A conversation with America Geeks

Credit to Author: William Tsing | Date: Thu, 31 May 2018 16:00:00 +0000

Thanks to NeeP for contributing significant research. You can check out NeeP’s YouTube channel here.

Malwarebytes has written quite a bit about tech support scammers, typically focusing on new scam techniques as they arise with new threat actor groups. But sometimes our research discovers scammers who persist with the same techniques, the same pitches, and the same intellectual property abuse, no matter how many times we catch them.

We first published on America Geeks (then known as Geeks Technical Support) in 2015, noting their attempts to use Malwarebytes’ intellectual property to pose as us and defraud their customers. After a series of takedowns and abuse complaints, we revisited America Geeks in 2016—still using Malwarebytes image assets, still scamming.

And lastly, in March, Malwarebytes Labs researchers found them again using Malwarebytes to sell their scam, this time targeting French users. We were content to continue publishing on America Geeks indefinitely, but then they decided to open a ticket with the Malwarebytes help desk.

In further social media comments that have since been deleted, this person identified as being associated with America Geeks, and was quite concerned about our 2016 post on the company. We did not follow up.

On May 1, our customer support team got a phone call from “Kevin Nash” at the “Better Business Bureau” who informed us that America Geeks was no more, and our 2016 blog post was causing problems for someone who had bought their infrastructure. (At the time, their website was still up and not at all defunct.)

Why the Better Business Bureau would serve as an intermediary between a defunct business’ CEO in one country and a tech company in another was left unexplained. Why “Kevin Nash” had an Indian cell phone number and a heavy Indian accent was left unexplained. We did not follow up.

He provided contact details that we have redacted.

“Kevin Nash” then contacted us as the personal attorney of the former America Geeks CEO. He alleged that Kunal Bansal of America Geeks was at risk of physical harm from our 2016 blog post, and needed us to take it down. Further, America Geeks was shut down, and therefore no longer a threat to anyone. Given the seriousness of the claims, we followed up. Here’s the transcript for three calls conducted with Kevin Nash:

Call one

America Geeks (AG): Hey, this is Kevin. How you doing buddy?

Malwarebytes (MWB): Oh, is this Kevin…Kevin Nash?

AG: Kevin Nash.

MWB: Okay, I’m sorry. Are you calling—are you from the Better Business Bureau? Cause I think that’s what the message I had gotten said.

AG: Uh…no…no no. I’m not from Better Business Bureau, I’m with the legal team with the company that the review is about.

MWB: You’re with the legal team? What company is it? Geek? Geeks? Is it…

AG: Yeah. Okay, so the thing is, that Geeks company is closed. Alright?

MWB: Okay.

AG: That geek company is closed. That business doesn’t exist anymore, and no business associated with that article that is, uh, open. Like we have closed that business. My…self called BBB because my friend works there. It could be that he called because I interested him to. And that probably…

MWB: Okay. Who am I speaking with? Is this Kevin Nash?

AG: Yeah, that’s right. My client owns this company, and uh…that company doesn’t exist anymore. So, uh…his personal information is there on that post. And uh, he got critically attacked by someone as well, due to the, you know, the information there on the post. People got to know about him, knows his business, everything related to that business, now he is, uh, concerned regarding his privacy, you know?

MWB: And What is your client’s name?

AG: Kunal Bansal.

MWB: Okay, um, I’m a little confused. If the company is closed, then what—were you planning on reopening the company? Is that why you want to get rid of the post?

AG: No. The problems of getting that post removed is that his personal details are mentioned on that post. Even the photo is there on the post.

MWB: Okay, I’ll tell you what. If you can send me, send me all the information in the email, and what it is you want us to do, I’ll see what I can do for you. Do you have a phone that doesn’t go to voicemail? You’re a lawyer? And in what state are you practicing?

AG: I’m in California. Marina Del Ray?

MWB: Can you send me the information of your law firm? And um, all the information of the client, and I’ll get back to you as soon as I get that information.

AG: Thank you so much.

MWB: Thank you.

Call two

AG: [Inaudible] This is Kevin Nash.

MWB: Hey yeah, I can hear you. You’re the lawyer for Mr. Bansal?

AG: Kunal Bansal. Yeah, that’s right.

MWB: Okay, what’s the name of your law firm again?

AG: USA Legal Services

MWB: US?

AG: It’s USA Legal Services

MWB: Okay and you’re out of, uh, California?

AG: Yep.

MWB: Do you have an address there in California?

AG: That would be [REDACTED]

MWB: Do you have an office number?

AG: Yes, I have office number, and this is my office number.

MWB: Your office number is the 323?

AG: Yeah that’s my personal, direct line in office.

MWB: Has [Kunal Bansal] made any restitution? On the people that he scammed?

[America Geeks hangs up.]

Call three

AG: Yeah, I’m so sorry, I don’t, the line got blank.

MWB: Well, that’s okay. Okay, so was there any restitution made on behalf of your client?

AG: Well, uh, I’ll need to check once with the department there, and I’ll get back to you, certainly. And I’ll have something emailed to you, within minutes. Alright? [NOTE: Mr. Nash never provided any evidence of restitution, or explanation of who he was checking with if the company was shut down.]

MWB: Okay. Uh, one other question. Okay, so the address you gave me, [REDACTED]. I can’t find a USA Legal Services at that address. Is that the correct address?

AG: That should be [REDACTED SECOND ADDRESS]

MWB: Oh now it’s [REDACTED]?

AG: Talking to me like I’m some criminal or something…

MWB: Listen—I deal with complaints and I’m trying to clarify who you are. I mean, I get a phone call. First of all, the phone call stated that you are Kevin Nash from Better Business Bureau. Now when I call you back you’re Kevin Nash. . .and you’re the lawyer, and then you’re giving me the address for a law firm that doesn’t exist.

AG: [Silence.]

MWB: So yes, I have some reservations that I’m not dealing with a legitimate person. Your emails are coming from a different person altogether. They’re not coming from a law office. They’re coming from “Naresh Kumar.”

AG: I got you, I got you. I have a, let me, let me send you an email.

MWB: Can you explain to me why that I’m getting emails from Naresh Kumar, and you’re saying you’re Kevin Nash?  And you’re a lawyer?

AG: [pause] That’s right. He’s the person who’s dealing with me through Mr. Kunal Bansal. And the reason why you’re not getting any email from my address is because I was having him do that. Now I do have access to my email and if you’ll give me like two minutes, then…restitution is what you’re asking for? I’ll send it to you through my official email wherein I will have my company phone number, as well as my number, as well as company [inaudible]

MWB: What’s your company phone number?

AG: That will be 844-676-LOAN. L-O-A-N. [NOTE: Searches on this number returned hits for mortgage loans and student debt consolidation. We did not redact the number because we believe it to be associated with multiple fraudulent businesses. All websites with this number are now down.]

[Crosstalk]

AG: There’s an alternate too, it’s [REDACTED.]  Law.

MWB: Okay, well, if you can send me the information, Mr. Nash?

AG: I’ll send it to you from a [inaudible] email address this time, alright?

MWB: Okay. Alright, I’ll be waiting for your email address.

Digging into America Geeks ops

After speaking with Mr. Nash, we decided to take a look at how extensive America Geeks operations really were. First and foremost, he provided an Indian cell phone number that popped in Google Cache as a corporate contact on the site https://shopping4kart[.]com.

Passive DNS for that site revealed extensive likely tech support scams.

A survey of historical victim reports using overlapping phone numbers revealed the following business names:

  • America Geeks
  • Geeks Technical Support
  • Mark Software Private Limited, USA
  • Technology LLC
  • Blue Alpha
  • IT Pvt Ltd
  • USA Legal Services LLC

Independent researchers provided us with the following list of phone numbers used by the threat actor group:

[NOTE: Numbers are provided for historical purposes only. Scammers change numbers frequently.]

The America Geeks website was in fact down at the time of Mr. Nash’s phone call. But scammers frequently maintain extensive domain holdings to better shift operations when one domain receives too much attention. America Geeks make frequent use of browser lock screens, but also have a fair number of fake corporate sites to attract natural traffic. The domains used over their lifespan include, but are not limited to:

[NOTE: A number of these domains are historical, and may be down or transferred to a legitimate owner since publication.]

Concluding a review of their historical infrastructure, we found tech support scam complaints relating to Kunal Bansal–related properties dating back to 2012. Although America Geeks’ website is down at the time of writing, we find it unlikely that their scamming has ceased entirely. Instead, it has most likely shifted to a new company name. Given that they had resources sufficient to target users in multiple countries, in their own language, America Geeks appears to have been extremely profitable, and we advise users to be wary of any new company name used by the America Geeks proprietors.

For more on tech support scams and how to stay safe, see the following blog, or check out our forums to report new scam sites and numbers.

The post A conversation with America Geeks appeared first on Malwarebytes Labs.
