This campaign is still very active with a few more ISPs added to the list, as well as a new warning message:
If left unresolved, you may be subject to PERMANENT ACCOUNT SUSPENSION as well as possible fines for network damage.
Fraudulent domains hosted on: 188.8.131.52
att-support.com att-techsupport.com bt-techsupport.com charter-support.com cox-techsupport.com dominant-media.com ee-techsupport.com optimum-techsupport.com plusnet-support.com sky-techsupport.com talktalk-support.com tech-support-att.com tech-support-bellaliant.com tech-support-bellcanada.com tech-support-charter.com tech-support-cogeco.com tech-support-cox.com tech-support-eastlink.com tech-support-optimum.com tech-support-rogers.com tech-support-shaw.com tech-support-telus.com tech-support-timewarner.com tech-support-verizon.com tech-support-xfinity.com timewarner-support.com verizon-techsupport.com virginmedia-support.com xfinity-support.com
Tech support scammers are investing a lot of efforts to attract new victims each day, and despite many takedowns, this is a highly profitable industry.
We uncovered a new tech support scam campaign pushed via malvertising which cleverly detects which Internet Service Provider (ISP) you are using (based on your IP address) and displays a legitimate looking page that urges you to call for immediate assistance.
The scam is quite sophisticated, with professional looking phishing pages and even custom audio messages for each ISP:
Our system scans have detected malicious spyware on your computer. Your personal photos, credit card information and passwords may be at risk. Contact our certified technicians for immediate assistance
The ISPs that were targeted in this campaign were mainly American and Canadian ISPs:
We called the number and were handled by a tech support company out of India that goes by the name of Credence Incorporation and operates a website at: support-samurai.com.
As always, the technician that took remote control of our machine found many “infected files”, using outrageous (for anyone tech savvy) tricks:
Many people won’t know the difference, but the above command is by no means a way to scan a system for malware. Sadly, this sales pitch will still prove effective and those crooks will be able to extort several hundred dollars for non existent computer problems.
At the time of writing this blog, we noticed that all the fraudulent websites had been shutdown. They had been registered under disguise with the following identity:
Registrant Name: Elizabeth Gonzalez Registrant Organization: Sky-IP Registrant Street: Addison House Plaza, street 57 Registrant City: Panama
As tech support scams are getting more and more clever, people need to up their guards. We are seeing attacks that go to great lengths to target victims using information collected from the browser (ISP, city, time zone, etc) which is used to make the scams more genuine.
For additional information on tech support scams, please visit our resource page.
Fake webpages involved:
New campaign (03/24):