Office Depot and Support.com to Pay $35M for Fake Malware Scan ‘Scam’

Feds win technical victory against an alleged nine-year plan to fool customers. The Federal Trade Commission (FTC) claims Office Depot and Support.com deliberately lied to consumers, saying their PCs were infected with malware.

However, the scanning tool they used didn’t actually scan anything, according to the FTC. It merely asked a few questions, such as, “Does your PC frequently crash?” And if the customer answered “Yes” to any question, they’d be told the PC needed a $300 fix.

The companies settled out of court for $35 million, without admitting liability. In today’s SB Blogwatch, we feel fine.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Marie Kondo.


FTC v. ODP

What’s the craic? Thomas Claburn soberly reports Tech support outfits settle out of court:

 Office Depot and Support.com have coughed up $35M after they were accused of lying to people that their PCs were infected with malware. … the pair of businesses settled a lawsuit brought against them by the [FTC].

The lawsuit … claimed the two companies, including Office Depot subsidiary OfficeMax, from 2009 until November 2016 misrepresented the state of consumers’ computers by using a sales tool designed to convince people to pay for diagnostic and repair services. … According to the watchdog’s complaint, the PC Health Check Program was incapable of finding malware. … The results, it’s alleged, were predetermined.

The defendants, according to the FTC, bilked customers out of tens of millions of dollars. … The alleged fraud appears to have been first reported in 2016 by Seattle TV station KIRO-TV. … A spokesperson for Office Depot said … “While Office Depot does not admit to any wrongdoing … the company believes that the settlement is in its best interest in order to avoid protracted litigation.”

Sounds dodgy. Chaim Gartenberg alleges the software scam went on for almost seven years:

 Instead of running actual malware scans, the FTC says that the program was set to automatically inform customers that they had malware … if they answered yes to any of the four questions about crashes, pop-ups, slow speeds, or viruses. The program would then provide a “view recommendation” prompt, offering tech services … to fix the “problems,” which could cost up to hundreds of dollars.

According to the FTC, Office Depot and Support.com both were aware of complaints about the software going back as far as 2012. … As punishment Office Depot has agreed to pay $25 million while Support.com will pay $10 million, which the FTC says it will use to provide refunds to customers.

tl;dr? In his opinion, Tom Gara describes it thuswise:

 What an incredible scam.

Only $35 million? Sarty wants the authorities to lock ’em up:

 Seriously, this seems like a whole lot of opportunity for what-did-management-know-and-when-did-they-know-it. “We’ll punish your store if you don’t commit the crimes we’re directing you to commit” seems to meet the casual definition of a criminal conspiracy.

Eight-digit fines don’t particularly excite me in such a case. Those who directed the commission of the fraud should face prison.

And John Brown (no body) is unsettled by the settlement:

 It seems that much of that penalty is refunding the defrauded customers. So, no criminal charges, pay back the affected customers … and if there’s anything left in the “penalty pot”, that’s the actual fine.

It’s barely a slap on the wrist. Corporate buys its justice at a knock down price.

Why are these sorts of cases even allowed to be settled out of court? It sounds pretty much like … the actions of their software were designed that way.

Odd. odemploee claims to be an employee:

 When support.com finally started working I knew in an instant it was a scam. We had brand new computers [it said] had viruses.

It was a scam and I refused to sell services based on it. When I transferred I was passed up on promotions because I wouldn’t sell a 300 dollar service to a computer that had nothing wrong.

Then one day we came in and were told not to … offer the service anymore. It was obvious why they pulled the service because it was [a] scam.

But no admission of guilt? Here’s Christoph:

 The first stage in correcting this kind of behaviour is to accept and admit that what you were doing was wrong. If they had admitted wrongdoing … it might be possible to trust them.

Since they have … refused to accept that there was anything wrong with what they were doing, they can never be trusted again.

However, fred911 has some sympathy for Office Depot:

 It’s how 99% of all service providers earn income.

Creating a product that is able to properly and accurately decide what installed extension, BHO, executable … code or script, isn’t malevolent is significantly more costly than a checkbox that says “My I7 computer now runs like a 386dx40 running Win98”. And as fraudulent as that checkbox is, I’d venture to say 90% of the time it’s checked, Joe Sixpack has granted or installed code to execute processes he really didn’t want or need, that would be easily resolved by a reinstall of whatever flavor Windows the user has installed.

Meanwhile, doginthewoods hasnonosesodoesitmakeasound: [You’re fired—Ed.]

 I had a friend call me about that ****. She took her Macbook Pro there and they “ran” that same software on it and said her Mac was infected.

She brought it to me and had me check – of course it wasn’t infected and there is no way [macOS] would run a PC scan program for Windows.

And Finally:

Does this spark joy?


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Mike Mozart (cc:by)


Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
