In a previous blog post, we showed how users were redirected to a tech support scam page via a rogue Google Chrome extension. This time we take a look at another clever ruse to trick you into calling for assistance, and ultimately getting scammed.
This scheme is actually hosted on the same domain that was running the fake Windows support we described before and our assumption is that users are redirected to this coupon page via a similar malvertising campaign.
It plays on special offers, discounts and time-limited deals to entice you to claim your product now, choosing between Norton or McAfee. After filling in your personal details (which are actually sent off to the crooks), a page simulates the offer being processed only to fail with an error message. Victims are mislead into thinking that their offer was redeemed, but that they must perform a final call to get it completed.
This is where the tech support scam comes in. Once you call that number, you are routed to an Indian boiler room where one of many agents will take remote control of your computer to figure out what went wrong. (Un)shockingly, the bogus technician will identify severe problems that need an immediate fix.
Despite the scam being about Norton, the technician brushes it off as useless when it comes to the real deal: “Junk is a kind of virus which is the most harmful virus“. With his technical expertise, he proceeds to highly recommend the most expensive plan, for a lifetime low price of $400.
Of course, there is nothing there, it’s a pure rip-off where once they have your money, they couldn’t care less about helping you out (for a problem you didn’t have in the first place anyway).
The crooks are using 123care.co as the placeholder to download remote software and host the payment platform:
There are other scam domains also hosted on this IP (22.214.171.124):
instantpccare.com dodgybrotherswines.com quickbooks-certified.com quickbooksphonenumbers.com ip-166-62-1-15.ip.secureserver.net trckx.xyz carerequired.xyz stop-security.xyz cyber-alert-usa.xyz stopsecuritycheck.xyz before-you-proceed.xyz certifiedsupport.info pccare.site onlinetechhelp.site onlinetechsupport.site cyber-alert-usa.online call-855-345-0911.online airlinescustomer.support
Instantpccare.com is familiar and related to a previous investigation where the owner of that tech support company incriminated himself by posting a comment on our blog which shared the same IP address as the remote technician who had just scammed us.
As always, please stay vigilant online when you see free coupons or other similar offers. They often are the gateway to a whole of trouble. For more information on tech support scams, please visit our page here.
Source: Malwarebytes Labs @ March 3, 2017 at 12:00PM