Most people associate tech support scams (AKA the fake Microsoft support call) with technicians sitting in a crowded, buzzing boiler room somewhere offshore.

Indeed, all of the tech support scams we had tracked so far involved companies located in Mumbai, Kolkata or elsewhere in India. But last month we stumbled upon fake warning pages urging users to call a number for "emergency tech support".

When we rang the number, we were surprised to hear that the technician sounded American. It turned out that the company was based in the "Sunshine State" of Florida, USA.

Improved scare tactics

The following are fraudulent sites that display a warning message and play sound effects with the goal of scaring the user and making them believe that their computer is infected [1].

“Your Computer May be Infected”
“Your computer may be at risk”
“For emergency tech support call immediately”
“The system may have found (2) viruses that pose a serious threat Browser.Hijacker.Spy ./ Trojan.FakeAV-Download”
“Your personal and financial information may not be secured.”

[Screenshot: red warning page]

[Screenshots: blue warning page and another error page]

There is an ongoing and aggressive affiliate campaign pushing these warnings. You may come across them while browsing, especially on sites with a poor reputation.

Here is a list of URLs we have found with a similar theme (we publish it here so that other people can blacklist them as well):

hxxp://www.error711971669.com/
hxxp://www2.securedship.com/
hxxp://errormessagenumber.com/
hxxp://system32warnings.com/
hxxp://www.systems32security.com/alert/indexna.php
hxxp://esystemalerts.com/345/
hxxp://warningmessage32.com/
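To make the list above directly usable, here is an added example (not code from the original post) that refangs the `hxxp://` URLs, reduces them to domains, renders hosts-file sinkhole entries and offers a matcher for proxy logs. The list is embedded exactly as published; everything else (the stripping of a leading `www`/`www2` label, the `0.0.0.0` sinkhole address) is the example's own choice.

```python
import re
from urllib.parse import urlparse

# The defanged URLs as published in the post above.
DEFANGED = """
hxxp://www.error711971669.com/
hxxp://www2.securedship.com/
hxxp://errormessagenumber.com/
hxxp://system32warnings.com/
hxxp://www.systems32security.com/alert/indexna.php
hxxp://esystemalerts.com/345/
hxxp://warningmessage32.com/
"""


def refang(url: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] and (dot) -> '.'."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    return url.replace("[.]", ".").replace("(dot)", ".")


def block_domains(defanged_list: str) -> list[str]:
    """Return a sorted, de-duplicated list of domains to block.

    A leading 'www' / 'www2' label is stripped (example's assumption) so
    that one entry covers the whole site rather than the single hostname
    that happened to be observed.
    """
    domains = set()
    for line in defanged_list.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = urlparse(refang(line)).hostname
        if not host:
            continue
        domains.add(re.sub(r"^www\d*\.", "", host.lower()))
    return sorted(domains)


def hosts_file(domains) -> str:
    """Render hosts-file lines that sinkhole each domain and its www host."""
    lines = []
    for d in domains:
        lines.append(f"0.0.0.0 {d}")
        lines.append(f"0.0.0.0 www.{d}")
    return "\n".join(lines) + "\n"


def is_blocked(url: str, domains) -> bool:
    """True if the URL's host is a blocked domain or any subdomain of one.

    Suitable for checking proxy or DNS logs; accepts defanged input too.
    """
    host = (urlparse(refang(url)).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    blocked = block_domains(DEFANGED)
    print(hosts_file(blocked))
    print(is_blocked("hxxp://www.systems32security.com/alert/indexna.php", blocked))
```

Matching on the registrable domain plus subdomains is deliberate: the operators rotate hostnames (`www`, `www2`, random paths) far more often than they register new domains.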

The sites are typically registered anonymously through a privacy proxy (WHOISGUARD PROTECTED, Domains By Proxy, LLC).

To get an idea of how popular these scam pages are, take a look at some stats (courtesy of SimilarWeb):

[Chart: SimilarWeb traffic estimate for systems32security.com]

There were 11.6 million visits in June to systems32security.com.

A bogus sales pitch

Upon seeing the warning message, many people may feel as though there is really something wrong with their machine.

In fact, the pages themselves are designed so that you cannot close them by clicking the "X". Instead you have to forcibly kill the browser process, via Task Manager or another Windows utility.

Those who take the bait will call the 1-800 number to speak with a technician and this is where their real troubles begin.

The warning page is essentially a launchpad for the technician to talk about online threats, give examples of recent attacks and eventually scare the user:

“It is a spyware infection, it’s very similar to the infection that got into Target’s systems a couple months back, as well it also got into eBay’s systems last week.”

But why are users receiving such warnings directly onto their computers in the first place?

“Microsoft wanted to run a diagnostic on all of its machines. Now when they ran the diagnostic, any machine that showed to have the virus or signs of the virus, they went ahead and received a warning so they could go ahead and call in and make them fully aware of what is going on with your machine.”

This is not true, of course. Microsoft has stated many times that "You will never receive a legitimate call from Microsoft or our partners to charge you for computer fixes."

If there were any doubts left about the legitimacy of this technician, they were squashed in a matter of seconds:

[Screenshot: Windows Event Viewer]

“It looks like as of right now you have 127 infected files.”

The Event Viewer does not show the number of infected files; it is not a virus scanner. It simply lists Windows log entries, and the "errors" and "warnings" it displays appear on any healthy machine. Scammers overseas have used this trick for years, and it is really shocking to hear their US counterparts go for it too.

To make matters worse, the technician went on to use metaphors to drive his point home and convey a sense of urgency:

“That’s just gonna continue to spread. It’s almost just like a cancer, it’s going to get down into your system, it’s going to continue to spread and infect more and more files every day until this computer does crash.”

Taking advantage of innocent victims and defrauding them of their hard-earned cash and pensions is despicable.

In case the victim expresses any doubts, the technician does not hesitate to lie even more.

Question: So how does it scan to find those things?
Technician: To be honest with you I’m not really sure how Internet Explorer works as far as security goes.

For someone who is supposed to be running a security diagnostic, this is quite a shortcoming.

Question: Can we trust that this information is correct?
Technician: Why would you doubt it?

First attempt at confirming that the page is fake, and yet the technician does not budge.

Question: Why is your phone number on there?
Technician: Because they wanted you to call someone at Windows and have them run a diagnostic on the system.

Second attempt: once again, the technician has absolutely no problem with his company’s phone number being printed on a fraudulent webpage.

Question: You’re part of Microsoft?
Technician: Yes.

No comment.

Question: It’s a legitimate webpage?
Technician: Correct.

A third and final attempt to give him a chance to change his mind failed miserably.

We tried the number on many occasions and we always got redirected to the same ‘help desk’ which consistently recommended that one tech support company: E-Racer Tech (AKA Clean IT PC).

The thing is, the help desk and E-Racer Tech are the same entity. The two-step process is simply meant to make victims believe they talked to two different parties and that E-Racer Tech is recommended by Microsoft's help desk.

Customers ripped off, license agreements violated

Enter Mr B., your typical retired and unsavvy computer user, who agreed to play the victim for the purpose of this investigation.

Mr B. was just browsing the web when, all of a sudden, a scary page (the same as the one pictured above) took over his screen.

Question: There’s a lot of red things, is that bad?
Technician: That’s all infections, that’s what’s called malware. Yes, that’s very bad.

After the scare tactics worked, the technician made the final pitch:

“It’s 100% guaranteed work and it’s through a company called E-Racer Tech. They are a Microsoft Partner.”

Mr B. received a discount to bundle the virus removal and computer cleanup. Instead of paying $299, Mr B. was ‘only’ billed for $199.

The package also included Malwarebytes Anti-Malware which E-Racer Tech charges $99 for. Note: you can purchase the same program (actually the newer version) for $24.95 directly from malwarebytes.org.

[Screenshot: transaction record]


The technician began downloading various tools and ran a script to automate the ‘repair’ process.

[Screenshot: Malwarebytes Anti-Malware scan]

The installation, registration and scan with Malwarebytes Anti-Malware is automated using a script that includes a hardcoded license key:

[Screenshot: registration script with the hardcoded license key]

When you buy Malwarebytes Anti-Malware Premium, you are authorized to use the same license key on only three PCs.

We checked the key and found it had been used 2,341 times in the past few months. At $99 per customer (the price they are charging), we estimate that adds up to $231,759 in sales from a single Malwarebytes license key!
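The numbers above (a three-seat key, thousands of scripted activations) are exactly the pattern a vendor's activation telemetry can flag. The following is an added example, not Malwarebytes' licensing back end: it assumes a simple activation log of (key, machine id, ISO timestamp) records, which is constructed here, and reports keys that exceed their seat limit or that pick up several new machines within a short window, the signature of an automated install script.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SEAT_LIMIT = 3                    # PCs covered by one Premium key, per the post
BURST_WINDOW = timedelta(hours=24)
BURST_COUNT = 3                   # this many new machines inside the window looks scripted

# Constructed activation log (not real telemetry): key, machine id, timestamp.
# KEY-AAAA is a normal customer; KEY-BBBB mimics the hardcoded key in a script.
SAMPLE_LOG = [
    ("KEY-AAAA", "pc-01", "2014-06-01T09:00:00"),
    ("KEY-AAAA", "pc-02", "2014-06-02T11:30:00"),
    ("KEY-AAAA", "pc-01", "2014-06-10T08:15:00"),   # reinstall on the same PC: fine
    ("KEY-BBBB", "pc-10", "2014-06-03T14:00:00"),
    ("KEY-BBBB", "pc-11", "2014-06-03T14:20:00"),
    ("KEY-BBBB", "pc-12", "2014-06-03T14:45:00"),
    ("KEY-BBBB", "pc-13", "2014-06-03T15:05:00"),
    ("KEY-BBBB", "pc-14", "2014-06-04T09:00:00"),
]


def first_seen_per_machine(log):
    """Return {key: {machine: first activation time}}.

    Repeat activations of the same machine (reinstalls) must not count as
    extra seats, so only the earliest record per machine is kept.
    """
    seen = defaultdict(dict)
    for key, machine, ts in sorted(log, key=lambda r: r[2]):
        seen[key].setdefault(machine, datetime.fromisoformat(ts))
    return seen


def flag_abused_keys(log, seat_limit=SEAT_LIMIT, window=BURST_WINDOW, burst=BURST_COUNT):
    """Return {key: [reasons]} for keys that look resold or scripted.

    Two independent signals:
      - more distinct machines than the license allows
      - `burst` or more new machines first seen within `window`
    """
    findings = {}
    for key, machines in first_seen_per_machine(log).items():
        reasons = []
        if len(machines) > seat_limit:
            reasons.append(f"{len(machines)} machines on a {seat_limit}-seat key")
        times = sorted(machines.values())
        # sliding window over first-seen times: any `burst` consecutive
        # new machines closer together than `window` trips the rule
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                reasons.append(f"{burst} new machines within {window}")
                break
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in flag_abused_keys(SAMPLE_LOG).items():
        print(key, "->", "; ".join(reasons))
```

The seat-count rule alone would also fire on a family that shared a key with one friend; the burst rule is what separates that from a help desk running the same key through a script dozens of times a day.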

For the record, this is not the first time unscrupulous tech support companies have used and abused Malwarebytes Anti-Malware. The license agreement is quite clear on the subject:

You may not run the Software on a network, but must install it only on the individual Computers you are licensed for and run it locally on those Computers. You may not use the Software, or make the functionality of the Software available to third parties, for any commercial purpose, including, but not limited to, providing any computer repair, help desk or troubleshooting service to any third party. You may not combine this Software with any third party script, application, hardware or tools which would cause it to run on an automated or unattended basis.

South-East Florida: a hotbed for tech support scams


“We do what’s best for our customers and that means no outsourcing tech support to countries like India.”

The technician’s IP address points to Southeast Florida:

[Map: technician's IP address geolocated to Southeast Florida]

Interestingly, the Boca Raton area seems to be rife with technical support companies, many of which have drawn a lot of complaints.

Here are the LogMeIn codes that were used (useful for LogMeIn, Inc. to investigate and shut down the account):

  • 988610
  • 914889
  • 882157

Different countries, same scam

Whether the technician is from India or the US, the recipe and the goals are the same. Some tech support companies are taking advantage of computer-illiterate users and lying to their faces with absolutely no second thoughts.

It would be easy to assume that the scam moved from India to the US because of how effective and lucrative it is. But the reality is probably more complex than that. For starters, US-based companies are much less likely to cold-call people because of the risk of getting caught, not to mention that the practice has such a bad reputation.

Instead, they drive traffic to their phone support in other ways:

  • ads in Google or Bing search results [2] targeting certain popular keywords (e.g. "FBI virus", "Netflix support")
  • free registry cleaners/optimizers reporting a misleading number of errors [3]
  • borderline fake or outright fraudulent pages designed to scare the user

In many cases, you will see what looks like a deliberately layered infrastructure, so that if something goes wrong they can blame someone else. For example, it is convenient to dissociate yourself from the affiliates, or even from the Tier 1 support guy whose job is to make the sale.

One other major difference from the scammers based overseas is the desire to ensure customer satisfaction in order to make this business viable in the long run. For one thing, you have a lot more to worry about if you get caught for abusive business practices and happen to be in the US.

In fact, these fraudulent US-based companies may even get legitimate and positive reviews from their customers. The technician was friendly, spoke proper English and the work was done in a timely and efficient manner.

But what these victims may not see, and what we decided to expose here, is how some dishonest tech support companies have trained their staff to fabricate lies in order to scare prospective customers into paying a lot of money for a service they may not actually need.

At the end of the day, this is a tough issue because there are a lot of people out there (especially the elderly) that do need some assistance with their computers and often don’t have many options to get it. If they look for it online, chances are that they will get ripped off.

For the sake of legitimate companies and potential victims, it’s important to identify those that are abusing the system and to expose them.

We sent E-Racer Tech a cease and desist letter about their fraudulent use of our software but have not heard back.

We have added their sites and numbers into our Tech Support Scammer blacklist.


Special thanks to JP Taggart for his assistance on this project.

[1] Feel free to check out our own extensive resource page about tech support scams (tricks used, companies involved, etc.) here.

[2] If you come across a misleading or fraudulent ad, please report it here. TrustInAds.org is a coalition dedicated to fighting bad ads.

[3] Microsoft recently made an interesting statement regarding registry cleaners: “Some products such as registry cleaning utilities suggest that the registry needs regular maintenance or cleaning. However, serious issues can occur when you modify the registry incorrectly using these types of utilities. These issues might require users to reinstall the operating system due to instability. Microsoft cannot guarantee that these problems can be solved without a reinstallation of the Operating System as the extent of the changes made by registry cleaning utilities varies from application to application.”