The latest investigation using open-source data reveals how a small web design and SEO company runs dozens of websites associated with remote support scams.

What is a tech support scam?

Technical support scams are big business. In 2018, the FTC (US) received over 143,000 reports of tech support scams. On average, victims lost $400 each totalling $55 million. Those over 60 were five times likely to become a victim. In parallel, Australians lost $4.4 million in the same year.

A common technique is a fake pop up message warning the unsuspecting victim that the computer has been locked by viruses.

An example of a fake popup message. (Source: Scammer.info)

A tech support number is displayed conveniently on the screen for the victim. The tech support personnel typically poses as a Microsoft or Apple employee and uses confidence tricks to trick the victim into paying for services fixing non-existent computer issues.

There are several variations of the scam. For example, one of them is when the fake technician installs an actual piece of malware on the victim’s computer. Another one is when the victim is tricked into sending large sums of money to the scammers via bank transfer(fake refund scam).

In short, technical support scams are no joke as they tend to prey on the elderly and vulnerable. Companies in this business could make as much as $10 million with tech support scams.

A web of lies and deceit

My latest investigation involves a seemingly legitimate business whose name keeps popping up around shady websites reported for remote support scams. The following OSINT research reveals a large network of websites, phone numbers and individuals associated with the tech support scam.

The investigation found a large number of interconnected tech support scam sites.

My research began with a phone number reported on Scammer.info twice for running tech support scams. A quick Google search of +1 833 295 1999 revealed pages of search results offering tech support services for Gmail, Hotmail, Bellsouth, PC Matic, Norton, Fastmail, Yahoo and more.

Many of these sites from the search appear of giving an impression that the phone number is associated with the customer service team of these companies they name-dropping.

The vague language indicates that +1 833 295 1999 rings at Malwarebytes.

Also, these purposefully confusing sites were all using common SEO tricks to be on the first pages of Google if someone is searching for a solution for a specific error message.

An associated website posing as the customer support at Google.

Suspicious domains and phone numbers

Having filtering through the noise, I managed to find the following featuring +1 833 295 1999 as the phone number of their technical support services:

99techsolutions.com 99webmail.com allclientservice.com antivirushelpnumber.com avcontacthelp.com avtechnumbers.com contactemailexperts.com contactgmailhelp.com e-mailtechnicalsupport.com email-contacthelp.com email-customerservices.com emailnumbers360.com mail-customersupport.com mailcontactnumbers.net mytechtoll.com quicktechbook.com

A couple of these websites feature [email protected] on the WHOIS record, which lead me to more domains associated with this network ran by someone:

email-customerservices.com email-customersupport.com emailsupporthelpline.com gmailhelp.co gmailtechsupportnumber.co mailsupportservice.com

After going down the rabbit hole, I found the additional phone numbers:

+1 800 674 2913 +1 888 318 1004

Other WHOIS records feature or featured the following emails as the technical contact:

The following suspiciously-looking websites were also registered with email addresses and/or were listing the additional phone numbers from above:

360numberdir.com 360numberfinder.com 360techhelpcontact.com 99contactsinfo.com 99entranceexam.com 99printerservice.net 99techsolutions.com 99webhelp.com easyfixhelpline.com mailcontactnumbers.net mailhelpnumber.com wptechhelp.com

Wait, there are even more digits listed on these sites!

+1 800 674 2913 +1 833 410 5666 +1 844 715 3424 +1 855 233 7309 +1 888 318 1004 +1 888 361 3731

Growing confidence

Reports further confirm that these numbers and websites are involved in tech support scams.

According to the report of one of the victims, the technician on +1 844 715 3424 claimed the “computer was infected” and they can fix it. The scammer pulled up GeekTyper.com (presumably on a remote desktop session) to prove that the victim’s computer was hacked and it needed immediate attention.

GeekTyper may trick the technologically inept victims.

In total, the extensive analysis managed to find 30+ websites and 8 phone numbers ready to accept the calls of the unsuspecting victims.

Is a web design company behind all this?

The company that could possibly be linked to these website registrations is a website design company called 99WebHelp at 99webhelp.com .

The reasons are the following:

The email addresses on the WHOIS records of the suspicious websites (e.g. [email protected] ) belong to the key personnel at 99WebHelp;

Legitimate websites ran by 99WebHelp share the same WHOIS contact details as some of the suspicious websites (e.g. [email protected] );

The phone number (1)-844-715-3424 featuring on 99webhelp.com has been reported for tech support scam activity.

One of the main expertise of 99WebHelp is Search Engine Optimisation (SEO).

The two owners of the company are Vivek Rawat and Amit Yadav per the ‘Contact Us’ page at the main website.

The two most important persons at 99WebHelp.

According to Mr Rawat’s page on about.me, he has “good knowledge about Search Engine Marketing, Digital Marketing, Social Media Marketing, Search Engine Optimization”. He is a “good web designer” building several websites. He runs legitimate websites as well such as 99 Entrance Exam at 99entranceexam.in , an educational site providing information for those seeking higher education in India.

99 Entrance Exam has been registered with the same email address as one of the suspicious domain names.

His business partner, Mr Yadav owns the email address Amrita Singh <[email protected]> from the WHOIS records of mail-customersupport.com . It turns out that this email address belonging to ‘Amrita Singh’ is registered to Mr Yadav’s LinkedIn profile for some reason.

The third person associated with these websites is Bhaskar Chakraborty, who registered domains like avtechnumbers.com using the [email protected] email address. Mr Chakraborty is a senior project manager at 99WebHelp for almost 6 years (since the inception of 99WebHelp) managing the day-to-day operation of projects.

The fourth prominent person in this operation is Gaurav Patwal whose name appears on many of the domain names. He is often photographed together with staff on the premises of the company.

Summary

Tech support scammers tend to churn through a large number of domain names and phone numbers as a result of them becoming ‘tainted’. Once the past victims report them to consumer forums ruining the reputation of the domain names and phone numbers, the scammers simply register a new domain name and deploy a cookie-cutter website offering dubious technical support services.

The large number of websites and phone numbers associated with 99WebHelp.com seem to fit this pattern.

Are you a victim of remote support scam? Report it to ACORN (AU), FTC (USA), Citizens Advice (UK).