Following an article I wrote recently for SC Magazine, Martijn Grooten of Virus Bulletin, who shares my interest in and dislike of support desk scams, contacted me about the web site associated with eFIX, a company claiming to offer online technical support. He and I, along with Steven Burn, who has a great deal of experience of working in this area, have been able to dig out some interesting info on a slightly different aspect of flaky support desk operations.
eFIX’s web page lists an office in Glasgow under the name eFIX Ltd, at 8901 Marmora Road, Glasgow, D04 89GR. However, a search at Companies House, while it did turn up several entries with somewhat similar names, didn’t find one in Glasgow, and the address doesn’t ring true. The postcode is a fake, and we can’t find a Marmora Road in Glasgow (let alone one long enough to hold nearly 9000 street addresses). In fact, the same address turns up in a great many other contexts (design consultancies, music, accountancy, even a buffet service), suggesting the use of some kind of template/boilerplate. It also suggests that it’s not only PC support companies that are suspiciously shy about their real whereabouts. Or else 8901 must be an awfully big building. Of course, it could be an accommodation address for multiple businesses, but that doesn’t explain why the street address itself is so elusive.
eFIX also claims to be headquartered in London and has a UK 0800 contact number, but its web site turns out to be registered by Impeccable Solutions, in Gurgaon, Haryana, India. In fact, the registration information is practically identical to that of the US-oriented Fusoft. However, Fusoft does actually state that it is based in Gurgaon, though it lists a US 0800 number for contact. A little googling suggests that the same registrant is associated with other support sites: investigation continues, but the registration of multiple, similar sites suggests a site that expects to be taken down in the near future. eFIX claims to be “several years” old, but the site seems to have been created at the end of September 2011.
The two web sites have a number of similarities. For example, the testimonials page for eFIX uses one photograph of “customer” Georgina that is also used on Fusoft’s “About us” page. A little strange, unless one company exists by providing support services to the other...
Even more bizarrely, the photograph of eFIX “customer” John Matthew is the same one that is used on eFIX’s own “About” page. A little less bizarrely, the smiley call-centre lady at the bottom of that page is also featured on Fusoft’s index page. Well, using stock photos isn’t necessarily fraudulent, but it doesn’t inspire confidence either. Both sites have near-identical lists of “prides”: this clearly suggests boilerplate text rather than reliable statistics.
eFIX PRIDES
Company Type: Technical Service Provider
Service Areas: PC Optimization
Comapny Strenght :Its Core Values
Availibility :24*7*365
Approval rate :93%
Average waiting rate :60 secs
Resolution Rate :87%
Geographies :UK,U.S.A.Malasya,,China,Australia
COMPANY NAME: FUSOFT
COMPANY TYPE: TECHNICAL SERVICE PROVIDER
SERVICE AREAS: PC OPTIMIZATION
COMPANY STRENGHT ITS CORE VALUES
SERVICE AVAILABILITY 24*7*365
CUSTOMER APPROVAL RATE 93%
AVERAGE WAITING RATE 60 SECS
RESOLUTION RATE 87%
GEOGRAPHY U.S,UK,MALAYSIA,INDIA,POLAND,CHINA,BRAZIL,AUSTRALIA
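The boilerplate check described above can be made mechanical. The following Python is an added example, not code from the original article: it parses the two listings exactly as quoted, using field names and label patterns that are assumptions chosen here, and reports which fields are identical once case, spacing and punctuation are normalised.

```python
import re

# Both blocks are copied verbatim from the listings quoted above, typos included.
EFIX = """eFIX PRIDES
Company Type: Technical Service Provider
Service Areas: PC Optimization
Comapny Strenght :Its Core Values
Availibility :24*7*365
Approval rate :93%
Average waiting rate :60 secs
Resolution Rate :87%
Geographies :UK,U.S.A.Malasya,,China,Australia"""
FUSOFT = """COMPANY NAME: FUSOFT
COMPANY TYPE: TECHNICAL SERVICE PROVIDER
SERVICE AREAS: PC OPTIMIZATION
COMPANY STRENGHT ITS CORE VALUES
SERVICE AVAILABILITY 24*7*365
CUSTOMER APPROVAL RATE 93%
AVERAGE WAITING RATE 60 SECS
RESOLUTION RATE 87%
GEOGRAPHY U.S,UK,MALAYSIA,INDIA,POLAND,CHINA,BRAZIL,AUSTRALIA"""

# Hypothetical field names; patterns are loose enough to absorb label typos.
LABELS = {
    "type": r"company\s+type",
    "areas": r"service\s+areas",
    "strength": r"c\w+\s+stren\w+",
    "availability": r"(?:service\s+)?avail\w+",
    "approval": r"(?:customer\s+)?approval\s+rate",
    "waiting": r"average\s+waiting\s+rate",
    "resolution": r"resolution\s+rate",
    "geography": r"geograph\w+",
}

def parse(block):
    """Return {field: normalised value}; unrecognised lines are skipped."""
    out = {}
    for line in map(str.strip, block.splitlines()):
        for field, pat in LABELS.items():
            if (m := re.match(pat + r"[\s:]*", line, re.I)):
                out[field] = re.sub(r"\s+", " ", line[m.end():]).strip().lower()
                break
    return out

def compare(a, b):
    """Split the fields both listings carry into (identical, differing)."""
    pa, pb = parse(a), parse(b)
    shared = sorted(pa.keys() & pb.keys())
    return ([f for f in shared if pa[f] == pb[f]],
            [f for f in shared if pa[f] != pb[f]])
```

Calling `compare(EFIX, FUSOFT)` returns seven identical fields and one differing field, the geography list.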
When we started to write this, I didn’t know whether eFIX was actively engaged in cold-calling. While I see lots of cold-call scam reports, relatively few of those reports include the name of the company – and, of course, the reports usually come from people who don’t fall for the scam, so there are no credit-card transaction data to check back on. However, eFIX’s reviews page (which turns out to be a testimonials page rather than links to independent reviews) showed this interesting entry:
MR ANTHOny SCOTT CaLLED ME TODaY TO OfFER THE E FIX SERVICE, WhiCh has been fully explained to me and Mr Scott has been very helpful and patient. Thanks
(Presumably problems with the keyboard, notably the Shift and Caps Lock keys, weren’t in that particular discussion, then...) That sounds like cold-calling to us, but is it necessarily fraudulent?
One of Martijn’s initial concerns centred on eFIX’s Facebook pages, one of which is largely stuffed with testimonials – or reviews – as to how good the service is. These largely consist of messages going back to October 3 and appear to be from genuine Facebook users, though there is a suspicious similarity of tone, phrasing and misspelling about most of the entries that does not seem kosher. However, this entry clearly suggests that someone is using the eFIX FB page to reinforce a cold-calling fraud campaign. Martijn also noted a comment on the Facebook page from someone claiming to have been scammed and demanding their money back (which has subsequently been removed).
Assuming these Facebookers are correct, could that “someone” be a company other than eFIX? Other companies have, in the past, claimed that their competitors are responsible for similar campaigns. I suppose it’s possible that a company might use its own details for credit card transactions but use a competitor’s contact data to blacken their name.
In fact, while fusoft.org and efix.co are hosted on the same server, it’s possible that they’re also linked to other companies and sites. Steve has noted some similarities in content to several other sites, which lead to rich seams of Facebook pages and blogsites: too many to address in a single blog. But of course, a similarity in content doesn’t always indicate a formal relationship.
Fusoft.org’s Facebook page turns out to consist of pointers to blog sites like http://fixinternetbrowser.blogspot.com/ and http://windowsxptechsupport.blogspot.com, whose blog articles scrape content from sources such as CNET, though the source is generally acknowledged. (Not always the case with other sites we're looking at right now.)
This line of investigation set us off looking at other support sites still under investigation where the content may be more original, but the quality of the advice leads to the suspicion that the idea is less to provide a proven step-through process than to create difficulties that will persuade the victim to follow the copious links to “computer technical support providers” or “Dell technical support” or “Linksys support”, all of which lead to the same support site.
What conclusions can we draw from all this? Well, not as many as we’d like, at least from a legalistic point of view. Flaky marketing techniques are easier to track than unequivocal wrongdoing (definitions of which tend to vary according to region!).
What is clear is that there are a lot of companies and sites out there offering support, and even if they aren’t the same people making scam cold-calls – which in some cases seems pretty unlikely – they are basing their appeal to visitors to their web sites on bona fides that are pretty difficult to verify. It’s not that difficult to set up one or more new Facebook accounts and pages: unfortunately, there’s no simple and foolproof way of telling which accounts might be “dummies” set up purely to promote a product or service. Even where an account looks genuine and well-used, it’s perfectly possible that the victim of a rogue service has been persuaded to “Like” it as part of the scam, and anyone could fake a testimonial using stock photos and made-up names. Unfortunately, it also seems likely that we’re increasingly going to find Facebook pages and blog pages with scraped or even frankly deceptive content similarly used to add credibility to web sites whose authenticity doesn’t stand up to scrutiny. But it’s harder to trace and verify the accounts behind social media sites than it is a registered domain, and even those have their challenges.
Some related material:
- http://hphosts.blogspot.com/2011/09/microsoft-dumps-partner-over-telephone.html
- http://www.crn.com.au/News/274273,indian-partner-fingered-for-microsoft-pc-support-scam.asp
- http://securitygarden.blogspot.com/2011/09/microsoft-removes-gold-certified.html
- http://nakedsecurity.sophos.com/2011/09/21/microsoft-dumps-partner-telephone-support-scam/
- http://it.slashdot.org/story/11/09/21/2237207/Microsoft-Dumps-Partner-For-Fake-Support-Call-Scam
- https://www.welivesecurity.com/2011/07/19/support-desk-scams-clsid-not-unique
- https://www.infosecisland.com/blogview/15066-Cyber-Criminals-Just-Came-A-Callin-At-My-House.html
- https://www.welivesecurity.com/2011/06/24/giving-cold-callers-the-cold-shoulder
- http://www.microsoft.com/Presspass/press/2011/jun11/06-16MSPhoneScamPR.mspx
- http://www.virusbtn.com/virusbulletin/archive/2011/01/vb201101-hello
- http://www.iia.net.au/index.php/all-members/869-get-ready-for-icode-in-force-1-december-2010.html
- http://www.symantec.com/connect/blogs/technical-support-phone-scams
- http://nakedsecurity.sophos.com/2010/11/04/sick-of-call-centres
- http://blogs.protegerse.com/laboratorio/2010/11/16/llamadas-desde-el-falso-soporte-tecnico/
- http://www.eset.com/us/resources/white-papers/Hanging-On-The-Telephone.pdf
- https://www.welivesecurity.com/2010/06/23/support-scam-info-some-more-links
- http://www.securityweek.com/fake-av-fake-support
David Harley, Martijn Grooten, Steve Burn