Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 15 June 2010

ALERT: metsupport.com - yet another telephone based fraud (aka SupportOnClick revisited - again)

We've got yet another domain involved in telephony-based fraud, folks. This time it's metsupport.com, which is housed at 74.208.232.54 (PTR: perfora.net, AS8560 74.208.0.0/16 ONEANDONE-AS 1&1 Internet AG) and registered to an entity in India called "MET" (sound familiar? It should: SupportOnClick, TechMyHelp, Comantra et al. are all based there and all involved in the same activity), who, according to DomainTools, also own a few thousand other domains (still digging to identify them).

The story, sadly, is the same as for the domains previously reported on. The caller phones the victim claiming to be from company x, y or z (in this case, the victim reports the tech claimed to be from "Microsoft") and claims to have been told by their computer that the victim's machine is infected, then instructs them to view the Event Viewer to see the "evidence" of infection (as you'll already know, there's no such evidence; the Event Viewer simply reports information, warnings and errors regarding programs and Windows services).

Once conned, the victim is then asked to download remote desktop software (usually TeamViewer) to allow the tech to connect to the victim's computer, and this finally ends in the victim being scammed out of hundreds of pounds.

metsupport.com was created on June 3rd 2010, and the WHOIS details show:

domain: metsupport.com
created: 03-Jun-2010
last-changed: 03-Jun-2010
registration-expiration: 03-Jun-2011

nserver: ns51.1and1.com 74.208.2.8
nserver: ns52.1and1.com 74.208.3.7

status: CLIENT-TRANSFER-PROHIBITED

registrant-firstname: Kunal
registrant-lastname: Gupta
registrant-organization: MET
registrant-street1: Surya Apt.
registrant-street2: #10,Bangur Avenue,B-Block
registrant-pcode: 700055
registrant-state: WB
registrant-city: Kolkata
registrant-ccode: IN
registrant-phone: +91.3332609070
registrant-email: ceo_met@ymail.com


The UK phone number on the website, 020 3026 3983, was purchased through a company called "Simwood eSMS Limited" (simwood.com), who are a virtual telephony service provider. Whether they're aware of their customers scamming people is unknown.

E-mail addresses known to be used by "MET" are ceo_met@ymail.com and methinkers@gmail.com. One of the other domains they own is metrusty.com, which is living on a GoDaddy IP (97.74.215.127) that's also housing such maliciousness as 24x7livefootball.info (fraud) and 24x7livecricket.info (fraud), both of which are running the all too familiar SMS fraud with the help of rdmedia.com/glomobi.com, who want to take at least £15 out of your wallet (how nice).

Update 16062010 17:37

I am happy to report that Joerg over at 1&1 has disabled this domain.

References

techonsupport.com, click4rescue.com, pcrescueworld.com: SupportOnClick revisited
http://hphosts.blogspot.com/2009/12/techonsupportcom-click4rescuecom.html

SupportOnClick: Phoned by Malwarebytes? BigPond? Anyone else?
http://hphosts.blogspot.com/2009/07/supportonclick-phoned-by-malwarebytes.html

SupportOnClick Update
http://hphosts.blogspot.com/2009/04/supportonclick-update.html

supportonclick.com scamming you by telephone!
http://hphosts.blogspot.com/2009/03/supportonclickcom-scamming-you-by.html

Fake tech support call scam - prefetch virus logmein123.com
http://www.digitaltoast.co.uk/fake-tech-support-call-scam-prefetch-virus-logmein123com

New scam - They call you by phone!
http://www.malwarebytes.org/forums/index.php?showtopic=11156

Staffordshire Council - Telephone computer support warning (PDF)
http://www.staffordshire.gov.uk/NR/rdonlyres/6997DBB0-E31E-4AFB-A886-C9DDEE114204/90090/TelephoneComputerSupportWarning.pdf

Cold call scam warns of virus infection
http://www.h-online.com/security/Cold-call-scam-warns-of-virus-infection--/news/112893

Scareware scammers adopt cold call tactics
http://www.theregister.co.uk/2009/04/10/supportonclick_scareware_scam
