Indian Scammers



  • So I get several calls a day from Indian scammers (it's the new 419 scam). I usually ignore it, sometimes I mess with them. Unfortunately Verizon Wireless doesn't support ringing multiple phones at the same time, so I can't use a service to disconnect their calls. Works great on the home line though. Truecaller works pretty decent on the cell phone.

    So today, my nanny tells me she got a virus. At first I ignored it, since there wasn't much I could do for her remotely. Then she described to me what really happened and I understood.

    She went to her bank site, but mistyped it, clicked on some random link, etc. A popup went up and said not to close the window and to call a # in 5 minutes or her whole hard drive will be wiped. You know the ones. Obvious scam to most of us, but not so obvious to regular people.

    So she called them, did a remote session and paid $170 using her debit card.

    I, of course, immediately told her that it was a scam, that she needs to call the bank, dispute the charge and report the card as stolen. Hopefully she will get at least most of the $170 back. My bigger worry is that they have now stolen her card and will proceed to empty out the account. They also likely used the remote session to install some sort of malware, maybe even a cryptovirus. I told her to shut down her laptop ASAP and that I would take a look at it when I get a chance.

    Have you guys had any experience with these scams? I always wanted to mess with them and give them a VM to play with so I could analyze what they do, but I'm afraid to set one up without a VLAN, and too lazy to mess with VLANs.

    Do you guys know what they usually do? Is it limited to just the $170 or are my worst fears correct - they are draining her checking account and encrypting her files as we speak?



  • Also what are the tools of choice these days for cleanup. I'm thinking of taking the drive out first and cloning it. Then use Spybot S&D and some kind of AV. Any recommendations?





  • @TimeBandit said in Indian Scammers:

    @dangeRuss https://www.malwarebytes.com

    I know better than to click some random links on some forum...

    I've heard of these guys before. Are they better than Spybot?


  • Impossible Mission Players - A

    @dangeRuss I know the computer shop I worked at converted from using Spybot S&D to MBAM about 2 years ago, and I haven't heard anything since then to indicate that MBAM had lost its edge for post-disaster cleanup.

    Obviously, the exact correct tool / steps are going to depend on what MBAM shows on the initial pass. I would expect they didn't do much beyond installing a dropper / rootkit or such, but I don't have enough experience with the results of taking the hook to definitely say what to expect.


  • area_pol

    @dangeRuss Maybe mount the drive (but not boot from it), copy your files, erase the disk, reinstall OS.




  • SockDev

    @dangeRuss said in Indian Scammers:

    Do you guys know what they usually do? Is it limited to just the $170 or are my worst fears correct - they are draining her checking account and encrypting her files as we speak?

    Honestly the $170 is probably the worst of it, but..... that's not necessarily the case, so better safe than sorry: dispute the charge, get the bank to do their thing to protect or change the account, and nuke the PC.

    If you're extra special paranoid, actually destroy the PC; there is malware that hides in EFI BIOSes and HDD controller chips these days that survives simple reinstalls.



  • @dangeRuss said in Indian Scammers:

    I always wanted to mess with them and give them a VM to play with so I could analyze what they do, but I'm afraid to set one up without a VLAN, and too lazy to mess with VLANS.

    The ones I've messed with wanted to install TeamViewer or something like that so they could remotely take over my computer. Once I tried to run it with WINE but it didn't do anything. They always get really confused and upset when I tell them that Win+R doesn't do anything. It's funny, because they're really careful to make sure you have that "C, T, R, L" key and not an Apple key, but the idea that anyone could be not running Windows just blows their minds, even when I flat out tell them that I run Linux and not Windows.

    Classic.


  • area_pol

    @boomzilla said in Indian Scammers:

    Once I tried to run it with WINE

    There is TeamViewer for Linux.
    Let him connect, then open vim and see if he can quit it :)



  • @Adynathos Or ed:

    golem$ ed
    
    ?
    help
    ?
    ?
    ?
    quit
    ?
    exit
    ?
    bye
    ?
    hello?
    ?
    eat flaming death
    ?
    ^C
    ?
    ^C
    ?
    ^D
    ?
    

  • area_pol

    @boomzilla said in Indian Scammers:

    ed

    Wow, whatever I try it always says ?.
    Oh, if I enter h, it says Invalid address, did I win?
    EOF kills it, though I doubt the scammer would know how to write EOF on Linux.



  • @Adynathos

    Note the consistent user interface and error reportage. Ed is generous enough to flag errors, yet prudent enough not to overwhelm the novice with verbosity.



  • Yeah, those Windows scammers are weird. The first one I had flat out refused to believe I wasn't running Windows on the computer. He didn't even suggest I must be using OS X, he just kept his position that I was running Windows and he would not budge no matter how many times I told him no.

    My friend who also got called by them gave them access to his freshly installed Ubuntu, where they proceeded to click around completely confused trying to find their way around and getting more and more frustrated by how none of the Windows stuff was working at all. Finally, they said that "Your computer is completely broken." and ended the call.



  • @dangeRuss said in Indian Scammers:

    Are they better than Spybot?

    Yes, in my experience.

    I've also used a Linux live CD and scanned the machine with ClamAV.

    With the advantage that the infected OS is not running.



  • @TimeBandit said in Indian Scammers:

    @dangeRuss said in Indian Scammers:

    Are they better than Spybot?

    Yes, in my experience.

    I've also used a Linux live CD and scanned the machine with ClamAV.

    With the advantage that the infected OS is not running.

    Thanks, I finally got a live CD to load, making a drive image now. Should I then mount the image in Linux and run the virus scan?

    BTW I booted up to Windows and it looks like they installed some stuff like an older version (probably cracked) of Malwarebytes. Now they either installed an older version because

    a. that's the only one they could crack.
    or
    b. they installed an older version that could not detect the malware they installed.

    I immediately installed the latest and started a scan, and it didn't find anything, but I never let it finish, instead opting to try to get the live CD booting again (which I've now done).



  • @dangeRuss said in Indian Scammers:

    Thanks, I finally got a live CD to load, making a drive image now. Should I then mount the image in Linux and run the virus scan?

    First, update ClamAV's database, then mount the Windows HD and do a full scan.

    BTW I booted up to Windows and it looks like they installed some stuff like an older version (probably cracked) of Malwarebytes. Now they either installed an older version because

    a. that's the only one they could crack.
    or
    b. they installed an older version that could not detect the malware they installed.

    Probably b

    I immediately installed the latest and started a scan, and it didn't find anything, but I never let it finish, instead opting to try to get the live CD booting again (which I've now done).

    I've had great success with Malwarebytes. If you let it do a full scan, it will most probably find whatever backdoor/Trojan/virus they installed.

    Between that and ClamAV, you can be 99% confident that your machine is clean IMO.
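    As an added example (not code from the thread or from ClamAV), the steps in that post as a POSIX shell script for a Linux live CD: mount the Windows partition read-only, update signatures, run a full scan, then hash whatever clamscan flags so each hit can be checked against a second opinion. The device path, mount point and log path are assumptions, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: offline ClamAV scan of a Windows disk from a Linux live CD.
# Assumptions: clamav and ntfs-3g are installed on the live system, and the
# Windows partition (e.g. /dev/sda2, or a loop device for the image) is passed
# to scan_windows_disk. Mount point and log path are placeholders.
MNT=${MNT:-/mnt/windows}
LOG=${LOG:-/tmp/clamscan.log}

# Mount read-only with noexec/nosuid/nodev: nothing on the suspect disk is
# modified, and nothing on it can be executed by mistake while we work.
mount_windows_ro() {
    mkdir -p "$MNT"
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$1" "$MNT"
}

# Update the signature database first, then scan recursively (-i prints only
# infected files). clamscan exits 1 when it finds something, which is not a
# script failure, so only other exit codes abort.
scan_windows_disk() {
    mount_windows_ro "$1"
    freshclam
    clamscan -r -i --log="$LOG" "$MNT" || [ $? -eq 1 ]
    umount "$MNT"
}

# clamscan reports one "<path>: <signature> FOUND" line per hit; pull out the paths.
list_hits() {
    grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

# Hash every flagged file that still exists so each hash can be checked against
# a second opinion before deciding whether the hit is real (the thread's ClamAV
# hits turned out to be false positives).
hash_hits() {
    list_hits "$1" | while IFS= read -r path; do
        if [ -f "$path" ]; then sha256sum "$path"; fi
    done
}

# Constructed sample of clamscan output, for trying list_hits without a real scan.
sample_log() {
    cat <<'EOF'
/mnt/windows/Users/nanny/Downloads/setup.exe: Win.Trojan.Agent-1 FOUND
/mnt/windows/Windows/notepad.exe: OK

----------- SCAN SUMMARY -----------
Infected files: 1
EOF
}
```

Run `scan_windows_disk /dev/sdXN` as root from the live CD, then `hash_hits "$LOG"` for the list of flagged files and their SHA-256 hashes.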



  • I played dumb with one scammer that called me. I told him that I didn't have any viruses, and he insisted that I did, so I allowed him to give me directions to show me the "viruses" on my computer. He had me open up the Windows Event Viewer and find the log of (totally normal) application warnings and errors. At this point I actually laughed out loud, to which he simply replied, "F*** YOU!!" and hung up.

    Then there was the scammer who insisted that their servers had detected that I had viruses, even on a computer that had never been connected to the Internet (and couldn't, because it had no network card).

    Claiming to have a Linux or Mac usually confuses them. I've had some insist that I actually had a Windows computer, while others simply ended the call because I got them off their script.



  • @boomzilla said in Indian Scammers:

    It's funny, because they're really careful to make sure you have that "C, T, R, L" key and not an Apple key

    Their check is that you have a Ctrl key on your keyboard and not an Apple key? I wish them good luck weeding out Mac users that way:

    0_1489311288427_MB110N.jpeg



  • @Gurth said in Indian Scammers:

    Their check is that you have a Ctrl key on your keyboard and not an Apple key?

    Or it might be what's next to it. I just remember them spelling it out.



  • @boomzilla Even that’s funny if they do it in North America, since the Ctrl key on Apple keyboards there has the full word “control” on it.

    And it makes me think of a friend of mine who, a long time ago, momentarily confused several of us when he talked about pressing “sutterul-alt-del.”



    So I scanned the laptop from Linux with ClamAV which found a few trojans, but upon checking viruscount they turned out to be false positives.

    Did a full scan with Malwarebytes.

    Did a full scan with Kaspersky.

    Found nothing.

    They did have the attached PDF on there as well as a custom version of GoToMyPC that had their #.

    0_1489371739524_New York Computer Repair.pdf

    In case you don't want to open the PDF (which theoretically can have a virus on it, which none of the scans found), here is the text.

    TECHNICAL SUPPORT
    Our Toll Free Numbers:- 1-844-712-5371 1-800-801-3129
    Agent support – 1-361-402-0561 1-361-402-8306
    Hours of operation – 5 Days a week 10:00 AM to 7:00 PM Eastern Time
    Support Website – www.newyorkcomputer.services
    Support Email – info@newyorkcomputer.services
    Billing Email – electronicssolutionsonline@gmail.com
    Fax – 1-361-451-5789
    Merchant Name appears on your bank statement as "Online Electronic Solutions"
    Important Note:
    1. Please call us back at least once in a 3 months so we can do a regular maintenance on the computer.
    2. Never give control of your computer to anybody else. In case you need help then call our toll free
    number only.
    3. Online Electronics Solutions will not be held responsible for any damages done by any other technical
    support.
    Be Aware Of Scammers:
    1. Since there are lot of scams going on these days so please be aware that in case you receive calls from
    people claiming from Microsoft, Dell, Lenovo, Sony, HP, Apple etc. or they can even say some company
    name. Please do not entertain their request and make sure not give control of your computer at any
    cost.
    2. Never entertain any computer related calls to you. You should only call us on our toll free number
    when you need help.
    3. We will never cold call you saying "something is wrong with computer or we need to check computer".
    Only you should call us when you need any help.
    With your support and understanding we will be able to make a difference - Charge one. 
    

    So I guess it's a halfway honest company (I guess they've got to be, to not get their merchant account cancelled). It's just their advertising that's scammy. Maybe the advertising is not even being done by them, but by a bad affiliate. Reminds me of the way drug dealers work: one guy takes the money, another guy gives the drugs.



  • @dangeRuss said in Indian Scammers:

    So I guess it's a halfway honest company

    Not given the way you described them in the OP, though I might accept that they do some legitimate business in addition to this scam. They seem to have a presence on facebook and the web. Or maybe the scammers are just claiming to be those guys.



  • @boomzilla said in Indian Scammers:

    @dangeRuss said in Indian Scammers:

    So I guess it's a halfway honest company

    Not given the way you described them in the OP, though I might accept that they do some legitimate business in addition to this scam. They seem to have a presence on facebook and the web. Or maybe the scammers are just claiming to be those guys.

    Well they probably do a legitimate business, but business might be slow, so they are using some unethical methods to "advertise". Or maybe they hired some blackhat SEO company, or an affiliate.

    I also like how they ask you to call them back every 3 months. I wonder how much they charge for this "regular maintenance".



  • @dangeRuss said in Indian Scammers:

    people claiming from Microsoft, Dell, Lenovo, Sony, HP, Apple etc. or they can even say some company name.

    Unlike Microsoft, Dell, Lenovo, Sony, HP, Apple...



  • @dangeRuss said in Indian Scammers:

    Agent support – 1-361-402-0561 1-361-402-8306

    I like how a company called New York Computer, supposedly located in White Plains, NY, has a Texas area code. I mean I know it's all VoIP and routes to India anyway, but how hard is it to get a phone # where you claim you are?

    I wonder if this is just another layer in the shell. There's one main company that provides tech support, and people resell their services however they want. So these guys put up a "marketing site" www.newyorkcomputer.services, bought some blackhat SEO advertising, meanwhile all billing issues and actual service is handled by the main corp.

    Wonder how much they make on this. Must be nice margins with $170 per call...



  • Actually what's interesting is that none of the #'s on the website match the #'s that they give in the PDF.

    I wonder if they are just pretending that that's their website...



    So interestingly enough, Wired ran a related article today:

    Also nice to know Wired is using WordPress...



  • Their research offers new measurements of the scope of those scams, which count revenue in the tens of millions of dollars. It provides methods for identifying the largest scam call centers. And it hints that the best way to attack the problem may be preventing scammers from generating new phone lines.

    Wouldn't preventing them from being able to obtain merchant accounts be better?

    To find as many of the scam sites as possible, the researchers built a software tool they called “ROBOVIC” (or “robotic victim”) to automatically visit millions of websites in search of tech-support scam pages.

    ROBOVIC, meet Jolly Roger:

    If only someone put the two of them together, we can really put a dent in this scam problem.





  • @dangeRuss said in Indian Scammers:

    So I guess it's a halfway honest company

    Anyone that pays that is almost guaranteed to really have some malware anyway.



  • @fbmac said in Indian Scammers:

    @dangeRuss said in Indian Scammers:

    So I guess it's a halfway honest company

    Anyone that pays that is almost guaranteed to really have some malware anyway.

    I don't know. I think a lot of people haven't been exposed to this before because they don't go to "those kinds of sites". Then once they hit a typosquatted domain, they get tricked. So these people probably don't download a lot of software, but believe that you can get a virus from a webpage (which to be fair you can sometimes, especially with older versions of IE, or unpatched Flash, Java, etc.)

