Posted by Virus Bulletin on Nov 9, 2011
Websites and Facebook accounts created to make callers appear more legitimate.
'Support call scammers' have started to use professional-looking websites and social media accounts to make themselves appear more legitimate.
In these scams - which have been prevalent in many English-speaking countries for some time - victims are telephoned and told that their computer has been engaged in malicious behaviour such as the sending of spam. To make the claim more credible, users are usually socially engineered into opening the Event Viewer in Windows and are made to believe that the harmless alerts they see are a serious problem. To solve this 'problem', the user is told that the caller requires remote access to the PC - which, of course, allows the caller to install malware. Sometimes users are also charged for having their PC 'fixed'.
The callers often claim to be calling on behalf of Microsoft or the victim's ISP, but they have now started to use phony company names as well. In one case witnessed by researchers from ESET and Virus Bulletin, the call came from a company named 'eFIX', which has a legitimate-looking website as well as a Facebook account.
The website's domain name was registered in September 2011 from India, although 'eFIX' uses a boilerplate address in Glasgow and claims to have employees in five different countries and to offer 24/7 support. The website also displays testimonials from happy 'customers'; interestingly, one such 'customer' also appears on another website used by scammers, listed there as an employee of that company.
The 'eFIX' Facebook page displays more genuine-looking reviews from customers thanking 'eFIX' for fixing their PC. Comments from people saying it was a scam and demanding their money back are being removed.
Customers whose PCs are infected with malware are a serious problem for ISPs, most of which are looking into ways of notifying infected customers. Support call scams are therefore not only a problem for the victims of such scams, but also potentially jeopardize the trustworthiness of such ISP notifications.