August 11, 2014, 3:50 PM — Not every Windows tech support scam starts in India, not every scammer speaks in heavily-accented English, a security company said today.
In a new trend, scams have gone home-grown, said Malwarebytes on Monday, with twists that include bogus warnings driven by malicious websites that urge users to call a toll-free number.
"This is the first instance [of a Windows support scam in the U.S.] on this scale that I've found," said Jerome Segura, a senior security researcher with San Jose, Calif.-based Malwarebytes. "Most scammers are in India, but we wanted to expose this because they're harming U.S. customers, who will feel more comfortable with a [native] English speaker."
Segura, who said he has been tracking fraudulent support schemes for the last 18 months, stumbled across the latest operation while investigating violations of Malwarebytes' software licensing. Previously, the company had found other borderline businesses illegally selling its security software.
Segura tracked down the company responsible for the latest licensing theft, which he said had used a pirated activation key to install Malwarebytes Anti-Malware Premium more than 2,300 times in the past few months.
He identified E-Racer Tech of the Boca Raton, Fla. area as the firm that not only purloined Malwarebytes' software, but charged customers $99 for the stolen program. Malwarebytes sells a one-year subscription to the same software for $25, and allows customers to install it on up to three PCs.
But the licensing issue, said Segura, was "just a byproduct" of his real investigation, which was to expose the scam E-Racer Tech was conducting.
Rather than cold-call victims -- most India-based scammers blindly dial telephone numbers, figuring that most people who answer will have a Windows PC -- E-Racer relied on fake alerts. The warnings, which were embedded in fraudulent websites, those sites often tied to URLs that might appear in search results for Windows errors, scream "Warning! Your computer may be at risk. For emergency Tech Support call immediately." A toll-free number is prominently displayed.
Malwarebytes found examples of the phony alert on several domains.
The warnings were totally bogus, a point made clear as soon as they were viewed on a Mac running Apple's OS X: They were unchanged, even though the notices claimed the system was infected with malware that targets only Windows. To add to users' anxieties, some of the sites played a short audio file in the background that resembled an ominous hum, as if something was wrong with the computer.
Although the warnings don't resemble traditional Windows alerts, they are convincing enough to prompt some to call the toll-free number.
Which is just what Segura did.
"I called the number, and the person who answered sounded American," said Segura in an interview. "I was even more surprised when he told me that my clean computer had viruses, and said 'It's almost like a cancer. It's just going to spread.'"
The technician from the "help desk" used Windows Event Viewer, a log of recent, normal operations in the OS, to try to convince Segura that his PC had 127 infected files -- in reality, there were none -- and then pitched a $199 package that included "virus removal" and "computer cleaning" services, as well as a pirated copy of Malwarebytes Anti-Malware Premium.
Support scams like the one Segura uncovered have become more than just irksome, but a plague on computer users everywhere.
One of several fake Windows infection warnings that Malwarebytes uncovered being used by a U.S.-based tech support scam scheme. The Web-based alert was bogus: It showed the same message when viewed on a Mac, which is immune to the malware listed. (Image: Malwarebytes.)
The shakedowns rely on a combination of bald-faced lies, half-truths and pushy sales tactics. Cold callers pose as computer support technicians, most often claiming to be from Microsoft or an approved partner, and try to convince victims that their computer is infected, usually by having them look at a Windows log that typically shows scores of harmless or low-level errors, but have nothing to do with malware. At that point, a frenzied sale pitch starts, as the caller badgers the user into downloading software or letting the "technician" remotely access the PC to "clean" the machine.
The fraudsters charge for their worthless help or sell subscriptions to semi-useless or totally-bogus services, and sometimes install malware on PCs while they control the systems.
Tech support scams became common in 2010, picked up enough steam in 2011 to prompt a real alert from Microsoft about the practice, and in 2012 triggered an investigation by the U.S. Federal Trade Commission (FTC) of six operators, all in India. Last year, the FTC settled with some of the alleged scammers, but even stiff penalties have done nothing to stem the tide.
Microsoft repeated a warning in May, saying the fraud showed "no signs of slowing down." Computerworld constantly receives emails from readers of past news stories about the scams, describing how they either stymied the criminals or were duped out of hundreds of dollars.
"Unfortunately, I was the victim of a recent scam of two men posing as Microsoft Tech Support claiming to be helping me fix my computer," reported Claire in an email yesterday. "They ... tricked me into paying what I thought was 8 but to my horror [it] turned out to be a hell of a lot more deducted from my account."
Unlike Claire, Segura knew what he was getting into. Even so, he purchased the $199 tech support package to document his probe. In a long blog post published Friday, Segura included the emailed receipt, as well as excerpts from his conversation with a technician.
He rang the various numbers listed on the "Warning!" websites multiple times, Segura said, and always reached a "help desk" that recommended E-Racer Tech. "They said 'We recommend you go to Best Buy, or we have this company,'" Segura said, citing one conversation with a technician. "But we know that they're related. We called the phone number for E-Racer and got the same 'help desk.'"
In fact, the help desk at the other end of the toll-free numbers and E-Racer Tech were one and the same. "They're trying to make it look like two different entities, when there is just one. It's meant to make the victims believe they talked to different parties and that E-Racer Tech is recommended by Microsoft's help desk," said Segura. He speculated that the tactic was designed to keep the scam under the radar or let the operators hide behind plausible deniability.
Although some of the tactics were identical to those used by the more familiar Indian outfits, including the use of shady affiliate networks to drive traffic to the "Warning!" websites, ditching the cold-call approach was another way to avoid notice. Cold-called support calls, he pointed out, have a lousy reputation because of the Indian scammers.
"Companies have identified this business model, where they get people on the phone, show them fake errors or viruses, and try to pitch very expensive services and packages," said Segura. "They seem to typically target the elderly."
Even the quality of the service was used to mask the real profit machine. "The technician was actually pretty good," Segura said. "He took the time to give some good advice. But I think that time is spent to keep the company under the radar by making it look like they're honest."
Malwarebytes said it had sent E-Racer Tech a cease-and-desist letter two weeks ago regarding the pirated key for Malwarebytes Anti-Malware Premium, but had not heard back from the firm.
E-Racer did not reply to a request for comment emailed on Saturday.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.