The IT Nerd

One of the things that I seem to be getting a lot of business from in the last year or so are Tech Support Scams. I’ve covered a couple of the ones that I’ve tripped over in the last year or so, and I am preparing myself to get more business based on what Microsoft has had to say about the subject:

In 2017, Microsoft Customer Support Services received 153,000 reports from customers who encountered or fell victim to tech support scams, a 24% growth from the previous year. These reports came from 183 countries, indicating a global problem.

Approximately 15% of these customers lost money in the scam, costing them on average between $200 and $400. In some cases, victims pay a lot more. In December 2017, Microsoft received a report of a scammer emptying a bank account of €89,000 during a tech support scam in the Netherlands.

That’s truly scary. It’s clear that everyone needs to take action to make these scams less effective. I have some advice on how to avoid getting scammed here. But the best defense is to get the word out about these scams to as many people as possible. That way when the scumbags behind these scams try to take someone’s money, they will fail miserably.

Last night I got a text message that got my attention. I snagged a screenshot of it for your viewing pleasure:

At first glance it looks like an Interac e-Transfer. And it comes from a Ontario area code to make it look legit. Except that when you look closer, specifically under the words “Deposit your INTERAC e-Transfer” you see a domain called frontsolut-1.com. That’s important because Interac has never used that domain. Besides, I am pretty sure that Interac doesn’t use GoDaddy to register their domains. Because when I ran the domain in question through the Whois database on GoDaddy, I found this:

Domain Name: FRONTSOLUT-1.COM
Registry Domain ID: 2247282825_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2018-04-03T01:30:36Z
Creation Date: 2018-04-03T01:30:36Z
Registrar Registration Expiration Date: 2019-04-03T01:30:36Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: REDACTED 
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: 
Registrant Name: Dean Ataman
Registrant Organization: 
Registrant Street: REDACTED
Registrant City: Belle River
Registrant State/Province: Ontario
Registrant Postal Code: REDACTED
Registrant Country: CA
Registrant Phone: REDACTED
Registrant Phone Ext:
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: REDACTED
Registry Admin ID: 
Admin Name: Dean Ataman
Admin Organization: 
Admin Street: REDACTED
Admin City: Belle River
Admin State/Province: Ontario
Admin Postal Code:REDACTED
Admin Country: CA
Admin Phone: REDACTED
Admin Phone Ext:
Admin Fax: 
Admin Fax Ext:
Admin Email: REDACTED
Registry Tech ID: 
Tech Name: Dean Ataman
Tech Organization: 
Tech Street: REDACTED
Tech City: Belle River
Tech State/Province: Ontario
Tech Postal Code: REDACTED
Tech Country: CA
Tech Phone: REDACTED
Tech Phone Ext:
Tech Fax: 
Tech Fax Ext:
Tech Email: REDACTED
Name Server: NS47.DOMAINCONTROL.COM
Name Server: NS48.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-04-03T12:00:00Z <<< 

Seeing as Interac is not located in Belle River Ontario, this is clearly fake. Thus validating that this is a scam. Even though I redacted some potentially personal information, that info is likely fake as well. Having said that, if Interac or law enforcement are interested in what I found, feel free to contact me and I’ll hook you up.

I decided to dig in a bit deeper to find out what this scammer was up to. So I copied the link to my test iPhone and clicked on it. I got this:

Oooooo. It looks like I am going to get some money. Well, actually no. If you look at the URL in the browser, it’s the same frontsolut-1.com address that I mentioned above. Clearly what this scam is counting on is that you won’t notice that. In the interest of science, I chose my financial institution and got this:

Now that’s a very good copy of the Canadian Imperial Bank Of Commerce website. To illustrate that, here’s the real Canadian Imperial Bank Of Commerce website:

It’s pretty close except that the domain frontsolut-1.com is still present. Again, the scammers are hoping that you won’t notice.

At this point it’s pretty clear what this is all about. This is an attempt to get your username and password to your online banking account so that the scammers can drain it dry. I have to admit that this is pretty crafty as if you’re not paying attention to things like the domain that is in use, you might fall for it. Thus my advice is to pay attention to any Interac e-Transfer that you get. Look for weird looking URLs and anything that doesn’t seem “normal.” If you receive a notification for an Interac e-Transfer that you weren’t expecting, contact the sender through a different communication channel to verify. If the notification comes from someone you don’t know, or you suspect it may be fraudulent, do not respond or click any links. Forward the email or take screenshots and forward those to phishing@interac.ca.

In the meantime, I am reaching out to Interac with all the info that I complied on this scam so that they can hopefully put an end to it. Or at least put it on their radar.

Over the last couple of weeks, Canadian wireless customers, and I am sure this is true in the US as well may have experienced the following:

1. The phone rings once and stops.
2. The phone’s owner checks the phone and it’s a number from the country code of 235 (Chad) or 232 (Somalia).

Now you’re likely tempted to phone the number back. I am here to say don’t do that. No. seriously. Don’t phone the number back. That’s what these scammers want you to do. And it is a scam called the “One Ring” scam. The whole idea is that the scammers are trying to get you to call them back. But when you do, you’ll get billed an astronomical amount of money per minute. I’ve heard of $400 a minute in one case which is insane.

Now in my case, I’ve received four of these calls over the last week. In every case, I’ve blocked the number in hopes that this will stop the calls. Seeing as two of them were at 3AM, that’s important to me. But blocking calls may not solve the problem as the scumbags behind this scam often use caller ID “spoofing” or deliberately falsifying the information transmitted to your caller ID display to disguise their identity. Thus it may end up being a situation where it’s like playing “Whack A Mole.”

The best way to avoid being a victim is to not to call back these numbers. Ever. But here’s a couple of other tips that may be of use:

• Check any unfamiliar area codes before returning calls. Google or whatever search engine that you prefer can help with this. Now this scam seems to use 3-digit country codes connect callers to international telephone numbers. Thus if you see a three digit code before the number, it’s likely a scam.
• If you do not otherwise make international calls, ask your local or wireless phone company to block outgoing international calls on your line. That way you can’t be a victim if you can’t actually dial the number back.

But if you do end up getting burned by this, I would recommend calling your phone company and seeing what they can do to credit the bill. On top of that, you should report it. In Canada, that means that you should go to the Canadian Anti-Fraud Centre. In the US, you can file a complaint with the FCC. Though, because of the nature of this scam, there’s likely not much that either party can do. Thus the best way to protect yourself is to not to call back.

UPDATE: I have also confirmed that calls are coming from 269 (Comoros), strangely 573 (A Missouri area code, but it is possible that it is country code 57 which is Colombia) and 267 (Botswana)

This past week I got three calls from clients who are all men who got emails similar to this one:

Fresh off the heels of the tech support scam that I documented here, I’ve come across another one. Or more accurately, one of my clients has. This scumbag got in touch with her and tried to drain her credit cards and bank accounts of whatever money he could get yesterday while trying to perform some sort of tech support “services.” My client let him into her computer and only gave him the boot after about an hour when the price went from $99 for his “services” to over a thousand dollars. That’s when she called me. I had a look over her computer and found that he had installed GoToAssist to allow him to take control of her computer remotely, but not much else was done with it. I plan on doing a follow up later this week, but from what I saw yesterday, she seems to have dodged a bullet.

Now the scumbag in question goes by the name of PC Tech Support and the phone number that they were calling from was 1-888-308-3363. I’m pointing this out because if you see this number on the call display on your phone, hang up. I found their website which I will not link to as I do not want to send them traffic. But I will display a screenshot of their website that clearly uses stock clip art:

That allowed me to look up who owned the domain that they are using:

What caught my attention was the organization name which was S.M.O.K.E. Technologies. I did a search of the name and found their LinkedIn page which again, I will not link to. Instead I will display a screen shot of it:

The website that they have doesn’t go anywhere. But if you look at where they have locations, they list Gurgaon, which is a city in India that I’ve been to numerous times, and Jaipur-Rajasthan which is where the registration of the domain came from. That cannot be a coincidence. That was confirmed when I came across the company on Gust.com which is India’s service to connect startup companies with investors:

If you look to the right, you’ll see the name Vivek Kosalla. Vivek is the name that’s in the domain registration above. That too cannot be a coincidence. This seems to point toward this company being behind PC Tech Support. And thus being behind this scam.

These guys seem to be rather unsophisticated scammers from a tech standpoint and I would rank them lower than the scumbags that I wrote about earlier this year. But they did try to go to town on my client’s credit card. Which by the way is now cancelled. She also now has credit monitoring just in case they try to steal her identity or something. So these scumbags will walk away with nothing.

Now let me reiterate something that I said the last time I covered a tech support scam. A legitimate company such as Microsoft, Apple, or Google would never call you in this manner. The exception might be your ISP. There’s a minute possibility that your ISP would call you if your computer has been infected with malware that could be sending out something from your computer. If a caller claims to be from your ISP, ask for the caller’s name, where his or her office is located, and for the office telephone number. Ask why you’re being contacted by telephone, what the issue with your computer is and how the ISP could tell it was your PC specifically that had a problem. If a call sounds legit, hang up and call the ISP yourself, then ask for the tech support department or for the person who called you specifically. Use a phone number listed on your ISP’s website or on your bill, not a number that the caller gave you. That way, you could confirm or deny if this is legit.

Now, if you get a call from a scammer. The best way to deal with them is to hang up. But if you want to do the world a favor, do the following….. Though I will not exactly go out of my way to recommend vigilante behavior like this:

1. The name of the company the scammer claims to work for, and the company’s website, phone number or address. Even the smallest pieces of info can lead one down the road of finding out who the scammers are and you’d be surprised how willing they are to give up this information to try and gain your confidence.
2. Hang up.
3. Report it. Microsoft has a Web page dedicated to reporting tech-support scams. The U.S. Federal Trade Commission has a website for fielding complaints, while the Canadian Anti-Fraud Center is the place to go if you’re in Canada.

So, what happens if you get scammed? You need to act fast. First, shut down the computer. Then do this:

1. First download and install legitimate antivirus software. Then, run a scan to see if anything has been left behind. Then change the passwords on the user accounts on your PC. You don’t have passwords on the user accounts? You should precisely for this reason. If you don’t feel comfortable doing any of these items, call an IT expert for help.
2. If you gave the scammer your credit card number, then you really need to act fast. Call your credit card provider and either reverse the charges or cancel the card (my client did the latter).  Then you should also contact one of the three credit-reporting agencies. Namely Equifax, Experian or TransUnion and ask them to place a free 90-day credit alert on your file. For the record, Experian doesn’t operate in Canada but the other two do. The agency you contact will alert the others and you’ll be notified if someone tries to do something in your name.
3. Report it.

As you can see, getting hit by a scammer is not a trivial matter. You need to be on your toes to avoid this sort of thing. If you are, then you should never have to worry about the negative effects of being scammed. I hope this information helps to make sure that you are not a victim of something like this.

UPDATE: My client wrote down details about these scumbags. Here’s a photo of what she wrote:

You’ll see the scumbag’s name and phone number (which works when you dial it by the way). I circled the IP address which is 127.0.0.1 which is a loopback address. As in an IP address that loops back to the machine that you’re on. It could never exist on the Internet. Thus this is another sign that these scumbags are rather unsophisticated. But they don’t have to be as this type of scam is about sounding smart so that they can fleece your bank account as opposed to being smart. The other thing that I should update you on is that S.M.O.K.E. Technologies is located in the same location as the registration above:

That’s further proof that they’re the ones behind this tech support scam.

UPDATE #2: I just got a threat from these clowns via e-mail. Here’s my response:

I don’t respond well to threats. And I will continue to shine an uncomfortable spotlight on you or anyone else who runs a scam like this. Oh yeah, thanks for sending the threat by e-mail. The header information on that e-mail will be very interesting for law enforcement to see.

In part one of this investigation I dealt with the initial threat. In part two I tracked down the scammers and I unwrapped what these scammers were up to in part three. Now I will tell you how to avoid a scam like this.

Here’s the big hint that this is a scam. The scammers will likely be pretending they are calling from Microsoft or from “Windows,” “Windows Tech Support” or “Windows Service Center.” or even your ISP.

Fact: A legitimate company such as Microsoft, Apple, or Google would never call you in this manner. The exception might be your ISP. There’s a minute possibility that your ISP would call you if your computer has been infected with malware that could be sending out something from your computer. If a caller claims to be from your ISP, ask for the caller’s name, where his or her office is located, and for the office telephone number. Ask why you’re being contacted by telephone, what the issue with your computer is and how the ISP could tell it was your PC specifically that had a problem. If a call sounds legit, hang up and call the ISP yourself, then ask for the tech support department or for the person who called you specifically. Use a phone number listed on your ISP’s website or on your bill, not a number that the caller gave you. That way, you could confirm or deny if this is legit.

Now, if you get a call from a scammer. The best way to deal with them is to hang up. But if you want to do the world a favor, do the following….. Though I will not exactly go out of my way to recommend vigilante behavior like this:

1. The name of the company the scammer claims to work for, and the company’s website, phone number or address. Even the smallest pieces of info can lead one down the road of finding out who the scammers are and you’d be surprised how willing they are to give up this information to try and gain your confidence.
2. Hang up.
3. Report it. Microsoft has a Web page dedicated to reporting tech-support scams. The U.S. Federal Trade Commission has a website for fielding complaints, while the Canadian Anti-Fraud Center is the place to go if you’re in Canada.

So, what happens if you get scammed? You need to act fast. First, shut down the computer. Then do this:

1. First download and install legitimate antivirus software. Then, run a scan to see if anything has been left behind. Then change the passwords on the user accounts on your PC. You don’t have passwords on the user accounts? You should precisely for this reason. If you don’t feel comfortable doing any of these items, call an IT expert for help.
2. If you gave the scammer your credit card number, then you really need to act fast. Call your credit card provider and either reverse the charges or cancel the card (my client did the latter).  Then you should also contact one of the three credit-reporting agencies. Namely Equifax, Experian or TransUnion and ask them to place a free 90-day credit alert on your file. For the record, Experian doesn’t operate in Canada but the other two do. The agency you contact will alert the others and you’ll be notified if someone tries to do something in your name.
3. Report it.

As you can see, getting hit by a scammer is not a trivial matter. You need to be on your toes to avoid this sort of thing. If you are, then you should never have to worry about the negative effects of being scammed. I’ve documented what People Connect Inc. were up to in this case, but there are lots of others who are just as evil. I hope this information helps to make sure that you are not a victim of something like this.

In part one of this investigation I dealt with the initial threat. In part two I looked at who the scammers who do business as People Connect Inc. are and showing that they are scammers. Now I will show you what these scammers were up to. Though, that took some effort.

First of all, I grabbed a ZIP file that was encrypted. I needed to break into it. Thus I reached out to a friend of mine who is a white hat hacker (in other words, a hacker that hacks to helps people rather than hurt them) to help with this. We used a program called John The Ripper on a custom computer with a series of Nvidia graphics cards to add computing power to the CPU to help to crack this ZIP file. It took several hours, but I had it cracked. When I got to look at the files, this is what I saw:

Here’s what these files do. First, there were four batch files:

• The first one is called execlock.bat and it takes away Internet access from dozens of websites using a supplied application called hosts.exe which is a Russian designed application that modifies a file on your computer called “hosts” which controls how your computer gets to the Internet. By doing this, it can make you think that you had a serious problem. But not enough to outright kill your Internet access (which would disconnect the scammers of course and keep the scammers from “fixing” things).
• The second one is called execunlock.bat and it restores the Internet access that was removed by the previous batch file.
• The third one is called lock.bat. It runs a file that was in the collection of files called elevate.exe and then runs the execlock.bat batch file that I mentioned earlier. This elevate.exe application allows one to bypass any security that might be present on the PC.
• The fourth one is called unlock.bat. It runs a file that was in the collection of files called elevate.exe and then runs the execunlock.bat batch file that I mentioned earlier. This elevate.exe application again allows one to bypass any security that might be present on the PC.

Now I believe that the purpose of these batch files is to create a “problem” for the scammers to fix so that they can take your money. But they didn’t stop there. The real threat is three other files that were present.

• The first threat is a file that I found called air.exe. It appears to be a remote control application which would allow someone in some other location to control a PC. It appears it is based on this application:

• Next on the list is are two pieces of software called Nautilus Blue.exe and Nautilus Green.exe which appears to be another remote control application called Show My PC which is based on this:

https://showmypc.com

Here’s the catch, these apps run an install that appears to install other software. That of course isn’t good as it implies that it would create a problem that would be persistent.

One note: I figured out how what this stuff was doing using a piece of software called Process Monitor so that I could log everything that these pieces of software do at very low levels. Be it network access, reading or writing to the hard drive, or whatever else these pieces of software decided to do. On top of that, I used a Windows 10 virtual machine via Parallels Desktop to do my testing so that I could take a snapshot of the environment before running this stuff and go back to that snapshot over and over again during my testing. Plus I would not have to risk a a real PC being infected with something at the end of my testing.

I have reason to believe that if they got a chance to run these files (which they didn’t because I pulled the plug on these guys), the scammers could remote control a PC at will. Plus nothing from a malware or antivirus perspective will detect this stuff as it is based on commercially applications which makes this stuff very dangerous. That makes the scammers very dangerous. Thus I will be submitting all of this to antivirus vendors in the hopes that they will come up with countermeasures against this stuff so that these scammers cannot use these tools do do their evil deeds.

In the final part of this investigation, I will give you my tips in terms of avoiding a scam like this.

UPDATE: On top of submitting the files that I found to a variety of antivirus vendors, I have reached out to AeroAdmin and ShowMyPC as well to inform them that their software is being used in this scam and might have been modified. I will update you if I hear from them.

UPDATE #2: ShowMyPC has been very helpful in terms of unwrapping the files named Nautilus Blue.exe and Nautilus Green.exe. Here’s what they said:

Of the 2 files you sent one of them, green one, it seems like a renamed/perhaps re-bundled or modified file of our free version.

Our free version has an interface that has to be launched, explicitly press a button to start, next a warning dialog to accept settings and before a user could use it. It is very restrictive in time and usage and unlike many other programs has no inbuilt functionality to start remotely.

Our exe does not install anything but does extract files while in use.
Just delete the main exe and if any temporary files exist. You can read about uninstalling and any temp files on this link.
http://showmypc.com/faq/uninstall-showmypc.html

Although its hard to say how the program was modified, however if it was used on your customers pc, we maybe able to help you track the remote IP of the users if they made any connection and we can block those users from using this.

Any session using our program can be easily reported here.
https://showmypc.com/faq/warning.html

Thanks for bring this to our notice, and we continue to keep a watch on any abuse report.

I’d like to thank ShowMyPC for their help with this, Now over to Aero Admin. I am working with them as well and I will update you when I have more info.