
Tech Support Scam


#505699

Postby Fluke » June 8th, 2022, 8:37 am

A friend called yesterday to say that she thinks she has been scammed. She's been paying some tech support company for a number of years to sort out Windows security problems on her Lenovo laptop. She has regularly given them remote access and they appear to have installed Webroot - some sort of security software for which she paid them £150 just recently, she paid a similar amount for something else last year and more before that. She bought the laptop she thinks about 4 years ago along (she thinks) with some sort of support package which is possibly where it started. She has always paid them using her credit card.

The company has changed its name a few times, it is currently going by Zone Firewall or Firewall LLC Ltd but started off as AOI Tech Solutions:

https://scammer.info/t/tech-support-sca ... ions/67230

She does not appear to have had anything stolen or been locked out of anything. No problems with her bank account. As far as I can tell she does not keep much by way of important documents on the laptop.

She's now put a stop on her credit card and changed her Windows & email passwords. I tried to talk her through running a virus scan using Windows Defender but this appears to be switched off or possibly overridden by Webroot. This was all over the phone and I'm not a Windows user.

Short of resetting her laptop back to factory settings, what else should she do? She thinks it was recently updated to Windows 11 but I've yet to confirm this.


Re: Tech Support Scam

#505707

Postby Fluke » June 8th, 2022, 8:52 am

One other thing, they emailed her an invoice for the work they did recently which came from this address:

service@sender.zohoinvoice.com


Re: Tech Support Scam

#505708

Postby dionaeamuscipula » June 8th, 2022, 8:55 am

Fluke wrote:One other thing, they emailed her an invoice for the work they did recently which came from this address:

service@sender.zohoinvoice.com


Zoho are an Indian software-as-a-service company

"What is Zoho used for?

Zoho Invoice was created to simplify online invoicing and billing for freelancers and small business owners."

So they are almost certainly blameless.

DM


Re: Tech Support Scam

#505709

Postby Infrasonic » June 8th, 2022, 8:57 am

If they aren't technical then the best bet would be to take the laptop to a local qualified service tech and get them to do some basic forensics to see what type of remote access software is installed and then get it removed and cleaned up.

Hopefully the scammers haven't got into the firmware/BIOS level as that would be a lot more difficult to fix and a factory reset or in place repair/upgrade wouldn't necessarily solve it.

If you go onto YouTube there are loads of channels dedicated to reverse scamming these Indian call centre setups - some show you the exact methodology of how they infect PCs using remote software exploits, how to remove et al. But for non techies - get someone who knows what they are doing to sort it out.

Zoho is an office style cloud service that is being used by scammers as it has all the authentication protocols/certification needed to successfully send out emails etc.
Scammers also often use Google (Workspace/Docs) and MS 365/Azure hosting for the same legitimisation reasons.


Re: Tech Support Scam

#505724

Postby AF62 » June 8th, 2022, 10:03 am

Fluke wrote:but started off as AOI Tech Solutions


"Tech Support Scam" - Yep - https://uk.trustpilot.com/review/aoitechsolutions.com

Aside from the other suggestions about getting the laptop cleaned up, as the source of the problem would have been an unsolicited phone call, then I would suggest they replace their landline phone with one that intercepts such calls - https://shop.bt.com/guides/ideas-inspir ... ance-calls


Re: Tech Support Scam

#505726

Postby Fluke » June 8th, 2022, 10:06 am

Infrasonic wrote:If they aren't technical then the best bet would be to take the laptop to a local qualified service tech and get them to do some basic forensics to see what type of remote access software is installed and then get it removed and cleaned up.

Hopefully the scammers haven't got into the firmware/BIOS level as that would be a lot more difficult to fix and a factory reset or in place repair/upgrade wouldn't necessarily solve it.

If you go onto YouTube there are loads of channels dedicated to reverse scamming these Indian call centre setups - some show you the exact methodology of how they infect PCs using remote software exploits, how to remove et al. But for non techies - get someone who knows what they are doing to sort it out.

Zoho is an office style cloud service that is being used by scammers as it has all the authentication protocols/certification needed to successfully send out emails etc.
Scammers also often use Google (Workspace/Docs) and MS 365/Azure hosting for the same legitimisation reasons.


Thanks, I've suggested she takes it to the customer support desk at PC World/Currys where she bought it, hopefully they'll be able to do some of those checks.

Just had a look at a couple of those scammer exposé videos, that could become a new YT habit.


Re: Tech Support Scam

#505735

Postby mc2fool » June 8th, 2022, 10:43 am

AF62 wrote:Aside from the other suggestions about getting the laptop cleaned up, as the source of the problem would have been an unsolicited phone call...

"Tech Support Scam" - Yep - https://uk.trustpilot.com/review/aoitechsolutions.com

No, the OP says "She bought the laptop she thinks about 4 years ago along (she thinks) with some sort of support package which is possibly where it started.", and indeed one of the TrustPilot reviews says "I was directed to this site by Currys 3 years and trusted it was a secure site."

Fluke wrote:I've suggested she takes it to the customer support desk at PC World/Currys where she bought it, hopefully they'll be able to do some of those checks.

It may be lost in the mists of memory, but it'd be worth her while looking through info from the time to see if it was Currys that got her into them in the first place!


Re: Tech Support Scam

#505741

Postby Infrasonic » June 8th, 2022, 10:52 am

Fluke wrote:
Thanks, I've suggested she takes it to the customer support desk at PC World/Currys where she bought it, hopefully they'll be able to do some of those checks.

Just had a look at a couple of those scammer exposé videos, that could become a new YT habit.


PC World will normally give you a fixed quote for basic procedures - not so sure how it ramps up if they need to do a deep dive.

Have a look at the Kitboga channel on YT - the guy's acting chops are seriously good and it's really funny when he spends days wasting the scammers' time to the point where they explode in rage.

Jim Browning does a good channel too - closes down entire call centres.

The scammers have started learning from them though, e.g. using backed up VMs instead of bare metal installs so they can recover more quickly from anti-scammer wipe out/lockout attacks...


Re: Tech Support Scam

#505744

Postby pje16 » June 8th, 2022, 10:56 am

sounds like a con to me
I have a Lenovo laptop (nice bit of kit) no security issues -
Windows Defender and McAfee
why would there be any problems


Re: Tech Support Scam

#505767

Postby Fluke » June 8th, 2022, 11:54 am

mc2fool wrote:
AF62 wrote:Aside from the other suggestions about getting the laptop cleaned up, as the source of the problem would have been an unsolicited phone call...

"Tech Support Scam" - Yep - https://uk.trustpilot.com/review/aoitechsolutions.com

No, the OP says "She bought the laptop she thinks about 4 years ago along (she thinks) with some sort of support package which is possibly where it started.", and indeed one of the TrustPilot reviews says "I was directed to this site by Currys 3 years and trusted it was a secure site."

Fluke wrote:I've suggested she takes it to the customer support desk at PC World/Currys where she bought it, hopefully they'll be able to do some of those checks.

It may be lost in the mists of memory, but it'd be worth her while looking through info from the time to see if it was Currys that got her into them in the first place!


That's an interesting thought. She definitely said something about thinking she'd bought support as opposed to being called out of the blue by the firm. I'll follow up, thanks.


Re: Tech Support Scam

#505778

Postby UncleEbenezer » June 8th, 2022, 12:38 pm

dionaeamuscipula wrote:
Fluke wrote:One other thing, they emailed her an invoice for the work they did recently which came from this address:

service@sender.zohoinvoice.com


Zoho are an Indian software-as-a-service company

"What is Zoho used for?

Zoho Invoice was created to simplify online invoicing and billing for freelancers and small business owners."

So they are almost certainly blameless.

DM


Zoho use zoho.com and zohocorp.com. That doesn't mean other related-looking names necessarily have anything to do with them. Do you know for sure whether zohoinvoice.com is theirs or someone passing themselves off?

Also, an email From address is trivially forged.


Re: Tech Support Scam

#505779

Postby Fluke » June 8th, 2022, 12:38 pm

It gets worse. She thinks she's paid in the region of £1000 in support charges over and above the cost of the laptop. They've been using her as an ATM I think. She's a perfectly sensible, intelligent person, what she thought she was paying all this money for I've no idea.


Re: Tech Support Scam

#505780

Postby pje16 » June 8th, 2022, 12:43 pm

How can she be described using those adjectives then (no offence) :lol:


Re: Tech Support Scam

#505794

Postby Urbandreamer » June 8th, 2022, 1:24 pm

People get taken all the time. Sometimes by scammers, sometimes by reputable companies like banks.

Anyone remember the payment protection insurance thing?
Or the structured product thing?

The difficulty is that such people are not in fact dumb or stupid. They tend to be normal people who prefer not to think about such things.

In this case she apparently bought the laptop from a well known white goods outlet. Anyone looked at the relative costs of the warranty that they sell on their washing machines?

Then again, anyone else had a cold call about the warranty on their washing machine THAT THEY DIDN'T BUY expiring?

Sadly we all need to be more aware of what we do.

As this is the board that it is, can I point out that there are serious questions about the statement
"Windows Defender and McAfee
why would there be any problems"


In the first place if multiple virus checkers run together, one tends to take over from the other. Were they to both run they could easily have very significant effects upon performance.
Ignoring that for a moment, there is a Microsoft Word "zero day" exploit (Follina) that is not being caught at the moment.

I suggest watching YouTube videos on it. Some are quite fun with people playing with the exploit on their own virtual machines.
Here is a link to a suggestion about how to disable this "feature" and restore it once Microsoft have issued a patch.
https://wethegeek.com/fix-microsoft-fol ... erability/
The exploit actually uses debugging tools that Microsoft built into Windows, which is why some might want to re-enable it in the future.

In the meantime be careful what documents you open.


Re: Tech Support Scam

#505804

Postby stewamax » June 8th, 2022, 1:44 pm

Be a little understanding of those who are scared of being hacked, aren't technical and don't know what the going rate for security systems is.
Licences (as opposed to subscriptions for the supplier that ratchet up in price in year 2) are dirt cheap: nice Mr Amazon will sell you a multi-device one year Kaspersky or Norton licence for £13.

If the product installed is indeed Webroot Spy Sweeper, it has been around for ages and has not kept pace with the current malware exposures.

So unless the 'support package' is genuinely more than that, she is being ripped off in price with a dated product, but the supplier isn't doing anything obviously illegal.

But it would be sensible to have someone remove whatever remote access host (the excellent TeamViewer is a favourite) was installed.

Caveat emptor - even if you don't know quite what you are buying.


Re: Tech Support Scam

#505810

Postby Infrasonic » June 8th, 2022, 1:54 pm

UncleEbenezer wrote:Zoho use zoho.com and zohocorp.com. That doesn't mean other related-looking names necessarily have anything to do with them. Do you know for sure whether zohoinvoice.com is theirs or someone passing themselves off?

Also, an email From address is trivially forged.


True - without seeing the message source headers we don't know for sure if the invoice is really coming from Zoho.
Their real hosted invoicing webpage contact is support at zohoinvoice.com


If spoofed it's going to run into DMARC authentication issues and probably get spam foldered though with any half decent email service.

The reason for using genuine services as a front is to bypass that issue by having a fully certificated 'trusted' environment to operate from. Hence why Google and Microsoft have so many hosting issues with scammers (both in the top ten on the stats pages that track this sort of thing, and Zoho is in there too...).

These Indian call centre scammers all use legit major cloud based PBX companies to operate their accounts from - and have started using local operators to get around some of the geo blocking measures brought in to stop spoofed IP phone numbers. I saw one anti-scammer video (they hacked the operator's webcam) where they had used a Midlands based white female operator with a Brummie accent to scam a local man - he saw it come up on his phone as a local call. :|

The other thing they do is put scammer businesses into shared office space where the other businesses are all legit - paying payroll/taxes etc.

The local police are poorly paid and will turn a blind eye with the right bonus packages in place...

Occasionally they make token arrests when the international press coverage and negative PR gets too much for the local politicians to bear...
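The header check discussed in the two posts above, as an added example that is not part of any poster's reply: it reads a message's `Authentication-Results` header, ignores any copy not written by the recipient's own mail server, and tests whether a passing SPF or DKIM domain lines up with the visible From domain. The server name `mx.mailhost.example`, the three sample messages, and the parent/child shortcut used in place of a full Public Suffix List lookup are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the hostname your own mail provider writes into Authentication-Results.
TRUSTED_AUTHSERV = "mx.mailhost.example"

# Constructed sample message (not the headers of the real invoice e-mail).
GENUINE = """\
Authentication-Results: mx.mailhost.example;
 spf=pass smtp.mailfrom=sender.zohoinvoice.com;
 dkim=pass header.d=zohoinvoice.com;
 dmarc=pass header.from=sender.zohoinvoice.com
From: Billing <service@sender.zohoinvoice.com>
Subject: Invoice

See attached.
"""
# Same visible From address, but SPF/DKIM only pass for an unrelated domain.
SPOOFED = (GENUINE.replace("smtp.mailfrom=sender.zohoinvoice.com", "smtp.mailfrom=mailer.example.net")
           .replace("header.d=zohoinvoice.com", "header.d=example.net")
           .replace("dmarc=pass", "dmarc=fail"))
# A "pass" header the sender added themselves; the receiving server never vouched for it.
INJECTED = GENUINE.replace("mx.mailhost.example", "mx.sender-controlled.example")

def parse_auth_results(value):
    """Return (authserv_id, [(method, result, domain), ...]) from one header value."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop parenthesised comments
    head, *parts = [p.strip() for p in value.split(";")]
    found = []
    for part in parts:
        pairs = re.findall(r"([\w.-]+)=(\S+)", part)
        if not pairs:
            continue
        (method, result), props = pairs[0], dict(pairs[1:])
        domain = props.get("smtp.mailfrom") or props.get("header.d") or ""
        found.append((method.lower(), result.lower(), domain.rpartition("@")[2].lower()))
    return (head.split() or [""])[0].lower(), found

def aligned(a, b):
    # Simplified relaxed alignment: identical, or one is a subdomain of the other.
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_message(raw, trusted=TRUSTED_AUTHSERV):
    """Return 'pass', 'fail', or 'unverified' for the visible From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for value in msg.get_all("Authentication-Results", []):
        authserv, found = parse_auth_results(value)
        if authserv != trusted:
            continue  # anyone can add this header; trust only our own server's copy
        dmarc = [r for m, r, _ in found if m == "dmarc"]
        aligned_pass = any(m in ("spf", "dkim") and r == "pass" and aligned(d, from_domain)
                           for m, r, d in found)
        return "pass" if aligned_pass and "fail" not in dmarc else "fail"
    return "unverified"
```

A "pass" here only shows the message came through the named service's infrastructure; it says nothing about whether the account holder who sent it is honest.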


Re: Tech Support Scam

#505816

Postby AF62 » June 8th, 2022, 2:08 pm

mc2fool wrote:
AF62 wrote:Aside from the other suggestions about getting the laptop cleaned up, as the source of the problem would have been an unsolicited phone call...

"Tech Support Scam" - Yep - https://uk.trustpilot.com/review/aoitechsolutions.com

No, the OP says "She bought the laptop she thinks about 4 years ago along (she thinks) with some sort of support package which is possibly where it started.", and indeed one of the TrustPilot reviews says "I was directed to this site by Currys 3 years and trusted it was a secure site."


I doubt even Currys would direct someone to that bunch of scammers.

Their ‘customers’, or more accurately, victims will be sourced by having websites that are similar to genuine ones - hence possibly the Currys reference - which people mistakenly arrive at via Google.

But lots/most of their trade comes from phone calls. Phone 1000 people at random and tell them you have been passed their details from Currys as you just bought a laptop from them and this is the courtesy support call - you don’t need to strike lucky with a vulnerable and persuadable person many times to make it worthwhile.


Re: Tech Support Scam

#505824

Postby Infrasonic » June 8th, 2022, 2:45 pm

There was a major Currys database leak... https://www.itpro.co.uk/policy-legislat ... 0customers.

The parent company of Currys PC World has been fined £500,000 after its point of sale system was breached by hackers, thought to have affected around 14 million customers.

Between July 2017 and April 2018, hackers were able to install malware onto 5,390 computer systems and tills located at Currys PC World and Dixon Travel outlets, both owned by DSG Retail Limited, according to an investigation by the Information Commissioner's Office.

It's believed 5.6 million payment card records used in transactions were accessed as a result, as well as the personal information of 14 million people, including full names, postcodes, email addresses and information related to failed credit checks... Cont.


What it doesn't say (crucially) is how much of that data was unencrypted plain text, or if encrypted how strong was it?
There's loads of encrypted data for sale floating around on the dark web where they promise to send you a decryption key (that sometimes works...) - you're not exactly going to go to court to get a refund.


Re: Tech Support Scam

#505862

Postby Fluke » June 8th, 2022, 5:40 pm

Ok, another couple of snippets that I've uncovered: the laptop was purchased in July 2019, so only 3 years ago, and therefore would not be connected to the 2018 data breach. She now believes that they contacted her (not the other way round) and it was by phone - so she was cold called, no support arrangement through Currys.

So far she has found invoices amounting to about £680, the earliest is dated one month after purchase. Doesn't that strike you as a bit suspicious?


Re: Tech Support Scam

#505873

Postby ReformedCharacter » June 8th, 2022, 6:24 pm

Fluke wrote:Ok, another couple of snippets that I've uncovered: the laptop was purchased in July 2019, so only 3 years ago, and therefore would not be connected to the 2018 data breach. She now believes that they contacted her (not the other way round) and it was by phone - so she was cold called, no support arrangement through Currys.

So far she has found invoices amounting to about £680, the earliest is dated one month after purchase. Doesn't that strike you as a bit suspicious?

Perhaps Currys or an unauthorised employee passed on the details of those who made recent purchases?

RC

