
SANS ISC: InfoSec Handlers Diary Blog


Who Develops Code for IT Support Scareware Websites?

Published: 2015-03-20
Last Updated: 2015-03-20 21:38:56 UTC
by Lenny Zeltser (Version: 1)

When investigating a website used as part of an IT support scam, I came across a web page that attempted to fool the visitor into thinking that the person’s system was infected. The goal was to persuade the potential victim to call a "Microsoft Certified Live Technician" at the designated phone number " for assistance on how to remove malicious pop-ups."

The scareware page resided at (don't go there). It looked like this:

The source code of this scammy page, which you can see on Pastebin, included the following HTML comment:

Mirrored from by HTTrack Website Copier/3.x [XR&CO'2014], Thu, 08 Jan 2015 03:52:17 GMT

Such comments are automatically added using the non-malicious website-mirroring tool HTTrack Website Copier. This comment offered a pointer to the origin of the page's code.
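As an added example (not code from this diary), the following Python helper finds such HTTrack provenance comments in a saved page and extracts the origin, version and mirror timestamp so they can be compared across samples; the origin hostname in the constructed sample is a placeholder, since the diary redacts the real one.

```python
"""Extract HTTrack mirror-provenance comments from saved HTML.

HTTrack Website Copier writes an HTML comment of the form
  <!-- Mirrored from <origin> by HTTrack Website Copier/<ver> [<tag>], <date> -->
into each mirrored page. Recovering it from a scam page points at the
host the code was copied from.
"""
import re
from datetime import timezone
from email.utils import parsedate_to_datetime
from typing import Optional

HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<origin>\S+)\s+by HTTrack Website Copier/"
    r"(?P<version>[\w.]+)\s*(?:\[(?P<build>[^\]]*)\])?,\s*(?P<date>[^>]*?)\s*-->",
    re.IGNORECASE,
)


def find_httrack_provenance(html: str) -> Optional[dict]:
    """Return origin/version/build/date of the first HTTrack comment, or None."""
    m = HTTRACK_RE.search(html)
    if not m:
        return None
    info = m.groupdict()
    # HTTrack writes an RFC 2822 style timestamp, e.g. "Thu, 08 Jan 2015 03:52:17 GMT".
    try:
        info["mirrored_at"] = parsedate_to_datetime(info["date"]).astimezone(timezone.utc)
    except (TypeError, ValueError):
        info["mirrored_at"] = None
    return info


def origin_host(origin: str) -> str:
    """Strip any scheme and path so the origin can be compared with other hosts."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", origin, flags=re.IGNORECASE)
    return host.split("/", 1)[0].lower()


# Constructed sample in the layout of the diary's scam page; the host is a placeholder.
SAMPLE_HTML = """<!DOCTYPE html>
<html><!-- Mirrored from example-dev-host.invalid/Lander3/ by HTTrack Website Copier/3.x [XR&CO'2014], Thu, 08 Jan 2015 03:52:17 GMT -->
<head><title>Warning</title></head><body>...</body></html>"""

if __name__ == "__main__":
    found = find_httrack_provenance(SAMPLE_HTML)
    print(found, origin_host(found["origin"]) if found else None)
```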

The Lander3 page was available on the server as of this writing. It showed a web page that was almost identical to the one captured above, except it lacked a pop-up and specified a different "tech support" phone number: (855) 662-9616. Also, it contained pointers to and (don't go there), who may have been the client that paid to develop this code. You can see Lander3 source code on Pastebin.

The server contained a publicly-accessible listing of other projects, which included other variations on landing pages for, inviting people to get a "free secure diagnostic session" (lander1 screenshot), "detect, diagnose and troubleshoot all spyware problems" (lander2 screenshot), perform a "security check" (lander4 screenshot), etc.

The server also contained code for other websites, which seemed to be associated with legitimate, less shady companies.

By performing some Google searches, I came across (don't go there), which was live at the time of this writing. Its look-and-feel matched the lander1 screenshot.

Google also pointed me to (don't go there). Its look-and-feel matched that of, which I mentioned in the beginning of this article. It included a pop-up, though its text was different from what used, which stated:

"Call 844-325-8014 immediately for assistance on how to remove potential spyware. The call is toll-free."

I captured a screenshot of that page for those who wish to see it in its full glory.

The site describes Worldnet Consultants Inc. The company positions itself as "a leading web design company in USA for offshore web design, offshore web development," etc. The site lists office addresses in Forest Hills, NY and Gurgaon, India. This company appears to have developed the code used by and I saw no indications that the software development firm is malicious—however, they don't seem to be particularly selective about their clientele.

If this topic interests you, you might also like these articles of mine:

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and Google+. He also writes a security blog.
