When investigating a website used as part of an IT support scam, I came across a web page that attempted to fool the visitor into thinking that the person's system was infected. The goal was to persuade the potential victim to call a Microsoft Certified Live Technician at the designated phone number for assistance on how to remove malicious pop-ups.
The scareware page resided at 247tech.help (don't go there).
The source code of this scammy page, which you can see on Pastebin, included the following HTML comment:
Mirrored from clients.worldnetconsultants.com/Lander3/ by HTTrack Website Copier/3.x [XRCO2014], Thu, 08 Jan 2015 03:52:17 GMT
Such comments are automatically added using the non-malicious website-mirroring tool HTTrack Website Copier. This comment offered a pointer to the origin of the page's code.
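The following sketch shows how an analyst could pull this kind of mirror comment out of saved page source and compare the recorded origin with the host that served the page. It is an added example, not code from the original article or from HTTrack; the function name, the `served_from` parameter, and the regular expression (modeled only on the single comment quoted above) are assumptions.

```python
import re
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser

# Shape of the comment quoted above: origin, tool version, optional build tag, date.
MIRROR_RE = re.compile(
    r"Mirrored from\s+(?P<origin>\S+)\s+by HTTrack Website Copier/(?P<version>\S+?)"
    r"(?:\s+\[[^\]]*\])?,\s*(?P<when>.+?)\s*$"
)

class CommentCollector(HTMLParser):
    """Collects HTML comments, which browsers hide but the page source keeps."""
    def __init__(self):
        super().__init__()
        self.comments = []
    def handle_comment(self, data):
        self.comments.append(data.strip())

def find_httrack_origins(html, served_from):
    """Return one finding per HTTrack mirror comment in `html`.
    `served_from` (assumed name) is the host the page was fetched from."""
    collector = CommentCollector()
    collector.feed(html)
    findings = []
    for comment in collector.comments:
        m = MIRROR_RE.search(comment)
        if not m:
            continue
        origin = re.sub(r"^https?://", "", m.group("origin"))  # tolerate a scheme prefix
        host, _, path = origin.partition("/")
        try:
            mirrored_at = parsedate_to_datetime(m.group("when"))
        except (TypeError, ValueError):
            mirrored_at = None  # keep the finding even if the date is malformed
        findings.append({
            "origin_host": host.lower(),
            "origin_path": "/" + path,
            "httrack_version": m.group("version"),
            "mirrored_at": mirrored_at,
            "differs_from_serving_host": host.lower() != served_from.lower(),
        })
    return findings

# Constructed sample: a minimal page wrapping the comment quoted in this article.
SAMPLE = """<html><head>
<!-- Mirrored from clients.worldnetconsultants.com/Lander3/ by HTTrack Website Copier/3.x [XRCO2014], Thu, 08 Jan 2015 03:52:17 GMT -->
<title>constructed sample</title></head><body><p>no comment here</p></body></html>"""

print(find_httrack_origins(SAMPLE, "247tech.help"))
```

A mismatch between the origin host and the serving host only says the page was copied from elsewhere; the comment is trivially editable, so treat it as a lead to verify rather than as proof of authorship.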
The Lander3 page was available on the clients.worldnetconsultants.com server as of this writing. It showed a web page that was almost identical to the one captured above, except it lacked a pop-up and specified a different tech support phone number: (855) 662-9616. Also, it contained pointers to YourTechSupport.org and YourTechSupport.com (don't go there), who may have been the client that paid to develop this code. You can see Lander3 source code on Pastebin.
The clients.worldnetconsultants.com server contained a publicly-accessible listing of other projects, which included other variations on landing pages for YourTechSupport.org, inviting people to "get a free secure diagnostic session" (lander1 screenshot), "detect, diagnose and troubleshoot all spyware problems" (lander2 screenshot), "perform a security check"
The server also contained code for other websites, which seemed to be associated with legitimate, less shady companies.
By performing some Google searches, I came across pop3.yourtechsupport.org (don't go there), which was live at the time of this writing. Its look-and-feel matched the lander1 screenshot.
Google also pointed me to yourtechsupport.org/L3 (don't go there):
YOUR COMPUTER MAY NOT BE PROTECTED FROM ADWARE / SPYWARE
Call 844-325-8014 immediately for assistance on how to remove potential spyware. The call is toll-free.
I captured a screenshot of that page for those who wish to see it in its full glory.
The site www.worldnetconsultants.com describes Worldnet Consultants Inc. The company describes itself as a leading web design company in USA for offshore web design, offshore web development, etc. The site lists office addresses in Forest Hills, NY and Gurgaon, India. This company appears to have developed the code used by yourtechsupport.org and 247tech.help. I saw no indications that the software development firm is malicious; however, they don't seem to be particularly selective about their clientele.
If this topic interests you, you might also like my article The Manipulative Nature and Mechanics of Visitor Survey Scams.
— Lenny Zeltser
Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and Google+. He also writes a security blog.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.