Yet another microsoft scam support company. getsupportforyourpc.com / righttechnicalsupport.com

I had a call from a customer, another fake advert on their browser claiming they had a virus and asking them to call a phone number.

The advert used javascript to prevent the user from closing the tab with the error in it.

The text in the scams said:

Your Computer might infected with an adware causing you to see this popup.

This may happen due to obsolete virus protections.

To fix, please call system support at 020-3805-0575 immediately. Please ensure you do not restart your computer to preovent data loss.

Possibility of Data & Identity theft, if not fixed immediately.

and

Your computer might contain adware

Attackers currently on malware.testing.google.test might attempt to install dangerous programs on your computer that steal or delete your information (for example. photos, passwords, messages, and credit cards).

Call 020-3805-0575 for assistance with removing adware, malware and viruses.

[ ] Automatically report details of possible security incidents to Google. Privacy policy

and

Mouse Move Security Error.

Your computer might be infected with adware.

Attackers currently on malware.testing.google.test might attempt to install dangerous programs on your computer that steal or delete your information (for example, photos, passwords, messages, and credit cards).

To fix, please contact customer care at 020-3805-0574 immediately.

The URLs the adverts were on are:

http://errors2.getsupportforyourpc.com/ADV/1/index.php?id=0000000000&
and
http://errors2.getsupportforyourpc.com/uk/5/1/index.php?id=0000000000&

Both addresses now seem to be redirecting, in one case, successfully to http://127.0.0.1 (although then no page loads as the computer didn’t have a web server running) and the other to http://errors2.getsupportforyourpc.com/ADV/1/127.0.0.1 and return no fake error any more.

Both adverts listed similar telephone numbers:

02038050575 (aka 020 3805 0575 or 0203 805 0575 or +442038050575)
and
02038050574 (aka 020 3805 0574 or 0203 805 0574 or +442038050574)
Both numbers seem to be VoIP numbers hosted at Gamma Telecom.

At the time I called it was just putting me into a queue and then hanging up after about 30 seconds:

The website errors2.getsupportforyourpc.com is hosted on 176.56.225.158 – funnily enough errors1.getsupportforyourpc.com also points to this IP! It is hosted at weservit.nl in the Netherlands. No other popular sites appear to be hosted on this IP. It appears to have an internal hostname of “dedi-srv28.alb.nl.weservit.nl”

The domain getsupportforyourpc.com is registered with a privacy service and points to a popular DNS server with no clues as to who may be running the scam. The domain was recently registered on 2015-06-30

However, there are several other domains pointing to the same server.

serve1.righttechnicalsupport.com (slightly older, registered on 2015-06-04) check.onlinepchelpcenter.com (more recent again, 2015-06-30) and scan.gethelpforpc.com (mid-range ish 2015-06-23) all point to the same IP address!

The righttechnicalsupport.com domain is also protected with the same whois privacy service.
The other domains found, onlinepchelpcenter.com, computernowservices.com, onlinepccomputerhelp.com and gethelpforpc.com are also the same.

The computernowservices.com seems to have a lot more stuff accessible including another scam advert page:

the host tech.computernowservices.com is hosted on a different server [65.49.79.234] which seems to have a reference to the hostname dp.techcoast.com [65.49.79.226]. This gives away another domain name of “esvio.com” which in turn gives away a hostname of “test.esvio.com” [65.49.79.230] which then (long chain here) gives away another domain name of “cpvlabtracker.com” [69.162.74.242].

The test.esvio.com site is interesting. All it does is print out a URL to the screen of:

http://cpvlabtracker.com/base.php?c=1650&&key=890dab8e747d6bf5489e7266bdbfe7cc&&keyword={keyword}&&domain=test

When clicked the cpvlabtracker.com domain then sends you on to a scam avert page!

tech-support-services.com [69.162.74.242] is hosted on the same server as cpvlabtracker.com
At some point cpvlabtracker.com has also had php files containing links to the following javascript files:

http://t.google-analytics-premium.com/js/amf724.js
and
http://t.google-analytics-premium.com/js/9s10bb.js
Needless to say, t.google-analytics-premium.com [96.126.117.191], isn’t an official google domain and has been registered using whois privacy.
It reverse DNSs to js-cdn.com also registered using whois privacy.
The Javascript references yet more obscure domains: pull.js-cdn.com and js-cdn-2.periomedia.netdna-cdn.com [94.31.29.96].

Also related seems to be cpvtracking411.com, server1.cdn-js-query.com [96.126.117.191], images.cdn-hosted.com [96.126.117.191], ajax.surveydonkeys.com.
Possibly also linked: fonts-community.com, www2-alexa.com

Update: 13th July 2015 – So I called them again, this time they answered.
Initially they asked me to go start, run and then type in “hh h” which loads HTML help.
They then talked me through clicking the icon in the top left (as if you were to close the program) but then select “Jump to URL” and type in (here is the interesting bit!) http://www.lmi1.com

Now… lmi1.com is a domain I’ve come across before! It isn’t owned by LogMeIn! It is a domain bought by someone using domain privacy which then forwards you to logmein. I previously saw it in conjunction with the WinZip tech support scam back in December 2014.

They then offered me the following to “fix” the “problems” with my brand new fresh restore of a virtual machine.

Another domain associated with their operation is http://www.techdriveinc.com

I quizzed them about if they were part of winzip or any of the previous company names or domain registrants I had found on the WinZip operation but none seemed to click with the person I spoke to.

So my best guess so far is that it’s a different support department / outsourcing operation but with a script or mandate from the same parent company as the winzip operation. I don’t see why lmi1.com would be common between the two otherwise.