As most people realize the first reason there are so many tech support scams is they are a cash cow for those perpetrating them. The second reason is those who are working to profit off of tech support scams are not just running a single scam website, they are running scams across multiple websites, all the time.

As recently reported by MalwareHunterTeam (@malwrhunterteam) an individual with 135 known domain registrations was using many of them to “host tech support scams”. Additionally MalwareHunterTeam reports that 120 of these domains are registered with GoDadday.com. We tested a handful of the 135 websites and all sites we tested are blocked or taken down.  To see the full list of domains click here.

Prior to the sites being taken down, MalwareHunterTeam took a screenshot from one of the tech support scams, see below.  Looks legit, right?  The more legitimate the popup looks the more likely they are to get someone to click.  These guys are constantly working to make sure their sites look reputable and trustworthy.

It is interesting to do a web search on the Call Microsoft number “800-964-8718”.  A lot of results appear noting this is a scam, but the first website result that appeared for me is “Mac Care” based out of South Field Michigan, themaccare.com.  Searching under the list of 135 domains this domain does not appear, but the WhoIs information matches the 135, so this would be domain number 136 registered to the same individual.

Unless an individual or company pays for domain privacy the registration information for a domain is public record.  Below is the domain registration details for one of the 136 domain registrations:

What we learn from the registration is the name, address, phone number and email of the person who registered the domain.  Is this accurate?  Is this a real person?  Can’t really tell just from the information provided.  Sure we could do more digging into the existence of a Gaurav Kriplani in India, but that would only be out of curiosity, nothing can really be gained.

We often have people ask why are these people allowed to continue to perpetrate these scams?  Why aren’t they arrested and punished?  These questions bring to light both the greatness and the complexities brought to us by the Internet.  The Internet functions on a global scale, unless you are in one of the countries that vastly limits access (such as China).  At any given moment, on the Internet, you may be accessing a website in any number of exotic locations.  Also consider that India doesn’t have the same laws as the United States.  For instance Section 43 of their Information Technology Act, 2000 states “whoever destroys, deletes, alters and disrupts or causes disruption of any computer with the intention of damaging the whole data of the computer without the permission of the owner of the computer, shall be liable to pay a fine upto 1 crore to the person so affected by way of remedy.”  Does perpetrating a scam on a person constitute causing disruption?  1 crore is equal to 10 million ruppees or $160,000 USD so this might seem a suiting punishment, but per our reading cyber crime in India is more civil than criminal.  The victim is a US citizen, how would he or she go about seeking this remedy?  And if there is not much of a criminal punishment to the crime, how is there any real justice. This should give you a small view into the complexities of crime on the Internet.

The best defense really comes down to the service provider’s Acceptable Use Policies (AUP).  All providers have some version on an AUP; it’s job is two fold, one is a protection for themselves and the 2nd is consumer protection.  Let’s say these domains are registered with our Internet side, as an example, the end user who purchases of them signs our (AUP), which among other things says they will not use our services to commit fraud or any kind of crime.  If it is reported to us, and substantiated, that they are using our service to that end, they will be immediately turned off for violation of the AUP.  This is also the reason that those committing tech support scams are so frequently purchasing new domains, the old ones are getting marked as fraudulent, making them worthless.  It’s also why some of those new domain names are getting so long, the shorter names are all used up.

So there it is, a billion dollar industry broken down, crime and often no punishment. When you look at it this way, it’s unbelievable that it comes together to make these people so much money, but in that moment, when you see the popup that you have an infection and the scammer has used the logo of a reputable / trusted company like Microsoft, you may have a much different perspective.