In October of last year, Jerome Segura uncovered a tech support scam trading on Malwarebytes’ good name. (Found here, and still worth a read.) So half a year later, what happened to the perpetrators?
Still scamming, apparently, and now with a snazzy new website! Rather than coding a website from scratch and possibly making mistakes, they seem to have lifted assets from the Malwarebytes website directly, which can make it tough for some users to know exactly who they’re talking to.
Generally one can look up the history of toll-free numbers on a scammer’s site and find a long and sordid history of fraud and abuse. But curiously, this number had no history, so we had to get a little creative. Digging through the “Terms and Conditions”, we came across this:
If you choose to sign this document or agree to make any online/ offline payment at Malwarebytes Support 247, a service provided by Malwarebytes Support 247 (hereby known as "www.geeksinhome[DOT]com" having its offices in India and businesses concerns in USA and Canada, you are agreeing to be bound by the following terms and conditions ("Terms of Service"). You may contact home support 1-888-609-4191 for any kind of question that you have for home support.
So who is geeksinhome[DOT]com? WHOIS data shows the domain registered to Kunal Bansal of Chandigarh, India, at the email firstname.lastname@example.org. Who, as it turns out, was behind a Malwarebytes-themed scam Jerome reported on in 2015. (Thanks to commenter Rudston for pointing this out.) This is generally where analysis of scams comes to an end – the presumption is that the scammer would never use his real name, and that’s that. True-ish, but quite a few criminals will use their real info for a “clean site” and then let details they consider benign cross between the clean and dirty sites, which allows us to connect the two quite nicely. As we can see here:
Partial text below:
Geeks Technical Solutions Private Limited is a Private incorporated on 27 February 2013. It is classified as Non-govt company and is registered at Registrar of Companies, Chandigarh. Its authorized share capital is Rs. 1,000,000 and its paid up capital is Rs. 100,000. It is involved in Other computer related activities [for example maintenance of websites of other firms/ creation of multimedia presentations for other firms etc.] Geeks Technical Solutions Private Limited's Annual General Meeting (AGM) was last held on 30 September 2015 and as per records from Ministry of Corporate Affairs (MCA), its balance sheet was last filed on 31 March 2015. Directors of Geeks Technical Solutions Private Limited are Mohit Bansal, Kunal Bansal, Amanpreet Singh Doad.
An officially registered company name usually means an official company presence, so let’s follow a few more breadcrumbs for “Geeks Technical Solutions”. Goodness, they appear to be hiring!
Searching on the hiring manager’s number – because who hasn’t considered a mid-career change – yields a polished hiring website. Smooth, well-executed hiring pipelines targeted at applicants with limited experience can often convince people that they’re working tech support for a perfectly legitimate company.
“IRATE CUSTOMERS” indeed. But what about Mr. Bansal?
Like most tech support scammers, he operates under a variety of corporate registrations. His include, but are probably not limited to: Mark Software Systems pvt ltd, Blue Alpha IT pvt ltd, Geeks Technical Support, Knowledge Internet Marketing, and PNR Jewelers. A number of companies under these managing entities have addresses in Arlington, VA:
Odds are good that this is in fact a UPS store used to provide a more attractive US-based address to scam targets.
So starting from a single malicious domain, we’ve uncovered several hundred others from passive DNS records, along with a bustling call center enterprise, a host of front companies, and a fairly well-developed hiring pipeline that could fool an applicant into thinking they’re working for a legitimate support company. Surely an operation this well developed and long lasting must be technically sophisticated to have continued unabated so long? Well, not really. Going back to the original hxxp://malwarebytes-support-247.com, we can see the registrant email in WHOIS associated with a domain called hxxp://geeksexcellence.com, which serves the administrative panel of the company’s network router. Whoops.
The only thing really required to stick around as long as Geeks Technical Solutions is persistence, a little bit of money, and a commitment to staying under the radar. A note on that last point:
Disclaimer: Malwarebytes Support 247 has no affiliation with any of the third-party companies or brands & service providers that might have been used to related to services. If your product is under warranty, the repair service may be available from the vendor. We are self-reliant onsite, in store PC support provider. For any kind of brand usage or affiliation of brands with us or any kind of partnership program, you may contact Malwarebytes Support 247 on 1-888-609-4191 and get the required information. We have expertise in handling issues with a huge array of Services of third-party companies and brands however Malwarebytes Support 247 holds no association or affiliation with any of these brands like Malwarebytes, HP, etc. provide support service for the product issues faced by users. Please contact the related third party in case of queries regarding permitted use and specific warranties in concern to the software, hardware, and peripherals. Malwarebytes Support 247 bears no responsibility related to any third party content made available related to the site and we do not cover the risks the user faces while using such third party content, services, support or software. We respect intellectual property rights and trademarks, brand names and logos of other parties, which are provided on this site and they are only for furnishing information and providing references. Note for Brand Owners: If you find any trademark violation or usage that is not appropriate, please send us an email on email@example.com, so that we can take care and remove the violation. Once your email is received, it will take around 1-2 weeks for the violations to be completely removed.
Fraud is still fraud, no matter how long your disclaimer is. Takedowns have been sent, and Malwarebytes will continue to monitor for the next time this group tries again. For more information on what you should know about tech support scammers to defend yourself, please check out the article here: https://blog.malwarebytes.org/tech-support-scams/