Many researchers have noted an increase in tech support scam activity during the past few months. This trend, facilitated by browser lockers, is not surprising considering that other web-based infection methods are not as effective.
While people are still receiving cold calls from alleged Microsoft technicians, crooks are mostly relying on other means to get their call centers busy, which they often do by purchasing leads.
During an investigation into a particular strain of tech support scams, we came across the same scammers we had already exposed in May 2016.
After calling the number posted on the fake Windows alerts, a technician prompts victims to download remote software required to take control of their computer. The company is called GeeksHelp, aka AmericaGeeks, previously known to us as Geeks Technical Solutions LLC, which operates out of Chandigarh, India.
The company claims that they are working with Microsoft and that the number posted on the tech support scam page is from Microsoft’s headquarters, redirecting to them for assistance.
When you call on this particular number, first your call will be routed to the Microsoft headquarters. And after that the headquarters route all these calls to us.
Actually in America we are the only one who are providing support on Microsoft issues.
The sales pitch invariably turns into purchasing a support plan to get rid of the “computer viruses.”
To make matters worse, AmericaGeeks also provides unauthorized Malwarebytes support:
We discovered that this company is targeting the French with the same tactics, but with a localized native language tech support service. This time, the call center responding to the calls is named GeeksFrance. Their website, geeksfrance[dot]com, displays the different plans they offer, ranging from 99.99 euros to 499 euros.
This company lists an address in France: 7 Boulevard de la Liberation City Marseille, Provence-Alpes-Côte d 13014, but according to a job offer for inbound call sales associates found online, they are more likely located in Tunisia, a country where over 60 percent of the population can speak French.
Just like the scammers from the Indian call center, the rogue Tunisia-based techs also come up with false statements about the state of their victim’s computer. The final invoice page looks identical to the one used by AmericaGeeks.
This is not surprising because the infrastructure that powers the French version of the scam (geeksfrance[dot]com) can be tied to the original group we identified back in 2016, Geeks Technical Solutions LLC (geekstechnicalsupport[dot]com), by the same IP address (18.104.22.168) where both domains are hosted.
Victims of tech support scams often have to part with hundreds of dollars and, in some cases, crooks will further manipulate them in order to collect even more. The scam only really works if people make the call first, which is why browser lockers are a big part of these schemes.
Despite efforts to curb the rapid proliferation of tech scams, we are witnessing intense activity and more outsourcing of roles and responsibilities, which not only contribute to better efficacy but also make it harder for law enforcement to tackle them on a global scale.
*** This is a Security Bloggers Network syndicated blog from Malwarebytes Labs authored by Malwarebytes Labs. Read the original post at: https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2018/03/same-tech-support-scammers-caught-again-two-years-later/