Tech support scams resource page

[4th March 2019]

It’s not exactly hot news that support scammers have tended to move away from cold-calling towards other techniques such as deceptive pop-up messages and putting their contact details in deceptive advertising that victims with a real problem might come across.

Still, this is quite interesting. Trend Micro: Shifting Strategies: Using Social Media, SEO in Tech Support Scams

[November 5th 2018]

Jérôme Segura for Malwarebytes: Browlock flies under the radar with complete obfuscation – “Browlocks are the main driving force behind tech support scams, using a combination of malvertising and clever browser locker tricks to fool users.  [….] Recently we’ve seen the “evil cursor” that prevents you from closing the fake alert, and the fake virus downloadthat insinuates your computer is already infected. This time, we look at how browser locker pages use encoding to bypass signature-based detection.”

[22nd October 2018]

Lawrence Abrams for Bleeping Computer: McAfee Tech Support Scam Harvesting Credit Card Information. A scam that has its cake and attempts to eat it. Several times.

“Essentially, these scammers are not only earning commissions on affiliate sales, but also stealing your credit card and personal information. This information can then be used to charge other purchases or perform identity theft using your credentials.”

[11th October 2018]

The recent (rescinded) Windows 10 upgrade – if you’ll pardon the expression – does seem to have attracted a load of scams as well as creating problems itself with profile corruption and deleted files and folders. Scams I’ve seen mentioned include ransomware masquerading as the upgrade installer [Microsoft doesn’t distribute upgrades – or links to upgrades – through email!], and tech support scammers offering ‘help’ with the upgrade (via phone calls or pop-ups). Here’s an example of the latter: Remove “Windows 10 Pro Update Failed” Fake Alerts (Microsoft Scam)

[10th October 2018]

Probably won’t get to be a full post, but a comment on one of my ESET blog articles pointed out that “A similar variation is still going round starting with the assertion that your broadband speed is below par and he was working on behalf of my ISP. When we got as far as typing “assoc” in the command window I looked for proof of identification (which I should have asked for at the start!). As tempers flared I hung up the line.”

[24th September 2018]

Jérôme Segura reports (20th September 2018) for Malwarebytes on Mass WordPress compromises redirect to tech support scams. There have been high volumes of hijackings of sites using the WordPress content management system, especially sites using outdated plugins. Prominent among the client-side payloads observed by Malwarebytes are redirections to tech support scams. Segura notes that:

“That .TK URL pattern is well known and has been documented in detail as part of a large Traffic Distribution System (TDS) responsible for massive redirections to browlock pages. Note the custom mouse cursor (the “Evil cursor”), which we reported on recently, has yet to be patched.”

[18th September 2018]

Jérôme Segura for Malwarebytes: Partnerstroka: Large tech support scam operation features latest browser locker – “We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser lockers (browlocks) pages. … we were still able to isolate incidents pertaining to this group which we have been tracking under the name Partnerstrokam …. and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome.”

Summary/commentary from Zeljka Zorz for Help Net: Tech support scammers leverage “evil cursor” technique to “lock” Chrome

John E. Dunn for Sophos: Microsoft purges 3,000 tech support scams hiding on TechNet – “Microsoft has taken down thousands of ads for tech support scams that had infested the company’s TechNet support domain in a sly attempt to boost their search ranking….Microsoft’s site was home to around 3,000 of these ads, mostly associated with the downloads section.

The ads covered a wide range of fraudulent support issues, from virtual currency sites to Google Wallet and Instagram. Johnston told ZDNet…”

[28th August 2018]
(Transcription of article for Chainmailcheck, my scams resource page.)

William Tsing for Malwarebytes: Green card scams: preying on the desperate – Green card scams are far from new. Though in fact this site does actually indicate in the small print that its usefulness to someone wanting to improve their chances of getting a green card via the diversity visa lottery is going to be very limited indeed. But Tsing makes the interesting point that the scam site looks more authentic than the real site because it provides more information, and compares it to “what we see with legitimate tech support and tech support scammers. An official entity does a poor job communicating with its constituency, and that creates a vacuum that scammers are all too eager to fill.” Seems an entirely valid point.

I talked about the issue of inadequate tech support in an article for ESET – Tech support scams and the call of the void – The importance of providing the best possible after-sales service to customers. That article was sparked off by a useful article on the Security Boulevard site by Christopher Burgess on When Scammers Fill the Tech Support Void.

[17th August 2018]

Symantec: Tech Support Scam Integrates Call Optimization Service  “In this blog, however, we look at how scammers are now making use of legitimate call optimization services in order to make their scams more efficient.”

[1st August 2018]

Sean Gallagher for ArsTechnica: Click on this iOS phishing scam and you’ll be connected to “Apple Care” – “This phishing attack also comes with a twist—it pops up a system dialog box to start a phone call. The intricacy of the phish and the formatting of the webpage could convince some users that their phone has been “locked for illegal activity” by Apple, luring users into soon clicking to complete the call.”

Commentary from Sophos: Porn-warning security scam hooks you up to “Apple Care”

[27th July 2018]

ZDnet: US makes an example of Indian call center scam artists with stiff sentences – “The worst offenders have been thrown behind bars for up to 20 years… a number of call centers were established in Ahmedabad, India, in which operators impersonated the IRS and USCIS… in order to threaten US victims with arrest, prison, fines, and deportation unless they paid money they apparently owed.”

[5th July 2018]

SANS Ouch Newsletter: Phone Call Attacks & Scams

[22nd June 2018]

Sophos: Elderly victims conned out of millions by tech support scammer

[8th June 2018]

Help Net Security: Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines – “Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.”

[20th May 2018]

Malwarebytes: Fake Malwarebytes helpline scammer caught in the act – (Given how much work Malwarebytes have done on these scams, not good targeting on the scammer’s part.)

[12th May 2018]

Article by me for ESET: Tech support scams and the call of the void

“Christopher Burgess for Security Boulevard on what happens When Scammers Fill the Tech Support Void … says: “I still haven’t figured out why those companies that provide tech support tend to hide the connectivity to these saviors of their brand in the weeds of the website, but they do, and we search—and sometimes we strike gold.”

However, I don’t think the reluctance of companies to draw attention to their support services is too much of a mystery…”

There may be persuasive reasons why providers are reluctant to engage directly with their customers, but the consequences may be grim for both provider and customer.

[27th April 2018]

Erik Wahlstrom for Microsoft talks about tech support scams, the volume of complaints Microsoft receives, and the partnerships it has built in an effort to reduce their impact. Worth reading. Teaming up in the war on tech support scams. Some commentary and basic advice from Graham Cluley: Reports of tech support scams rocket, earning handsome returns for fraudsters.

[25th March 2018]

Christopher Burgess for Security Boulevard: When Scammers Fill the Tech Support Void Burgess says: “I still haven’t figured out why those companies that provide tech support tend to hide the connectivity to these saviors of their brand in the weeds of the website, but they do, and we search—and sometimes we strike gold.” (I have more to say on this…)

[20th March 2018]

Sophos: Fake Amazon ad ranks top on Google search results. “Yep, not for the first time, Google’s been snookered into serving a scam tech support ad posing as an Amazon ad.”

[8th February 2018]

For Malwarebytes, Jérôme Segura continues to fight the good fight against support scammers by warning us that ‘Tech support scammers find new way to jam Google Chrome‘. (If you saw this when it first appeared, note that it has been updated since.) By abusing an API, the scammers manage to freeze the browser in the hope that users will be panicked into calling the fake ‘helpline’ advertised on the pop-up or pop-under that accompanies the freeze.

However, he observes:

Since most of these browser lockers are distributed via malvertising, an effective mitigation method is to use an ad-blocker. As a last resort, the Windows Task Manager will allow you to forcefully quit the offending browser processes.

[1st February 2018]

It’s not all about tech support scams, but Microsoft’s announcement about beefing up detection of ‘coercive messaging’ in Windows Defender is certainly related to some approaches used by tech support scammers, such as the use of malware that directs victims to a scam-friendly ‘helpline’.

Coercive messaging? As indicated in Microsoft’s evaluation criteria for malware and unwanted software,  that would be messages that ‘display alarming or coercive messages or misleading content to pressure you into paying for additional services or performing superfluous actions.’ That includes exaggerating or misrepresenting system errors and issues, claiming to have a unique fix, and using the well-worn scamming technique of rushing the victim into responding in a limited time-frame.

Certainly that’s all characteristic of the way that fake tech support is monetized, but it’s also characteristic of the lower-profiled but persistent issue of useless ‘system optimizers’.

Microsoft’s article actually strongly resembles some of the hot potatoes topics addressed by the Clean Software Alliance, which describes itself as ‘a self-regulatory organization for software distribution and monetization’. Unsurprisingly, since Microsoft had a great deal to do with the launching of the initiative. Anyway, it covers a great many issues that are well worth considering. I don’t think Microsoft and Windows Defender will be able to fix all these problems all on its/their own, but any movement in this direction is a Good Thing.

Shorter article focused more on coercive messaging from Barak Shein, of the Windows Defender Security Research Team: Protecting customers from being intimidated into making an unnecessary purchase.

Commentary by Shaun Nichols for The Register: Windows Defender will strap pushy scareware to its ass-kicker machine – Doomed: Junkware claiming it can rid PCs of viruses, clean up the Registry, etc

On behalf of the security industry, which provides a large chunk of my income, maybe I should stress that not all programs that claim to rid PCs of viruses are junkware. 🙂 But perhaps it’s worth remembering that the difference between legitimate and less legitimate marketing is sometimes paper-thin. And talking about papers, here’s one on that very topic. 🙂 However, since that ESET paper for an EICAR conference goes back to 2011, maybe I should consider revisiting the topic.

[23rd January 2018]

Article for ESET by me: Scammers and jobhunters. Sparked by an article in the Guardian on The scammers gaming India’s overcrowded job market  by Snighda Poonam. Hat tip to Steve Burn for calling my attention to it.

[15th January 2018]

I’m a little behind the curve here: I’ve just noticed an article by Martijn Grooten of Virus Bulletin from 5th January offering Tips on researching tech support scams. I’ve worked with Martijn a couple of times on support-scam-related research in the past, so pleased to see he’s still working away on that particular nuisance.

[12th January 2018]

The Register: ‘Mummy, what’s felching?’ Tot gets smut served by Android app – Google’s Play Store fails again

Actually, I didn’t know about felching, either, and I wish I hadn’t looked it up.

Based on Checkpoint’s blog article Malware Displaying Porn Ads Discovered in Game Apps on Google Play. Checkpoint says that this is a triple-threat attack: it may display ads that are often (very) pornographic, engineer users into installing fake security apps (which is why it’s mentioned on this page), and/or induce them to register with premium services.

David Harley

[18th December 2017]

Paul Ducklin for Sophos: Watch out – fake support scams are alive and well this Christmas

The first part of the article is a recap of old-school tech support scam cold-calling, but the rest describes what happened when someone clicked on ‘one of those “you’ll never believe what happened next” stories’. The resulting ‘alert’ included an automatic voice-over. While the voice-over (which you can hear on the page above) is full of laughable transcription errors and false information, it could certainly scare someone not particularly tech-literate into falling for the scam.

[12th December 2017]

Lawrence Abrams for Bleeping Computer: Tech Support Scammers Invade Spotify Forums to Rank in Search Engines

Extract: “Over the past few months, Tech Support scammers have been using the Spotify forums to inject their phone numbers into the first page of the Google & Bing search results. They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google.”

[8th December 2017]

Tara Seals for Infosecurity Magazine: Tech Support Scam Malware Fakes the Blue Screen of Death

“The infamous Blue Screen of Death (BSOD) is one of the most-dreaded sights for Windows users. Adding insult to injury, a new malware is making the rounds that fakes a BSOD, and then tries to swindle victims into paying for tech support tools.”

Malwarebytes describes ‘Troubleshooter’ as a hijacker, but it’s one of those instances where a tech support scam edges close to ransomware.

[22nd November 2017]

Microsoft’s Windows Security Blog on Technet: New tech support scam launches communication or phone call app

“A new tech support scam technique streamlines the entire scam experience, leaving potential victims only one click or tap away from speaking with a scammer. We recently found a new tech support scam website that opens your default communication or phone call app, automatically prompting you to call a fake tech support scam hotline.”

The scam is supplemented by an audio message from ‘Apple Support’ (yeah, right…) that threatens to ‘disable and suspend your Mac device’ if the prospective victim closes the ‘alert’ window. However, the scam is ‘optimized for mobile phones’.

Commentary from Zeljka Zorz for HelpNet: New scam launches users’ default phone app, points it to fake tech support hotline

[12th October 2017]

Sophos: Three Apple Malware Scams

The estimable Paul Ducklin advises us to Watch out for these high-pressure Apple malware scams. 

To be precise, a couple of tech support scams and a fake Flash Player update. Ho hum… Still, the first one is particularly interesting, if you’re a connoisseur of these things.

[6th September 2017]

Tech Support Scammers Target BT Customers (article on this site)

Well, this isn’t the first time. But a report by Kat Hall for The Register suggests that some of the scammers may have more information about potential victims than they should. Which makes me wonder whether there’s a leak similar to that affecting TalkTalk customers. I’ve certainly been contacted in the past by BT sales people who were clearly not based in the UK.

I don’t know whether there’s been such a leak at BT, of course. However, it’s not unknown for people working in legitimate support to be also implicated in some way in support scamming, whether by leaking data or by working in a call centre that encourages scam calling as well as offering legit support for legit organizations. And it’s hard to police that kind of activity.

That article by Kat Hall: Indian call centre scammers are targeting BT customers – In some cases fraudsters knew their mark’s personal details

[29th August 2017]

Article on this site: Tech support scams – FTC offers money back…

…well, there’s no foolproof way of getting your money back every time, unfortunately. But Shaun Nichols reports for The Register that FTC ready to give back tech support scamming money to the bilked.

“Those who have been identified as eligible by the FTC will get an email from the commission with a PIN number that can be used to obtain the claim forms. In order to claim a share of the payout, consumers will have to fill out a claim before October 27.”

The article does, very sensibly, point out the risk that scammers will use the FTC’s initiative as a springboard for further scams. Unfortunately, I can’t predict exactly what form such scams will take, but I’d be surprised if they don’t happen…

The Federal Trade Commission’s own press release is here: FTC Announces Refund Process for Victims of Deceptive Tech Support Operation.

It states:

Eligible consumers bought tech support products and services between April 2012 and November 2014 from Advanced Tech Support, which also used the name Inbound Call Experts. Consumers will have until October 27, 2017 to submit a request for a refund.

[11th August 2017]

The Register: TalkTalk fined £100k for exposing personal sensitive info – 21,000 accounts handled by Indian outsourcing biz exposed

‘…TalkTalk found an issue with the UK ISP’s portal … One of the companies with access to the portal was Wipro, a multinational IT services company in India that resolved high level complaints and addressed network coverage problems on TalkTalk’s behalf … three Wipro accounts … had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers.’

See also TalkTalk confesses: Scammers have data about our engineers’ visits to your home Info exploited, say customers

[28th June 2017]

Graham Cluley for ESET: Four arrested as Microsoft and UK police team up to crack down on technical support scammers

Me for this site: The Mechanisms of Support Scamming

[15th June 2017]

Hacked web pages redirecting to tech support scam pages. Info from Malwarebytes.

Jérôme Segura for Malwarebytes: The numeric tech support scam campaign

David Bisson for Graham Cluley’s blog: Compromised websites redirecting tech support scam hosted on numeric domains – Wait, there’s a malvertising vector, as well?!

[7th June 2017]

Tech support scammers poisoning Google search results is hardly new – see My PC has 32,539 errors: how telephone support scams really work – but there’s an interesting example flagged by Malwarebytes in the article Ads in Google Search Results Redirect Users to Tech Support Scam by Catalin Cimpanu. Also some useful commentary by Lisa Vaas for Sophos: Google ads for tech support scams – would you spot one?

[30th May 2017, revised 28th June 2017]

Dial One for Scam: A Large-Scale Analysis of Technical Support Scams is an academic paper, but interesting*. While it doesn’t tell seasoned scam watchers much we weren’t already aware of, it does take a systematic look at how the scheme is implemented, and hopefully that will be useful to someone in a better position to pursue more fundamental approaches than the occasional analyses from the anti-malware industry that this paper dismisses as ‘ad hoc’.

Sid Kirchheimer’s article from April 2017 for AARP – From Pop-Up Warnings to $9 Million Payout: Inside the Tech Support Scam – includes an easily-digestible summary of some of the main points of the paper.

Hat tip to Mich Kabay for bringing the article to my attention, and to Fat Security for flagging the paper for me some time ago.

*However, it’s irritating to see in section VII a paper of which I was co-author apparently credited to Malwarebytes. Reference [5] is to this paper for a Virus Bulletin conference – My PC has 32,539 Errors: how Telephone Support Scams really Work – and I appreciate having our work referenced.

Nevertheless, although Steve Burn, one of the authors, was indeed working for Malwarebytes, I was working for ESET, Martijn Grooten was working for Virus Bulletin, and Craig Johnston was an independent researcher. It is, of course, perfectly true that Malwarebytes researchers have done much useful research in this are.

[17th May 2017]

Consumer information from the Federal Trade Commission on Tech Support Scams.

No deep dive, but as long as it helps raise awareness…

[11th March 2017]

Article by Josep Albors and myself for ESET: Spanish Harmada: more on tech support scams

‘After our recent joint blog Support scams now reign in Spain, Josep Albors was contacted by a Spanish online newspaper asking for further information and general commentary. So here, first, is my general commentary on the evolution of the tech support scam and why the current high incidence of reports in Spain (and, to a lesser extent, other parts of the world) is so significant. The subsequent article in El Confidencial can be found here (in Spanish).’

[30th March 2017]

William Tsing for Malwarebytes: Tech support scammers and their banking woes. Well worth reading, but the short message is that as high-risk processors have become more nervous of accepting support scammers as clients, scammers have had to resort to other methods.

“… barred from traditional banks and losing access to high-risk processors, tech support scammers have gotten a little creative. An increasingly common method we’ve seen for payment is Apple or iTunes gift cards.”

[28th March 2017]

Catalin Cimpanu for Bleeping Computer: Adware Replaces Phone Numbers for Security Firms Returned in Search Results.

“A new adware family named Crusader will rewrite tech support phone numbers returned in Google search results, display ads, and show popups pushing tech support scams.”

[9th March 2017]

Article on this site looking at TalkTalk’s attempts to mitigate its customers’ problems with support scammers (and other scammers): Should TalkTalk blockTeamViewer?

[3rd March 2017]

An article for Microsoft’s Technet describes a somewhat innovative tech support scam. It uses a script associated with the JS/Techbrolo family, known for its habit of generating fake alerts involving dialogue loops and audio messages. So far so average. But in this case, the pop-up isn’t a dialogue loop, but a website element of the scam page. If the victim clicks anywhere on the ‘dialogue box’ or anywhere else on the page, he or she is presented with what looks like a full-screen browser page open at something looking very much like a Microsoft support URL: however, it’s actually just another website element.

Microsoft: Breaking down a notably sophisticated tech support scam M.O.

HT to David Bisson, whose Tripwire blog drew this to my attention: Tech Support Scam Uses Website Elements to Spoof Microsoft Support Page

[20th February 2016]

My colleague Josep Albors came to a surprising conclusion in his Spanish language blog article Fake technical support is the most detected threat in Spain during January. I was so taken with the article that I generated a somewhat free translation with copious extra commentary for WeLiveSecurity: Support scams now reign in Spain.

[6th January 2016]

Article for this site: Support Scammers hit Mac users with DoS attacks. Jérôme Segura (for Malwarebytes) examines another DoS attack somewhere on the thin borderline between ransomware and tech support scams.

[15th December 2016]

Malwarebytes makes VinCEmeat of screen locker

Pointer blog on this site: to interesting analysis from Pieter Arntz for Malwarebytes of the VinCE screen locker, intended to persuade the victim into calling the ‘helpline’ number the malware displays. An example of malware that illustrates an almost imperceptible distinction between a tech support scam and true ransomware.

A closer look at a tech support screen locker

This AVIEN article also added to Tech Support Scams and Ransomware.

[3rd November 2016]

Thomas Webber brought to my attention his support scam resource page here: Tech Support Scam: More than Just Fake Calls from Microsoft. I’ve only skimmed it, but seems to provide useful information and advice.

[24th November 2016]

Entertainment rather than novel information – in fact, it’s an old-school cold call scam – but worth a minute or two of your time: Dr Solly Yanks a Support Scammer’s Chain

Less amusingly:

Every so often I get requests for help from people with a computer problem that may or may not be malware-related.

When I have to refuse help, which is more often than I’d like, I try to refer the people concerned to a more appropriate person or forum, and to suggest they do what they can to ensure that the advice is from a reputable and competent source. I’m more cautious about recommending specific resources, even well-known commercial organizations, unless I’m in a position to confirm their competence and bona fides.

Sadly, this reluctance has been reinforced by accusations against Office Depot, which is alleged to have tricked customers into paying for unnecessary repairs to their systems.

I’m not sure it’s that simple, though. As I discuss at some length in an article for ITSecurity UK: Support Scams and Diagnostic Services

[12th November 2016]

There have been suspicions before that TalkTalk customers have been targeted by tech support scammers who know more about their intended victims (and their issues with TalkTalk) than they should. I’ve alluded to them in some articles on this site.

I don’t, of course, know the facts behind those suspicions, but I note that Graham Cluley has encountered another curious incident – I won’t say coincidence…

Brand new TalkTalk customer is targeted by phone scammer – A problem at TalkTalk? Say it ain’t so.

[7th November 2016]

An article by Jérôme Segura for Malwarebytes – Tech support scammers abuse bug in HTML5 to freeze computers – describes the use of a variation on the Tech Support ploy of using Javascript loops to simulate a persistent pop-up ‘alert’. In this case, the attack makes use of a bug that abuses the history.pushState() method introduced with HTML5. According to Segura, ‘the computer that visited this site is essentially stuck with the CPU and memory maxed out while the page is not responding’, though it may be possible to kill the browser process with Task Manager.

Hat tip to David Bisson, whose commentary for Graham Cluley’s blog called the issue to my attention.

David Harley

[28th October 2016]

Posted here and to Geek Peninsula II: Support Scam that Threatens to Delete Hard Drive
Siddhesh Chandrayan, for Symantec, reports on a particularly vicious example of social engineering designed to scare a victim into ringing a fake support line: Tech support scams increasing in complexity – Tech support scammers have begun using code obfuscation to avoid detection.  (Commentary by David Bisson, writing for Graham Cluley’s blog: Scare tactics! Tech support scam claims your hard drive will be deleted – Scammers tries to frighten you into phoning them up.)

The pop-up fake alert claims that the victim’s system is infected with ‘’ and that the hard drive will be deleted if he or her tries to ‘close this page’. It displays a fake ‘hard drive delete timer’ complete with audio effect.

Don’t panic! In principle, Javascript like this isn’t able to do any such thing: that’s a security feature of the language. (There are, of course, other ways of accessing and changing the contents of a client-side disk, but there’s no suggestion that any of those mechanisms are at play here.)

The obfuscated script also includes code to ascertain whether the system is running Windows, ‘MacOS’, UNIX or Linux, so that the alert can be tailored accordingly.

[24th October 2016]

Security Essentials or Support Scam?

What Hicurdismos actually does is generate a fake Blue Screen of Death (BSoD) including a ‘helpline number’: so yes, it’s essentially a malware-aided tech support scam. (Added 27th October: additional commentary by David Bisson)

[19th October 2016]

Malwarebytes CEO Marcin Kleczynski is heavily quoted by Steve Melendez in an article suggesting an ever-increasing correlation between tech support scams using malware and unequivocal ransomware: Tech Support Scams Are Getting More Sophisticated

[18th October 2016]

Interesting statistics regarding the relative proportions of tech support scam victims in various parts of the world:

[30th August 2016]

For Malwarebytes,  gives details of some tricks currently used by tech support scammers to deceive Chrome users. Tech support scams and Google Chrome tricks

Commentary from Help Net Security: Google Chrome users targeted by tech support scammers

[8th August 2016]

As described in an article on this site: Ransomlock.AT: ransomware meets support scams

Symantec describes ‘a new ransomware variant that pretends to originate from Microsoft and uses social engineering techniques to trick the victim into calling a toll-free number to “reactivate” Windows.’ (That is, to unlock the computer.) The article is here: New ransomware mimics Microsoft activation window. The Symantec researchers tried to contact the ‘helpline’ number 1-888-303-5121 but gave up after 90 minutes of on-hold music and messages. Interestingly, a web search for that number turns up dozens of links to sites claiming to help ‘remove’ the number, which Symantec believes to have been promoted by the ransomware operators or their affiliates.

Fortunately, they spent less time on concealing the unlock code, for the moment at any rate. Symantec tells us that ‘Victims of this threat can unlock their computer using the code: 8716098676542789’.

Today’s second look at a link between tech support scams and ransomware is a bit more tenuous. In fact, it deals with a support scammer who was caught unaware by ransomware, thanks to some quick thinking by a security researcher.

[26th July 2016]

Another of my colleagues at ESET brought to my attention an article in Computer World – Feds shut down tech support scammers, freeze assets – with more commentary about the Federal Trade Commissions instituting of legal action against ‘scammers, who bilk consumers out of an estimated $1.5 billion annually with bogus tales of infected Windows PCs and Apple Macs, high-pressure sales tactics, and grossly overpriced services and software.’

I may have further commentary on that in due course, but right now I’m a little busy. 🙂

[15th July 2016]

Press release from the Federal Trade Commission: Lead Generator Defendants in Tech-Support Scam Agree to Settlement With FTC and the State of Florida – Order Requires the Defendants to Pay $258,000 (HT to Stephen Cobb for drawing my attention to it.)

[4th July 2016]

As reported by Softpedia –  One Crook [is] Running over 120 Tech Support Scam Domains on GoDaddy … and it seems there is no one to stop him from registering new domains and setting up new websites  – it seems that  MalwareHunterTeam is discomfited that it’s so easy to set up scam sites. Well, yes, but that’s hardly an issue that’s restricted to support scams, or even to scams in general. It doesn’t take much effort for criminals to set up web sites.

Commentary by David Bisson for Graham Cluley’s blog,

27th June 2016


[23rd June 2016]

Article by me on Tech support scammers impersonating ISPs

[20th June 2016]

Article by me on this site: Beating the ‘Microsoft scam’ Actually, more a case of why it’s not so easy to beat the scam by education, responding to an article in SC Magazine.

[5th June 2016]

Another FBI alert, this time summarizing an increase in reports of tech support scams. While law-enforcement alerts are often behind the curve, there are several points well worth noting here:

  • The addition of two approaches to initial contact that have been particularly noticeable recently:
    • Via BSOD/locked screen
    • Addition of an audio message urging the victim to report the issue to a fake support line
  • An uptick in the variation where the scammer offers a ‘refund’ on ‘services’ previously paid for. This isn’t the technique much favoured by 419 scammers where the scammer takes advantage of the time it can take for a cheque to clear. Instead, the scammer persuades the victim to give the scammer remote access to the victim’s account as well as to his or her PC.

[2nd June 2016]

James Rodewald has put up an interesting article for ESET on a DNS hijacker. It’s actually the way it conceals its activity that’s of most interest: however, this will also interest followers of this blog:

Typically a computer user affected by DNS Unlocker will see advertisements with a note at the bottom saying, “Ads by DNSUnlocker” … or something similar and multiple different variations of “support scam” pop-ups …

Crouching Tiger, Hidden DNS

David Harley

[20th May]

Here’s another instance where ransomware and tech support scams overlap. Jérôme Segura, for Malwarebytes, describes how scammers have moved on from ‘bogus browser locks and fake AV alerts‘ to real screen lockers. In particular, he describes an example of malware shared by @TheWack0lian that passes itself off as a Windows update. However, during the ‘update’ it effectively locks the computer, ostensibly due to an ‘invalid licence key’, forcing the victim to call a ‘support line’.

The article – Tech Support Scammers Get Serious With Screen Lockers – includes a keyboard combination that might disable the locker, and some hardcoded ‘key’ values that might also work. However, it’s likely that there are already variants out there that use different ‘keys’, and if there aren’t, there almost certainly will be.

Commentary by David Bisson for Graham Cluley’s blog is also worth reading: New tech support scams mimic ransomware, lock users’ computers –Beware if you’re asked to pay $250 for a product key to unlock your PC.

[19th May 2016]

FTC press release: FTC Adds Defendants, Charges in Ongoing Tech Support Scam Case – Amended Complaint Adds India-Based Defendants, Telemarketing Sales Rule Charges

HT to Stephen Cobb, my colleague at ESET.

[12th May 2016]

Malwarebytes gets the jump on a group apparently responsible for impersonating legitimate security companies. Well, that’s pretty standard for tech support scammers, but in this case Malwarebytes is talking about ‘a fraudulent page which the crooks built by stealing the graphics from the Malwarebytes website and altering it to trick people into calling a toll-free number.’

And not only Malwarebytes. The article includes some screenshots of fake sites impersonating Microsoft, AVG, Kaspersky, ESET and so on.

Here’s the Malwarebytes article: The hunt for tech support scammers. Commentary by SC Magazine: Scammers impersonate legit cyber-security companies

[12th April 2016] Extract from blog article here: UK threat prevalence – Symantec

John Leyden for The Register has summarized Symantec’s latest Internet Security Threat Report, and focuses on UK-specific figures threat prevalence: Spear phishers target gullible Brits more than anyone else – survey; Ransomware, 0days, malware, scams… all are up, says Symantec.

Of particular relevance to this site are the statistics for crypto ransomware attacks (up by 35% in the UK) and for tech support scams (7m attacks in 2015). Since this is described as a survey, I guess the figures are extrapolated from the surveyed population’s responses rather than from a more neutral source, but I can’t say for sure.

[Added 2nd April 2016]

Palo Alto describes how a Unit 42 analyst dealt with a traditional cold-call support scammer. Nothing earth-shatteringly unusual as far the scamming methodology is concerned, but useful analysis nonetheless.

Robert Falcone and Simon Conant: Don’t Be an April Fool: Inside a Common Phone Scam

[Added 24th March 2016]

Jérôme Segura has blogged for Malwarebytes about a somewhat innovative tech support scam campaign: Scammers Impersonate ISPs in New Tech Support Campaign.

The scam is pushed by malvertising which

‘detects which Internet Service Provider (ISP) you are using (based on your IP address) and displays a legitimate looking page that urges you to call for immediate assistance.’

[Added 23rd February 2016]

If support scammers are using Dell customer data, as seems to be the case, Dell could certainly be more proactive in warning its customers, despite its own concerns about being seen as vulnerable to external or internal data leakage. But at least they’re now trying to gather info on the issue. See my article here: Support Scammers Targeting Dell Customers


… not everyone who is [a Dell customer] has the technical grasp that Krebs’s correspondents seem to have. So perhaps it’s time Dell at least made more effort to notify people using its products (and especially its support services) that scammers may have such data, and that possession of such data shouldn’t be taken as some sort of validation of the bona fides of a cold-caller.

[Added 17th February 2016]

My latest article for ESET’s WeLiveSecurity blog expands on an article that originally appeared in a lengthy article on support scams for ITSecurity UK, and subsequently in an article for the ESET Threat Radar Report for December 2015.

Support scams: What do I do now? covers some of the options for people who’ve allowed a support scammer to access their PC and, on discovering that they’ve been duped, have asked about the implications of that mistake and what they need to do next.

[Added 8th February 2016]

For the Register, Kat Hall revisits the allegations that the security of TalkTalk customers was compromised by data leaked to support scammers. In the BBC’s Moneybox programme it was claimed that ‘criminals appear to have accessed the details of TalkTalk engineer home visits and have gone on to use this information to trick customers’.

It’s not altogether clear that there is a direct link, but Hall points out that:

‘At the end of January, TalkTalk said it was considering cutting ties with its Indian call centre provider after three employees at the site were arrested for allegedly scamming customers.’

[Added 29th January 2016]

A slightly opaque story about TalkTalk and arrests at the Indian call centre it’s been using to lighten its support load.

[Added 25th January 2016]

For Graham Cluley’s blog, David Bisson summarizes the story of how Symantec ended its agreement with one of its partners after Jérôme Segura reported for Malwarebytes on how the partner was using tech support scam techniques to trick customers into buying Norton Antivirus and a year’s support at prices well in excess of the pricepoint set by Symantec.

Extensive commentary from me – Support Scams and the Security Industry – includes thoughts on specific scam ploys mentioned by Segura, and on reporting scammers to the industry.

[Added 22nd January 2016]

Jérôme Segura for Malwarebytes reports a case where the scammer is claimed to be ‘an official member of the Symantec Partner Program’. My commentary on this site is quite lengthy, and makes what I think is an important point about not being lured into contacting a scammer by popup alerts or by random ‘support links’ flagged by a search engine. While legitimate companies may be unaware of unethical practice by a partner occasionally, this is far less common than links associated with support sites whose adept use of SEO is not matched by expertise, integrity or ethics in the field of tech support.

[Added 21st December 2015]

iYogi tech support – sued by State of Washington – blog article on this site, commenting on Washington State’s legal action against iYogi, to whom a legitimate AV vendor used to outsource its support.

[Added 16th December 2015]

For Malwarebytes, Jérôme Segura reports on another incident where a support scam is combined with other malicious action – Comcast Customers Targeted In Elaborate Malvertising Attack. In this case, malvertising planted on Comcast’s Xfinity search page leads to an attempt to install malware via the Nuclear exploit kit. Malwarebytes weren’t able to collect the malware payload on this occasion, but think it likely to be Cryptowall or another type of ransomware. Subsequently, another site purporting to be the Xfinity portal may serve a fake alert along the lines of:

Comcast’s security plugin has detected some suspicious activity from your IP address.  Some Spyware may have caused a security breach at your network location.  Call Toll Free 1-866-319-7176 for technical assistance

Also reported by Help Net Security.

Adding to both the Tech Support Scam and Ransomware resource pages

[Added 4th December 2015]

Department of bizarre coincidences: yesterday I published a ransomware information page on this site, on approximately the same lines as this tech support page. Today an article by Zeljka Zorz for Help Net Security – A double whammy of tech support scam and ransomware hits US, UK users – directed me to this Symantec article by Deepak Singh: Tech support scams redirect to Nuclear EK to spread ransomware – Tech support scammers may have bolstered their arsenal by using the Nuclear exploit kit to drop ransomware onto victims’ computers.

This isn’t the first time I’ve heard of scammers who try to lure potential victims to a site from which the Nuclear exploit kit is being served as well as the support scam.  Martijn Grooten wrote in some detail about such a case – Compromised site serves Nuclear exploit kit together with fake BSOD – for Virus Bulletin, back in July 2015. In this instance, though, if the exploit kit is successful in finding an exploitable vulnerability on the victim’s system, it will drop either the ugly Cryptowall ransomware or a data-stealing Trojan.

This may not be an instance of support scammers deliberately making use of an exploit kit with the intention of maximizing profit through ransomware or information stealing. But as Singh observes ‘…if this proves to be an effective combination, we are likely to see more of this in the future.’

[Added 26th November 2015]

Tech Support Scams: a Beginner’s Guide – a blog for IT Security UK. I thought maybe it was time we reconsidered what we tell end users what they need to know about support scams, as the scammers change their approach from cold-calling to pop-up fake alerts.

[Added 16th November 2015]

The FTC’s latest initiative in the war against support scams targets the use of fake system/browser/security software alerts.

Article by Shaun Nichols for the Register: FTC fells four tech-support operations in scammer crackdown

Comments by me on this site: Support Scams: FTC Targets Fake Alerts

[Added 12th November 2015]

It occurred to me, reading an article by my ESET colleague Jean-Ian Boutin – Operation Buhtrap, the trap for Russian accountants – that the Buhtrap Operation’s hijacking of Ammyy Admin might have direct consequences for some support scam victims, hence this blog: Buhtrap and Ammyy.

[Added 6th November 2015]

An interesting article by Talos with video and audio of a scammer in action, and details of this particular scamming group. Reverse Social Engineering Tech Support Scammers, by Jaime Filson and Dave Liebenberg.

And my own commentary for ITSecurity UK: Support Scams: Talos Takes Note

Plus an article from September 30th that I’ve seen before but don’t seem to have mentioned anywhere: David Finn for Microsoft – Microsoft hosts renowned ID theft expert to kick off expanded AARP partnership to stop tech scams. The expert in question was non other than Frank Abagnale, who led a discussion at the Redmond campus on the subject. The discussion and a subsequent workshop have been and gone, but the article includes some interesting content in its own right. For instance:

“Since May 2014, Microsoft has received over 175,000 customer complaints regarding fraudulent tech support scams. This year alone, an estimated 3.3 million people in the United States will pay more than $1.5 billion to scammers.”

[Added 21st October]

Article by me for ITsecurity on Support Scams: Splashes in the Phish Pool. Apple users targeted by a pop-up ‘alert’ may be directed to a site impersonating Apple’s own tech support site.

References a Malwarebytes article Tech Support Scammers Impersonate Apple Technicians by Jérôme Segura , also referenced by Ars Technica in an article by Dan Goodin: Support scams that plagued Windows users for years now target Mac customers [Added 22nd October: this article for The Register by John Leyden also refers: Support scammers target Mac fanbois]

[Added 16th October]

Jérôme Segura pointed out that there is a list of scammer-related phone numbers on the Malwarebytes page here. As I’ve pointed out previously, there’s lots of other useful info there too.

[Added 15th October 2015]

Support scammer phone info shared by several people on Twitter today: Support scammer phone numbers

[Added 8th October 2015]

Another article from me for ESET, on the way support scams are gradually moving away from simple-minded cold-calling to fake-AV-like pop-ups, intended to trick victims into making the initial telephone contact. The scams are aimed not only at Windows users but at users of OS X and iOS, Android, and even (rather ineptly) Linux. How many Linux users believe their system uses an NT Kernel? (And no, Wine doesn’t either: it implements the App Binary Interface in userspace, not in a kernel module.)

Tech Support Scams: Top of the Pop-Ups

I also expanded on the theme of cross-platform scanning for Mac Virus.

[Added 14th September 2015]

An article for this site on Tech Support Scams Latest. While pointing to the entry below from 11th September 2015, it also offers commentary on some feedback to one of my ESET articles.

[Added 11th September 2015]

Another article from Malwarebytes on support scams using a fake Blue Screen of Death, this time by Chris Boyd: Avoid this BSoD Tech Support Scam. Also some comment by John Leyden for The Register.

[Added 2nd September 2015]

Blog by me for ESET on recent trends: Support scams, malware and mindgames without frontiers

[Added 18th August 2015]

Another blog by Jérôme Segura well worth a read: The Multi-language Tech Support Scam is Here

[Added 31st July 2015]

A new blog by me, Double Dipping: Nuclear exploit, fake BSOD, support scams, refers to two very interesting blogs by Martijn Grooten – Compromised site serves Nuclear exploit kit together with fake BSOD – and Jérôme Segura  – TechSupportScams And The Blue Screen of Death.

[Added 28th July 2015]

Here’s a translation/summary of that blog by Josep Albors about iOS support scams.

[Added 21st July 2015]

I was quoted in Josep Albors’ blog for Ontinet regarding the iOS support scams. Sorry, it’s in Spanish, but I’ll come back to it in a little while in English.

[Added 17th July 2015]

Here’s a further Mac Virus article in the light of an F-Secure article explaining that pop-up blocking in Safari doesn’t fix the iOS Support Scams issue I added yesterday: A bit more on iOS support scams. I don’t necessarily include links here that are internal to a link that I have added here, but as this issue still seems quite ‘live’ I will this time:

I also notice that there’s a Wikipedia article on support scams here. It’s not exactly comprehensive, but it’s reasonably accurate and even links to a couple of my articles. 🙂

[Added 16th July 2015]

Here’s an extract from another Mac Virus article – iOS Support Scams – on tech support scams, this time targeting iOS users:

A new blog by Graham Cluley for Intego actually has some points in common with my most recent blog here (which also involved pop-ups misused by support scammers, particularly in the context of Safari). However, Graham’s article is about iOS, whereas mine related to questions asked regarding OS X and Safari (citing advice from Thomas Reed that also addressed other browsers).

[Added 14th July 2015]

An article for Mac Virus on tech support scam pop-ups targeting Mac users, and pointing to a useful article by Thomas Reed here, as well as a knowledge base article by Apple on dealing with ad-injection software.

[Added 26th June 2015]

An article for ESET. Not primarily about support scams, but interesting data from reports by the Consumer Sentinel Network Data Book for January-December 2014 and Pindrop Security – The State of Phone Fraud 2014-2015: a Global, Cross-Industry Threat.

I don’t recommend (see my article) that you take the statistics as gospel, but interesting trends and commentary.

[Added 4th May 2015]

I don’t know how many people are still watching this page, but I haven’t updated it in a few months, so here are two things from the WeLiveSecurity page that I should have added:

[Added 26th October]

Alleged US support scam site temporarily shut down: one of my articles for IT Security UK about the FTC securing an injunction against Pairsys Inc, which (according to The Register) is is “banned from deceptive telemarketing practices, and may not sell or rent their customer lists to any third party. The injunction requires that their websites and telephone numbers must be shut down and disconnected, and their assets be frozen.”

Tech support for telemarketers has a somewhat tenuous link to support scams, but might amuse you anyway.

[Added 18th October]

I was contacted on another blog by ‘Steve’ at Emsisoft about a blog he put up recounting an encounter with a support scammer who cold-called Bleeping Computer. There isn’t an awful lot in the account that’s really new: the Event Viewer gambit, remote access with TeamViewer, misrepresentation of Task Manager, the claim that the ‘victim’s’ anti-malware is ‘incompatible and useless’, even the misrepresentation of the ‘tree’ command, with the crude interpolation of ‘virus alerts’ typed in by the scammer. However, the detailed transcription of the conversation is interesting, and there are a few details that are probably worth discussion in another article. Watch this space.

[Added 26th September, 2014]

Jérôme Segura talks about his paper Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam, which he just presented at Virus Bulletin 2014, on the Malwarebytes blog: Tech Support Scams exposed at VB2014. The blog includes a link to a PDF version of the slide deck.

[Added 22nd September, 2014]

Support scam paper at Virus Bulletin 2014 considers the paper to be presented by Jérôme Segura  at this year’s Virus Bulletin, as well as Martijn Grooten’s preview on the Virus Bulletin blog.

[Added 12th September, 2014]

Biting the Biter: considers the proposed use of a flaw in Ammyy Admin 3.5 as a means of attacking a machine used by a support scammer.

[Added 14th August 2014]

Added to this site: Malvertising leading to fake support, which references this article by Blue Coat: A Nostalgic Attack, With a Modern Twist

[Added 25th July 2014]

A video on How to avoid tech support scams from ESET (no, nothing to do with me).

[Added 3rd July 2014]

Another article for Graham Cluley’s blog about a site used to direct support scam victims to remote access software: Support scammers – at your service!

[Added 21st June 2014]

My article for Graham Cluley’s blog: Tech support scams and the wisdom of Solomon

Plus the six blogs referenced in that article “where Dr Solly messes with the heads of assorted grades of support scammer”:

[Added 29th May, 2014]

Some of us remember with affection Dr Solomon’s Antivirus Toolkit. Alan Solomon hasn’t been very active in the AV scene in recent years, but recently he had quite a lot of fun with a support scammer: Technical support scam

[Added 22nd May, 2014]

Yet another Harley support scam article for ESET’s WeLiveSecurity blog: Support Scam Using (MS-)DOS* Attack

The never-ending Windows support scam often misrepresents obsolete MS-DOS utilities. But three simple rules will bypass most of that social engineering.

[Added 21st May, 2014]

[Added 2nd March 2014]

An article by me for ESET that I should have posted here ages ago: Scams: Tech Support, Accident Insurance, PPI, Oh My My.

And I just realized that I didn’t actually post a link to an excellent post by Martijn Grooten that’s briefly referenced in the same blog: Tech support scammers won’t give up.

[Added 29th January 2014]

An article by me at (ISC)2 commenting on the article by  Jérôme Segura previously flagged here.

[Added 23rd January 2014]

An interesting article by Jérôme Segura for the Malwarebytes blog: Tech support scammers target smartphone and tablet users. With particular reference to scammers advertising support for Android.

You might also find this thread, flagged by my good friend Steve Burn, also of Malwarebytes, of interest:

[Added 9th January 2014]

An article by me for ESET pointing to and commenting on a recent article by the FTC on a new-ish twist to tech support scams: Tech Support Scams: Second Byte at the Cherry.

[Added 22nd December 2013]

An article by Andy O’Donnell on Beware of the ‘Ammyy’ Security Patch Phone Scam: A new twist on an old scam. Rather a narrow AMMYY- and US-centric view of how tech support scams work, but has some suggestions that may be useful to all those people who ask what to do when they’ve allowed a support scammer access to their PC. HT to Patrick Nolan.

I also forgot to add a recent article by Rob Waugh for ESET: Reverse charges: How one man turned the tables on PC phone scammers. My own blog Scamming the Scammers also refers.

[Added 22nd November 2013]

Another blog by me for ESET on how support scammers sometimes convince you that they’re providing product support on behalf of the vendor.

  1. By social engineering in the course of a cold-call.
  2. By seeding the web with sites and using SEO to promote them that support their claims to provide AV tech support, though they’re unlikely to claim there that they’re directly affiliated with individual companies.

I had a lot of helpful discussion with ESET’s support team that inspired the article. And I regard this kind of fraud as an insult to the sterling work that real AV tech support teams do.

Tech Support Scammers: Talking to a Real Support Team

[Added 5th November 2013]

Blog by  for ESET. Update on some new gambits and reports by other researchers.

[Added 20th June 2013]

An article by me for ESET: Support Scams: we don’t really write all the viruses…

Which includes commentary on and references to this article by Eddy Willems: A curious phone call – when a help desk scammer offers you a job

[Added on 11th May 2013]

An article for (ISC)2: that references an article by Paul Ducklin – An unholy alliance – Fake Anti-Virus, meet Bogus Support Call! – and summarizes some of the other recent developments.

[Added 8th May 2013]

An article for ESET in which I commented on some recent developments in the support scam landscape, including a pointer to Jerome Segura’s article for the Malwarebytes blog Support Scam Cold-Calling: the Next Generation and another to Jean-Ian Boutin’s article Online PC Support scam: from cold calling to malware.

Support Scam Cold-Calling: the Next Generation

[Added 13th December 2012]

I have a load of content to add here, but I haven’t had time to sort it so far. So I’m afraid all I can do right now is add a couple of links to the ESET blog, where I have blogged on the topic once or twice since the 8th November (and they do point to other recent posts by others working in this area):

And Stephen Cobb blogged a nice collection of informational resources that you might find useful: Free cyber security resources to keep on your radar

[Added 8th November 2012]

A comment from Toronto to one of my blogs tells us that the commenter “Received a call yesterday evening and confirmed that a family member received a similar call during the same timeframe…it appears they are going through the phonebook for contact numbers.  The call came from a blocked long distance number.  A man with an east Indian accent was on the line and from what I could hear he was in a call centre.  Managed to get the “name” of the caller aka “Sam Spancer” but no other contact info.  In an attempt to gain my trust, he claimed to be working for the “Digital Network Server Department of Canada”, a supposed anti-hacking division of the Government of Canada, that my computer was being hacked and my assistance was required to stop the hackers before more damage was commited.”

[Added 6th November 2012]

A recent blog article at ESET is primarily about phishing and other scams related to Windows 8, but also includes some content relevant to this page.

I’m reminded to remind you that SANS is looking for information from people who’ve received support scam calls. They’ve shared a little of that information here.

And the paper by myself, Martijn Grooten, Craig Johnston and Steve Burn that I presented at the CFET Forensics conference in September is now available here: FUD and Blunder: Tracking PC Support Scams.

Also some other articles of mine:

[Added 12th October 2012]

Oops. I’ve fallen behind a bit with this. So here’s a bumper bundle of links:

[Added 11th September 2012]

Added an article including some comments to one of my ESET blogs on support scams: Last week I presented on support scams at the CFET forensics conference in the UK: I’ll post a link here when the paper is up.

[Added 28th August 2012]

Report received via the ESET blog of a scam call using the ASSOC and Event Viewer ploys: scammer used the name Alex Parker, and said his company was Creative Solutions Online: came up with a number 4034563615 used by scammers claiming to represent the same company, or for Windows Internet

Office address given as Clearwater, Fla., and phone numbers in UK, US, Australia

Sibyl Technology Solution
Rubel Debnath
339, purbasinthi
west bengal
Phone: +91.9230062065
Email Address:

[Added 24th August 2012]

Blog here with more details about the way Ammy’s warning about misuse of its service: More about Dorifel as a scammer ploy, and Ammyy warns of misuse of its service

Steve Burn on Ammyy’s warning

And at ESET: Support scams and Quervar/Dorifel

[Added 21st August 2012]

More on from ESET Threatblog reader Allan. In the case he reported, the prospective victim was given the US number on the same site I looked at, 1-800-986-4764. Oddly enough, when I looked at the site again just now, the Canadian page failed to load and the Australian page loaded, but popped up a somewhat intrusive live chat button that doesn’t show on other pages. Currently offline, echoing Righard Zwienenberg’s experience with a similar chat facility in a slightly different – but related – context: Scareware on the Piggy-Back of ACAD/Medre.A

Allan supplies some whois data for the site, registered with GoDaddy:

Created on: 18-Dec-10
Expires on: 18-Dec-13
Last Updated on: 15-Jul-12

As he says, ‘The rest is useless as it pertains to DomainsByProxy.’

Another comment from Michael told us about a scammer claiming to be “David Foster from Online Tech  Ph. 02 2039846662. I dialled the number while  talking to him but of course it is a dead number.” Veronica was called by someone from ‘IPC Support’: I haven’t had time to check these companies out yet, unfortunately.

Steve in the UK was told by a scammer that he knew the CLSID of his motherboard. I haven’t heard that one before. 🙂 And Melissa was referred to the number 302-261-2620 and

[13th August 2012]

More from SANS on its tech support scam report form: ISC Feature of the Week: Report Fake Tech Support Calls.

Unfortunately, SANS hasn’t chosen to follow up on our offer to exchange information on this type of scam. Still, there are some useful additional resource links in the article:

  • An article by Johannes Ullrich
  • Two podcasts
  • And a relevant Threat Update Webcast

Meanwhile, SC Magazine reports on a couple of somewhat related issues:

Dorifel/Quervar: recent malware used by support scammers to support the con [11th August 2012]

The threat of the Dorifel/Quervar malware, spreading in the Netherlands, is used by telephone scammers to trick local PC users into paying for ‘protection’. Dorifel/Quervar: the support scammer’s secret weapon.

Support Scam Anna-lytics and a very dodgy phone number [9th August 2012]

Another day, another support scammer. Anna claimed to be from Global PC Helpline, and gave me a UK phone number 0800-0148910 which does indeed correspond to the Global PC Helpline page for the UK at She also told me that my PC was sending out messages about system errors, and tried to pull the CLSID gambit on me.

Much more here: Support Scammer Anna’s CLSID confusion

And reader Paul reports getting a very similar call from this number: 210 301 0307. A little googling found that this number (with a San Antonio, TX area code – maybe Anna’s real name is Rose!)  is associated not only with this scam, but many others, from cruise scams to credit card interest scams.

Misrepresenting System Utility Output [6th August]

Lengthy commentary on some issues raised by Krebs and Jacoby (see below): Misusing VERIFY (and other support scam tricks)

[5th August]

A comprehensive article by Kaspersky’s David Jacoby describing some of the ways in which scammers misuse system utilities to mislead their victims. Interesting to see confirmation of the misuse of Task Manager (as I previously described in Support Scammer Update: Misrepresenting Task Manager), and a gambit I haven’t seen before, i.e. the misuse of VERIFY. I’ll go into detail shortly on the ESET blog, but in the meantime Jacoby’s article has a lot of detail worth checking. Trying to unmask the fake Microsoft support scammers!

[2nd August 2012]

Interesting article by Brian Krebs on what he describes as a Tech Support Phone Scams Surge including some useful info on “a company in India called NIAS E Business Solutions” apparently implicated in a couple of reports that he’s received.

[15th July 2012]

As mentioned here, Martijn Grooten, Craig Johnston, Steve Burn and I have been working on two papers on the topic to be presented at CFET and Virus Bulletin respectively. Links to both papers will be added here once they’ve been presented.

Articles (mostly) from the ESET ThreatBlog that shed additional light on the evolving PC Tech Support Cold-Calling Scam

  1. Support scams: social engineering update looks at some of the other aspects of scam calls that have been reported to us at ESET.
  2. Support Scammer Update: Misrepresenting Task Manager looks at slightly novel twist on the misuse and misrepresentation of legitimate utilities to con victims into believing that there is something wrong with their systems. Other utilities we more commonly see misrepresented in this way include Event Viewer, ASSOC (the CLSID ploy), INF and Prefetch, none of which have much to do with security.
  3. Support Scam Poll looks at an information-gathering exercise by the Internet Storm Center. Unfortunately SANS hasn’t shown much interest in exchanging information with us, but if you have any direct experience of the scam, I’d encourage you to take a look at their survey anyway. The more that people pay attention to the scam, the likelier it is that someone will manage to achieve something. The SANS Ouch! newsletter for July 2012 also looks at this issue: nothing really new here, but probably a reasonable resource for people unaware of the problem.
  4. How to recognize a PC support scam is a fairly lengthy consideration of some of the social engineering devices the scammers use when they call.
  5. Fake Support, And Now Fake Product Support: how a legitimate and ethical AV company outsourced its support to a company accused of perpetrating support scams.
  6. Support Scammers (mis)using INF and PREFETCH: the details of how two legitimate utilities are misused by scammers.
  7. Cybercrime and Punishment An account of the Association of Chief Police Officer’s conference where I talked at some length about this type of scam.
  8. Facebook Likes and cold-call scams: a joint blog about the use of social media and other resources to bolster the tech support scam.

[30th November 2011]

New article on the ESET blog about additional information posted to blogs on this type of scam: Support-Scammer Tricks

[12th November 2011]

I guess you could consider this page a partial answer to a question I posed on the AVIEN blog: Support scams: what can AVIEN do about it? I plan to expand on this in the next few days, but right now it’s essentially an information resource following up and expanding on my blog at ESET on Facebook Likes and Cold-Call Scams, though of course that was just one of many. But it may well include links to material originating here, in due course. First, here’s a white paper on the topic published earlier this year: Hanging on the Telephone: it aggregates some of the information on the topic ESET had built up in the year previously. Later articles for ESET here.

And next, some relevant recent blogs.

30th November 2011: ESET blog about additional information posted to blogs on this type of scam: Support-Scammer Tricks

12th November 2011:

David Harley on how (not) to scam the BBC (expands on the Cellan-Jones story below)

11th November 2011:

10th November 2011

  • New blog by someone claiming to work for one of the scam companies: Exposing Indian Call Center Scam. It’s not clear which company, and some of the information doesn’t jibe with some of my experiences with some of the scammers, but seems an interesting insight anyway. I’ll probably look at it in some detail in due course.
  • The above was actually flagged as a comment to this joint blog talking about some of the deceptive techniques used by PC support sites to enhance their credibility. Facebook Likes and cold-call scams. That one actually includes copious links to other informational pages.

Articles on the topic for SC Magazine’s Cybercrime Corner:

Articles for chainmailcheck.

David Harley