Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 15 June 2010

ALERT: - yet another telephone based fraud (aka SupportOnClick revisited - again)

We've got yet another domain involved in telephony based fraud folks. This time it's, which is housed at (PTR:, AS8560 ONEANDONE-AS 1&1 Internet AG) and registered to an entity in India (sound familiar? it should do, SupportOnClick, TechMyHelp, Comantra et al, are all based there and all involved in the same activity) called "MET", who according to DomainTools, also own a few thousand other domains (still digging to identify them).

The story sadly, is the same as the domains previously reported on. The caller phones the victim claiming to be from company x, y or z (in this case, the victim reports the tech claimed to be from "Microsoft"), and has been told by their computer that the victims machine is infected, then instructs them to view the Event Viewer to see the "evidence" of infection (as you'll already know, there's no such evidence, the Event Viewer simply reports information, warnings and errors regarding programs and Windows services).

Once conned, the victim is then asked to download remote desktop software (usually TeamViewer), to allow the tech to connect to the victims computer, and this finally ends in the victim being scammed out of hundreds of pounds. was created on June 3rd 2010, and the WhoIs details show;

created: 03-Jun-2010
last-changed: 03-Jun-2010
registration-expiration: 03-Jun-2011



registrant-firstname: Kunal
registrant-lastname: Gupta
registrant-organization: MET
registrant-street1: Surya Apt.
registrant-street2: #10,Bangur Avenue,B-Block
registrant-pcode: 700055
registrant-state: WB
registrant-city: Kolkata
registrant-ccode: IN
registrant-phone: +91.3332609070

The UK phone number on the website, 020 3026 3983, was purchased through a company called "Simwood eSMS Limited" (, who are a virtual telephony service provider. Whether they're aware of their customers scamming people is unknown.

E-mail addresses known to be used by "MET" are and One of the other domains they own is, which is living on a GoDaddy IP ( that's also housing such maliciousness as (fraud) and (fraud), both of which are running the all too familiar SMS fraud with the help of, who want to take at least £15 out of your wallet (how nice).

Update 16062010 17:37

I am happy to report, Joerg over at 1 & 1, has disabled this domain.

References,, SupportOnClick revisited

SupportOnClick: Phoned by Malwarebytes? BigPond? Anyone else?

SupportOnClick Update scamming you by telephone!

Fake tech support call scam - prefetch virus

New scam - They call you by phone!

Staffordshire Council - Telephone computer support warning (PDF)

Cold call scam warns of virus infection

Scareware scammers adopt cold call tactics

No comments: