Security researchers have spotted an individual who registered 135 domains to host and push out tech support scams.
According to MalwareHunterTeam, the individual’s name and address are tied to 135 tech support scam domains, including 120 which are hosted on Internet domain registrar GoDaddy.
This isn’t the first time crooks have abused GoDaddy accounts for malicious purposes. For instance, back in May, a rogue advertiser hijacked poorly protected GoDaddy accounts, which they in turn incorporated into a malvertising attack that targeted two TV stations affiliated with the American CBS TV network.
Most of the domains registered in the individual’s name host tech support scams, which may or may not lock a user’s computer screen or impersonate their ISP. Some host scareware, while others appear to currently be offline.
Then again, it’s no surprise something mischievous would originate from system-blocked-due-to-malacious-activity-error101c11cmd[dot]info or security-essential-update-failed-call-support[dot]info.
Scam hosted by GoScammers: security-essential-update-failed-call-support[.]info
Registrant is a hardcore scammer… pic.twitter.com/KHSA6nmZEk
— MalwareHunterTeam (@malwrhunterteam) June 30, 2016
What is a surprise to MalwareHunterTeam is the fact that there’s no deny-list to prevent known bad actors from registering scam domains. As the researcher told Softpedia:
“This is a big business. And no one on Earth does anything against them. The main problem is that this man could register 100+ scam domains (the domain names are telling that they are scam) starting from the first days of April, without any problem. It’s simply crazy… And it’s just one man.”
MalwareHunterTeam also claims they sent a full text file of the scam domains to GoDaddy but that the registrar has done nothing.
Catalin Cimpanu of Softpedia attributes this lack of action to an overabundance of reports flooding GoDaddy’s abuse department:
“Nobody’s saying that GoDaddy is protecting such activities, but its abuse department is completely overwhelmed at the moment. To be fair, there are plenty of other Web hosting firms that don’t even run an abuse department, and the only way to reach them is through the national CERT teams. But there are also awesome hosting firms that kill these sites in three or seven minutes, only after a tweet and without having to fill in countless forms.”
In the absence of meaningful action from GoDaddy and other domain registrars, users are urged not to fall for a tech support scam. No one from a legitimate technology company will ever contact you out of the blue to warn you about suspicious programs on your computer, so never give such callers any personal or financial information.
If you feel you have a tech support issue, make sure to contact the appropriate company directly using its published contact details.
3 comments on “The tech support scam king. 135 tech scam domains registered to one person”
Two quick outs: open task manager, go to processes, right click process, click, "end task".
Or, just reach down (in my case) and turn off your modem. That immediately ends any download in process.
I can think of one event where emails came out of the blue notifying of a security incident. I recently was forwarded an email from the UK NCA (National Cybercrime Agency) informing us that there had been a malicious attack on one of our computers and that the potential for stolen credentials was high. The email was worded in such a way as not to mention our company specifically, so this looked like a generic scam email initially; also, the to and from fields in the header data were the same person (the NCA person).
Having checked the validity of the email by calling the NCA directly, using details from their website rather than the email, I confirmed the message was legitimate. It turned out the infected computer was not ours but one of our customers’, at which point we asked the NCA to confirm if it was OK to let them know and to reset their credentials.
The reason we did this is that we did not know if the NCA were investigating the owner of this computer specifically and did not want to interfere. It goes to show that not even the lawful agencies have a foolproof method of addressing individuals or businesses without arousing suspicion, and goes to show that Big Brother is watching us. I personally have never got an email from the NCA whenever I have had a malware infection at home, so why on earth did this get flagged? Do I want to know??
I usually call the number back and ask them why they are F'n with my computers. Then I explain that what they are doing is criminal, that they are criminals, that we have been tracking them for a while, and that we will be closing them down very shortly for their criminal activities. They never believe it until they are in jail, which is a few days after I call them. But they can never say I didn't call or warn them.
The internet is for the same type of people who used CBs in the '70s and '80s.