Boomerang spam bombs Malwarebytes forum—not a smart move

LASER_oneXM

Feb 4, 2016
Tech support scammers are generally not the best and brightest. As such, they will occasionally post ads for their fake companies in the comment sections here or on the Malwarebytes forums. Last week, however, scammers struggled with configuring their spambots, resulting in spam bombs on the forum lasting roughly 72 hours, with a slow taper down for two more days.

Over six days, 246 spam accounts associated with this activity were banned. We wondered what threat actor group would exercise such phenomenally poor judgment, so we drilled down a bit into who these people are.


As it turns out, the majority of the spam was posted for a threat actor we were already familiar with: Boomerang Tech Solutions. Boomerang scams using an AV theme, so they need to use the Malwarebytes brand to appear properly comprehensive to victims. They will also look to legitimate AV customers for scam targeting. Over the past year, Boomerang has:

  • Posted ads to our forums
  • Posted ads to blog comment sections
  • Maintained Twitter accounts to direct traffic to their domains
  • Monitored the Facebook pages of various AV companies to find customers requesting tech support. They then targeted those customers with linked phone numbers, claiming to be the company in question.
  • Made outbound calls to victims as Malwarebytes, then subsequently deleted MBAM from victim systems

As you can imagine, this behavior has not endeared them to US-based merchant processors, leaving them with pay by check as the primary payment option. (More on why alternative payment options tend to be bad here.)
 
