I then proceeded to inform him that I am currently in Brisbane on the day of some of the worst floods in decades and that people were dying and I was not going to 'fix' my computer, and he hung up on me. No one in Australia would not know about these events today, surely.

  3. David Harley Says:

    Thanks, Zanna. For non-Australians, an ABN is an Australian Business Number. I’ve come across a web site with the same name that seems to be administered by a company in Mysore. I’m looking for more information.

  4. Matt Webster Says:

    I just had a great call from these guys. After giving them a mouthful, I had a chat with them about this scam; they scam around 100 people a day. So make sure you tell everyone you know, and make sure you give your grandparents a heads up.

  5. Wayne Blake Says:

    I was on my laptop when I received a page that came on screen saying that I had viruses/threats. It looked like the one that shows to ESET (the company I use) and it said to start removing the threats. So I clicked on remove and it started to scan the threats. When it came to the end to remove them another window opened with a page to buy their antivirus program (MS Tools). It has now overtaken the ESET program and I can not remove the threats. I know this is a bogus company but how do I get ESET back to help me clean up the computer?

  6. David Harley Says:

    @Wayne, we can’t offer support through the blog, I’m afraid. You need to contact tech support at http://www.eset.com/support/contact.

  7. Stuart Kohm Says:

    I received a suspicious call from a person with an Indian accent claiming to be from windows tech support… after reading this web page I realize that this call was one of those tech support scams. I foolishly downloaded their software. I deleted it immediately after he asked for a credit card number. The software goes by the name zero bit.

  8. John Says:

    They scammed me out of $125, they trick you into giving them your credit card information then make it look like they are doing work when what they are really after is your credit card. I watched everything they did, they did not find any viruses or infected files, they installed a bunch of free programs ran them then turned off my computer. 
    I talked to my computer tech today and he said it is a scam and many people have come in with their computers because of this scam, he also said the inf folder is full of necessary files your computer NEEDS, they are NOT infected files.  DO NOT TRUST THEM, ONLINE SUPPORT PC IS A SCAM.  Do NOT believe their lies. 
     

  9. socalbrew Says:

    Just received a call (I am from California) from an Indian accented "technical support person" who claimed he was from Support One Care and was calling on behalf of Microsoft to remove viruses and infected files on my hard drive. He needed for me to get on my computer so he could show me my problems. I refused and then had a heated exchange with him, saying that I am starting with the premise that he was lying to me and is a scammer, so it was up to him to prove to me who he was and that he and his company were legitimately affiliated with Microsoft. He gave me a 1-888-408-6651 number to call to verify that he was from Support One. However, when I reverse-looked up this number nothing was found (strange given that he said they are a legitimate company with seven years of doing business for Microsoft). He also said his name was "Ryan Wills", hardly believable given his thick almost incoherent Indian accent. Had a good fifteen minutes having fun with him. This being December 2011, this company is obviously alive and well and doing business here in southern California.

  10. william mulligan Says:

    Hello, my sister-in-law fell for this. What can we do to help her fix it?
     

  11. David Harley Says:

    We can’t really give one-to-one support on the blog, and we usually refer product support queries to the Support tab on the main ESET page: I haven’t actually been through the process of cleaning a system compromised in this way, and a step-by-step isn’t practical without knowing exactly what was done on this occasion.

    You could try telling them you know you’ve been scammed and demand your money back. From time to time, that actually works, apparently. More probably, they’ll argue and bully: if so, just drop the call. Shut down the system while you’re talking to them, or disconnect from the internet. Obviously, talk to the credit card provider, and see if they have advice.

    You probably need to get whatever remote access software they used (mostly seems to be ammyy.com or logmein.com s/w) off the compromised system. Actually, it’s probably not infected as such (they’ve probably used free versions of legitimate utilities rather than malware) but I’m not sure how easy it is for these guys to use it without your knowledge. You should be able to do that from the install/uninstall control panel. If you can’t, get help from someone local.

    If she doesn’t have AV (or has something they’ve installed for her) try one or two online scans: if they come up clean, the chances are that there’s nothing actually malicious on there. (In general, these guys take your money for doing nothing much, rather than introducing deliberate infection.) We have a free online scanner (www.eset.com/home/products/online-scanner/) as do other companies but you should install a proper PC-hosted scanner as well (probably better to do that afterwards). Perhaps a full internet security suite rather than just AV. It doesn’t have to be ours, of course, but we happen to think it’s pretty good.

    I can’t guarantee this will fix it, but those are approximately the minimum steps that a real support tech would take. It’s probably worth getting in a local professional if you’re not confident with the technology yourself. And try to get essential data backed up first.
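
The check for leftover remote access software described in the last comment, as an added example that is not part of the original post or its comments. It lists what the install/uninstall control panel would show, plus running processes and services, since a tool that runs without being installed leaves no uninstall entry; the name patterns are an assumption drawn from the two products mentioned above.

```powershell
# Added example (not ESET's or the commenter's own procedure).
# Name fragments for the remote-access tools named in the comment above.
# Assumption: extend this list for any other tool the caller asked for.
$patterns = 'ammyy', 'logmein'
$regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Uninstall entries: per-machine (64-bit and 32-bit views) and per-user.
# These are the entries the install/uninstall control panel is built from.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $regex -or $_.Publisher -match $regex } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString

# A tool that was only downloaded and run has no uninstall entry,
# so also look at what is running right now.
$running = Get-Process |
    Where-Object { $_.ProcessName -match $regex -or $_.Path -match $regex } |
    Select-Object ProcessName, Id, Path

# Services matter most: they restart the tool after a reboot.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match $regex -or $_.PathName -match $regex } |
    Select-Object Name, State, StartMode, PathName

'--- Installed programs ---'; $installed | Format-List
'--- Running processes ---';  $running   | Format-Table -AutoSize
'--- Services ---';           $services  | Format-List

if (-not ($installed -or $running -or $services)) {
    'No matching remote-access software found for the listed patterns.'
}
```

Run it from an elevated PowerShell prompt so that process paths and all services are visible; an empty result only covers the listed name patterns.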
