Yet another microsoft scam support company. getsupportforyourpc.com / righttechnicalsupport.com

I had a call from a customer, another fake advert on their browser claiming they had a virus and asking them to call a phone number.

The advert used javascript to prevent the user from closing the tab with the error in it.

getsupportforyourpcscam3 getsupportforyourpcscam2 getsupportforyourpcscam1

The text in the scams said:

Your Computer might infected with an adware causing you to see this popup.

This may happen due to obsolete virus protections.

To fix, please call system support at 020-3805-0575 immediately. Please ensure you do not restart your computer to preovent data loss.

Possibility of Data & Identity theft, if not fixed immediately.

and

Your computer might contain adware

Attackers currently on malware.testing.google.test might attempt to install dangerous programs on your computer that steal or delete your information (for example. photos, passwords, messages, and credit cards).

Call 020-3805-0575 for assistance with removing adware, malware and viruses.

[ ] Automatically report details of possible security incidents to Google. Privacy policy

and

Mouse Move Security Error.

Your computer might be infected with adware.

Attackers currently on malware.testing.google.test might attempt to install dangerous programs on your computer that steal or delete your information (for example, photos, passwords, messages, and credit cards).

To fix, please contact customer care at 020-3805-0574 immediately.

The URLs the adverts were on are:

http://errors2.getsupportforyourpc.com/ADV/1/index.php?id=0000000000&
and
http://errors2.getsupportforyourpc.com/uk/5/1/index.php?id=0000000000&

Both addresses now seem to be redirecting, in one case, successfully to http://127.0.0.1 (although then no page loads as the computer didn’t have a web server running) and the other to http://errors2.getsupportforyourpc.com/ADV/1/127.0.0.1 and return no fake error any more.

Both adverts listed similar telephone numbers:

02038050575 (aka 020 3805 0575 or 0203 805 0575 or +442038050575)
and
02038050574 (aka 020 3805 0574 or 0203 805 0574 or +442038050574)
Both numbers seem to be VoIP numbers hosted at Gamma Telecom.

At the time I called it was just putting me into a queue and then hanging up after about 30 seconds:

The website errors2.getsupportforyourpc.com is hosted on 176.56.225.158 – funnily enough errors1.getsupportforyourpc.com also points to this IP! It is hosted at weservit.nl in the Netherlands. No other popular sites appear to be hosted on this IP. It appears to have an internal hostname of “dedi-srv28.alb.nl.weservit.nl”

The domain getsupportforyourpc.com is registered with a privacy service and points to a popular DNS server with no clues as to who may be running the scam. The domain was recently registered on 2015-06-30

However, there are several other domains pointing to the same server.

serve1.righttechnicalsupport.com (slightly older, registered on 2015-06-04) check.onlinepchelpcenter.com (more recent again, 2015-06-30) and scan.gethelpforpc.com (mid-range ish 2015-06-23) all point to the same IP address!

righttechnicalsupport getsupportforyourpc scam

The righttechnicalsupport.com domain is also protected with the same whois privacy service.
The other domains found, onlinepchelpcenter.com, computernowservices.com, onlinepccomputerhelp.com and gethelpforpc.com are also the same.

The computernowservices.com seems to have a lot more stuff accessible including another scam advert page:

tech computernowservices com scam advertthe host tech.computernowservices.com is hosted on a different server [65.49.79.234] which seems to have a reference to the hostname dp.techcoast.com [65.49.79.226]. This gives away another domain name of “esvio.com” which in turn gives away a hostname of “test.esvio.com” [65.49.79.230] which then (long chain here) gives away another domain name of “cpvlabtracker.com” [69.162.74.242].

The test.esvio.com site is interesting. All it does is print out a URL to the screen of:

http://cpvlabtracker.com/base.php?c=1650&&key=890dab8e747d6bf5489e7266bdbfe7cc&&keyword={keyword}&&domain=test

When clicked the cpvlabtracker.com domain then sends you on to a scam avert page!

tech-support-services scam cpvlabtracker esvio

tech-support-services.com [69.162.74.242] is hosted on the same server as cpvlabtracker.com
At some point cpvlabtracker.com has also had php files containing links to the following javascript files:

http://t.google-analytics-premium.com/js/amf724.js
and
http://t.google-analytics-premium.com/js/9s10bb.js
Needless to say, t.google-analytics-premium.com [96.126.117.191], isn’t an official google domain and has been registered using whois privacy.
It reverse DNSs to js-cdn.com also registered using whois privacy.
The Javascript references yet more obscure domains: pull.js-cdn.com and js-cdn-2.periomedia.netdna-cdn.com [94.31.29.96].

Also related seems to be cpvtracking411.com, server1.cdn-js-query.com [96.126.117.191], images.cdn-hosted.com [96.126.117.191], ajax.surveydonkeys.com.
Possibly also linked: fonts-community.com, www2-alexa.com

Update: 13th July 2015 – So I called them again, this time they answered.
Initially they asked me to go start, run and then type in “hh h” which loads HTML help.
They then talked me through clicking the icon in the top left (as if you were to close the program) but then select “Jump to URL” and type in (here is the interesting bit!) http://www.lmi1.com

Now… lmi1.com is a domain I’ve come across before! It isn’t owned by LogMeIn! It is a domain bought by someone using domain privacy which then forwards you to logmein. I previously saw it in conjunction with the WinZip tech support scam back in December 2014.

They then offered me the following to “fix” the “problems” with my brand new fresh restore of a virtual machine.
techsupportdrive scam

Another domain associated with their operation is http://www.techdriveinc.com

I quizzed them about if they were part of winzip or any of the previous company names or domain registrants I had found on the WinZip operation but none seemed to click with the person I spoke to.

So my best guess so far is that it’s a different support department / outsourcing operation but with a script or mandate from the same parent company as the winzip operation. I don’t see why lmi1.com would be common between the two otherwise.

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

4 Responses to Yet another microsoft scam support company. getsupportforyourpc.com / righttechnicalsupport.com

  1. So how do you actually fix the problem and get them off your browser? Asking for a friend.

  2. On windows, go into task manager and end task on the browser.
    Load up the browser again and DON’T restore the last session.

    Then check your add-ins section for rogue junk and also the add / remove programs section for rogue junk too.
    You may also want to check the computer with Hitman Pro
    http://www.surfright.nl/downloads/download-thank-you

  3. Drew says:

    The above did not work for me it had embedded its self in programs and had to delete it using add delete programs in windows

  4. tony hoo says:

    There are too many scam/con adverts which offer free items and then try to charge you, they are lying cheats and there should be a facility to have them removed from the Net.

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s