Another day and while browsing the internet I clicked on an advert that promised 30% discounts on Amazon’s prices… Then got this. (And uncovered a huge scam using about 40 different “it company” domains).
The messages read as follows:
Critical Error! Some suspicious activities has been detected from your network and your system has been blocked. Call immediately on 0-800-098-8413 to prevent further data loss.
Critical Error! Your system has been blocked because suspicious activities has been detected from your IP address. Call 0-800-098-8413 immediately.
ERROR! Call for support: 0-800-098-8413
** YOUR COMPUTER HAS BEEN BLOCKED **
Your computer has alerted us that it has been infected with a virus and spyware. The following information is being stolen…
> Facebook Login
> Credit Card Details
> Email Account Login
> Photos stored on this computer
You must contact us immediately so that our engineers can walk you through the removal process over the phone. Please call us within the next 5 minutes to prevent your computer from being disabled.
Toll Free: 0-800-098-8413
The number victims are asked to call is a UK freephone number. “0-800-098-8413” (aka.. 08000988413 or “0800 098 8413”).
The page, hosted at GoDaddy, that showed the fake warning was:
It directs people to call the tech support scammers “Optimum Global Services” who seem to be operating out of the site http://www.rateditteam.com to take payments.
Unusually for these kinds of things – the address given is a UK address (not USA or India) and the postal address given on the website matches the whois:
Registrant Name: Samuel Verghese
Registrant Street: Flat 5, 25 Brunswick Terrace,
Registrant City: Hove
Registrant State/Province: East Sussex
Registrant Postal Code: BN3 1HJ
Registrant Country: UK
Registrant Phone: +44.7342047912
Registrant Email: firstname.lastname@example.org
When that initial payment failed they then tried to take payment via “www.directcontracta.com” which initially looks like an unrelated “find a contractor” website but after a bit of investigation is actually registered by the same email address as rateditteam.
Associated are the Google Analytics accounts: UA-90478716 and UA-67147650
Also related to the rateditteam.com domain is:
email@example.com (matches the Samuel Verghese name used in the original tech support scam domain and is also near Hove in the UK?)
His local computer fixing business “www.expertpcbook.com”
The shared(?) youtube channel of Samuel Verghese?: Shows three young Indian men in Mumbai and several product reviews or videos attempting to go viral and domain “3wise.men”
The company of someone who lives at the address, supposedly an “Entreprenneur”.
All the following are shady looking web design and tech support companies with similar pricing structure to rateditteam:
www.itshowwedoit.com www.wecansortitforyou.com www.firstitforyou.com www.yourplaceforit.com www.pickusforit.com www.jewelitsolutions.com www.workingwithitteam.com www.itexteam.com www.thetotalitteam.com www.wesortitall.com www.timetotalkit.com www.digitalsconnections.com www.firstinit.com www.timetoaskit.com www.ititcltd.com www.getandgopro.com www.weloveinfotech.com www.itdecided.com www.topmantech.com www.eyeteco.com www.bringhomeit.com www.theitcrib.com www.itstheitcrew.com www.itstheitguys.com www.wegotitguru.com www.quickresponsesolutions.com www.fastexpertsolutions.com www.totalsolutionsexpert.com www.expertproteam.com
Related but probably a “customer” of the scammer:
http://www.amteachings.com – A meditation class around Hove, Sussex, UK.
If you are the owner of the above meditation business above – please contact your web developer and tell them off for being involved in scams.
Another URL used during the scam was http://onlinescanner.somee.com/ which appears to be a fake virus warning site that even has a one time password / unique value that needs to be entered before the fake scan will start! A working code is 84651 if you fancy testing it out.