This Place is Taken: “Stains Of Deceitfulness”: Inside The US Government’s War On Tech Support Scammers

Monday, May 19, 2014


Aurich Lawson / PCCare247

Sitting in front of her PC, the phone in her hand connected to a tech support company half a world away, Sheryl Novick was about to get scammed.

The company she had reached, PCCare247, was based in India but had built a lucrative business advertising over the Internet to Americans, encouraging them to call for tech support. After glimpsing something odd on her computer, Novick did so.

“I saw some sort of pop-up and I don’t know if there’s a problem,” she told a PCCare247 tech named Yakeen. He offered to check the “management part” of her computer for possible problems.

“This is very, very important part of the computer and it work like the human brain, all the major decision, all the action, all the result is taken by this management part,” Yakeen said in a strong accent relayed over a poor-quality phone line that sometimes made comprehension difficult. All he needed to run his test was total control of Novick's Windows computer.

She agreed, downloading and installing a remote access tool. When it was in place, Yakeen reached out through the Internet, took control of Novick’s mouse cursor, and opened a program called Event Viewer. The scam was about to begin.

[Image: The PCCare247 cricket team after a 2012 match. Credit: PCCare247]

Event Viewer is a built-in Windows tool designed to make visible the millions of mostly unimportant background activities running beneath the hood of a modern computer. Few mainstream computer users have even heard of it, much less run Event Viewer of their own volition—which explains why few mainstream users would know that, in a system as complex as Windows, Event Viewer will always display errors, most of them trivial. Thus, should someone want to convince mainstream users that their computers are riddled with problems, Event Viewer is a reliable combination of the inscrutable and the terrifying.

Yakeen showed Novick a series of bright red warning messages in her Event Viewer logs.

“It has 30 errors,” he told her, while a separate subsection of Event Viewer showed 43 more. Based on these 73 problems, Yakeen formulated a quick and utterly improbable diagnosis for Novick’s problems.

“Your computer is hacked by someone,” he said. “They are using your name and your ID, your computer to do some cyber fraud and cyber terrorism.”

Leaving no time for Novick to raise questions about how obscure Windows errors might indicate the presence of terrorist hackers, Yakeen opened a command prompt on Novick’s machine and ran a text-based tool called “netstat.” Netstat shows all of a computer’s network connections, both inbound and outgoing, and in this case it showed a single established link—one that pointed outside the US.

“I’m 100 percent sure and I strongly believe that you have some hacking issue working in your computer,” Yakeen said as he pointed this out to Novick. “Your computer is being hacked by someone. And they are doing some criminal activity using your name, your computer, your computer address.”

This was a brazen lie; forensic examination would later conclude that the single connection displayed by netstat was in fact the remote access tool that Yakeen was using at that moment to control Novick’s machine.

To complete his examination, Yakeen then told Novick that he would scan her computer for viruses. To do so, he ran a command called “tree.” Filenames immediately filled the screen, scrolling away in a blur as hundreds of new names took their place. When the list stopped moving, the command prompt read:

C:\509 virus found

“Now can you see the number of virus found in your computer?” Yakeen asked.

“509 viruses?” Novick asked.

“Yeah, 509 virus working your computer. And they are—the hacker are directing your information and your—it might be possible your e-mail account and your Facebook account is also hacked by the hacker because hacker are using your name and your password. All the data, photographs, radio, and your e-mail are already hacked by the hackers, so we have tried to recover all the data from the hackers and install an anti-hacking tool in your computer, okay?”

The situation sounded bad—unless you knew that the tree command used by Yakeen has nothing to do with viruses. It merely lists all files within a directory, showing them in a hierarchical “tree” arrangement of folders, subfolders, and files. The scrolling list had been entirely ordinary files on Novick’s machine; it had stopped only because Yakeen had canceled its run. As for the words “509 virus found”—Yakeen had simply typed them out himself at the command prompt, hoping that Novick would believe them to be output from the “virus scanner.”

Yakeen didn’t give Novick much time to think about the diagnosis; with the problem identified, he barreled into his sales pitch for a 45-minute cleaning of her computer. By the end of this process, Yakeen promised that he could “remove all the hackers, remove all the errors and 509 virus from the computer and recover all the data, okay?”

All Novick needed was $400.

“Is there any way to do it cheaper?” she asked.

“Cheaper?” said Yakeen. “Okay, please hold the line because I am just discussing this issue with my accounts department and definitely I will give you a discount, okay?”

After a brief pause, the “accounts department” reduced the price to $360 and threw in three years of future tech support.

“$360 is a lot,” Novick responded, still haggling. “Is there any way you could do it for like $300?”

Yakeen transferred her to the floor “accounts manager,” who offered a $300 plan that included two years of future tech support. Novick agreed and provided her credit card. She thanked PCCare247 for helping her out.

“That’s our pleasure, ma’am, and because, you know, PCCare247 just focuses on the customer satisfaction,” a company rep told her when the work was done. “Our main aim is to satisfy the customer needs, right?”

[Image: The PCCare247 team in the office around Christmas. Credit: PCCare247]

What Yakeen didn’t know was that Novick was actually a Federal Trade Commission (FTC) investigator who had been assigned to global “tech support scams.” She had recorded the entire encounter, which had been conducted using a clean PC located within an FTC lab.

After the call, the FTC sent Civil Investigative Demands—requests for information—to just about every US company that had done any sort of business with PCCare247: banks, credit card processors, domain registrars, telephone companies, Facebook, Google, and Microsoft. In October 2012, after months of work, agency lawyers had finally assembled their case into a 15-page complaint against PCCare247 and its owner, Vikas Agrawal (sometimes spelled Agarwal).

“The Defendants operate a massive scheme that tricks consumers into spending approximately $139-$360 to fix non-existent problems with their computers,” the complaint alleged.

Those fees added up to serious revenue for PCCare247. In just one year, from October 2010 to September 2011, $4 million had been deposited in the two main PCCare247 bank accounts—and that was just from US residents.

The company used this cash to build more business, spending more than $1 million through at least seven separate advertising accounts with Google. The money bought “sponsored search results” that appeared when users searched for terms, including “virus removal.”

But PCCare247 went further, taking out ads on search terms like “mcafee phone number usa,” “norton customer service,” and “dell number for help.” The ads themselves said things like “McAfee Support - Call +1-855-[redacted US phone number]” and pointed to domains like mcafee-support.pccare247.com. As numerous complaints attest, less savvy computer users searching the Internet for specific tech support phone numbers would see PCCare247’s number near the top of their screens and assume that this was an official line.

[Image: A sample PCCare247 ad. Credit: FTC]

The tactic reached huge numbers of people. One PCCare247 ad account with Google produced 71.7 million impressions; another generated 12.4 million more. According to records obtained by the FTC, these combined campaigns generated 1.5 million clicks—a 1.8 percent clickthrough rate. Rather than cold-calling people—a preferred tactic of many tech support scammers—PCCare247 instead placed its ads and waited for the calls for help to roll in. The calls were forwarded to PCCare247’s operations in India, where people like Yakeen took over. Some may well have offered legitimate tech support, but even PCCare247 admits that not all did.

Not surprisingly, this business model produced complaints. In New York, the state in which PCCare247 lists its US headquarters (in a virtual office), the Better Business Bureau gave the company an "F" after receiving 27 complaints.

A typical complaint runs like this: a woman begins having computer issues late one night. She Googles “Norton” and, instead of calling Norton tech support, ends up dialing a PCCare247-linked company. The technician “told her that her computer was corrupted and being hacked and she had security issues and if it spread to other computers he would have to notify the FBI.” The woman wakes her husband, who is agitated that she already provided her credit card number. He calls PCCare247 to demand they not charge his card but the tech “kept talking about hackers and wouldn’t shut up.” PCCare247 then charges the couple three times at $150 each. When the man calls back later, enraged at the charges, the company promises a refund and asks him “not to contact the State Police or anyone else.”

Over at the FTC, 300 complaints poured in to the agency’s Sentinel database. Reading through them serves as a reminder that most mainstream users have absolutely no idea how their computers work and that they will in fact seek out technical support when their speakers are on mute or when they can’t eject a CD from the drive.

As one senior citizen, who thought he was calling Dell tech support, recounted: “described my problem to the man (heavy Indian accent) and he told me he needed to access my computer to see what the problem was. He took me to the site where he could access my computer using a specific code. After accessing my Dell computer, he said Oh My God. Your computer has been infected by dozens of viruses. There is a hacker in your computer accessing all your personal and banking information right now… I was scared at that time. I do a lot of shopping on the computer and have my banking and retirement information on it.”

The companies processing financial transactions for PCCare247 were also unhappy with the constant stream of chargebacks and complaints. Vikas Agrawal had created many separate PayPal accounts, for instance, but at least three of them had been frozen and set to “Limited-High” status due to security concerns.

PCCare247 faced a constant battle to accept payments, especially credit cards. The company eventually went to a US resident named Navin Pasari, who applied for at least 13 merchant accounts—many of which were declined upfront or cancelled later due to excessive chargebacks.

Given this history, it wasn’t difficult for the FTC to obtain a temporary restraining order (TRO) against PCCare247, an order that made it all but impossible to do business in the US. Most of the company’s cash had already been transferred to Indian banks (only $1,700 was left in US accounts), where it would prove hard to reach, but the TRO did shut down the company’s domain name, local phone numbers, and credit card processing. New money would not be flowing.

“The FTC litigation has effectively shut down the [PCCare247] business,” the company complained to the federal judge overseeing its case. It admitted to “some improper conduct” but attributed this only to “some overzealous sales personnel [who] crossed the line” and said that “they will be dismissed or retrained.”

In PCCare247’s view, it was simply a third-party tech support company that advertised on Google—and what was wrong with that? In a separate declaration, Vikas Agrawal added, “PCCare247 wants to be a good corporate citizen.”

[Image: PCCare247 employees presenting flowers to Vikas Agrawal on his birthday. Credit: PCCare247]

The gospel truth

PCCare247 wasn't some anonymous boiler room operation. The company employed 115 people at its height and had 8,000 square feet of modern office space in DLF Cybercity, a development to the southwest of New Delhi that also houses the Indian branches of companies like IBM, Accenture, and Oracle.

PCCare247 also had a visible presence on social media, at one point sharing on Facebook photographs of staffers celebrating Diwali, playing cricket, and even delivering a birthday cake to Agrawal. YouTube videos show young staffers wandering around modern cubicles on Christmas as they play the "Treasure Hunt Game."

[Image: Agrawal's birthday cake. Credit: PCCare247]

The company’s past LinkedIn profile rather enthusiastically described the company as a “vogue dispenser in online technical support” that would “despise every technical folly ready to play mess with the lives of naïve techno greenhorns.” The company had also “won over the nitty-gritty of every technical impediment so that scalable solutions can be dished out without any crunches.”

Agrawal took pains to address at least some of the online complaints about his company. He repeatedly offered refunds to those who complained, and he had staffers respond publicly to complaints, including at the New York BBB. He even created a strange blog devoted to debunking the (many) online complaints about PCCare247 in some truly delicious prose. Agrawal sensed a conspiracy, he said, to harm his entirely legitimate business.

“If you notice all these different rip-off complaints of PCCare247 carefully,” one entry read, “you will find that each of these faultfinders is alien, and the allegations they put on us are too baseless. To stop these grapevines from spreading, there’s little we can do about it, as they are the part of the cons of the Internet world... The whole rip-off community needs to pull up its socks and has to check these reports for their authenticity so as to remove the stains of deceitfulness that has been marked on online technical support providers as a whole.”

Indeed, Agrawal insisted that his company was a “good Samaritan” that had “stepped into this domain to serve computer users community for long term, so there is no point it is involved in doing any hanky-panky.” Despite the complaints, the company “believes in the gospel truth that at the end one who is righteous, triumphs.”

[Image: Just another day at the office. Credit: PCCare247]

However, PCCare247 did not triumph; it came crashing down. On October 3, 2012, FTC Chairman Jon Leibowitz publicly announced his agency's crackdown on tech support scams, including the complaint against PCCare247. The next day, an Indian blog called Techgoss published an account from a local tipster who worked only minutes away from the PCCare247 offices.

"Their Operational Site has now completely been shutdown by Police," the source reported. "I went there today and I could see approximately 5-10 Policemen standing outside stopping the employees from going in."

In December 2012, the Times of India reported that 50 PCCare247 employees held a protest in front of Agrawal’s home, claiming that “they had not received their salaries for the past three months.” Other employees gathered at the main offices to demand their pay. The local police arrived to mediate, and the protests ended when “company officials gave a written assurance that they would provide the salaries to employees soon.”

In March 2013, Agrawal rather plaintively wrote a letter to the FTC in which he complained that “all our employees have left us” and that PCCare247 could not “afford to keep a technician” anymore since payment processors in the US were now holding back $120,000 in payments. Agrawal said that he was personally providing support to those who could reach him through e-mail. (Agrawal did not respond to requests for comment.)

“We’re a legitimate company,” he concluded. “While looking for bad apples, a genuine company has been punished for no fault of its. [sic]”

Was this true? I reached out to former PCCare247 employees. Only one was willing to speak about his experience, but he described a culture where, in his opinion, “9 out of 10 customers were deceived and misled by the sales representatives… I never saw Mr. Agrawal trying to stop this; rather he encouraged and promoted this scam by paying instant cash to individuals who misled customers by means of false and spurious statements and cracked sales.”

The employee left PCCare247 in late September 2012, just before the FTC announced its crackdown, and he was one of those claiming non-payment for his last weeks of work.

“Mr. Vikas Agrawal should be prosecuted to the maximum extent possible under the provisions and Laws of [the] US Federal Trade Commission,” the employee told me. “Had I been in US, I would have gladly testified against him in a court of law.”

[Image: PCCare247 staffers after a football match. Credit: PCCare247]

The wheels of justice

Since its filing, the FTC’s action against PCCare247 has moved slowly but inexorably forward.

Vikas Agrawal initially hired a US law firm to represent his company, but in January 2013 that firm withdrew after not being fully paid—despite $50,000 that the court unfroze for the purpose of paying lawyers. In addition, the law firm cited a “breakdown in communication” with its PCCare247 clients, who “have criticized counsels’ performance and disagree with counsels’ strategic and tactical advice in this litigation.” Finally, despite the many statements about wanting to be a good corporate citizen, PCCare247 never actually complied with the terms of the injunction against it.

With the lawyers gone, communication with the Indian defendants became so sporadic that a default judgment was finally entered against Agrawal in February 2014. Collecting on it may be near-impossible, but the FTC has certainly made life difficult for what was once a significant operation.

According to Colleen Robbins, a lead FTC attorney handling the case, the goal of FTC litigation isn’t simply to retrieve money. “You always hope that there’s going to be some deterrent effect,” she told me. She also noted that the FTC partnered with six other countries to bring this most recent batch of cases, making it an international effort designed to address an international problem that's increasingly important in the Internet era.

The FTC has had more direct success with defendants who actually reside in the US. Navin Pasari, the US resident used to apply for at least 13 financial services accounts on behalf of PCCare247, agreed in late 2013 to turn over the $14,369 he earned from the company. In another one of its tech support scam cases, the FTC got owner and US resident Mikael Marczak to sign a consent decree, give up his 2005 Hummer H2, and pay back whatever money was left in his accounts (it wasn't much). And the agency is going after several other companies it accuses of running similar scams.

The process can be excruciatingly slow, and most of the money gets spent or hidden before it can make its way back to either the government or to the victims, but it's at least more productive than just trolling the scammers.

Most of PCCare247's employees appear to have moved on to other jobs in the Indian IT industry. FTC lawyers continue to file tedious legal documents in the case against the company. As for Agrawal, he continues to write plaintive letters to the court, asking for more money to be released from US payment processors. His company has largely vanished from the Internet, its domain names and social media presence gone, but at least Agrawal has found ways to pass the time. His most recent tweet, from January 21, 2014, says only, "I just flew 1,896m in a totally crazy game of #JetpackJoyride."
