In the previous post, a run-of-the-mill tech support scam pop-up from the website apple-techsupport[.]online started us on our trip down a rabbit hole. Now I realize that our trip thus far hasn’t been all that unusual. These types of domain relationships are encountered routinely by malware hunters. However, this is where it gets more unconventional…
Here’s our Google search from the last post:
Those links outlined in red look awfully strange. I think that we’ve already determined that the pop-ups suggesting that people call the phone number 1-866-629-0607 are misleading scams but here we have links to websites advertising that they’ll “get rid” of this specific pop-up.
Reading through the Google summary of the links doesn’t reveal a whole lot but we do read things like: scam, bogus, fake, etc – that’s promising, right?
Like Alice, let’s drink from the bottle and click one of the links.
Well, we see a post from Jul 29 that elaborates a bit. Sure, the post is written in somewhat poorly constructed English and the author is listed as John Snow (sic) but those aren’t certain indicators of fraud, right?
But let’s stumble a bit further down the rabbit hole. Here are the first four posts on their website. 3 of the 4 are almost identical to the example that brought us here – “remove” 1-XXX-XXX-XXXX alerts/scam/message/pop-up.
Notice also that all of these posts are from July 30th. Incidentally, there are more posts on the page – 10 to be exact – all from July 30th. Also, there are also 3 pages of posts from July 30th. That’s 30 similar posts per day. Oh, and did I mention that every post was written by John Snow (busy guy – I guess he wants to get the word out before winter comes?).
Let’s look at another one of these websites. The site removalidea[.]com showed up on the second page of the Google search. By it’s description, it looked remarkably like virusfixhelp[.]com. Going to the site, we see:
Yep, the same idea. For July 30th, this site had 28 similar posts and all were written by “mary”.
Let’s look at one more – immuneyourpc.com.
Well, this one looks a little bit different (even if this particular post is just like the previous ones). This site has fewer posts per day and they’re written by two people – either “milee” or Emily Jhonson (sic). Incidentally, this domain is registered to Jhon (sic) Smith).
Another thing that separates this last example from the first two is the domain registration. The first two examples are both registered to Doris Park (there’s one more – fixpcmalware[.]com). The last example, as I said, is registered to Jhon Smith.
Perhaps the biggest relationship is something that I haven’t yet mentioned. Every post – hundreds from all of the sites combined – has the same recommendation to correct the stated problem. The answer to fix everything? Download either:
SpyHunter or Mackeeper.
Ah, mystery solved – these sites are all pushing the same malware – or so I thought. I went ahead and downloaded SpyHunter in my Windows 7 VM expecting AVG Antivirus to start complaining. It was silent…
Thinking that this was an obvious mistake, I uploaded the .exe to VirustTotal . Here’s the result:
I decided to investigate the Spyhunter software that was being offered. Surprisingly, I found a number of reviews (including one by Neil Rubenking at PC Magazine), comparisons and recommendations.
Now I really felt like I was in Wonderland.
I decided to scan my PC with it. It took about the time I would expect. It didn’t find a bunch of fake “malware” on my PC – it found a couple of tracking cookies and something in one of my folders of malware tools. This was reasonable. Next, I clicked the “Fix Threats” button and I was taken to a website where I was prompted to register for the full version for $39.99. The only way to remove the threats is to have to full version. Aha, now I get it.
So, let’s climb out of the rabbit hole and try to figure out what we have really learned from our little excursion.
It looks like the websites that we examined are using (what I would label as) questionable tactics to drive people to purchase Spyhunter or Mackeeper – seemingly legit programs (albeit, sub-par by most standards).
If you think about it, this is not dissimilar from the tactics used by tech supports scammers that phone you with scary tales about receiving reports from your computer, etc. Their real goal (in many cases) is to get you to buy their software / protection plan.
The main difference is that the phone scammers use pop-ups to scare you into calling them so that they can sell to you and the websites we examined use your annoyance at the tactics of the first group to convince you to buy. It could very well be that the same group(s) are behind both methods. I suppose that would be like a second chance to hook someone.
Well, at least I got a nice long list of about 170 tech support scammer phone numbers out of the exercise. That’s got to be worth something.