Hello Scam Baiting Community!
Linda here coming to you with another full report.
The popup came from this link:
[Popup page appears to be dead now]
Phone number is as follows: 888-664-9624
The popup was a typical one that claimed to be a notification from Microsoft Security Warning claiming that your computer was infected by the “Zepto” virus.
The scammer on the other end did his typical script and connected to my computer. He proceeded to perform NETSTAT and claimed that my IP address was corrupt and that my computer needed to be fixed right away. After telling the scammer that I would purchase a 3 year plan, he proceeded to take my payment.
First he tried running my fake details through PayPal:
This is where I see the fake address associated with said company. I’ll be reporting this account to PayPal’s fraud department.
After PayPal failed, the scammer tried processing my fake details again from another payment gateway.
The name of the second website is most likely another website that these scammers registered under a second name/brand.
After some research, it is revealed that the payment gateway used in the attempt to process my fake details for the second time is associated with a payment gateway company in China.
So after the payment attempts obviously failing, I assumed it would be time for me to call them out and start the usual yelling match. Not surprisingly though, the scammer advised that I would need to purchase Google Play cards from my nearest department store. I decided to continue following through, so I told them that yes, I’ll go buy them. Of course they went through the typical speech of telling me that I can’t tell the cashier why I need to purchase so many Google Play cards. I told the scammer that I would need approx 45 mins and he said that he would call me back.
As soon as I hung up, the scammer proceeded to type “What is my IP?” into Google in an attempt to find my location! LOL. After that, he proceeded to use the black screen tool on my VM. I did some research while I waited for them to call me back.
In around 40 mins the “billing manager” promptly called me back. I provided him with some made up numbers and letters for the 3 $100 Google Play cards. Apparently he didn’t try redeeming them right away, so he went ahead and created my so called “customer profile” and advised that a technician would begin work on my computer.
So the technician who calls himself John Peterson starts working on my VM. The first thing he did was open up a Mega cloud drive acct to download a folder onto my VM. Here is what he downloaded:
During the process, the billing manager finally calls me back to tell me that the Google Play Card codes don’t work. I once again thought that it would be time to call them out, but to my surprise, he advised that the technician can provide a temporary fix for my VM. I said that Walmart was already closed, so he said that he’ll call me back the next day so I can figure out what to do about paying them. LOL!
So John Peterson the tech continues to go through his entire folder until he’s installed them all. He also deletes Malwarebytes as well as SuperAntiSpyware from my VM! HAHA!
Before he disconnects from my VM, he leaves me with the following information on my desktop:
After John Peterson disconnects from my VM, I decided to use VirusTotal to see if any of the applications that he put on my VM contain any malware / trojans / viruses. Here are the results:
Everything else appears to be clean, but 2 of the items in the folder he downloaded onto my VM contained Trojans. One of the items in his folder, which contained 2 trojans, was inside a zip file. This leads me to believe that it is possible that the files inside may have been crypted to avoid antivirus detection.
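As an added example for anyone doing the same kind of check on a VM afterwards (this is my own script, not part of Linda's post and not anything the scammer dropped): the Python below hashes every file in a folder and also every member inside any zip archive it finds, so each nested file can be looked up on VirusTotal by its own SHA-256 instead of only the archive's hash. It also measures byte entropy, since a "crypted" or packed payload inside a zip tends to sit near 8 bits per byte while ordinary text does not. The sample folder, the file names, and the 7.2 entropy threshold are constructed assumptions for the demo.

```python
import hashlib
import io
import math
import os
import tempfile
import zipfile
from collections import Counter

# Note: all file names below are constructed for the demo; the real dropped
# folder from the post is not reproduced here.

def sha256_hex(data: bytes) -> str:
    """SHA-256 of a blob; this is the value to paste into VirusTotal's search box."""
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Average bits per byte (0..8). Plain text sits around 4-5;
    compressed, packed or encrypted payloads approach 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inventory_blob(name, data, results, inside=None):
    """Record one blob and, if it is a zip archive, every member inside it,
    so nested files get their own hash instead of hiding behind the archive's."""
    buf = io.BytesIO(data)
    is_archive = zipfile.is_zipfile(buf)
    entry = {
        "name": name,
        "inside": inside,          # name of the containing archive, if any
        "size": len(data),
        "sha256": sha256_hex(data),
        "entropy": round(shannon_entropy(data), 2),
        "is_archive": is_archive,
    }
    results.append(entry)
    if is_archive:
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    inventory_blob(info.filename, zf.read(info), results, inside=name)
    return entry

def inventory_directory(root):
    """Walk a folder (e.g. the one a 'technician' left behind) and inventory every file."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                inventory_blob(os.path.relpath(path, root), f.read(), results)
    return results

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1")

def flag_entry(entry, entropy_threshold=7.2):
    """Rough triage hints; a VirusTotal lookup of the hash is still the real check.
    Archives themselves are skipped for the entropy test because compressed
    containers are always high-entropy regardless of what they hold."""
    reasons = []
    if not entry["is_archive"] and entry["entropy"] >= entropy_threshold:
        reasons.append("high entropy: possibly packed or encrypted")
    if entry["inside"] and entry["name"].lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("executable delivered inside an archive")
    return reasons

def build_sample_dir():
    """Constructed sample folder standing in for the dropped files."""
    root = tempfile.mkdtemp(prefix="dropped_")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("Your computer has been fixed. Call us back tomorrow.\n" * 20)
    # 4096 bytes with every byte value equally frequent: entropy exactly 8.0,
    # which is what a crypted payload looks like to this measure.
    opaque = bytes(range(256)) * 16
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("cleaner.exe", opaque)
        zf.writestr("notes.txt", "installer notes\n")
    return root

def report(root):
    """One row per file: (name, containing archive, sha256, entropy, triage flags)."""
    entries = inventory_directory(root)
    return [(e["name"], e["inside"], e["sha256"], e["entropy"], flag_entry(e)) for e in entries]

if __name__ == "__main__":
    for row in report(build_sample_dir()):
        print(row)
```

Run it against the folder the technician left on the VM instead of the sample directory and paste each sha256 into VirusTotal; the nested members are what VirusTotal's archive scan may not have rated individually, and the entropy flag only tells you which ones deserve a closer look, not whether they are malicious.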
Here are the descriptions of the trojans from Microsoft and anti-virus websites:
As of right now, I’ll be waiting for the “billing manager” to call me back tomorrow. I’ll be updating this post if I have any more information. Anyways, hope you’ve enjoyed this long read and if you have any additional suggestions for how to troll with them tomorrow feel free to leave them in the comments down below.