Fake Support, And Now Fake Product Support

[Update: there is now a well-considered response from Avast! on its blog here.]

There's a blog article I've been wanting to write for a few days, but haven't so far been able to make time for. However, Martijn Grooten drew my attention to a blog on much the same topic from our friends at Avast! and one of ESET's partners alerted me to a very relevant and related post by Brian Krebs, so I've pushed it to the top of the stack.

I first became aware of the plague of Indian companies operating PC and anti-virus support scams because one of our competitors advised me that one of them was apparently carrying out unethical marketing on ESET's behalf. (They weren't, of course, anything to do with ESET: see this blog series and this paper.)

I recently learned from my colleagues at ESET UK that cold-callers from Mumbai have developed a new twist on this cold-calling scam, calling people in the UK and apparently claiming to offer paid support in response to problems that don't exist, because, they claim, "ESET doesn''t offer free support." (Don't panic! For genuine ESET customer support, there are contact details on the web page for the ESET partner or distributor responsible for the region in which you live.)

It appears from a recent Avast! blog that Avast! customers are suffering a similar experience, 'receiving phone calls from “Avast customer service” reps who need to take control of their computer to resolve some issue and who, for a fee, wish to charge them for this privilege.' Unfortunately, according to Brian Krebs, "users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast’s customer support." (The relationship is confirmed by an Avast! blog here.)

While someone describing himself as the co-founder and president of marketing at iYogi has strongly denied any connection with the usual gang of out-and-out scammers, the use, as described by Krebs, of the Event Viewer ploy characteristic of Indian support scams means that iYogi is going to have to work hard to prove its innocence. My guess is that if Avast!, a company with an excellent reputation previously, discovers that iYogi is indeed operating on the side of the non-angels, heads - and outsourcing contracts - will roll.

Support services for anti-virus products obviously vary according to vendor and product. Free one-to-one support may not be available for free products, and other support may range from free but basic, to cattle-class, to business class or de luxe. However, reputable security companies do have standards that should apply at all points on the spectrum:

• They don't make unsolicited phone calls to tell you about viruses you don't have. Sorry, but I can't guarantee that you won't get marketing calls  but they should be within acceptable legal and ethical boundaries, and that doesn't include pretending to see malware on a system they don't have access to.
• They won't use nasty semi-fraudulent techniques to "prove" you have a virus problem like telling you that Event Viewer, or ASSOC (the CLSID trick described here), or "Prefetch virus" or INF is listing malicious files. (Those last two tricks are now summarized in a separate blog article here.)
• If you're subscribed to some form of premium package that attracts a subscription rate, they're not likely to try to gouge even more cash or financial data out of you by ringing you up to scare you to death.
• They won't try to get direct access to your system free versions of commercial remote access software so that they can upload various free/limited functionality security packages: if a professional AV company needs access to your machine, they won't do it by misusing free licences for another company's software.

Unless, of course, they partner with a support organization that doesn't see the difference between legitimate marketing and outright misrepresentation and fraud. If Avast! has, in fact, fallen into that trap, they have my sincere sympathy. But it will be hard for them to recover from that misstep, and the reputation of the rest of the AV industry has also taken a blow. We can only hope that some good will come out of this, like real progress on effective legal action against support scams.

Paying for third-party support for a free product may sound like a good idea in principle, since AV companies don't don't normally offer one-to-one support for free products. But it's generally safer to upgrade to a paid version, especially if you already suspect that you have malware on your system. The problem here is that sometimes people don't get AV until they have a problem, and at that point, saving money with a free solution may be a false economy.

Cold-calling (or spamming support forums) to offer paid support for products that already offer free support to paying customers may not sound particularly ethical (well, it doesn't to me). Worse, it may actually cause damage to your system which may even, depending on the vendor and the actual circumstances, compromise your ability to get the legitimate support you've already paid for. But it isn't necessarily fraudulent. (Or illegal, though it may go against privacy legislation covering "Do Not Call" lists, for example, though if the Krebs story is correct, the existence of a pre-existing support relationship may be used to get round that. And unfortunately, cold-callers from India tend to ignore local do-not-call lists: in fact, some legitimate companies seem to be taking advantage of offshored support to bypass such lists.)

But if the call is made on the basis of reports of malware that you don't have, or at some stage the caller tries to persuade you that utilities like  INF, PREFETCH, ASSOC and EVENTVWR are proof that you have malware issues, the intent is clearly fraudulent.

Personally, I'd suggest that you regard any unsolicited phone call from a company claiming to offer antivirus support, even for a product you actually have, as a probable scam.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow