- May 11, 2016
- Posted by:
- Categories: Cyber Crime, Posts with image
Researchers investigate tech support schemers who lay traps for you on the web.
I’m on the phone with tech support for Kaspersky Lab—at least, that’s what it says on the website up on my screen.
Under the Kaspersky logo, it says, “Before you Proceed! Please call Kaspersky Support at 1-800-277-6232.”
So I do. And the company rep who answers insists he does indeed work for Kaspersky.
“How long have you worked for Kaspersky?” I ask.
“I have been working with Kaspersky from the last six months, and before that I was working with Norton,” says the rep, who gave his name as Bruce Miller.
“So Kaspersky hired you about six months ago?” I say.
“Yeah,” Bruce says. “I do know a lot of about computers, so that’s what they were looking for, the people who know about the computers and the software things, so they hired me.”
But Bruce is not telling the truth. He does not work for Kaspersky—instead, his company, with an address in Singapore, sets lures online, using the names and logos of well-known cybersecurity companies to try to get you to call and ultimately pay up.
Tech support scammers have pounded people with trick calls for years.
Now a cybersecurity company called Malwarebytes is investigating a variation on the scheme, where the “tech support” companies create look-alike web pages using other companies’ logos and graphics.
Researchers from Malwarebytes found a fake page—for their own company.
“Protect your PC,” the copycat page said. “It is highly recommended that you call the Premium Support line for Malwarebytes and get any problem rectified before proceeding further—Malwarebytes Virus Removal.”
The domain name was www.certified.support/for/Malwarebytes. It gave the same 800 number we called—800-277-6232.
Researchers describe what happened when they called the number.
“The next phase of the con consists of taking remote control of people’s computers and performing a fake security scan as a scare tactic,” they said in a blog post. “Within minutes, we were presented with a bill for over one thousand dollars.”
“One thing was for sure, they weren’t Malwarebytes tech support and they certainly did not like being questioned about that,” researchers said. “While still in control of our test computer, the technician quickly managed to disable all the services and force a reboot, in an effort to damage our computer.”
Researchers said the group behind the scheme, known as Tech Kangaroos, has been “charging their victims hundreds, sometimes even over a thousand dollars, for completely bogus software support. In an added twist, the same scammers later call back their customers to offer them a ‘refund’, where they actually steal even more money.”
Malwarebytes found complaints online from people who said they fell for the scheme.
“A representative from Techkangaroos fraudulently withdrew $2100 from my account after convincing me to give my debit card information to refund $99 for dispute over software purchased many months ago,” wrote one. “The software did not work so I complained, and received this call months later.”
“Be aware of software assistance from a company called Techkangaroo,” wrote another. “Some other things that need to be said is when they provide you with software to fix your problems they provide pirated versions!”
“They promise you full results to your problems which seems to not be correct, and then you are calling them again, giving them additional money and or access to your computer. For instance, I recently paid to have them fix my issues and they were unsuccessful, they promised to refund the payment I made and I’m still waiting,” the customer added.
“Bruce” & “James”
Customers might be confused if they see the look-alike site for Kaspersky. It gives a number that it claims is for “Kaspersky Support.” The domain name is www.certified.support/for/Kaspersky.
At the bottom of the page, in very small letters, is a message saying, “We are an independent provider of technical support services for several third party brands and do not own any of the brand names mentioned.” However, there is no mention of which company the “we” refers to—customers might think the disclaimer comes from the real Kaspersky.
The reps seem to have trouble giving the real story about their employment.
A rep named “James,” who works with Bruce, said he was hired by Kaspersky two years ago and works at the Kaspersky offices in Singapore.
“Was it hard to get a job with Kaspersky?” I asked James.
“Yeah, very hard,” he answered. “Yeah, ma’am, it’s very tough.”
If you continue to press the reps, you may get answers that reveal cracks in their claims.
James said his company headquarters were in California, but he could not give out the address. He confessed that “James” was not his real name.
Bruce said he lived in New Jersey for a year while working at Norton, before taking the Kaspersky job in January. But he said he could not remember the street he lived on there.
“Like, you don’t have to worry about these little things when, like, you enjoy your life, going to work and coming back and having a beer at night, right?” he said.
Telling the truth
At last, it was time to confront the reps with the facts. James at first pretended to be Bruce, then said Bruce was unavailable.
“Why do you lie and say you work for Kaspersky?” I asked James.
“Ma’am, I have never said that,” he responded. “Ma’am, you just asked, ‘Was it hard to get a job in Kaspersky?’ and I didn’t even answer that.”
I reminded him that he did indeed answer that and a number of other questions about his Kaspersky employment.
“Ma’am, we provide support to Kaspersky,” he said, changing his tack.
“Does Kaspersky say it is okay for you to work for them?” I asked,
After a pause, he answered, “Yeah. We provide support. They do not have any problems with that. That is why your call is routed over here.”
In the end, James promised to have his manager call. That did not happen. He also promised to stop lying to customers—another tactic, perhaps, to get off the phone and move on to the next “Kaspersky” support call.
The real Kaspersky
Archer News contacted the real Kaspersky about the imitation page.
“Unfortunately, companies trying to take advantage of consumers looking for tech support have been around for years,” the company said in a statement. “At Kaspersky Lab, we are continuously working to raise awareness on this issue and advising customers to be on alert for possible tech support scams.”
The real company said you can find official support contact options here on the real site.
“Smart Internet marketing”
Malwarebytes ties the operation to a man named Moksh Popli, a company Instant PC Care, and the site onlinetech.support.
A person claiming to be Moksh Popli wrote an angry comment on Malwarebytes’ blog page. He said his operation is not a scam, but instead “smart Internet marketing.”
He said that his company does not freeze people’s web pages or call people up and pretend to work for Microsoft and tell them their computers need help. He claimed that there are disclaimers in bold on each of his pages.
“Support for XYZ product doesn’t mean we are calling ourself as XYZ,” he wrote. “It’s like you are taking your XYZ car to a local mechanic for repairing and later calling it as scam.”
He said his company does not run any campaigns “targeting Malwarebytes, etc.”
“What you are looking at is something very old and the reason you are still able to reach it is because we have our numbers active for Customer Service that we promised before!” he said to Malwarebytes.
What this means for you
Malwarebytes said it reported the websites in question to the hosting providers and registrars.
“We are well aware that those scammers will set up shop elsewhere but we can at least disrupt their business model and more importantly raise awareness,” researcher said.
“A more productive and long lasting effort is to research, track and document those scams,” they added. “In many cases, the FTC goes after entire organizations and takes down their infrastructure, including banking assets.”
The researchers warned that people calling the tech support tricksters to harass them are actually adding to the problem.
“Besides the actual scam aspect, there’s a concerning trend of rogue technicians breaking people’s computers for revenge,” they said. “Without a doubt, trolls that try to waste the scammers’ time or simply call up for fun have contributed to this phenomenon.”
Popli contacted Malwarebytes’ legal department, requesting that the company remove the blog post. As of this writing, Malwarebytes has not done so. Popli’s messages, however, revealed a clue in the investigation.
“Interestingly, the IP address from where Moksh Popli wrote is the same IP address as the one used by the scammer (collected from the Teamviewer [software for remote control that the ‘tech support’ reps use to take over control of your computer] log) who didn’t think twice when he willingly broke our computer after we refused to pay hundreds of dollars for ‘Malwarebytes support.’”
“Just when you think you’ve seen everything when it comes to tech support scams, you realize how far the miscreants behind this plague will go to rob innocent people,” the Malwarebytes researchers said.