Support Scammer Anna’s CLSID confusion

[I've removed some links and registration data from this article that are no longer current. David Harley, November 2013.]

Another day, another support scam call. It appears that one of my PCs has been sending out messages to India again about system problems. I don't know why it would rather talk about its problems to a call centre in Uttar Pradesh rather than just pop up an error message to me. Does it feel I'm working it too hard? ;-)

‘Anna’ claimed to be from Global PC Helpline, and gave me a UK phone number – 0800-0148910 – which did indeed correspond to a page for the UK claiming to belong to a company of the same name. 15 months on, however, that URL is unreachable. (That number has been reported many times on services like Who Calls Me? as being cited by scammers as a number to ring them back on, but at least one company has claimed in the past that scammers are maliciously directing victims to use its helpline number to call back on.) ‘Anna’ also told me that my PC was sending out messages about system errors, and tried to pull the CLSID gambit on me, then put the phone down when she realized I wasn’t buying it and I tried to get her to tell me what she thought the ASSOC command really does.

While this was clearly a scam call, I can’t, of course, prove beyond all doubt that she was really calling from Global PC Helpline, and in fact Caller ID was disabled (as is usually the case – calls show as International or Withheld when I receive them).

However, a quick look at the GPCHL website, if they’ll excuse the familiarity, shows that it includes some interesting features. While the company is claimed to have been founded in Magnolia TX in January 2009, whois data at the time this article was posted were not exactly consistent with that claim, the domain being registered with a company in India. The whois registration data for that domain have since changed: the data are published via Domains By Proxy, so we don’t know the identity of the current registrant.

Anna also told me she was in India, when she was still answering my questions.

The site claims, among other services, to offer support for a number of well-known antivirus products. I particularly liked the first sentence of a section on support for McAfee products:

Our certified technicians provide you immediate help and best possible solutions for Norton Antivirus.

I’m not sure whether that means that McAfee and Symantec are closer friends than anyone realized. Or does it mean that McAfee detects and removes Norton? Perhaps the AV industry is more competitive than I’d realized.

The site has a number of more serious problems:

  • unfinished stub pages (I can’t wait to find out what Smart Phone Support is, unless it turns out to be Anna, in which case there may be a Trade Descriptions issue)
  • invalid security certificate messages
  • a Facebook page that claims the company was founded in Foley TX. Not exactly round the corner from Magnolia TX. That Facebook page has now disappeared.

Any Texas Rangers reading this who can help this confused company sort out its real location?

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Author David Harley, ESET

  • Aaron

    As usual, what a great post David! Keep up the excellent investigations exposing such scammers and never lose your sarcastic writing style. It is informative while entertaining, which is most appreciated.

    • David Harley

      Thanks, Aaron. :)

  • Allan G. Hitchmoth

    August 20, 2012.
    Got a frantic voice-mail from my sister-in-law about a call from a woman named "Shivi", or some such, stating that she was with "Global PC Personal Computer Help Line". The number she gave was 1-800-986-4764, and does indeed correspond to a company with the URL of ". The woman claimed that Microsoft was reporting that my sister-in-law's machine was reporting errors and had her go to the command prompt and check the screen. Of course, once the woman read back the CLSID, she was amazed and really thought she had a problem. She also, in her befuddlement, completely forgot the "ASSOC" command the woman instructed her to issue once at the prompt. (That's why it took me so long to realize what number the woman "read back" to her.) Luckily, she told the woman that she wanted HER computer guy to check it out before going any further. It took me a while to decipher exactly what the steps were that the woman walked her through, but it was this very CLSID scam!
    For informational purposes, the URL is registered through GoDaddy,
     Domain Name: GLOBALPCHELPLINE.COM
          Created on: 18-Dec-10
          Expires on: 18-Dec-13
          Last Updated on: 15-Jul-12
     
    The rest is useless as it pertains to DomainsByProxy.
    I have no idea if this is a legitimate company whose information is simply being exploited, or if they're the scammers themselves. Either way, it seems this little gem is about to make the rounds again!
    Thanks for the blog, David!
    Great job!
    I now have something to which I can point when explaining the scam and (hopefully) forewarning my clients.
    All the best!
    -Al

    • David Harley

      Thanks, Allan. It’s always good to have data on specific sites.

  • Mrs Rosemary Bamford

    Had a similar call today from 'John Thompson', very strong Indian accent.  This is the first time we've had an address which sounds even plausible (my husband likes to string them along).  It's been a bit quiet recently but for well over a year we've had variations on this, perhaps twice a week.  I have a post grad. in Computer Science but this doesn't seem to daunt them at all.

  • Suzy

    Yep – just received the call. Said she was from Online PC Advisor. I had her on the phone for about 10 minutes, and she tried to get me to sit at the computer in question. I said that someone else in my family was using it right now, so the timing wasn’t convenient. I asked for a phone number and an ID number for them to verify that they knew who I was and they gave the 800-986-4764 number and the same 00C04FD7D062 ID#. I told them I would Google their company and call them back if it was legit, and she immediately hung up on me. It was very difficult to understand her accent, and she was very insistent that I should do something fast, as they were receiving many error messages to their server. Don’t fall for their bully tactics. ALWAYS verify and say you will call back. ALWAYS.

  • janifair

    Just got off the phone with Rosalyn from “Windows Support” trying to gain access to my system saying they were receiving ERROR messages, etc…using same 00C04FD7D062 CLSID #. She gave this number to call back for verification 1-800-806-0762
    So, I called back and got her on the line after googling your site…thanks! My scolding about preying on a single mom of 4 kids who makes a living on my computer probably fell on deaf ears, but I felt better!
    My question is: I DO actually have ERROR messages on Event Viewer…are these real threats? If so, who do I call to fix.
    Thanks!

    • http://dharley.wordpress.com/ David Harley

      Event Viewer often does show ‘errors’, but they’re usually transient glitches rather than persistent errors, and unlikely to indicate the presence of malware attacks. The utility is only really of use (sometimes) to real tech support people (or _very_ knowledgeable users) researching a possible problem. And, of course, to scammers. :(
