Author Topic: SupportOnClick, FixOnClick, SupportOneCare, et al.  (Read 3741 times)

Offline PCBruiser

SupportOnClick, FixOnClick, SupportOneCare, et al.
« on: July 18, 2010, 11:25:47 AM »
You are sitting at dinner, possibly watching the nightly news, and your phone rings.  Here's how typical calls, with some slight variations, have been reported to go:  On the other end of the call is someone with a strong, almost unintelligible Indian accent.  Strange, you don't know anyone with that kind of accent, and it can't be a sales call, not with you having put your phone number on the "Do not call ..." lists at both the FTC and your state's Attorney General's site (or possibly Consumer Affairs).

"Who is it?", you ask.  David, Paul, Robert, James or some such common name from SupportOnClick. You continue:  "What do you want?"

Now you get some confusing answer that strongly suggests that SupportOnClick is a Microsoft-owned site, or ESET, or MalwareBytes, or some other well-known software/security company.  If you push on this issue, you get some movement suggesting it is not owned by Microsoft, but it is a "partner" of theirs.  Further pushing gets you transferred to a "Supervisor" who gives you an even more confusing answer following your question: "OK, so why are you calling?" Their reply states that they are calling because they (whoever "they" might be - we'll deal with that later) have received a "report" that your computer is badly infected, and about to die.  "But," you say, "my computer is working just fine and it isn't even on!"

No matter - it is going to die and "they" will prove it to you.

They tell you to boot your system and give you instructions for doing something like opening Event Viewer, adding:  "Look at all those entries - that's really bad, your computer is going to die if we don't do something right now to fix it."  Now, if you know anything about Event Viewer, it can have thousands of entries, depending on which event log you look at.  In 99.99999% of entries, it is a simple informational entry.  Your system was booted, the defragmenter started, etc.  My Application log has 22,775 entries, almost all of them completely harmless informational reports, and a few errors and warnings - all perfectly normal.  But, not to SupportOnClick.  Not, to them; it is the sign of DOOM!

You wonder: "What do I do?" as you are presented with: "Well, we can fix it for you for an annual subscription fee of (enter amount here, anything from $30 to $300 depending on just how gullible you sound), and we take credit cards."

You rush and get your wallet, because you saw the proof, your system is going to die and SupportOnClick is your only savior, right?  Aren't you lucky they got that report?  You give the telemarketer your credit information, and he or she instructs you to open your browser and click on a specific URL.  Once you do, your caller congratulates you and tells you that the site has downloaded some software (or maybe they don't tell you that because it can sound scary to some), but that now he or she can fix your system.  You see some rapid screens open and close on your monitor, and then you are told "It's fixed!  In addition, if you have any more problems, just log into that same URL and someone will help you."

Well, you have just been taken by a telephone scam and phish that has been running for about the last two years.  The scammers have focused on Australia, UK, US and to a small extent Canada.  We believe there are some 20+ different site/company names being used, including one currently called SupportOneCare to try to add additional confusion as to their relationship with Microsoft.  Now, let me be very clear on this:  They have no relationship with any legitimate software or security provider!  Their claims to the contrary are lies.  See the following link for what respected security software developer ESET had to say recently:  http://www.eset.com/blog/2010/06/23/marketing-misusing-esets-name

Let me also suggest that you immediately call your credit card company and ask them to reverse the charge, and issue you a new card with a new account number.  If you are lucky, you will report them in time to have your credit card company reverse the charge, otherwise you have lost whatever they suckered you into paying for their useless nonsense.  Your credit card information is also compromised, and depending on what, if anything, they downloaded to your system, and what records you keep there, your entire financial information and indeed your identity itself, may be compromised.  If you have used tax or financial software, you may be spending a considerable amount of time trying to get control of your identity back.  Over TEN MILLION Americans alone ANNUALLY suffer identity theft.  We didn't make this up, see http://www.spamlaws.com/id-theft-statistics.html and be scared.  This is a BIG deal if it happens to you.

You should also report this incident to everyone you can think of - a later post in this topic will list some of the important places you should call, write or visit the sites to report this incident.

Our next post will list sites we know are related, and sites that may be related.  Thankfully, we understand that SupportOnClick has had its IP registration revoked, and that site is now gone.  However, its siblings, aunts, uncles and cousins are still there and active.  Here is the Whois information on SupportOnClick:

Quote


supportonclick.com

67.215.65.132

Pecon Software Ltd.
Pecon Software Ltd. (peconcal@vsnl.net )
En-27, Salt lake Sector-V
Kolkata
West Bengal,700091
India
Tel. +91.03340101601

Pecon Software Ltd.
Pecon Software Ltd. (peconcal@vsnl.net )
En-27, Salt lake Sector-V
Kolkata
West Bengal,700091
India
Tel. +91.03340101601

Pecon Software Ltd.
Pecon Software Ltd. (peconcal@vsnl.net )
En-27, Salt lake Sector-V
Kolkata
West Bengal,700091
India
Tel. +91.03340101601

Pecon Software Ltd.
Pecon Software Ltd. (peconcal@vsnl.net )
En-27, Salt lake Sector-V
Kolkata
West Bengal,700091
India
Tel. +91.03340101601

883.venus.orderbox-dns.com
883.mercury.orderbox-dns.com
883.mars.orderbox-dns.com
883.earth.orderbox-dns.com

Google Page Rank : Unknown
Alexa Traffic Rank : 3,778,374

Created: 20-Feb-2006
Expires: 20-Feb-2011
Source: whois.publicdomainregistry.com
Completed at 7/8/2010 5:17:12 PM
Processing time: 2.11 seconds


And here is the same information on SupportOneCare, a more recent evolution of this scam:

Quote


supportonecare.com

67.227.218.100

PrivacyProtect.org
Domain Admin (contact@privacyprotect.org )
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
Netherlands
Tel. +45.36946676

PrivacyProtect.org
Domain Admin (contact@privacyprotect.org )
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
Netherlands
Tel. +45.36946676

PrivacyProtect.org
Domain Admin (contact@privacyprotect.org )
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
Netherlands
Tel. +45.36946676

PrivacyProtect.org
Domain Admin (contact@privacyprotect.org )
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
Netherlands
Tel. +45.36946676

ns6.agtsindia.com
ns5.agtsindia.com

Google Page Rank : 0
Alexa Traffic Rank : 3,701,182

Created: 02-Feb-2010
Expires: 02-Feb-2013
Source: whois.publicdomainregistry.com
Completed at 7/12/2010 1:45:54 AM
Processing time: 1.98 seconds


And, just to be a little more complete, SupportOneCare.com redirects to Support1Care.com which has a little more information public and available:

Quote


support1care.com

67.227.218.100

Zeal IT Solutions Pvt Ltd
Kishore Ghosh (info@support1care.com )
29, Shibtala Street
kolkata
West Bengal,700007
India
Tel. +033.9038660018

Zeal IT Solutions Pvt Ltd
Kishore Ghosh (info@support1care.com )
29, Shibtala Street
kolkata
West Bengal,700007
India
Tel. +033.9038660018

Zeal IT Solutions Pvt Ltd
Kishore Ghosh (info@support1care.com )
29, Shibtala Street
kolkata
West Bengal,700007
India
Tel. +033.9038660018

Zeal IT Solutions Pvt Ltd
Kishore Ghosh (info@support1care.com )
29, Shibtala Street
kolkata
West Bengal,700007
India
Tel. +033.9038660018

ns6.agtsindia.com
ns5.agtsindia.com

Google Page Rank : 0
Alexa Traffic Rank : 4,661,679

Created: 07-Apr-2010
Expires: 07-Apr-2012
Source: whois.publicdomainregistry.com
Completed at 7/17/2010 10:38:08 AM
Processing time: 2.14 seconds


Subsequent posts will discuss the list of site names; we will try to find out more about Pecon and Zeal IT, and finish up with a list of where to report the scam by country.


Don't Read?  Can't learn!
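
Added example (not part of the original post): the WHOIS quotes above already show why SupportOneCare and Support1Care belong together. The Python sketch below uses values transcribed from those quotes; the function names and the two-indicator threshold are assumptions of this example. It links domains that share at least two infrastructure indicators and ignores the privacy-proxy registrant.

```python
from itertools import combinations

# Transcribed from the three WHOIS quotes in the post above.
RECORDS = [
    {"domain": "supportonclick.com", "ip": "67.215.65.132",
     "registrant": "Pecon Software Ltd.",
     "ns": ["883.venus.orderbox-dns.com", "883.mercury.orderbox-dns.com",
            "883.mars.orderbox-dns.com", "883.earth.orderbox-dns.com"]},
    {"domain": "supportonecare.com", "ip": "67.227.218.100",
     "registrant": "PrivacyProtect.org",
     "ns": ["ns6.agtsindia.com", "ns5.agtsindia.com"]},
    {"domain": "support1care.com", "ip": "67.227.218.100",
     "registrant": "Zeal IT Solutions Pvt Ltd",
     "ns": ["ns6.agtsindia.com", "ns5.agtsindia.com"]},
]

# A privacy proxy is shared by unrelated customers, so it is not evidence.
PRIVACY_PROXIES = {"privacyprotect.org"}

def indicators(rec):
    """Return the set of (kind, value) pivots one record exposes."""
    out = {("ip", rec["ip"])}
    out |= {("ns", n.lower()) for n in rec["ns"]}
    if rec["registrant"].lower() not in PRIVACY_PROXIES:
        out.add(("registrant", rec["registrant"].lower()))
    return out

def link_domains(records, min_shared=2):
    """Pair up domains that share at least min_shared indicators.

    A single shared hosting IP is weak evidence on its own (shared
    hosting is common), hence the assumed threshold of two.
    """
    links = {}
    for a, b in combinations(records, 2):
        shared = indicators(a) & indicators(b)
        if len(shared) >= min_shared:
            links[(a["domain"], b["domain"])] = sorted(shared)
    return links

if __name__ == "__main__":
    for pair, shared in link_domains(RECORDS).items():
        print(pair, "->", shared)
```
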

Offline PCBruiser

Re: SupportOnClick, FixOnClick, SupportOneCare, et al.
« Reply #1 on: July 19, 2010, 08:18:43 AM »

Offline PCBruiser

Re: SupportOnClick, FixOnClick, SupportOneCare, et al.
« Reply #2 on: July 20, 2010, 06:34:12 AM »
I am pleased to report this:

Quote

Nineteen websites which were used to perpetrate a phone scam offering "computer support" that defrauded people across the English-speaking world have been closed down by police.

In the scam, reported by the Guardian today, teams at Indian call centres rang computer users claiming to be from tech support. The computer users were then told there were problems with their PC, which could be fixed.

...

Sources close to the Met e-crime unit said there was "clear evidence of criminality" from the sites taken down.


More information here:  http://www.guardian.co.uk/technology/2010/jul/19/police-crackdown-phone-scam-computer

This was released yesterday, although the sites were taken down in April - so,  the "criminal" scam continues under new names.  I hope our topic contributes to future takedowns.
« Last Edit: July 20, 2010, 06:45:32 AM by PCBruiser »

