Home » Forums

[jfdi]

Just had a really weird call from 'Support Onclick' saying they'd spotted we'd just opened a malicious file - & offering support.

When asked how they knew they said they worked with 'all the big companies' & were asked to check these things out!

Very weird, coz I was only just booting up the PC at the time, not having been on it since last night.

Allegedly they're from Bradford!

Any ideas?

[DatabaseError]

ignore them....scammers!
(never actually heard of them..but the only way they could get your phone number from your IP address is via a court order...even then I think they'd only get an address.
Probably worth running malwarebytes and a virus scan just to make sure your machine is actually clean...and that they haven't harvested your data through resident malware (extremely unlikely)

[mrJ]

probably trying to get your bank details and charge you for some rubbish anti-virus program

[ericsbird]

My friend has just had such a phone call and was scammed out of £170 for three years subscription of god knows what. They told her that they had remote access to her computer and that they could see that she had problems that needed fixing. The completely convinced her that a: they were from Microsoft and b: that the problems were serious. After telling her to cancel her payment with her credit card (paypal) I then called them and told them exactly what I thought of them. They 'say' they will cancel the payment, but it took me 20 minutes on the phone to India - heaven knows what that will cost me! Does anyone know who to report this to, to get it stopped? At the very best, the company may be legitimate and my friend was simply mis-sold the product. At worst its an insidious scam preying on those who dont understand computers enough to contradict what they've been told!

[tree123]

I was just called and told the same thing, that my computer had automatically downloaded some unwanted files which now made it susceptible to hacking. This sounded very unlikely to me, particularly as when I asked her to repeat herself she used the exact same wording, as if she was reading it from a piece of paper. I asked them to leave a number so that my Mum could call back when she got home from work but the woman on the phone changed the subject and kept asking me to turn on the computer. I didn't understand why that was necessary so I said the computer was broken, and she became really agressive and accused me of lying (which to be fair I was) so I again asked for the company name and I was told support onclick (which i dont believe) and when I asked her to give me a phone number for a second time she hung up.
I thought it was dodgy to begin with but the fact she started shouting at me and wouldnt leave a number was really suspicious...

[dawson001]

I just got a call from them too, according they were working with microsoft!
Tried to get me to run specific programs!
They are just scammers, trying to sign up to their software!

[maxicab]

They sound pretty plausible if you aren't very computer literate. They do have a website. They have just cold-called me and they knew my full name. They sound Indian. I turned on the computer as suggested, and he got me to type in an odd collection of letters into RUN on the start menu. When my computer said it couldn't find this program, he said well my computer must be very badly infected already, and had donloaded a trojan virus to block me seeing the problem. I said that I had anti-virus software installed and it seemd to be OK. He then said to type in eventvwr into RUN and tell him what I saw. I had opened event viewer and saw thousands of items: i information, and hundreds of yellow triangle warnings and red X errors when I further pressed on 'application' as instructed. In fact I can repeat and view these now. All are from the last 4 months or so. He said this showed my computer was heavily infected and it was surprising that it was running at all. He warned me not to click on any of the items!
I said that that was all very interesting but I was concerned that they weren't a genuine company and that they hadn't said their company name or who they were and what their website was and what their phone no. was, and how they had obtained my name and phone number. I was passed to the 'superviser' who went through much of the same spiel but eventually told me the name supportonclick and I could view their website and that they have my details from "local surveys" and because I am a valued client etc. and that they will accept payment in many ways for their computer support services. I typed the name into google as he was talking and saw many entries from around the world and the strong suggestion that it is all a scam. Eventually I said I didn't want to continue the conversation and hung up.
I don't know how they can get your phone no. and name but I don't like that they could have done so. Maybe from TalkTalk my ISP? Their other suppositions were probably fortuitous - yes I have a computer, yes I use Microsoft Windows, yes my computer is not as fast as it was.
Beware. Although they are pretty plausible, I am pretty sure it is a scam. Can anyone clever tell me what all that stuff in event viewer is and whether it means anything?
Thanks.

[350186]

Hi,

Had a call from my father last night who had had an unsolicited call from Support on Click. Unfortunatley he allowed them access to his PC, but eventually stopped short of them actually taking any money from his bank account. The account has been stopped etc. so no worries there.

However, my concern is now the ongoing security of his PC.

I tried called them in India (via UK number) and a manager very strongly told me it is none of my business how they accessed his PC and that once session ended they could not access his PC again.

All well and good if his company had an credibility or was believable, but their marketing strategy removes any faith I have there..

So, to my question.....

Does anyone have any idea what software may have been used to access my Dad's PC, so I can uninstall it, and is there any indication that anything mallicious will heva been left on PC (key-logger etc.) that we should be worried about.

Any comments would be appreicated.

Andrew

[macman]

Quote:

Originally Posted by 350186

Hi,

Had a call from my father last night who had had an unsolicited call from Support on Click. Unfortunatley he allowed them access to his PC, but eventually stopped short of them actually taking any money from his bank account. The account has been stopped etc. so no worries there.

However, my concern is now the ongoing security of his PC.

I tried called them in India (via UK number) and a manager very strongly told me it is none of my business how they accessed his PC and that once session ended they could not access his PC again.

All well and good if his company had an credibility or was believable, but their marketing strategy removes any faith I have there..

So, to my question.....

Does anyone have any idea what software may have been used to access my Dad's PC, so I can uninstall it, and is there any indication that anything mallicious will heva been left on PC (key-logger etc.) that we should be worried about.

Any comments would be appreicated.

Andrew

There's lots of software they may have used, it may be one session, it may not be. Look under the 'add new programs' in Control Panel and you can list the installed software by date of last usage, that way you can ID anything installed on the relevant date. To be safe I suggest you do a System Restore back to the first date before remote access was allowed.
Also I suggest you ensure that your father is running proper antivirus/antispywaresoftware and that this is up to date. If he's unwise enough to allow access to a complete stranger then it's likely he is not using proper security either.

[Swindon_Baggie]

Any company who's 'about us' on the website includes

"Support On Click" is an online technical support system & the people & technology have been battle-tested in many corporate for nearly 20 years.

Is obviously not worth dealing with.


Windows XP includes 'by default' an option to allow remote desktop support, and is facilitated through the use of windows messenger. If you remove windows messenger, you can still download windows live messenger (which is similar but different) and used to be the old msn messenger, your account holds all your contacts so easy to switch, and no more remote desktop.
Just look here to do so.
http://www.dougknox.com/xp/tips/xp_messenger_remove.htm
I would recommend using the manual technique.

Then, make sure you have anti virus.
free.avg.com
or spend a fortune on something else.

How they get your details. No idea. Electoral register, Phone book, personal website, collected from stolen government cd, sold by tesco?

Something I recommend is using slightly different spellings of your name or home address when contacting and buying companies. This allows you to find out who is selling your details, and legitimate dealings get through cause they are basically accurate.
For the internet, use throwaway email address's that link to a gmail address, and then just label what comes in from each address.

Bit of hassle, but lets you know where to direct complaint.

[gaming_guy]

Quote:

Originally Posted by Swindon_Baggie

Then, make sure you have anti virus.
free.avg.com
or spend a fortune on something else.

avg used to be good. avira antivir is one of the best free anti virus programs availible (and malwarebytes as already recommended).

if you want to pay for security software, kaspersky is the way to go.

[macman]

Quote:

Originally Posted by gaming_guy

avg used to be good. avira antivir is one of the best free anti virus programs availible (and malwarebytes as already recommended).

if you want to pay for security software, kaspersky is the way to go.

or it's free if you use Barclays online banking.

[tenacious_hyperion]

I just got a cold call from this company 20 minutes ago. Without a doubt they're trying to scam people out of money.

Once I explained that I worked in IT and that the errors were just general application crashes/errors they put me on hold to speak to a manager. I was then told that these application crashes could damage my motherboard. I then simply asked how they got my number and how they knew my name - at that point they hung up on me. I didn't even shout or sound angry.

I then rang 01274 900 834 (as per their website) to ask a few more questions and they hung up on me again! (Although I did sound a little angry the second time, but never got a chance to shout).

I hope that nobody has been caught out by this type of thing as if you were just a casual IT user it does seem quite plausible.

[Jemma-T]

I'd be more worried that I knew people who were scammed by scumbags like this.

Your house phone line is supposed to be private so why people spew their details to anyone I'll never know.

[asbokid]

Code:

Domain Name:SUPPORTONCLICK.ORG
Created On:11-Apr-2009 11:58:35 UTC
Last Updated On:11-Apr-2009 11:58:37 UTC
Expiration Date:11-Apr-2010 11:58:35 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:DI_7112790
Registrant Name:Ali
Registrant Organization:Pecon Software Ltd
Registrant Street1:EN-27, Salt lake city, Sector-V,Kolkata
Registrant Street2:
Registrant Street3:
Registrant City:kolkata
Registrant State/Province:West Bengal
Registrant Postal Code:700091
Registrant Country:IN
Registrant Phone:+91.3340052240
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:tech@pecon.co.in

You need to speak to "Ali" !!

..Or maybe Calcutta Police fraud squad...

http://www.kolkatapolice.gov.in/contactus1.html

Ask the Cops to speak to a "Mr Mahesh Shah"...


Mr Shah boasts of being the Managing Director of the Pecon Group which is linked to this swindle...

Mr Shah told the Hindu Times that he "bagged" his orders from outsourcing companies based in the US...

http://www.blonnet.com/2006/06/28/st...2804031300.htm


You could also call Mr Shah's hosting company... Net4India Ltd..

Shah rents some rackspace at Net4India's Hyderabad server farm for his Apache webserver.

That is where the websites for Mr Shah's Pecon Software Ltd, and the SupportonClick swindle are both hosted..

Code:

netname:      NET4
descr:        Hyderabad Network Operations
descr:        Net4India Ltd.
descr:        Internet Service Provider
descr:        D-25, Sector 3, Noida,
descr:        UP - 201301, INDIA
country:      IN
admin-c:      NET4-AP
tech-c:       NET4-AP
mnt-by:       MAINT-STERCAP-IN
status:       ASSIGNED NON-PORTABLE
changed:      networkadmin@net4.in 20090219
source:       APNIC
...
person:       Net4 NOC Administrator
nic-hdl:      NLNA4-AP
e-mail:       ipadmin@net4india.net
address:      Net4India Ltd.
address:      Internet Service Provider
address:      D-25, Sector 3, Noida,
address:      UP - 201301, INDIA
phone:        +91-120-4323500
fax-no:       +91-120-4323520
country:      IN
changed:      networkadmin@net4.in 20080912
mnt-by:       MAINT-STERCAP-IN
source:       APNIC

[devils advocate]

looks like they are doing the rounds at the moment. I've just had a call from them, claiming to be calling from Bradford, and giving the 01274 900 834 phone number. After a bit of discussion, he also told me that the UK address is at 17 Chester Street, Bradford, West Yorkshire BD1 1SW.the caller identified himself as phoning from Calcutta.

I wanted to see how far he would go ( and I knew that I would stop when I reached the limit of my PC knowledge!)and he took me through the instructions of right clicking on "my computer", going through the manage option to computer management, and showing me all the errors and warnings on the logs of the event viewer. He then took me into on the run command, and told me to type "prefetch". I was then told that all the programs which came up on the window were problems with my computer!

He then wanted me to type the name of their website in the run command box so I then started having a bit of a debate with him. (The website is www.s o c 321.com, [without spaces, if anyone's interested. ) Having told him that I'd typed the name "Support on click" into Google and that it showed up as a scam, he then started arguing with me that if I typed in Microsoft or IBM into Google, that no doubt that would show up as a scam! unfortunately I then got another call, so had to hang up on him.

As I'm a cynical old sod, I suspected from the beginning that this was some type of scam call. Unfortunately those with less than my limited knowledge of the workings of the PCs may find it all quite plausible and sign up for something or even worse, install a Trojan.

[asbokid]

Quote:

Originally Posted by devils advocate

He then wanted me to type the name of their website in the run command box so I then started having a bit of a debate with him. (The website is www.s o c 321.com, [without spaces, if anyone's interested. ) Having told him that I'd typed the name "Support on click" into Google and that it showed up as a scam, he then started arguing with me that if I typed in Microsoft or IBM into Google, that no doubt that would show up as a scam! unfortunately I then got another call, so had to hang up on him.

As I'm a cynical old sod, I suspected from the beginning that this was some type of scam call. Unfortunately those with less than my limited knowledge of the workings of the PCs may find it all quite plausible and sign up for something or even worse, install a Trojan.

I expect you are spot on with your cynicism over what he had planned for you!

At the same time as he was instructing you to visit that website, he would have been monitoring the access log file for the webserver hosting that website he told you to visit.

His webserver (121.244.209.135) is in Bombay. It is a Fedora Linux machine running Apache/2.2.6.

From those Apache access logs, he will harvest the IP address of your machine.. This is what an Apache log entry looks like..

Code:

66.249.71.214 - - [09/Jun/2009:23:25:49 +0100] "GET /pap2/codebaseGPL/?C=S;O=D HTTP/1.1" 200 1727 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

That log entry is the fingerprint left by the harmless "Googlebot" which just visited one of our sites. It shows the IP address of Google's machine (66.249.71.214) and it shows the software that the Google bot is running.

But from his Apache logs, your friend in Calcutta now knows the IP address of your machine. He also know the browser software you are running. From an "nmap scan" of your IP address, he will fingerprint your machine's TCP/IP response. From this he will discover the exact version of operating system that you are running.

He will invariably use all of this information in some nefarious way. A common technique is to perform a "port scan" to discover any open services on your machine. Perhaps you have left an ftp or irc server running that is vulnerable to a "globbing" attack or a buffer-overflow attack. From a second type of port scan, a "nessus scan", he will learn exactly which network services "listening" on your machine are vulnerable to attack.

Exploiting one of the vulnerabilities he unearths from these scans, your Indian friend will then install a back door into your machine.

That back door will allow him to gain access at any time to your machine. He will be able to read your emails, recover your online banking passwords and your paypal, ebay and hotmail passwords. He can plant child pornography on your drive. He can send spam from your machine that bears your name. Or he can use your machine as a zombie from which to launch attacks on other machines, and so on..

One very famous piece of backdoor software is called "Back Orifice". It's probably obsolete now, but in its day, while very simple, it was also very powerful... All it did was "bind a shell to a port".

Once the backdoor is installed, the attacker simply telnets to some arbitrary TCP port on your machine where he has bound the Back Orifice shell. He is then presented with an MSDOS prompt..... C:/>

At that prompt, he can issue any command he wishes on your machine. He can open sockets to other machines, and he can download new software on to it. In essence he can use your machine just as if it is his own.

Has anybody expressed their concerns over this operation to the National Hi-Tech Crime Unit at the Serious Organised Crime Agency?


.

[gaming_guy]

Quote:

Originally Posted by asbokid

But from his Apache logs, your friend in Calcutta now knows the IP address of your machine. He also know the browser software you are running. From an "nmap scan" of your IP address, he will fingerprint your machine's TCP/IP response. From this he will discover the exact version of operating system that you are running.

i thought most routers blocked port scans??

also, wouldn't the fingerprinting be done against the router?

[bowensy]

i had a phone call from them two weeks ago and the man said my computer is infected he wanted me to enter some letters and numbers and run this, i kept asking him where he got my number from and what company he was from. i hung up the first time but he was persistant and kept calling and telling me to do what he said, i kept questioning him and got quite nasty with me.
since then i have had two more calls from them, using different tactics, i just put the phone down now, although they do keep ringing back and asking for my husband or the owner of the property.
two of my friends have also been contacted and we are all with talktalk.
talktalk have been contacted and they say they are nothing to do with them and to hang up on them

[juliamarsh]

I received a phonecall from them this afternoon and I am wondering if it is no coincidence that several of the people who have posted comments on here are with talktalk. I am with onetel which is now part of talktalk. Who knows, maybe a talktalk employee has accepted a backhander to provide this company with a list of names and phone nos of its customers, it would explain how they have got hold of our names and phone nos which I must admit did cause me some concern. Are any other people who have been contacted by this company talktalk customers?