Today we ran an experiment with an Internet tech support scam that is reportedly hitting many people in the Reno-Sparks area. Below is a screenshot of what first appears when you land on the website at online-system-scan.net.
More than likely you were sent here by a malicious advertisement on another website (malvertising) or by a redirect from a fake article; you know all those tempting "top 10" articles that look too interesting not to click on? Some of them are not so innocuous.
This can't be good, right... Whether you click "OK" or click on the "X" the same screen appears.
Whoa, whoa, whoa, hold your horses, and definitely don't call that number! (Although, in all honesty, we did call that number with KTVN reporter Erin Breen, on a completely secure computer with a fresh install of Windows, to show her what these scam artists attempt to do to unsuspecting victims.)
This also plays on an interesting turn in Microsoft's business model. Microsoft has been working to move as many people as possible onto a subscription for its Office products; that does not apply to the operating system, and the Windows license that came with your computer does not expire. Clearly these guys are hoping to exploit people's confusion between a Microsoft Office subscription, which does expire, and the Windows license, which does not.
The bottom of the above image shows a check box, "Prevent this page from creating additional dialogs." That check box is Chrome's own and only appears when using Chrome as your browser, and it is the cleanest way out: tick it, dismiss the dialog, and the page can no longer pop up another one, so the tab can be closed normally. If you're using IE, closing the dialog box is a different matter. The wording of the scam's own dialog also hints that English may not be the author's first language.
Here is the full image of the blue screen:
Ok, so now it's a bit funny, because the page is actually calling itself a "BSOD," Blue Screen of Death, which is an offhand term for a PC that has crashed hard rather than a real piece of diagnostic information. But perhaps we've bandied the term around for long enough that it seems like a diagnosis in and of itself. It is worth saying plainly: a real blue screen is Windows halting the whole machine; a web page rendered inside a browser tab cannot be one.
"Error 333 Registry Failure of Operating System" seems pretty serious, but is that really what an error 333 is? Not so much. Event ID 333 is an entry in the Windows System event log recording that an I/O operation started by the registry failed unrecoverably, that is, Windows could not read, write or flush one of the files that hold the registry. It usually points to memory pressure or disk trouble on the machine itself; it is nothing a website can detect, and there is no web-page "error 333."
Ok, so if the Error 333 is bogus, what about the "Error 0X000000CE"? That is a real Windows stop (bug check) code, DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS: a kernel driver was unloaded while it still had operations outstanding. It normally comes from a buggy or outdated hardware driver, or sometimes from a brand-new driver release that is broken, and the genuine bug check screen names the driver file responsible, which is what tells you where the problem is. The scam page just prints the hex code as scary text.
Well now that we know the entire webpage is just scary mumbo jumbo how do we get out of it?
When the "X" in the corner doesn't work, your next best bet is Task Manager: press Ctrl+Shift+Esc, or right-click the taskbar at the bottom and choose Task Manager. On Windows 7 go to the Applications tab (Processes on Windows 8 and later), select the browser you were in, and hit "End Task". If the popups have your computer tied into so many knots that you can't do anything, hold the power button until it shuts off or hit the reset button on your computer. A page like this is just dialogs inside a browser tab; the damage starts when you call the number and let them in.
As mentioned above we did call the tech support number listed with Erin Breen from KTVN. We let her do all the talking with the tech who, somewhat unbelievably, did claim to be with Microsoft. I've certainly heard of them doing this, but this is the first time I'd heard it for myself.
After the call we dug further into who this online-system-scan.net / 800-901-6142 company really is and found some interesting things.
First we looked into online-system-scan.net and found its IP address, which we then took to the American Registry for Internet Numbers (ARIN) to determine who owns that particular IP. Turns out that IP address belongs to Rackspace, which is where the website is being hosted; what's unusual about this is that it's being hosted domestically, rather than in a foreign country. Most of these kinds of scams are run from overseas, as it is harder for law enforcement to shut them down as they did in the OMG Tech Help case out of Florida.
Next we looked into the domain registration history of online-system-scan.net; domain privacy is enabled, so there's not a lot of information there other than that it is a new domain, created June 12, 2015. Whenever you look into these kinds of cases you nearly always find that the domain is less than six months old; it will be blocklisted soon enough, so it only needs to be good for a short time. Domain names are so inexpensive that they are likely the smallest expense the scammers have, and as a result they are easily disposed of and replaced once the blocking starts. That makes the registration date one of the quickest triage checks there is: a domain created days or weeks ago, hiding behind a privacy service, is a domain to treat with suspicion.
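The two lookups above (who owns the IP, and how old the domain is) are the core of this triage, and they are easy to automate. Here is an added example in Python, not code from the original post, that pulls the registration date, registrant privacy status and hosting owner out of RDAP responses (RDAP is the JSON successor to WHOIS that ARIN and the domain registries serve). Both responses embedded below are constructed samples in RDAP shape so the script runs offline; the IP range, network name and organisation are placeholders, not the real records for online-system-scan.net, and the only value borrowed from the post is the June 12, 2015 creation date.

```python
"""Offline triage of a suspect domain and its hosting IP from RDAP data.

Added example, not code from the original post. Both responses below are
CONSTRUCTED samples in RDAP shape so the script runs offline; the IP range,
network name and organisation are placeholders. Live use would fetch
https://rdap.org/domain/<name> and https://rdap.arin.net/registry/ip/<address>
with any HTTP client and pass the response bodies to triage().
"""
import json
from datetime import datetime, timezone

# Constructed sample: a privacy-protected domain registered 2015-06-12.
SAMPLE_DOMAIN_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "online-system-scan.net",
    "events": [
        {"eventAction": "registration", "eventDate": "2015-06-12T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2016-06-12T00:00:00Z"},
    ],
    "entities": [
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [["fn", {}, "text", "REDACTED FOR PRIVACY"]]]},
    ],
})

# Constructed sample: an IP-network record in the shape an RIR returns (placeholder values).
SAMPLE_IP_RDAP = json.dumps({
    "objectClassName": "ip network",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "name": "EXAMPLE-HOSTING-NET",
    "country": "US",
    "entities": [
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Hosting Inc."]]]},
    ],
})

# Scam domains are typically burned within months; flag anything younger than this.
NEW_DOMAIN_THRESHOLD_DAYS = 180


def utc_date(year, month, day):
    """Convenience constructor for an aware UTC datetime at midnight."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _parse_rdap_time(stamp):
    # RDAP dates are RFC 3339; older Pythons' fromisoformat() rejects the trailing "Z".
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def registration_date(rdap_json):
    """Return the 'registration' event date as an aware datetime, or None."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "registration":
            return _parse_rdap_time(event["eventDate"])
    return None


def domain_age_days(rdap_json, as_of):
    """Whole days between registration and as_of (None if there is no registration event)."""
    registered = registration_date(rdap_json)
    return None if registered is None else (as_of - registered).days


def is_fresh_domain(rdap_json, as_of, threshold_days=NEW_DOMAIN_THRESHOLD_DAYS):
    """True when the domain is younger than the threshold (a strong scam indicator)."""
    age = domain_age_days(rdap_json, as_of)
    return age is not None and age < threshold_days


def registrant_name(rdap_json):
    """Pull the registrant's formatted name ('fn') out of the jCard, or None."""
    for entity in json.loads(rdap_json).get("entities", []):
        if "registrant" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None


def privacy_protected(rdap_json):
    """Registrar privacy services replace the registrant with a redaction marker."""
    name = registrant_name(rdap_json)
    return name is None or any(w in name.upper() for w in ("REDACT", "PRIVACY", "PROXY"))


def ip_owner(rdap_ip_json):
    """Who the hosting range is allocated to, according to the RIR record."""
    doc = json.loads(rdap_ip_json)
    return {
        "range": f"{doc.get('startAddress')}-{doc.get('endAddress')}",
        "netname": doc.get("name"),
        "country": doc.get("country"),
        "org": registrant_name(rdap_ip_json),
    }


def triage(rdap_domain_json, rdap_ip_json, as_of):
    """Combine the signals a human would check before calling a domain a scam."""
    return {
        "domain": json.loads(rdap_domain_json).get("ldhName"),
        "age_days": domain_age_days(rdap_domain_json, as_of),
        "fresh": is_fresh_domain(rdap_domain_json, as_of),
        "privacy_protected": privacy_protected(rdap_domain_json),
        "hosting": ip_owner(rdap_ip_json),
    }


if __name__ == "__main__":
    # Date of the original investigation (summer 2015); use datetime.now(timezone.utc) for live checks.
    print(json.dumps(triage(SAMPLE_DOMAIN_RDAP, SAMPLE_IP_RDAP, utc_date(2015, 7, 1)), indent=2))
```

Run as-is it prints the triage for the constructed samples; for a live check, fetch the two RDAP documents and pass the current time. ARIN only covers North America, so if the IP is allocated elsewhere ARIN's RDAP refers you to RIPE, APNIC, LACNIC or AFRINIC; querying through rdap.org follows that redirection for you.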
Having learned what we could from the domain, we looked into the phone number and found an older, likely abandoned but not yet completely gone from the Internet, website hosted as a subdomain under soup.io. For all those who are curious, .io is the country-code top-level domain for the British Indian Ocean Territory.
The page is mostly broken, but the interesting pieces are the handle at the top, "casumyrco31", and the Dutch at the bottom. Unfortunately this handle takes us almost nowhere; the only other place it's found in use is also in Dutch, selling some kind of Acai berry something.
The next listing we found for the phone number actually comes with a name, TechPCdoc, too bad techpcdoc.com doesn't exist, but hey it's a step towards a name of some kind.
The last listing we found showing the tech support number is also offering tech support, only this person is doing it repeatedly through different forums. See below where it is being used in response to a Skype question and again this comes with an interesting handle.
Looking up information on the handle krazeeme612 yields a lot more interesting results. For one, this person answers a lot of online questions on a whole variety of subjects. On the same website above this person has answered things from tech support to getting baptisms. Since the handle is so unusual, it is unlikely that more than one person is using it; however, unless you are Leroy Jethro Gibbs, I suppose we must say that a coincidence is possible. I say that because the one listing I found using this handle with identifiable information in it is below.
Is it possible it's a different person? I will have to say yes. Is it highly unlikely? I'm going to go with another yes on that one. It obviously doesn't answer who krazeeme612 is, or why she / he is specifically suggesting people call in to the tech support at 800-901-6142. What we do know is that the offending website is hosted domestically and this person lives in the US and is suggesting people call what may or may not be TechPCdoc. That's certainly a place for law enforcement to start and it would be a great victory for the public to take down another tech support scam company.
What should you do if you believe you've been scammed?
There are several things you should do:
First, if you’ve found this article and are still on the line with them, hang up now and cut off their remote access. If you’re unsure how to cut their remote access, the sure-fire way is to unplug your computer from the Internet and/or disconnect the Wi-Fi. If you're unsure how to do that quickly, holding the power button on your computer until it shuts down completely also works. Because many remote-support programs are set to start with Windows and reconnect automatically after a reboot, it's best to take the machine to a professional, or to be sure it will not connect to the Internet when you turn it back on, until the remote-access software has been found and removed.
If this has already happened to you, whether you called them, gave them access to your computer, and paid them money or not, there are several places you should report them to. File complaints with the FTC, with Fraud.org (run by the National Consumers League), with your state Attorney General, and, if you’ve been defrauded of money, with your local law enforcement as well. Fraud.org is an especially good one to file with, as they share information with many jurisdictions. Local law enforcement is harder, as they really only deal locally and scams like this work on a global scale, not a local one.
You will also want to have your computer checked out by a local technical company in case anything malicious was installed on your computer during the so-called technical support.
It is always advisable to do business with a local computer company, you never know what you’re going to find on the other end of that Internet / phone connection!
Additional reading on Tech Support Scams -