The hunt for tech support scammers

Update (05/10/16): The owner of Instant PC Care, Moksh Popli, contacted our legal department with a takedown request for this blog post. He also posted several comments here, which were handled via the Disqus moderation plugin. Interestingly, the IP address Moksh Popli wrote from is the same IP address used by the scammer (collected from the TeamViewer log) who didn't think twice before willingly breaking our computer after we refused to pay hundreds of dollars for "Malwarebytes support."

[Image: TeamViewer log showing the scammer's IP address]

– –

Just when you think you’ve seen everything when it comes to tech support scams, you realize how far the miscreants behind this plague will go to rob innocent people.

A group known as Tech Kangaroos has been impersonating legitimate software companies and charging their victims hundreds, sometimes even over a thousand dollars, for completely bogus software support. In an added twist, the same scammers later call back their customers to offer them a ‘refund’, where they actually steal even more money.

The scammers use search engines and other types of advertising to lure in victims. For example, a query on Bing for certified support for Malwarebytes returns the following top result:

[Screenshot: Bing search result]

This is a fraudulent page which the crooks built by stealing the graphics from the Malwarebytes website and altering it to trick people into calling a toll-free number:

[Screenshot: fake Malwarebytes support page]

There are also several more scam pages, all looking very professional:

The next phase of the con consists of taking remote control of people’s computers and performing a fake security scan as a scare tactic.

[Screenshot: fake security scan]

We called the number and went through the process; it was hard not to notice the constant stream of voices from the boiler room where those so-called technicians operate. Within minutes, we were presented with a bill for over one thousand dollars.

[Screenshot: invoice]

When asked for the name of the company, the technician lied repeatedly, but there were enough clues left for us to find out exactly who they were. One thing was for sure: they weren't Malwarebytes tech support, and they certainly did not like being questioned about it. Sadly, these scammers can't handle rejection well. While still in control of our test computer, the technician quickly disabled all the services and forced a reboot, in an effort to damage our computer.

Customer complaints

A quick lookup for either the phone number or the company name returns dozens of complaints. People have been defrauded and insulted time and time again by this particular group of scammers.

[Screenshot: customer complaint]

Source: 800notes.com

[Screenshot: customer complaint]

Source: community.norton.com

Collecting evidence and fighting back

Traffic analysis during our interaction with the scammer revealed several domains of interest.

  • Scam site: certified.support
  • Phone number: 1-800-277-6232
  • Payment page: onlinetech.support/contact.php (Registrant: mokshtalk@gmail.com)
  • Official company site: techkangaroos.com (Registrant: reemanath@hotmail.com)

The company appears to be located in Singapore, which seems a bit unusual. However, this is not where the call centre is located: a network trace shows that the scammer's IP address is actually in New Delhi, India:

[Screenshot: TeamViewer IP lookup]

(Teamviewer IP lookup from IPligence)

The email address for the payment page, mokshtalk@gmail.com, is tied to an individual called Moksh Popli:

[Screenshot: WHOIS record]

According to his LinkedIn profile [profile was deleted, archive here], Moksh Popli is Managing Director at Instant PC Care. Interestingly, Instant PC Care is tied to onlinetech.support (the scam payment page mentioned earlier):

[Screenshot: DBA record]
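The two pivots used in this investigation, clustering domains by a shared WHOIS registrant contact and matching the IP address in a remote-session log against the IP address of a blog commenter (see the update at the top), can be scripted once the artifacts are in hand. The following is an added example and not part of the original post: the domain names and registrant e-mails are the ones listed above, while the extra `.test` domains, the IP addresses (TEST-NET ranges) and both log excerpts are constructed for illustration and loosely modelled on, not copied from, real TeamViewer and Disqus output.

```python
"""Correlate scam infrastructure: WHOIS registrant pivot + cross-log IP match.

Added example (not the article's own code). Domains/e-mails come from the
article; the extra .test domains, IP addresses and log excerpts are constructed.
"""
import re
from collections import defaultdict

# WHOIS registrant contacts as reported in the article (domain -> e-mail).
WHOIS_REGISTRANT = {
    "onlinetech.support": "mokshtalk@gmail.com",
    "techkangaroos.com": "reemanath@hotmail.com",
    # Constructed entries: one shares a contact, one does not.
    "example-support.test": "MokshTalk@gmail.com",
    "unrelated.test": "someone@example.net",
}

# Constructed remote-session log excerpt (TeamViewer-style, TEST-NET address).
TEAMVIEWER_LOG = """\
2016/04/28 14:02:11.123 1234 S0 Incoming connection from 203.0.113.45:5938
2016/04/28 14:31:07.551 1234 S0 Session closed
"""

# Constructed comment-moderation export (Disqus-style, TEST-NET addresses).
DISQUS_EXPORT = """\
author=Moksh Popli ip=203.0.113.45 message=Please take this article down
author=reader42 ip=198.51.100.7 message=Thanks for the warning
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def cluster_by_registrant(whois):
    """Return {email: [domains]} for every registrant e-mail that appears on
    more than one domain. Case-insensitive, since registrars normalise
    contacts inconsistently. A single-domain registrant is not a pivot."""
    clusters = defaultdict(list)
    for domain, email in whois.items():
        clusters[email.strip().lower()].append(domain)
    return {email: sorted(domains)
            for email, domains in clusters.items() if len(domains) > 1}


def extract_ips(text):
    """All IPv4 addresses found in a log excerpt (port suffixes are ignored)."""
    return set(IPV4.findall(text))


def shared_ips(log_a, log_b):
    """Addresses present in both logs, i.e. the same origin seen twice."""
    return extract_ips(log_a) & extract_ips(log_b)


if __name__ == "__main__":
    for email, domains in cluster_by_registrant(WHOIS_REGISTRANT).items():
        print(f"registrant {email} -> {', '.join(domains)}")
    for ip in sorted(shared_ips(TEAMVIEWER_LOG, DISQUS_EXPORT)):
        print(f"remote-session IP also used by a commenter: {ip}")
```

A shared registrant e-mail is only a lead, not proof of common ownership; privacy-proxy contacts will cluster unrelated domains, so check the matched records by hand before acting on them. The same caveat applies to the IP match: a shared NAT or VPN egress can put two unrelated people behind one address, which is why the article treats it as corroboration alongside the WHOIS and LinkedIn data rather than as the sole link.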

We have reported these websites to the appropriate hosting providers and registrars. We are well aware that those scammers will set up shop elsewhere but we can at least disrupt their business model and more importantly raise awareness.

Besides the actual scam aspect, there’s a concerning trend of rogue technicians breaking people’s computers for revenge. Without a doubt, trolls that try to waste the scammers’ time or simply call up for fun have contributed to this phenomenon.

A more productive and long lasting effort is to research, track and document those scams. In many cases, the FTC goes after entire organizations and takes down their infrastructure, including banking assets.

The official Malwarebytes support page can be found here. For more general information about tech support scams, please visit our help page and feel free to share any experience you may have had.
