The Hunt For Tech Support Scammers

Just when you think you’ve seen everything when it comes to tech support scams, you realize how far the miscreants behind this plague will go to rob innocent people.

A group known as Tech Kangaroos has been impersonating legitimate software companies and charging their victims hundreds, sometimes even over a thousand dollars, for completely bogus software support. In an added twist, the same scammers later call back their customers to offer them a ‘refund’, where they actually steal even more money.

The scammers use search engines and other types of advertising to lure in victims. For example, a query on Bing for certified support for Malwarebytes returns the following top result:

bing

This is a fraudulent page which the crooks built by stealing the graphics from the Malwarebytes website and altering it to trick people into calling a toll-free number:

Fake_MBAM_site

There are also several more scam pages, all looking very professional:

This slideshow requires JavaScript.

The next phase of the con consists of taking remote control of people’s computers and performing a fake security scan as a scare tactic.

Koobface

We called the number and went through the process; it was hard not to notice the constant stream of voices from the boiler room where those so-called technicians operate from. Within minutes, we were presented with a bill for over one thousand dollars.

invoice

When asking for the name of the company, the technician lied repeatedly, but there were enough clues left for us to find out exactly who they were. One thing was for sure, they weren’t Malwarebytes tech support and they certainly did not like being questioned about that. Sadly, these scammers can’t handle rejection too well. While still in control of our test computer, the technician quickly managed to disable all the services and force a reboot, in an effort to damage our computer.

[embedded content]

Customer complaints

A quick lookup for either the phone number of company name returns dozens of complains. People have been defrauded and insulted time and time again by this particular group of scammers.

scam_1

Source: 800notes.com

scam2

Source: community.norton.com

Collecting evidence and fighting back

Traffic analysis during our interaction with the scammer revealed several domains of interest.

  • Scam sitecertified.support
  • Phone number: 1-800-277-6232
  • Payment pageonlinetech.support/contact.php (Registrant mokshtalk@gmail.com)
  • Official company site: techkangaroos.com (Registrant: reemanath@hotmail.com)

The company appears to be located in Singapore, which seems a bit unusual. However, this is not where the call centre is located. A network trace shows the scammers IP address is actually from New Delhi, India:

IP_address

(IP lookup from IPligence)

The email address for the payment page, mokshtalk@gmail.com, is tied to an individual called Moksh Popli:

whois2

According to his Linkedin profile, Moksh Popli is Managing Director at Instant PC Care.

director

Interestingly, Instant PC Care is tied to onlinetech.support (scam payment page mentioned earlier):

DBA

We have reported these websites to the appropriate hosting providers and registrars. We are well aware that those scammers will set up shop elsewhere but we can at least disrupt their business model and more importantly raise awareness.

Besides the actual scam aspect, there’s a concerning trend of rogue technicians breaking people’s computers for revenge. Without a doubt, trolls that try to waste the scammers’ time or simply call up for fun have contributed to this phenomenon.

A more productive and long lasting effort is to research, track and document those scams. In many cases, the FTC goes after entire organizations and takes down their infrastructure, including banking assets.

The official Malwarebytes support page can be found here. For more general information about tech support scams, please visit our help page and feel free to share any experience you may have had.