This is unbeWiivable! “onlineresolve.com” Scam tech support.. on a Wii-U

The other evening we were at a friend’s house and the friend tried streaming a show to his TV using the Wii-U he had connected to the TV.

What made me laugh and take photographs was a scam advert that appeared on the Wii-U while attempting (note, attempting!) to get the show to play.

That is right.. the Wii-U supposedly has a “harmful virus”! The entire message reads:

There is a .net frame work file missing due to a harmful virus

Debug malware error 895-system 32.exe failure.

Please contact Windows specialist technicians to rectify the issue

Please do not open another internet browser to avoid data corruption on your operating system’s registry. Please contact Windows specialist technicians on their

Toll Free Helpline – 0800 802 11 33

The phone number listed was “0800 802 11 33” or otherwise known as “08008021133” or “+448008021133”.

I’ve actually managed to trigger this on a PC since. Some crappy advert in an iFrame sends your browser to: http://help-video-streaming.com/563782ERROR/errors.html

EDIT: As of 24th August 2015 they are also using:
http://my-favourite-videos.com/err/errors.html
and
http://my-favourite-videos.com/err/warning.html

Which shows you this fake blue screen:

windows health is critical scam

The fake blue screen reads:

0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS

WINDOWS HEALTH IS CRITICAL
DO NOT RESTART

PLEASE CONTACT WINDOWS SPECIALIST TECHNICIANS

BSOD : Error 333 Registry Failure of operating system – Host :
BLUE SCREEN ERROR 0x000000CE

Please contact Windows specialist technicians on their Free Helpline: 0800 802 11 30

To Immediately Rectify the issue and prevent Data Loss

The page seems to have been authored (or stolen from another site) using a computer that had Norton installed, going by some code in the HTML.

Their hold music is the same as the hosting company 1&1! Probably more a feature of the phone system in use rather than being related to 1&1.

After about 45 minutes of stringing them along I finally got the company name and website where they tried to take payment.

http://www.onlineresolve.com – Remote tech support company listing their phone number as “1-888-304-8237” and “1-888-334-5804”

Registrant Name: Prabhjot Bedi
Registrant Street: 187 E. Warm Springs Road
Registrant City: Las Vegas
Registrant State/Province: Nevada
Registrant Postal Code: 89119
Registrant Country: United States
Registrant Phone: (702) 537-0274
Registrant Email: gurkirpatech@gmail.com

The same server used by these liars also hosts (scroll down to the [X] section for more sub-information about each domain):

  • easyans.com – An accountants in Delhi [1]
  • live-pcfix.com – Technical support company listing their phone number as “1-888-334-5804”
  • livetechnician.com – Another technical support brand or company who don’t even list a phone number. You may wish to leave them a review on ResellerRatings!
  • vebsecure.com – Webdesign, SEO and “pay per click” advertising brand or company listing their phone number as “1-888-235-1526”

What is astonishing is, when payment was declined [fake card], they asked me for my bank phone number and then conference called my bank so they could listen in! Madness.

Here is the video and audio from the call (requires both headphones / stereo sound).
The greeting the guy used on the phone differs from the website that they tried to take payment on. The greeting was “Live PC Fix”.

[1]:
easyans.com is registered with the following details but also leaks “samayvashisht@gmail.com [2]”:

Registrant Name: John Vegas
Registrant Street: 187 E.Warm Springs Rd Suite B156 Las Vegas
Registrant City: Las Vegas
Registrant State/Province: Nevada
Registrant Postal Code: 89119
Registrant Country: US
Registrant Phone: +91.9250283860
Registrant Email: theclearomizer@gmail.com

theclearomizer@gmail.com is also related to the following domains:
  • live-rep.com – A remote tech support company listing their phone number as “1-888-482-3345”; it seems to be targeted at Australians.
  • live-remote.com – A remote tech support company listing their phone numbers as 1-888-389-7614, 1-888-334-5804, 1-855-238-3535
  • live-pcfix.com – (Already reported on above)
  • livetechnicianusa.com – Expired / no longer exists

The above websites that work are all hosted on the same server as the original scam I was investigating.

[2]:
samayvashisht@gmail.com uses the following whois information:

Registrant Name: Sunny Vashisht
Registrant Street: G80 Sector 63
Registrant Street: Noida
Registrant City: Noida
Registrant State/Province: Uttar Pradesh
Registrant Postal Code: 201301
Registrant Country: India
Registrant Phone: +91.9650000412
Registrant Email: samayvashisht@gmail.com

and is also associated with the following domains:
  • livetechnician.com – (Already reported on above)
  • computer-tech-help.com – A remote tech support company listing their phone number as 1-888-509-0573
  • theclearomizer.com – Currently a GoDaddy holding page. Whois gives away the name “Live Technician Tech Sols”
  • http://live.onlinebackupcheckout.com/users/login – The email address appears in the html meta tags and head tag for some reason!
  • lt-usa.net – Expired / no longer exists
  • Livetechnician.org – Expired / no longer exists
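
The manual pivoting in [1] and [2] (shared registrant email, street address and listed support number) can be automated by grouping domains that share any normalised indicator. This is an added example, not code from the original post; the record values are transcribed from the post as it states them, `unrelated.example` is a constructed control, and the function names are illustrative.

```python
import re
from collections import defaultdict

# From the WHOIS data and site text in this post; unrelated.example is a constructed control.
RECORDS = {
    "onlineresolve.com": {"emails": ["gurkirpatech@gmail.com"],
        "street": "187 E. Warm Springs Road", "phones": ["1-888-304-8237", "1-888-334-5804"]},
    "easyans.com": {"emails": ["theclearomizer@gmail.com", "samayvashisht@gmail.com"],
        "street": "187 E.Warm Springs Rd Suite B156 Las Vegas"},
    "live-pcfix.com": {"emails": ["theclearomizer@gmail.com"], "phones": ["1-888-334-5804"]},
    "live-remote.com": {"emails": ["theclearomizer@gmail.com"],
        "phones": ["1-888-389-7614", "1-888-334-5804", "1-855-238-3535"]},
    "computer-tech-help.com": {"emails": ["samayvashisht@gmail.com"], "phones": ["1-888-509-0573"]},
    "unrelated.example": {"emails": ["admin@unrelated.example"], "phones": ["1-800-555-0100"]},
}

def norm_street(s):
    # Reduce an address to "number name type" so formatting variants compare equal.
    s = re.sub(r"[^a-z0-9 ]", " ", s.lower())
    s = re.sub(r"\broad\b", "rd", re.sub(r"\bstreet\b", "st", s))
    m = re.match(r"(\d+(?: \w+)*? (?:rd|st))\b", " ".join(s.split()))
    return m.group(1) if m else None

def indicators(rec):
    out = [("email", e.lower()) for e in rec.get("emails", [])]  # (kind, value) pivots
    out += [("phone", re.sub(r"\D", "", p)) for p in rec.get("phones", [])]
    street = norm_street(rec.get("street", ""))
    return out + ([("street", street)] if street else [])

def cluster(records):
    # Union-find: two domains join the same group when they share any pivot.
    parent = {d: d for d in records}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    shared = defaultdict(set)
    for dom, rec in records.items():
        for ind in indicators(rec):
            for other in shared[ind]:
                parent[find(dom)] = find(other)
            shared[ind].add(dom)
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    links = {i: ds for i, ds in shared.items() if len(ds) > 1}
    return sorted(groups.values(), key=len, reverse=True), links

if __name__ == "__main__":
    print(cluster(RECORDS))
```

The `links` mapping records which indicator tied which domains together, so each grouping can be checked by hand before it feeds a blocklist or an abuse report.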

[other]:
The advertising network peddling this crap is adcash.com

http://www.adcash.com/a/display.php?r=455559&sub1=65591141
Which leads on to…
http://www.adcash.com/a/display.php?k=55db55db85d085716149.10798386&h=16ed421cd8353af0f64ec827f930f0bd6a41799b&ban=5716149&r=455559&iid=14404377231454283582249898851703514&sub1=%3DYwAGYgDCIQA&exp=prpd&ci=Kp0BHEABNUhTWtlUTVxGHcwAB8QDV4EVZJlQGJVRRVxGO4gDO4QDV40QeNUWWJkRVwUDVUXFbo0BNUhTWtlUTVxGHcwAB8QDV4EVZJlQGJVRRVxGG0QFONkXDllVCZUFM1QF0VxGKdQDV4kVbJ1UVsxBHMQAP0QFORVWSJkRSVUUVshDO4gDO0QFONkXDllVCZUFM1QFtVBT&pm=%3DUhWHRVF&pabt=%3D%3DQFHcUF&pc=%3DUhBHcwBHcwBHcwBHcwBHcgBZUQF&id=5716149
Which then sends you on to
http://track.trkvlm.com/0024947f-559e-48d7-91c2-86ce145b956b

(The trkvlm domain is also related to go.clicks49.com, mobile.redirectmediasystems.com, secure-link.ad3track.com, track.bestappmaster.com, track.click4stat.com, track.linkouttracking.com and track.myawsomesearch.com)

Update 2016-11-27:

Also related is kwikresolve.com :

Registrant Name: Prabhjot Bedi
Registrant Organization: Gurkirpa Tech Inc.
Registrant Street: 1 Yonge Street
Registrant Street: Suite 1801
Registrant City: Toronto
Registrant State/Province: Ontario
Registrant Postal Code: M5E 1W7
Registrant Country: CA
Registrant Phone: +1.4165292334
Registrant Email: gurkirpatech@gmail.com

And also:



17 Responses to This is unbeWiivable! “onlineresolve.com” Scam tech support.. on a Wii-U

  1. Pingback: “secure-code-zrb98dkekld.xyz” scam | thecomputerperson

  2. Omer says:

    Hi,

    Thank you for that!!
    This scam appeared on macbook last night.
    We were not sure if it is a scam or not.
    We did give them permission to remotely log in our computer,
    But we did not give them the credit card number.
    Do you know if that might still harm us by any how?

    Can they now steal our personal data from the macbook?

    Will that phone call cost us a lot of money?

    Please advise…

  3. I’m not an expert at macs at all.. you should check what runs on startup (somewhere in system preferences under your user area.. use google to find out where).
    If calling from the UK then the phone call would have been free unless you used a cell phone, in which case the mobile provider may charge for the call.

  4. Omer says:

    Thanks mate, I hope there will not be any damage…
    They logged into the computer exactly like in your video.
    Isn’t it dangerous at all? No possible traces / personal information steal?
    I saw that you had so much confidence when talking to them, I guess you were not worried of any possible information steal?

  5. I used a virtual machine / blank computer so there wouldn’t be anything to steal. I’m actually amazed they don’t check for virtual machines and hang up if they notice one.

  6. Omer says:

    Wow dude, impressive! Maybe they are not that clever like they think.
    I hope they will get what they deserve!

    What is the best way to assess the damage? Should I run a specific anti virus or should I call Apple’s tech support?

  7. I expect you are ok. Check startup items for teamviewer, ammyy, logmein or similar:
    http://www.maclife.com/article/howtos/how_remove_startup_items_os_x

  8. Omer says:

    Thanks!

  9. Speroulla Christodoulou says:

    It has happened to me as well. I’m in Australia. I argued with them that this could be a sophisticated Scam and how do I know. Well, this conversation went on for a little longer and they finally convinced me that they were legit (stupid me). The conversation went exactly the same as yours. They showed me on my screen how my computer had been corrupted, and I ended up agreeing to pay AUD279 and they ended up loading their anti-spyware and anti-virus software by remotely accessing my computer. The next day, I locked my Visa so no transactions could be made, though my payment to them had already gone through. I called them the next day to tell them that I had reported them to Microsoft and they panicked saying “no, no maam you do not need to do that, we are a legitimate Tech support for Microsoft blah blah”. I said then, would they give my money back in that case. They said they would return my money but there is no need as I have one year protection and full tech support etc etc. Again I backed down, but after reading this I’m angry again that they are duping people in purchasing their services like this. I now want my money back and what they loaded taken off my computer. I’ll call Microsoft Australia on Monday to see what I can do but wondered whether you have any suggestions. I can get my credit card replaced so they can’t take any more money but can they access my computer still?
    Love your call, great hearing them becoming increasingly agitated and annoyed because you’re not playing the game hy-larious! They actually got a little agitated with me as well but that’s because I didn’t know what I was (or they were) talking about. I even asked why I couldn’t hear call centre in the background and where was he. He claimed he was in Nevada Las Vegas.

  10. I wouldn’t even bother speaking to Microsoft. Just chase the scam company for a refund or do a chargeback through your credit card company under the reason “goods or services not as described” and “retailer not responding”.

    As for access to your computer.. Check the programs list for team viewer or ammyy and install it if you find it.

  11. Speroulla Christodoulou says:

    Thanks. Team viewer is installed.

  12. Shaylene says:

    It popped up on my Kindle and now I cannot use the Web feature. I have shut down and rebooted. How do I get rid of it?

  13. Which kind of kindle? e-paper reader or the kindle fire?

  14. Greg says:

    This happened on my Wii U this morning. Is there any way to get rid of it? How did it get there?

  15. Yolie says:

    I am on a mission to DESTROY these savage bastards! Mine had nothing to do with WiiU nor Apple, but Windows & they claimed to be “Microsoft AND Comcast” so my husband, the dunce, was all “Derrrrrrrrrp, have some remote access to both computers & let me wake up the wifey to get access to her pad too!” I awoke to a living nightmare & am on a mission to make these shifty thuggees SUFFER. If you can, spoof a phone number & just keep calling them. 800/888/877 numbers are free to call, but they aren’t free for them. Just annoy the living crap out of them. Tell them you’re calling from __________ tech support & that they need to send you a payment of a million dollars to make their cursor stop blinking. Have fun with it. >:)

  16. Michael says:

    This is brilliant! Maybe acting should be your next career. Love the part about “Foreign addresses”. Ha!

    My 88 year old mother got burned by the bastards a couple of days ago. She had just gotten a notice that someone had hacked into her personal information at a medical clinic and was freaking about that when she got this (unrelated) stupid alert message on her computer. She called the number and, well, the rest is history.

    It’s odd, but these guys sound and operate just like some of the other scammers I have heard having to do with fake IRS issues. I could almost swear it’s the same idiots.

  17. I’ve now started getting spam to the unique address that I gave to onlineresolve! So they’ve had their database stolen or have sold it to spammers.
