Malware found in Office Depot malware scans…not really

Office Depot and its tech partner tricked customers into buying unneeded tech support services by offering PC scans that gave fake results, according to the Federal Trade Commission. Consumers paid up to $300 each for unnecessary services.

Office Depot malware scans were rigged

The FTC yesterday announced that Office Depot and its software supplier, Support.com, have agreed to pay a total of $35 million in settlements with the agency. Office Depot agreed to pay $25 million while Support.com will pay the other $10 million. The FTC said it intends to use the money to provide refunds to wronged consumers.

Between 2009 and 2016, Office Depot and OfficeMax offered computer scans inside their stores using a “PC Health Check” software application created and licensed by Support.com.

“Defendants bilked unsuspecting consumers out of tens of millions of dollars from their use of the PC Health Check program to sell costly diagnostic and repair services,” the FTC alleged in a complaint that accuses both companies of violating the FTC Act’s prohibition against deceptive practices. As part of the settlements, neither company admitted or denied the FTC’s allegations.

The FTC filed its complaint against the companies in US District Court for the Southern District of Florida, while at the same time unveiling the settlements with each company.

“Infections” found on brand-new PCs

KIRO 7 in Seattle aired an exposé on the practice in November 2016. The news station found that Office Depot stores claimed to find infections in brand-new computers that had never been connected to the Internet.

The stores offered PC Health Check scans for free, while claiming the value of the scans was between $20 and $60. But PC Health Check was configured to tell consumers their computers were infected regardless of what any scan showed, according to the FTC. At the beginning of each scan, consumers were asked if they experienced PC problems such as repeated crashes or slowness. Any yes answer in that survey guaranteed that the program would flag a problem with the user’s computer.

“[W]hile Office Depot claimed the program detected malware symptoms on consumers’ computers, the actual results presented to consumers were based entirely on whether consumers answered ‘yes’ to four questions they were asked at the beginning of the PC Health Check program,” the FTC said. “These included questions about whether the computer ran slow, received virus warnings, crashed often, or displayed pop-up ads or other problems that prevented the user from browsing the Internet.”

Obviously, a PC user who brings a computer to a store for a malware scan is likely to suspect that there is a problem, and thus likely to check one of those boxes. If a box was checked, the software falsely told customers that PC scans found “malware symptoms” or “infections” even if computers weren’t infected, according to the FTC.

PC Health Check “tricked those consumers into thinking their computers had symptoms of malware or actual ‘infections,’ even though the scan hadn’t found any such issues,” the FTC said in a blog post. “Many consumers who got false scan results bought computer diagnostic and repair services from Office Depot and OfficeMax that cost up to $300. Support.com completed the services and got a cut of each purchase.”

 

Screenshot from Office Depot's PC scanning program.

Office Depot and OfficeMax merged in 2013. Even before the merger, both were using Support.com, which provides “cloud-based software and technical support services” directly to consumers and indirectly through clients such as office supply retailers, the FTC said.

Software provided limited “optimizations”

Office Depot “tech experts” told customers that PC Health Check would “optimize” their computers, but in reality the software “did not run complete diagnostics on consumers’ computers,” the FTC said. Some later versions of the software did some “limited optimizations… such as removing junk files and reconfiguring certain settings.”

After displaying fake scan results to consumers who had checked any of the four boxes, PC Health Check “also displayed a ‘view recommendation’ button with a detailed description of the tech services consumers were encouraged to purchase—services that could cost hundreds of dollars—to fix the problems.”

In some cases, store employees checked the boxes themselves, guaranteeing that the software would produce a warning, the FTC complaint said. “Defendants trained Office Depot and OfficeMax store employees on how to utilize the PC Health Check Program and instructed store employees to check any of the Initial Checkbox Statements that applied based on the consumer’s responses,” the complaint said. “Consistent with their training, Office Depot and OfficeMax store employees read each of the Initial Checkbox Statements once the program began and selected the corresponding box based on the consumer’s response.”

FTC: Office Depot disregarded complaints

The companies were aware of complaints for years but kept on using the deceptive software to trick consumers, the FTC said.

“For example, one OfficeMax employee complained to corporate management in 2012, saying ‘I cannot justify lying to a customer or being TRICKED into lying to them for our store to make a few extra dollars,’” the FTC alleged. “Despite this and other internal warnings, Office Depot continued until late 2016 to advertise and use the PC Health Check program and pushed its store managers and employees to generate sales from the program.”

In May 2013, OfficeMax warned its stores not to use the PC Health Check Program after customers received a “repair.” OfficeMax explained to the stores that if “any of the questions at the beginning of the [PC Health Check Program] are checked, it will automatically suggest a Software repair,” because the “tool ‘assumes’ there is an infection based on questions asked,” the FTC complaint said.

The Florida Attorney General’s office informed Office Depot of complaints about its tech support services in 2013. In 2014, an Office Depot store employee suggested that the company reconfigure PC Health Check “so it does not come back with false positives and/or Diag+Repair every time,” and the suggestion was escalated to corporate management. Another employee complaint was escalated to Office Depot management and Support.com in 2015, according to the FTC.

“Despite these complaints and concerns, the Office Depot Companies instructed its store employees to continue to advertise the free tune-up service, continue to run PC Health Check Program on computers brought into the stores, and to convert 50 percent or more of all PC Health Check runs into tech-support service sales,” the FTC alleged.

Stores censured for not meeting sales goals

Employees who pushed the scans got “positive performance reviews” and “extra commissions” if they “met their weekly PC Health Check runs and tech-support service sales goals,” the FTC said. “At the same time, the Office Depot companies censured store managers and store employees who continually failed to meet these company-wide targets.” Stores that failed to meet their targets were subjected to “‘underperforming’ calls with the stores’ managers that reproached their stores’ performances.”

When Office Depot sought additional revenue, “it instructed its stores collectively to raise millions of dollars in profit by increasing the number of PC Health Check services performed and the rate of converting the PC Health Check services into tech-service sales,” the FTC said.

In November 2016, Office Depot suspended its use of PC Health Check after KIRO 7 “aired a series of investigative reports about the tech service divisions of Office Depot stores in Washington and Oregon that were flagging malware or malware symptoms on computers that were, unbeknownst to the stores, brand new and straight out of the box,” the FTC said.

Instead of providing assurances that Office Depot wouldn’t continue the practice, “the senior manager at the Office Depot companies primarily responsible for procuring tech-support vendors testified, under oath, that it would be proper for the company to continue offering the same PC Health Check to consumers even after the KIRO 7 news report,” the FTC said. Office Depot finally severed its relationship with Support.com in 2017, but the office chain bought another tech-support company and is “continuing to offer computer diagnostic services and sell computer repair services.”

The FTC said the settlement prohibits Office Depot “from making misrepresentations about the security or performance of a consumer’s electronic device and requires the company to ensure its existing and future software providers do not engage in such conduct.” The settlement requires Office Depot to submit to compliance monitoring. Support.com faces similar provisions in its settlement with the FTC.

Reposted from https://arstechnica.com/tech-policy/2019/03/office-depot-tricked-people-into-buying-pc-support-with-fake-virus-scans/.