Monday, April 7, 2014

Public Service Announcement - Scam Alert

Scam Warning:

Today I'd like to point the "finger of shame" at a specific scam site.    I'm going to provide a little technical information about them, as well as the specifics of how they are operating.  

There are a few very important things to keep in mind:
  • Microsoft does not call users about viruses, computers being hacked, or errors on a computer.
  • "Your bank" or "Your credit card company" will not phone you from a forged number, for any contact they make.
  • Legitimate businesses will properly identify themselves through Caller ID (CID) information.
  • Any caller who refuses to properly identify themselves should be viewed as deceptive; this is also a violation of some federal laws.
  • "Your bank" or "Your credit card" or PayPal, or any other financial institution will not contact you using a generic salutation (Dear ____ user, for instance).   
  • Any offer to "launder money for profit" - or contact about a lottery or prize you do not remember entering - is a scam intended to separate you from your money.

There's a particular scam that I've pointed out before.   In this one an individual (often from India) will phone you to inform you that they are either from Microsoft, or that Microsoft has notified them to contact you.   Your computer is either communicating errors, or is not communicating properly, and they are there to help you fix this.

You are instructed to turn on your computer and run "eventvwr".  This is the Windows Event Viewer.   They will have you look for warnings and errors, and attempt to tell you that these are signs of viruses, or of being hacked.   Their schtick will change periodically, as it's meaningless.   If they think you have no clue, then any lie will do.   They may even have you open the Services tab in MSCONFIG and try to scare you by showing you the stopped services there.

Now, about what really goes on here.    Event Viewer shows events within the computer.   "Warnings" and "errors" are normal.   They do not imply any malicious activity.  They do not indicate that your computer is being attacked (although if you're not careful, it soon will be).   

They may have you check a few other things to convince you that you're in trouble.   At this point, they may transfer your call to a "tech", "senior tech" or something else of that nature.  Essentially, you're being handed to another call center scammer to continue the script.   The goal here is to get you to grant them remote access to your computer.   This will be accomplished through a software package like Ammyy Admin or TeamViewer.   These are both legitimate businesses, and each has a statement on its site regarding this abuse of its service.   

If you give them access to your computer, one of several things may happen.   They may install logging software on your computer, which will transmit information (including banking details and passwords) to them.   They may intentionally damage or delete files and attempt to charge you to get them back.   They may charge you to put on an "antivirus" program, which does nothing but enrich them.   They may go rifling through your files.   If you grant them administrative control they can even damage your computer's operating system by deleting specific files.   

My latest interactions have come from an outfit that is actually using "their own" website to initiate the scam.   Their site instructs you to download the Ammyy Admin application, and provide them with the information from it.  

The site they are presently using is "geekscare.com".   I'm not sure if that's supposed to be Geeks Care, or Geek Scare.   Regardless, here is some information about that site:

host geekscare.com
geekscare.com has address 118.139.175.1
geekscare.com mail is handled by 0 smtp.secureserver.net.
geekscare.com mail is handled by 10 mailstore1.secureserver.net.

whois geekscare.com

   Domain Name: GEEKSCARE.COM
   Registrar: GODADDY.COM, LLC
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS09.DOMAINCONTROL.COM
   Name Server: NS10.DOMAINCONTROL.COM
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 22-dec-2013
   Creation Date: 22-dec-2013
   Expiration Date: 22-dec-2014
Domain Name: GEEKSCARE.COM
Registry Domain ID: 1840009049_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-12-22 00:49:40
Creation Date: 2013-12-22 00:49:40
Registrar Registration Expiration Date: 2014-12-22 00:49:40
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Ravi Mahato
Registrant Organization:
Registrant Street: Kanke Road
Registrant City: Ranchi
Registrant State/Province: Jharkhand
Registrant Postal Code: 834008
Registrant Country: India
Registrant Phone: 9031143738
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ravishankarmahto@gmail.com
Registry Admin ID:
Admin Name: Ravi Mahato
Admin Organization:
Admin Street: Kanke Road
Admin City: Ranchi
Admin State/Province: Jharkhand
Admin Postal Code: 834008
Admin Country: India
Admin Phone: 9031143738
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: ravishankarmahto@gmail.com
Registry Tech ID:
Tech Name: Ravi Mahato
Tech Organization:
Tech Street: Kanke Road
Tech City: Ranchi
Tech State/Province: Jharkhand
Tech Postal Code: 834008
Tech Country: India
Tech Phone: 9031143738
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: ravishankarmahto@gmail.com
Name Server: NS09.DOMAINCONTROL.COM
Name Server: NS10.DOMAINCONTROL.COM
DNSSEC: unsigned
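As an added example (not code from the original post), here is a small Python script that parses the "Key: value" lines of a registrar WHOIS record like the one above and pulls out what an abuse report needs: the registrar, its abuse contact, and how old the domain was on the day of this post. The sample record is constructed from the domain-level fields quoted above; the 180-day threshold for "recently registered" is an assumption.

```python
"""Added example: pull abuse-report fields and domain age from a WHOIS record."""
from datetime import datetime

# Constructed sample: the domain-level fields from the post's whois output.
SAMPLE_WHOIS = """\
Domain Name: GEEKSCARE.COM
Registrar WHOIS Server: whois.godaddy.com
Creation Date: 2013-12-22 00:49:40
Registrar: GoDaddy.com, LLC
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant Organization:
Name Server: NS09.DOMAINCONTROL.COM
Name Server: NS10.DOMAINCONTROL.COM
DNSSEC: unsigned
"""

def parse_whois(text):
    """Return {key: [values]} from 'Key: value' lines. Repeated keys such as
    Domain Status and Name Server accumulate; empty fields are dropped."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # registrar boilerplate, blank lines
        key, _, value = line.partition(":")
        if value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record

def domain_age_days(record, as_of):
    """Whole days between the Creation Date and `as_of` ('YYYY-MM-DD')."""
    created = datetime.strptime(record["Creation Date"][0], "%Y-%m-%d %H:%M:%S")
    return (datetime.strptime(as_of, "%Y-%m-%d") - created).days

def abuse_report_summary(text, as_of, young_days=180):
    """Fields for an abuse report; young_days (an assumed threshold) flags
    freshly registered domains, typical of throwaway scam infrastructure."""
    rec = parse_whois(text)
    age = domain_age_days(rec, as_of)
    return {
        "domain": rec["Domain Name"][0].lower(),
        "registrar": rec["Registrar"][0],
        "abuse_email": rec["Registrar Abuse Contact Email"][0],
        "age_days": age,
        "recently_registered": age < young_days,
        "name_servers": [ns.lower() for ns in rec["Name Server"]],
    }
```

Run against the sample with `abuse_report_summary(SAMPLE_WHOIS, "2014-04-07")` to see that the domain was 105 days old on the day of this post.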

From their website, we can see a phone number, (800) 903-1361.   This phone number is provisioned by Voce Communications (480-344-1340).   If contacted, these criminals will act like a legitimate business; however, they will quickly fall back into running the above scam.  

The above information is provided as a service message to the public in general.   The phone number will change, as soon as their provider decides they are abusing the service.   Their IP will likely change as their host finds out they're violating terms of service.   Their domain will also change as it gets cancelled.   Another of each will sprout up.    Ammyy Admin, Go Daddy, and Voce Communications are not responsible for the actions of the scammers.  The latter two have merely provided service to a paying customer - until that customer violates TOS.  The former is a free utility that is being exploited by criminals.   

Please don't fall for this scam.   If you would like to have some fun at their expense, be advised that they are criminals, and they will harm your machine if you grant them access.    However, nothing stops people from having a bit of fun at their expense now and again until they get cut off.   
