You may be familiar with cold calls where someone pretending to be from Microsoft tells you that your computer is infected and needs to be repaired ASAP.
In most cases, if you said you were running a Mac instead of Windows, the scammers would hang up and move on to the next victim.
This might change soon.
We came across a company called Speak Support that advertised its Mac technical support on Bing:
Their website states that they have an “elite band of tech support experts” and that “Apple Consultants are online” waiting for your call:
We decided to pick up the phone to see what level of service they did provide:
As is the case with most online support, the technician requested that we install TeamViewer so he could remotely connect to our Mac and perform the health check:
He then said he was going to check if we had antivirus protection installed on our Mac. We were kind of surprised when he pulled up the Terminal and started typing a… ping command to a website called protection.com:
According to Wikipedia, the ping utility is “used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer.”
The ping command has absolutely nothing to do with a computer being protected with an antivirus. So why use it?
Simple. By ‘pinging’ a website conveniently named protection.com and getting back something that looks like an error message (Request timeout for icmp_seq 0), it drives home the point of “you don’t have any protection on your Mac, you are in trouble!”
The website protection.com does actually exist though, so why does it look like it’s down? One explanation for the failed response is that the admins may have disallowed the ping request. It’s not uncommon for web servers to do so because it is a known attack vector (denial of service with ping of death, ICMP flood or ICMP packet magnification).
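To make the point concrete, here is an added example (not part of the original article) showing that unanswered pings and a working service are independent observations, and that neither says anything about antivirus. The ping transcript, the host name example.test, and the loopback listener standing in for a web server are all constructed for illustration.

```python
import re
import socket

# Constructed sample of macOS ping output for a host that drops ICMP echo requests.
SAMPLE_PING_OUTPUT = """\
PING example.test (192.0.2.10): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

--- example.test ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
"""

def parse_ping(output):
    """Return (timeouts, sent, received) from BSD/macOS or Linux ping output."""
    timeouts = len(re.findall(r"^Request timeout for icmp_seq \d+", output, re.M))
    m = re.search(r"(\d+) packets transmitted, (\d+) (?:packets )?received", output)
    if not m:
        raise ValueError("no ping statistics line found")
    return timeouts, int(m.group(1)), int(m.group(2))

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def interpret(ping_output, tcp_ok):
    """Say what the two observations support; neither reveals antivirus status."""
    _, sent, received = parse_ping(ping_output)
    if received > 0:
        return "host answers ICMP echo"
    if tcp_ok:
        return "ICMP echo unanswered but service reachable: ping is filtered"
    return "no ICMP reply and no TCP connection: host down, filtered, or offline"

if __name__ == "__main__":
    # Loopback listener stands in for a web server, so the demo runs offline.
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        ok = tcp_reachable("127.0.0.1", srv.getsockname()[1])
        print(interpret(SAMPLE_PING_OUTPUT, ok))
```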
To clear things up, I did call protection.com and confirmed that they are not involved with this tech support company.
You can’t seriously call yourselves ‘experts’ or ‘elite’ if you are going to use these kinds of dirty tricks. However, most people have no clue what a ping command is and they might simply believe what the technician did was accurate.
A little more information about Speak Support
While their website states that they are located in the US, they are most certainly based in India as you can see in the registrant records for both speaksupport.com and 121usa.com:
Speak Support’s billing process is a bit strange. “Technical Support Payment” is priced at $1.00 per item for which they added a quantity of 200:
When confronted, the individuals vehemently denied doing anything wrong and even came up with all sorts of ‘good reasons’ to back up the legitimacy of the ping command.
You can watch the full interaction with Speak Support in this video we recorded (for quality-assurance purposes, as they say).
It’s quite possible the next time cold call scammers phone you up, they’ll already have a script made for Mac users as well, just in case.
Speak Support is currently working on tech support for your Android phone and tablet, so it looks like they’re going to have all platforms covered soon.
While remote tech support has its place, there are way too many companies that abuse it. For this reason, we have decided to create a resource page with all the information you need to make a decision before going ahead and giving your credit card information away.
Visit our Tech Support Scams – Help & Resource Page!
This includes all the common techniques used by scammers to ‘force’ a sale when there aren’t any issues to be found. If you recognize any technique from the list that was performed on your computer, you should seriously think twice before going ahead.
If you were already scammed, feel free to use our “Getting help” section to know what to do next.
As always, feel free to share your own experiences with us. We do appreciate your comments and feedback.
Jerome Segura (@jeromesegura) is a senior security researcher at Malwarebytes.