Windows tech support scammers take root in the U.S.

Security company accuses Florida firm of mixing old and new tactics to dupe unwary consumers with fake infection anxieties

Not every Windows tech support scam starts in India, not every scammer speaks in heavily-accented English, a security company said today.

In a new trend, scams have gone home-grown, said Malwarebytes on Monday, with twists that include bogus warnings driven by malicious websites that urge users to call a toll-free number.

"This is the first instance [of a Windows support scam in the U.S.] on this scale that I've found," said Jerome Segura, a senior security researcher with San Jose, Calif.-based Malwarebytes. "Most scammers are in India, but we wanted to expose this because they're harming U.S. customers, who will feel more comfortable with a [native] English speaker."

Segura, who said he has been tracking fraudulent support schemes for the last 18 months, stumbled across the latest operation while investigating violations of Malwarebytes' software licensing. Previously, the company had found other borderline businesses illegally selling its security software.

Segura tracked down the company responsible for the latest licensing theft, which he said had used a pirated activation key to install Malwarebytes Anti-Malware Premium more than 2,300 times in the past few months.

He identified E-Racer Tech of the Boca Raton, Fla. area as the firm that not only purloined Malwarebytes' software, but charged customers $99 for the stolen program. Malwarebytes sells a one-year subscription to the same software for $25, and allows customers to install it on up to three PCs.

But the licensing issue, said Segura, was "just a byproduct" of his real investigation, which was to expose the scam E-Racer Tech was conducting.

Rather than cold-call victims -- most India-based scammers blindly dial telephone numbers, figuring that most people who answer will have a Windows PC -- E-Racer relied on fake alerts. The warnings were embedded in fraudulent websites, often at URLs that might appear in search results for Windows errors, and screamed "Warning! Your computer may be at risk. For emergency Tech Support call immediately." A toll-free number was prominently displayed.

Malwarebytes found examples of the phony alert on several domains.

The warnings were totally bogus, a point made clear as soon as they were viewed on a Mac running Apple's OS X: They were unchanged, even though the notices claimed the system was infected with malware that targets only Windows. To add to users' anxieties, some of the sites played a short audio file in the background that resembled an ominous hum, as if something was wrong with the computer.

Although the warnings don't resemble traditional Windows alerts, they are convincing enough to prompt some to call the toll-free number.

Which is just what Segura did.

"I called the number, and the person who answered sounded American," said Segura in an interview. "I was even more surprised when he told me that my clean computer had viruses, and said 'It's almost like a cancer. It's just going to spread.'"

The technician from the "help desk" used Windows Event Viewer, a log of recent, normal operations in the OS, to try to convince Segura that his PC had 127 infected files -- in reality, there were none -- and then pitched a $199 package that included "virus removal" and "computer cleaning" services, as well as a pirated copy of Malwarebytes Anti-Malware Premium.

Support scams like the one Segura uncovered have become more than just irksome; they are a plague on computer users everywhere.

[Image: A fake Windows infection warning] One of several fake Windows infection warnings that Malwarebytes uncovered being used by a U.S.-based tech support scam scheme. The Web-based alert was bogus: It showed the same message when viewed on a Mac, which is immune to the malware listed. (Image: Malwarebytes.)