In the Tech Support scam, a scammer hijacks a well-known brand in an effort to lure a victim, who is then deceived into paying for an unnecessary or non-existent service or into installing malware-infected payloads.
This scam has been picked up by quite a few players in the last couple of years, successfully catching people left, right and center. If you want to bring yourself up to speed on how scammers have evolved in this space, you’ll find lots of documentation from the FTC, the Malwarebytes team and Microsoft.
When I think about a scam, of course the first question I ask is who is the victim, and eventually it’s interesting to figure out how the money flows. In today’s example, I’ll show you how a Tech Support scam flows from beginning to end. We’ll discuss who the victims are and we will examine the players that make money from all of this.
So with a couple of cell phones, a few false names and an intentionally flawed Virtual Machine (one which had not been activated), I decided to see what Tech Support scams looked like for myself.
The reason I chose a VM which had not yet been activated is because I wanted to see if the people I phoned for tech support pointed out the most obvious potential problem with the machine, i.e., that it had not yet been activated.
On Friday the 23rd of May 2014, I found this Google advertiser:
5/23 – Google Advertiser URL leads to http://rrlogg.in/Log_In.htm
5/23 – Google Advertiser URL leads to http://rrhelp.in/Log_In.htm
5/24 – Google Advertiser URL leads to http://rrlogg.in/Log_In.htm
5/27 – Google Advertiser URL leads to http://www.rrlgn.in/Log_In_To_Account.htm
For each of these ads, the landing page will display the following message:
“Attention: Your Account Has Been Disabled Please Call 1-855-666-8849”
It’s obvious what is happening here, but to be clear: this advertiser has hijacked the TWC Road Runner login page and is trying to deceive the user into thinking that there is a problem.
Depending on what your referrer to this page is (the site responsible for sending you here), the message could also be:
“Attention User Account Is Under Review Please Call RoadRunner Support 1-800-463-6338”
That the message/number changes matters not, for the intent remains the same: deception. In each case the advertiser has hijacked the TWC RoadRunner page and is trying to con the user into phoning the falsified tech support line.
What I thought was really interesting here is that they are not even bothering to steal credentials; they just want you to call in and fall victim to a quick scam that will send real dollars their way. Re the pic below, note that I entered false credentials and then pushed Login. Upon analyzing a packet trace for this activity, I found no evidence of credentials being sent to a server.
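The check described above (did the fake login page send what was typed anywhere?) as an added example that is not part of the original post: it scans captured HTTP requests for the test credentials in the forms a login form or Basic auth header would put them on the wire. The captured requests and the credentials below are constructed for illustration; a real capture would be exported from the packet trace.

```python
import base64
import re
import urllib.parse

# Constructed sample of captured HTTP requests (not from the original packet
# trace): the fake login page load, the form "submission" that carries nothing
# but a counter, and an unrelated image fetch.
CAPTURED_REQUESTS = [
    "GET /Log_In.htm HTTP/1.1\r\nHost: rrlogg.in\r\n\r\n",
    "POST /Log_In.htm HTTP/1.1\r\nHost: rrlogg.in\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nclicks=1",
    "GET /img/logo.png HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
]

def _encodings(secret):
    """Forms in which a typed value commonly appears on the wire:
    plain, percent-encoded (both quote styles) and base64."""
    return {
        secret,
        urllib.parse.quote(secret, safe=""),
        urllib.parse.quote_plus(secret),
        base64.b64encode(secret.encode()).decode(),
    }

def find_credential_leaks(requests, username, password):
    """Return the indexes of requests whose request line, headers or body
    contain the test credentials in any of the probed encodings.
    Short secrets (a few characters) would produce false positives; use a
    long, unique test password when running this against a real capture."""
    probes = _encodings(username) | _encodings(password)
    # HTTP Basic auth encodes "user:pass" as a single base64 token.
    probes.add(base64.b64encode(f"{username}:{password}".encode()).decode())
    return [i for i, raw in enumerate(requests)
            if any(p in raw for p in probes)]

def hosts_contacted(requests):
    """Distinct Host headers, so the analyst sees every server that was
    talked to while the credentials were entered."""
    found = set()
    for raw in requests:
        m = re.search(r"^Host:\s*(\S+)", raw, re.M)
        if m:
            found.add(m.group(1))
    return sorted(found)

if __name__ == "__main__":
    leaks = find_credential_leaks(CAPTURED_REQUESTS, "testuser", "Tr4ce-Pw!x9")
    print("hosts:", hosts_contacted(CAPTURED_REQUESTS))
    print("requests carrying credentials:", leaks or "none")
```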
Not stealing credentials actually makes a whole lot of sense if you think about it a little. If they were stealing usernames and passwords then this would be an open and shut case. It would not take much for chaps like me to gather evidence against players that steal credentials in this manner, in which case they could land themselves in hot water pretty quickly.
Moving on, I called the guys behind 1-855-666-8849 a few times, and each time I phoned they always answered with “Thank you for calling <GARBLED> technical support”. The <GARBLED> part is intentional from their side; they want you to think it’s your fault you did not hear them properly. Sometimes I asked what technical support they were, but I never got an answer.
Unfortunately my initial attempts to get to the bottom of the scam didn’t get me very far. I think I came across as unconvincing, someone who may be a threat to their scam, and so each time they ended up putting the phone down on me. Upon reflection, I think my problem was that I assumed they were trying to sell me an antivirus solution from the get-go, so my guess is this is what kept throwing them off. They would always tell me my computer was broken/compromised, that things had gone wrong and they needed to access it. They never told me how to facilitate this; I told them I had no idea what they were talking about and kept waiting for them to take the lead.
As I kept trying to see what this particular tech support scam was all about, it became evident to me that where other scammers were trying to get folks to download and install something, these guys were up to something different.
So I involved a senior citizen (my dad!), someone who I figured was the real target of their scam.
The result was quite different.
Highlights of the call:
04:50 Scammers convince my father to let them take control of the machine. They ask him to load logmein123.com, which redirects to secure.logmeinrescue.com, where they then ask him to enter the code 24227.
07:10 My father asks who they are, he clearly says “Are you TWC?” This is followed by a moment of silence and then their response “Yeah”
09:39 They have taken control of the machine, they then ask my father to log into his email so they can see the problem. What they did here was really sneaky. As he was typing in the password, they would keep pushing the caps lock key on their side, which meant that even if we were at the right service URL typing in the right credentials, it would be entered incorrectly and our login would be denied. This would open the doors for the scammers to prove that there certainly was a problem.
10:28 You can hear my father tapping the keyboard five times for a five-character password and counting silently to himself. Mysteriously, a sixth character appears in the password prompt. Obviously the scammers are entering the final character to keep forcing incorrect credentials.
11:30 Scammer opens a command line window and types “EMAIL HAS BEEN HACKED”. My dad falls for this and starts to panic. When my father asks if his email has been hacked, the scammer says “Yeah, that’s the problem sir, yeah”.
13:58 Scammer says “don’t worry, I am here to help you” whilst trying to scare my father by showing him logs from the Windows event log, all of which is completely normal.
18:52 “Are you a senior citizen sir?”
“Yes ma’am, I am 76”
19:22 My father asks “are these experts from Microsoft?” to which the scammer responds “yes sir”.
20:00 Scammer explains to my father the difference between what Best Buy’s Geek Squad offers and what they are offering. It’s all so confusing, but it’s supposed to be a good deal. Note the question my father asks at 20:50:
“And these are specialized technicians from Microsoft, Yes”
For the first time we are privy to what their real identity may be, or at least what they are using to transfer funds: “International Technical Support Corporation”. If you’re following this call carefully, you know that the scammer just made a mistake on their side. They just logged my father directly into their merchant account – obviously they don’t know that I just fell off the chair next to him.
22:50 They enter the Order ID ITSC102504 and will try to convince my father to complete the form with his details. Note the question my father asks before trying to complete the form
“Do you have special rates for over the age of 75?”
23:38 My father asks if he can spend the $599 over a period of time instead of in one large payment. He explains that $600 is his rent for the month. They know he is an elderly gentleman, they know they are exploiting his trust. They know they are about to steal money that he cannot spare. What’s sad here is that my father is not a victim, but they don’t know that. How many elderly people have potentially fallen for this scam? We’re about to answer that question thanks to these guys logging us into their merchant account.
26:18 Scammer shares their address: “1113 6th ave, New Hyde Park, NY 11040”
31:00 Scammer becomes impatient after we click refresh, nullifying everything we had spent the last ten minutes completing. She decides to transfer us to another scammer, but we decide to end her remote session and take a closer look at their merchant account.
Of interest to me at that point in time was how much money these unscrupulous individuals had made thus far. I used the QuickBooks feature of the merchant panel to get a quick idea.
Just to be clear here, for this account alone the scammers have conned 1538 people with this scam. At a total of $439,254.91, they are averaging $258 per person. What’s more terrifying here is the extremely low 3% rate of chargebacks/reversals. These are people that were savvy enough to see the scam and then demand a refund from their credit card company.
I shouldn’t have to say that this practice is unscrupulous. These are without a doubt scammers of the lowest possible order, bottom feeders that target old people and those that are not tech savvy enough to know any better.
1. Google facilitates the first part of this scam by allowing advertisers of this ilk onto their network. Average users, old people, kids, moms, tech elites, you name it, they trust the results given to them from a search engine. So why shouldn’t they trust what the page behind that first click tells them: “Attention: Your Account Has Been Disabled Please Call 1-855-666-8849”. After all, there’s no warning on the search result page saying “Hey be careful of these advertisers, we have no idea who they are or what they are going to try to sell you!”
Obviously the scammers know how trust is delegated here, so they will pay Google to exploit this as an advertiser for as long as they are allowed to do so.
But is Google a victim? Sure. Whilst they are taking the scammers money to show the ads in question, they are also indirectly a victim. Fingers will point to services the likes of theirs when one tracks back the scam to its origin.
2. NMI.COM – Network Merchants LLC, for a fee I presume, is allowing the money to flow from the target of the scam (my senior citizen dad in this case) through to the scammers. At the end of the day what the scammers are doing here is wire fraud, plain and simple. So if NMI didn’t know about the half million dollars these scammers potentially defrauded from victims before, they sure know about it now.
3. TWC Road Runner. They’re another victim. It’s their service that is being hijacked and their users plundered. Ultimately victims are dialing the support number listed because they thought TWC Road Runner disabled their account.
4. Microsoft. The scammers are using legitimate programs on a Microsoft Operating System to make the victims think something is wrong with Microsoft software. We know that it’s all just a lie though, the event viewer is filled with legitimate warnings and errors. Typing “EMAIL HAS BEEN HACKED” in a command prompt does not mean that your email is hacked.
Furthermore, they hijack the Microsoft brand by saying that they are from Microsoft. Recall 19:22 where my father asks “are these experts from Microsoft?”
5. The scammers themselves. From the Google ad landing pages, we know of three domains that they are using: rrlogg.in, rrlgn.in and rrhelp.in. Whois pages for these (here, here and here) list Dayanad Colony as the registrant using the number +91.9818290300 and email address firstname.lastname@example.org
So what now?
Why are unscrupulous advertisers of this ilk allowed to run rampant? How is it that they can get away with something like this over and over again? Why aren’t the players responsible for playing a part in all of this (knowingly or unknowingly) made accountable here?
The bottom line is that it’s the innocent consumers that are being nailed over and over again. Hard legal action coming in on the tail end of these scams is just not going to solve anything. In my mind I see the need for a very big and very angry gorilla stepping into the arena of online advertising sometime soon, and its name is regulation.
* 5/29/2014 – download links to the audio added *
* 6/3/2014 – scammer is still running strong through AdWords (Advertiser URL), now using the domain rrloginin.in and the number 1-855-808-1175 *