Support Scams On The Rise (1)

Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland, contributed an article to ESET's July ThreatSense report about support scams. Since this is an issue that is still being under-reported, we thought it was worth reproducing, with the urbane Mr. Schrott's permission, on the blog.

While we're on that topic, there's a video worth watching here, where our friends at Symantec carried out a conversation with one of the companies claiming to offer support. (Thanks Eric Chien for drawing my attention to it.)

Thanks also to my friend and colleague Aryeh Goretsky for pointing out that Innovative Marketing Ukraine (IMU), a notorious purveyor of scareware (fake AV, not just cracked or pirated security software) seems to have had hundreds of employees:

Thanks also to McAfee's Toralv Dirro for his further insights into IMU's operation. (That's a topic I may come back to in another context.) And to Alan Thake and his colleagues at ESET UK, who have contributed vastly to my own knowledge of this scam. And not least, and not for the first time, to Steve Burn.

OK. That's me done. Take it away, Urban.

Several months ago, reports started coming in from our ESET Ireland tech support staff and on online forums, that people are receiving unusual phone calls. These are calls from people claiming to represent online computer repair services, with various generic names such as PC Support, PC Doctor, Online PC Repairs, etc, and offering to“fix” someone’s computer.

This sort of scam has been going on quietly since 2008, but has hit big this year. Worst affected, of course, are English speaking countries (and some sites and crimefighting institutions' public warnings have already been set up in the UK, USA and Australia), but cases have also been reported in countries with other languages.

Usually the caller says they have MCSEs (Microsoft Certified Systems Engineers) and Cisco Certified engineers available and offers to fix and optimise the computer remotely and clean it of any malware. The hesitant “customer” is told his system is probably riddled with worms and viruses, and is given simple instructions on how to open the Event Viewer and look for errors and warnings.

As the Event Viewer is a reporting tool and therefore usually flags frequent but usually non-critical errors and warnings anyhow, this looks convincing enough for most computer-wary victims to lend the caller an ear, believing that something may actually be seriously wrong with their computer, and being all too ready to believe that their antivirus has let them down.

The  victim is then usually instructed to access a certain website with Internet Explorer (which is more likely to be targeted for exploits) and download components needed to remotely “fix their computer”(and we all know what that can entail). But to add insult to injury, the victim is asked for credit card details to pay for the procedure and then offered an extended "Warranty Service" at serious prices, such as 1 year for €99, 2 years €189, or 3 years €289 in some of the reported cases.

A number of similar stories come from the UK. In one case, the caller claimed to belong to a Microsoft-affiliated organization called "Support One Care" and had contacted a prospective victim to tell her that her PC was infected, her AV was out-of-date, and that for a one-off fee of £79 they would install a better product and give her a year's support. But in this case, unlike the above “no-name” magical solution, they claimed that the product they would be installing would be ESET's. And while "Support One Care" is a real India-based company, upon contact, they claimed to have nothing to do with the phone calls.

Investigation by ESET researchers in the US, Ireland and the UK, in consultation with independent researcher Steve Burn, law enforcement and other agencies, has thrown up a number of similar cases, nearly all of them traced back to companies based in Kolkata, India. And sure enough, cracked/pirated versions of ESET software have been installed by the scammers, though of course, being illegitimate copies, they have failed to work. This has led to a number of requests for support being placed with real ESET support desks. We can’t tell how many similar scams have used or claimed to use products from other legitimate companies, but as we are aware of many sites offering cracks for other companies, it may be that reports to ESET are just the tip of a mighty iceberg.

So, what we’re seeing in these and many other similar cases is a further personalisation and development of computer-related criminal activity. Evidently it is proving financially sound for cyber-criminals to set up call centres with own personnel, then cold call and bait their way through long lists of phone numbers all over the world, making some easy income in the process.

>> Part 2

Author David Harley, ESET

  • Sally Capell

    So… Online Support PC supposedly based in Melbourne (phone number 0390086240) cold called  my neighbour and proceeded to offer assistance and point out issues. Luckily he got a bit suspicious and pulled out of the conversation.  Beware….. 

  • Zanna

    I just got a phone call from 'Online Support PC' claiming they had been informed by unnamed sources that my PC had been infected with malicious spyware.  I asked to speak to his supervisor as I am on the 'no call list' and he refused.  He even gave me an ABN number – I haven't checked if it's fake yet.  He had a thick accent and he assumed that I was sitting in front of my computer at the time and got cranky with me when I said I wasn't and I wouldn't.  I then proceded to inform him that I am currently in Brisbane on the day of some of the worst floods in decades and that people were dying and I was not going to 'fix' my computer, and he hung up on me.  No one in Australia would not know about these events today, surely.

    • David Harley

      Thanks, Zanna. For non-Australians, an ABN is an Australian Business Number. I’ve come across a web site with the same name that seems to be administered by a company in Mysore. I’m looking for more information.

  • Matt Webster

    I just had a great call from these guys. After giving them a mouth full, i had a chat with them about this scam, they scam around 100 people day. So make sure you tell every one you know, make sure you give your grand parent a heads up.

  • Wayne Blake

    I was on the my laptop when I received page came on screen say that I had viruses/threats.  It looked like the one that shows to ESET (the company I use) and it said to start removing the threats.  So I clicked on remove and it started to scan the threats.  When it came to the end to remove them another window opened  with a page to buy their antivirus program (MS Tools).  It has now over taken the ESET program and I can not remove the threats.  I know this is a bogus company but how do I get ESET back to help me clean up the computer?

  • Stuart Kohm

    I received a suspicious call from a person with an Indian accent claiming to be from windows tech support…after reading this web page I realize that this call was one those tech support scams.I foolishly downloaded there software.I deleted it immediately after he asked for a credit card number.The software goes by the name zero bit.

  • John

    They scammed me out of $125, they trick you into giving them your credit card information then make it look like they are doing work when what they are really after is your credit card. I watched everything they did, they did not find any viruses or infected files, they installed a bunch of free programs ran them then turned off my computer. 
    I talked to my computer tech today and he said it is a scam and many people have come in with their computers because of this scam, he also said the inf folder is full of necessary files your computer NEEDS, they are NOT infected files.  DO NOT TRUST THEM, ONLINE SUPPORT PC IS A SCAM.  Do NOT believe their lies. 
     

  • socalbrew

    Just received a call (I am from California) from an Indian accented "technical support person" who claimed he was from Support One Care and was calling in behalf of Microsoft to remove viruses and infected files on my hard drive.  He needed for me to get on my computer so he could show me my problems.  I refused and then had a heated exchange with him, saying that I am starting with the premise that he was lying to me and is a scammer, so it was up to him to prove to me who he was and that he and his company were legitimately affiliated with Microsoft.  He gave me an 1-888-408-6651 number to call to verify that he was from Support One.  However, when I reversed looked up this number nothing was found (strange given that he said they are a legitimate company with seven years of doing business for Microsoft.  He also said his name was "Ryan Wills" hardly believable given his thick almost incoherent Indian accent.   Had a good fifteen minutes having fun with him.  This being December 2011, this company is obviously alive and well and doing business here in southern California.

  • william mulligan

    hello my sister-in-law fell for this and what can we do to help her fix it
     

    • David Harley

      We can’t really give one-to-one support on the blog, and we usually refer product support queries to the Support tab on the main ESET page: I haven’t actually been through the process of cleaning a system compromised in this way, and a step-by-step isn’t practical without knowing exactly was done on this occasion.

      You could try telling them you know you’ve been scammed and demand your money back. From time to time, that actually works, apparently. More probably, they’ll argue and bully: if so, just drop the call. Shut down the system while you’re talking to them, or disconnect from the internet. Obviously, talk to the credit card provider, and see if they have advice.

      You probably need to get whatever remote access software they used (mostly seems to be ammyy.com or logmein.com s/w) off the compromised system. Actually, it’s probably not infected as such (they’ve probably used free versions of legitimate utilities rather than malware) but I’m not sure how easy it is for these guys to use it without your knowledge. You should be able to do that from the install/uninstall control panel. If you can’t, get help from someone local.

      If she doesn’t have AV (or has something they’ve installed for her) try one or two online scans: if they come up clean, the chances are that there’s nothing actually malicious on there. (In general, these guys take your money for doing nothing much, rather than introducing deliberate infection.) We have a free online scanner (www.eset.com/home/products/online-scanner/) as do other companies but you should install a proper PC-hosted scanner as well (probably better to do that afterwards). Perhaps a full internet security suite rather than just AV. It doesn’t have to be ours, of course, but we happen to think it’s pretty good.

      I can’t guarantee this will fix it, but those are approximately the minimum steps that a real support tech would take. It’s probably worth getting in a local professional if you’re not confident wtith the technology yourself. And try to get essential data backed up first.

  • smart cookie

    Evidently Support One Care is calling oregon today as I received on of their calls. same story as others share and I was given the 888-408-6651 number as well. why anyone would let some stranger who calls access their computer is beyond my comprehension.
    what I didn't see in your blog was any suggestions on reporting these scams. Is there no hope in shutting them down?

    • David Harley

      I can and do pass on some information locally (i.e. in the UK) to people who can sometimes take effective action, but there is no global authority to whom I can direct you, unfortunately. You can, of course, report them to law enforcement locally. I’m working on establishing better links with law enforcement and putting up more information on a public site that LE can draw upon.

  • Larry Anderson

    I have registered my two computers with my complete foolishness. They screwed my computer number of times. Ari the guy called himself a supervisor, he is rude, even dont know the professional ethics.

    What I found they take money and provide support as a show off. They will offer you free edition of anti-virus, like Avast and AVG free.

    Even I found a very interesting thing that this company has two websites, supportonecare/com and mypccare.com. Even  they sale same this to same customers from this two different websites.

    I got a call from Ari and George. Ari initiated the call and transferred the call to George last Sunday(4th march).  They said Zeal IT solution will close there business so you have to pay money to the new company. To check their intention I have agreed, they took me to Western Union and asked to pay $339 for three years in the name of Preet Mukherjee. I don't know who is this guy. they said he is financial head. I have sent an email to . Still I am waiting for their reply.

    I know this voices very well. I am 100% sure about the guys who called me they were from mypccare or supportonecare.

    So don't go for them you will pay once but they will use the two website tricks and western union trick.

  • LINDA DENVER

    This just happened to me TODAY 8/31/2012!!!!  It is still out there! The fellow calling has such a STONG accent that I asked for someone else to talk to me.  I could understand enough to think that my computer was in danger.  He gave me his manager, who wasn't much better.  The red flags and yellow exclamation points had me worried, stupid me, and I was going along with it.  Until he started talking about purchasing an extension of my warrantee.  By this time, I had spent over 30 minutes with them.  I told him I wasn't purchasing anything without talking to my husband first.  I finally told him that I resented having my time spent on a sales pitch and asked for a phone number to call if we wanted to purchase.  I still hadn't figured what was going on.  Finally, I ended the call and called my son who is a computer tech.  He is the one who told me it was a scam. 

  • Gerry

    Yep, they're still trying. Just got a call from someone with a thick Indian accent called Rose at Online PC Support, who claimed my computer was generating errors on their server. But I've been approached by these people before, and know about the scam. As I raised more objections Rose became more and more shrill, and eventually hung up when I asked for a phone number so I could hand it on to the police.

  • Gerry

    Meant to add that I'm in Sydney Australia

  • Carolyn B

    I used Supportonecare.com for over a year and had good results.  However, I can't reach them on the 1-888-408-6651 phone number and a recording states,number unavailable at this time.  Stupid me. I have another year + an additional promo year to go. Paid for three, got one… Will I ever learn?  Anyone else having the same problem or able to admit it?
    I guess the Lord passed me by when it came to the reasoning department in this matter.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

14 articles related to:
Hot Topic
06 Aug 2010
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.