Security researchers, vendors and everyday users usually work together in order to keep their computers safe and thwart cybercriminals. But according to two damning reports, the retail chains Office Depot and OfficeMax may have breached that trust.
Two undercover investigations appear to have caught store employees red-handed at charging exorbitant prices to get rid of malware on machines that were, in fact, totally clean — tech-support scams no different from those conducted by shady call centers in India.
These revelations come from KIRO-TV 7 News in Seattle and its sister Fox affiliate, WFXT-TV Fox25 in Boston. Shane Barnett, a whistle-blower who worked at Office Depot in the Seattle area, let KIRO-TV in on the retail chain's secret: Technicians would scan users' computers, find "malware" and other issues, and then charge up to $200 to "fix" the problems.
This isn't the first time Office Depot has been caught scamming customers. In 2009, our sister site Laptop Magazine revealed that customers who refused to buy extended support plans from the chain were told that the specific machines they wanted weren't in stock — even when those models were sitting in that store's stockroom.
In this year's cases, the Office Depot and OfficeMax technicians would often report malware and other problems even when the computers were perfectly clean. Barnett told KIRO-TV that this was standard policy at Office Depot, and that technicians were given a quota of "PPs" — protection plans — to sell every month.
To test Barnett’s assertion, the news organizations sent undercover investigators into Office Depot stores in Washington state and Oregon, and OfficeMax stores in the Boston area. (Office Depot purchased OfficeMax three years ago.) The investigators went to the "Free PC Tune-Up" counters in the stores, told the technicians that their laptops were running slowly, and asked for evaluations.
What the store techs didn't know was that they were inspecting brand-new computers, fresh out of the box.
Most of the technicians nevertheless told the investigators that their laptops were infected with malware, and that the fixes would cost up to $180 apiece. One technician even appeared to note the presence of malware on a record sheet before his scan registered anything.
(To be fair, one store technician noticed that the laptop he was examining was brand-new, and told the customer he was helping to ignore the results of the "health check" software — software that a third-party security expert said almost always returned a result of malware infection, whether any existed or not.)
The KIRO-TV investigators then brought their six test computers, a mixture of Dell and HP machines, to Will Longman, vice president of IT and security at IOActive, a Seattle-based security firm. Longman found no evidence of malware on any of KIRO-TV's machines. One is inclined to trust his opinion, since his company would long be out of business were he unable to detect malware accurately.
While it's not impossible for a single new machine to come pre-loaded with malware (or something that an antivirus scan would mistake as such), it's highly unlikely to find the same phenomenon across a variety of different models and manufacturers. Furthermore, removing most malware does not cost $180 in any reasonable universe. A scan from a free program like Malwarebytes Anti-Malware will do it just fine; even a yearlong subscription to a basic security suite for the average user should cost less than $50 per year.
Office Depot issued a statement that it "in no way condones any of the conduct that is alleged in this report," and "intend[s] to fully review the assertions and take appropriate action." In the meantime, the company has temporarily stopped offering its PC Health Check service.
U.S. Sen. Maria Cantwell, D-Washington, last week wrote a letter to the Federal Trade Commission asking the agency to investigate the allegations.
Whether the fraud was intentional or accidental (or whether there was any fraud at all, although the evidence is compelling), the days of Office Depot and OfficeMax bilking customers through malware scans may be coming to a close. Still, it’s a good lesson: Never trust a big-box store to monitor the health of your PC when you can do it by yourself much more cheaply and reliably.