Tech support scammers are generally not the best and brightest. As such, they will occasionally post ads for their fake companies in the comment sections here or on the Malwarebytes forums. Last week, however, scammers struggled with configuring their spambots, resulting in spam bombs on the forum lasting roughly 72 hours, with a slow taper down for two more days.
Over six days, 246 spam accounts associated with this activity were banned. We wondered what threat actor group would exercise such phenomenally poor judgment, so we drilled down a bit into who these people are.
As it turns out, the majority of the spam was posted for a threat actor we were already familiar with: Boomerang Tech Solutions. Boomerang scams using an AV theme, so they need to use the Malwarebytes brand to appear properly comprehensive to victims. They will also look to legitimate AV customers for scam targeting. Over the past year, Boomerang has:
- Posted ads to our forums
- Posted ads to blog comment sections
- Maintained Twitter accounts to direct traffic to their domains
- Monitored the Facebook pages of various AV companies to find customers requesting tech support. They then targeted those customers with linked phone numbers, claiming to be the company in question.
- Made outbound calls to victims as Malwarebytes, then subsequently deleted MBAM from victim systems
As you can imagine, this behavior has not endeared them to US-based merchant processors, leaving them with pay by check as the primary payment option. (More on why alternative payment options tend to be bad here.)
Our counterfraud team has observed the following Indicators of Compromise (IOCs) related to Boomerang activity:
How Boomerang rips us off
When Boomerang first came on our radar about a year ago, we called them up to see precisely how victims are being targeted. As you can see in the video of our call below, there’s nothing at all original here. Boomerang tells us that we are bedeviled by “illegal connections” sending our data overseas. The only slightly unusual parts are the relatively high quality of their website (most of these guys struggle with HTML), and the phone rep who told us that Malwarebytes does not protect from “viruses coming from the Internet.” Check out the video to see the standard Boomerang pitch.
How to stay safe
First and foremost, be a little extra suspicious of any company that is resistant to accept payment with a credit card. If they can't process credit payments easily, there's probably a good (bad) reason why. If you've had a run-in with these or any other tech support scammer (on our site, forum, or anywhere else), you can find information on what to do next here.
Have you been contacted by someone claiming to be us or our representative? See how to evaluate those claims here. Lastly, if you've dealt with anyone from Boomerang yourself, post to the comments below to let others know your experience. Stay suspicious and stay safe.