dot-ontechies.com / 0800-090-3906 virus warning and “TourTech” support scam.

This scam is being answered by TourTech (tourtechinc.com) and payments are being processed via FirstData (a payment processor).

Another month, another malvertising scam claiming that victims’ computers have the Zeus virus.

[Image: dot-ontechies-scam]

The message displayed reads:

Security Error Code 0x80070424

****Please Do Not Restart Your Computer ****

Microsoft Windows Detected ZEUS Virus and these Infections indicate that some Un-Authorised File Tampering has taken place on the computer which must be Diagnosed and Rectified to prevent loss of Personal Data.

Call Microsoft Technical support on 0800-090-3906 and share the Error Ticket: WBCKL457 with Support Agent to get it Diagnosed Free of Charge

PLEASE DO NOT SHUT DOWN OR RESTART YOUR COMPUTER, DOING THAT WOULD LEAD TO DATA LOSS AND OPERATING SYSTEM CRASH

CONTACT MICROSOFT TECHNICAL SUPPORT IMMEDIATELY TO RESOLVE THE ISSUE ON TOLL FREE – 0800-090-3906
—————————————————————————–
for Technical Assistance
—————————————————————————-

Terms and Conditions
All rights reserved.

Victims are asked to call the UK freephone number 0800-090-3906 (aka. 08000903906 / “0800 090 3906” / +448000903906). YouTube has a recording of what happens if you call these people:

The URL involved when I came across it was:

http://chksysonlihneeroorserachinefjoiwrfghjytirtytygkhfhgkm.dot-ontechies.com/000053x56435zx

The domain is registered to:

Registrant Name: JANET FREEMAN
Registrant Street: Mysugar Building, Opposite Ravindra Kalakshetra, J C Road, J C Road
Registrant City: Bengaluru
Registrant State/Province: Karnataka
Registrant Postal Code: 560002
Registrant Country: IN
Registrant Phone: +91.8041325277
Registrant Email: jenny.free7478@rediffmail.com

The page's source contains code relating to a scam run from:

pfzenljnfdkjlejrij-044353423warningalert.microsoftfoundsomesuspiciousactivityfromyouripaddress.somespywaremayhavecausedasecuritybreachatyournetworklocation.livetech-solutions.com

And also “www.gth-techies.com”, which is another Apple-based scam message giving a different telephone number:

[Image: gth-techies-dot-com-scam]

This scam page claims:

YOUR Apple COMPUTER HAS BEEN LOCKED*

Your Computer is infected with an adware or malware causing you to see this popup.

This may happen due to obsolete virus protections.

To fix, please call Apple Support at 0808-143-3728 immediately. Please ensure you do not restart your computer to prevent data loss.

Possibility of Data & Identity theft, if not fixed immediately.

YOUR Apple COMPUTER HAS BEEN BLOCKED*

YOUR Apple COMPUTER HAS BEEN LOCKED !!

System has been infected due to unexpected error!
Please Contact Apple 0808-143-3728 Immediately!
to unblock your computer.

\Suspicious Activity Detected. Your Browser might have been hijacked or hacked.

ANONYMOUS ACTIVITY

Private and Financial Data is at RISK:
. Your credit card details and banking information
. Your e-mail passwords and other account passwords
. Your Facebook, Skype, AIM, ICQ and other chat logs
. Your private & family photos and other sensitive files
. Your webcam could be accessed remotely by stalkers

IMMEDIATELY CALL Apple SUPPORT AT 0808-143-3728

MORE ABOUT THIS INFECTION:
Seeing these pop-up’s means that you may have a virus installed on your computer which puts the security of your personal data at a serious risk.
It’s strongly advised that you call the number above and get your computer inspected before you continue using your internet, especially for Shopping or Banking.

Call immediately for assistance.
Contact Apple Support At (0808-143-3728 )

Victims of this scam are asked to call 0808-143-3728 (aka. 08081433728 / +448081433728 / “0808 143 3728”).

This domain is registered to another rediffmail user:

Registrant Name: Jermine Atkinson
Registrant Street: Plot No. 11, Shivashri, Burudgaon Road, Near Hotel Vaibhav, Maliwada
Registrant City: Ahmednagar
Registrant State/Province: Maharashtra
Registrant Postal Code: 414001
Registrant Country: IN
Registrant Phone: +91.2412322268
Registrant Email: koov.atkinson414@rediffmail.com

Another domain associated with the same scam or web developers is:

pfrecloudcompuroorwkjowj4323032fjiasfetafwfad.psp-voism.com/pfrecloudcompuroorwkjowj4323032fjiasfetaf

It is also registered to another rediffmail address:

Registrant Name: Teoric Parker
Registrant Street: WZ-54 Naraina Village, Naraina
Registrant City: NEW DELHI
Registrant State/Province: Delhi
Registrant Postal Code: 110028
Registrant Country: IN
Registrant Phone: +91.8285040300
Registrant Email: teoric.parker252@rediffmail.com

The IP the original domain points to (107.180.48.126), hosted at GoDaddy, is also associated with the following scammy domains:

  • system-info-require-network-maintenance-contact-remote-support.info
  • system-require-urgent-repair.info
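
The number variants and hostname shapes listed in this post can be turned into simple matching rules for page text and proxy or DNS logs. The following is an added example, not code from the scam pages or from this post's author; the 30-character label threshold and the keyword list are assumptions, and the sample values are the ones quoted above.

```python
import re
from urllib.parse import urlsplit

# UK freephone (0800/0808) numbers, national or +44 form, optional separators.
PHONE_RE = re.compile(r"(?<!\d)(?:\+44[\s-]?|0)80[08](?:[\s-]?\d){7}(?!\d)")
MAX_LABEL_LEN = 30  # assumed threshold for a single DNS label
SCARE_WORDS = ("warning", "alert", "urgent", "repair", "suspicious", "virus")  # assumed


def normalise_number(raw):
    """Collapse any written variant to E.164: '0800 090 3906' -> '+448000903906'."""
    digits = re.sub(r"\D", "", raw)
    return "+" + digits if digits.startswith("44") else "+44" + digits[1:]


def extract_numbers(text):
    """Map each E.164 number found in page text to how often it appears."""
    counts = {}
    for match in PHONE_RE.finditer(text):
        number = normalise_number(match.group())
        counts[number] = counts.get(number, 0) + 1
    return counts


def host_signals(url):
    """Return the reasons a URL's hostname resembles the scare-page hosts above."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    reasons = []
    if max(len(label) for label in host.split(".")) >= MAX_LABEL_LEN:
        reasons.append("long-label")
    if sum(word in host for word in SCARE_WORDS) >= 2:
        reasons.append("scare-words")
    return reasons


# Sample input: number variants and hostnames quoted in this post.
PAGE_TEXT = ("Call 0800-090-3906 (aka 08000903906 / 0800 090 3906 / +448000903906). "
             "Contact Apple Support At (0808-143-3728 )")
URLS = [
    "http://chksysonlihneeroorserachinefjoiwrfghjytirtytygkhfhgkm.dot-ontechies.com/000053x56435zx",
    "system-require-urgent-repair.info",
    "www.gth-techies.com",
]

if __name__ == "__main__":
    print(extract_numbers(PAGE_TEXT))
    for url in URLS:
        print(host_signals(url) or ["no-signal"], url)
```

A short hostname such as www.gth-techies.com trips neither hostname rule, so the normalised phone number found in the page body is the signal that ties it to the others.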

As a side note, I believe that these scammers use and buy very controlled advertising runs. For example, I think this company is only buying adverts Monday to Friday and probably only during their office hours or quiet hours (if they have a legitimate business running out of the same support center).


One Response to dot-ontechies.com / 0800-090-3906 virus warning and “TourTech” support scam.

  1. wpaura says:

    Could you please investigate this scammer (if time permits): urtechmateinc.com.
    I saw a popup coming from website: easyclothes.info. The phone number seen in popup: +1-877-774-9220, the domain registrant: Renu Sadh (Ms), email: admin@urtechmateinc.com.
    The email indicates domain: urtechmateinc.com. This registrant has a few more bad popup websites all having the same registrant and email: admin@urtechmateinc.com. Some of her popup websites are:
    clothesfashion.info
    easyclothes.info
    easyclothes.pro
    easyclothes.us
    fashionaround.info
    fashionaround.xyz

    Appreciate if you can investigate further.
