Cyber Criminals Just Came A Callin’ At My House

Sunday, July 17, 2011

Rebecca Herold


I just got off a 30-minute call that came unsolicited from a young-sounding man with a very thick Indian accent who, when I asked him his name, said it was Jason Anderson (doesn’t sound like an authentic name of someone from India). 

He told me he was calling me because there had been a lot of complaints in my area about malicious code damaging operating system software and he wanted to be sure my operating system was not impacted.

I’m sure I made his call a nightmare with all the questions I had for him.  And after he insulted my intelligence (Him: “that little blinking thing; that is where your letters show up when you type.  Look at that please, ma’am.”), I decided I’d just play dumb and go along with him to see what he would have me do.  Oh, and I asked a lot of questions along the way to gather as much information about him and his organization as possible. 

Here are some key facts about the call:

  • His phone number is 201-338-6170.  I told him I had to go to a different part of the house to get in front of my computer, which is how I got his phone number from him; it does not show up on caller ID.  When I called this number someone else (it sounded like) with a very thick Indian accent answered, and then transferred me to “Jason.”
  • His company is EProtectionz (www.eprotectionz.com).  NOTE:  I advise you not to order anything from this site!
  • When I asked him why he called me in particular, he tried to avoid the question or say he was calling to help me.  I persisted.  Finally I asked him if Microsoft had contracted his company to call me.  He then said, “Yes! My company was subcontracted by Microsoft to call me, and that is how I got your information!”
  • He told me to enter “eventvwr” in the command line.  Well, HE didn’t say “command line”…he walked me through how to get there as though I had never touched a computer before. 
  • NOTE: Be on the look-out for a caller such as this who calls unsolicited and tells you to enter “cmd” and also “assoc”.
  • After going through a few more steps, he had me check my CLSID and said, “Is your CLSID number 888DCA60-FC0A-11CF-8F0F-00C04FD7D062?” 
  • Of course I said, in amazement, “Why yes?  How did you know that?”
  • He said, “See!?  I know because I’m trying to help you!  I was asked by Microsoft to help you!  I wouldn’t have known that information otherwise, would I!  That is specific to your computer.  I wouldn’t have known it unless I was asked to help you specifically!”
  • NOTE: Techie friends, correct me if I’m wrong, but isn’t the CLSID code on all MS OS’s, at least late model ones, the same?
  • When he told me to go to https://secure.logmeinrescue.com/Customer/Code.aspx (NOTE: Don’t go to this site unless you’re an information security expert and know what you’re doing) and said he would be happy to tell me the code so I could log into the site, I asked him why I needed to.  He said so he could download software to my computer to scan and clean my operating system.
  • I then said that I would not download software from a site I knew nothing about.  He then tried for a minute or so to convince me, and then finally said, “Well, then close down that screen.”  Me: “What screen?”  Him: “The logmein screen.”  Me: “No, I think I’ll keep it here for a while.”  Him (voice raised): “Close it down now!”  Me: “Why are you yelling at me?”  Him: “Sorry, I wasn’t yelling, that is just how I talk.”  Me: “It sounded like yelling to me.”
  • After a few more minutes of such talk, and yes, he started almost yelling again, I stopped and started telling him about the reasons why I would not do as he asked, and then I started explaining to him about cyber scammers and cybercriminals.
  • Sadly, dear “Jason” then hung up. 

Yes, I will report this scam to the FTC as a type of phone fraud: http://www.ftc.gov/bcp/edu/microsites/phonefraud/report.shtml

Please be on the lookout for this scam!  I don’t want you to fall for what is a pretty convincing reason from these crooks for why you should accept their “help”; this guy was pretty good at social engineering.  

If you DO receive a call, please report it at http://www.ftc.gov/bcp/edu/microsites/phonefraud/report.shtml so these crooks can be caught.  The more evidence against them, the better.

Cross-posted from Privacy Professor

Kevin McAleavey And now for the other side of the scam. That call wasn't a random dial. Folks in the security business are still looking into this but the bottom line is that victims of these calls merrily input their phone number on a site that needed that "for verification" or to "win prizes."

What happened to you is becoming *very* widespread and that's the one thing all victims so far had in common. Of course triangulating _who_ it is that's harvesting and reselling the numbers is the remaining mystery. But so far in interviewing about fifty people who've reported this, ALL of them remember being asked recently for their phone number but no common denominator has been determined so far.

It would be most interesting if they can be (forgive me here) "backtraced."
1310970900
madeline sawyer Really?? I also placed my number on a certain site where I am very eager to win on a promo. Whoa! What can I then do to avoid these cyber criminals?? I hate being bothered by the thought that they might have access to some of my accounts. I guess these problems are also brought on by the recession we are suffering from. Many criminals tried hard to look for vulnerable victims and I hope that doesn't include me. Anyway, just wanna share with you that we can still be able to make a living for those who were in the middle of financial crisis; we all know that foreclosure rates continue to be astronomical as several of us scurry like mice before the lending institution's menacing plow. It is also a fantastic option if you are able to purchase in. Read on and learn the way to finance a foreclosure residence. I found this here: How to finance a foreclosure property
1310974683
Vulcan Mindm3ld @Madeline... are you serious? Are you being facetious or are you simply trying to spam an information security website?
1310980800
Javvad Malik Great write-up Rebecca thanks, it's always interesting to hear how these scammers operate from first hand experience.

1310982617
Anup Shetty Creepy old scamming technique on the rise again...
The guardian reported this a few months back too

http://www.guardian.co.uk/technology/blog/2011/mar/01/microsoft-virus-scam-continues

You might wanna log your complaint here too..
http://www.ic3.gov/complaint/default.aspx

Read the FAQs first
http://www.ic3.gov/faq/default.aspx

About the CLSID..

This should be the same on all XP machines.. might differ on a Vista or a 7 box....

Windows Object CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

File Extension .zfsendtotarget

Description: Compressed (zipped) Folder SendTo Target

The ZFSENDTOTARGET file type is primarily associated with 'Compressed Folder SendTo Target File' by Microsoft Corporation. Under Windows XP normally there will be a Compressed (zipped) Folder option in the SendTo menu when you right click on a file. This option creates a .ZIP file containing the clicked on file in the same folder.
1310983948
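As an added check (not part of Anup's comment or of the original post), the PowerShell below reads the same registry entries that the caller's "assoc" step depends on, so anyone can see what the quoted CLSID resolves to on their own machine. It assumes a Windows host with the default shell registrations; the CLSID value is the one quoted in the post, and the HKEY_CLASSES_ROOT paths are the standard locations for file-extension and class registrations.

```powershell
# Added example, not code from the post or its commenters.
# Resolves a file extension and its CLSID through the registry and reports
# what each entry says, so a reader can confirm that a value a cold caller
# "knows" is a built-in Windows registration rather than a machine-specific one.
function Resolve-ShellClsid {
    param(
        [string]$Extension = '.zfsendtotarget',                      # extension named in the comment
        [string]$Clsid     = '{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}' # value quoted in the post
    )

    # 1. The extension's default value is what 'assoc <ext>' prints at the command line.
    $ext = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue

    # 2. The CLSID key's default value is its human-readable description.
    $cls = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -ErrorAction SilentlyContinue

    # 3. InProcServer32 names the DLL that implements the class; for built-in shell
    #    extensions this is a Microsoft DLL shipped under the Windows directory.
    $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Extension     = $Extension
        AssocValue    = $ext.'(default)'   # expected: CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
        ClsidDesc     = $cls.'(default)'   # expected: Compressed (zipped) Folder SendTo Target
        ImplementedBy = $srv.'(default)'   # the shell DLL path registered for this class
    }
}

# Usage: run in any PowerShell session; no elevation is needed to read HKEY_CLASSES_ROOT.
Resolve-ShellClsid | Format-List
```

The point of the check is the provenance of the value: it lives under HKEY_CLASSES_ROOT, which every Windows installation populates from the same shell registrations, so a caller reading it back to you has demonstrated nothing about your particular computer.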
Vulcan Mindm3ld Great article and I've already shared it with several friends. @Anup.. thanks for the additional information.
1310990798
Rebecca Herold Thanks for the comments, folks!

@Kevin, I anticipate your theory is valid for many situations; however, in this case the land line number used was never used for such purposes (to win "free" stuff). However, it is a number that is listed in the public phone book, so it could simply have been harvested from the online white pages.
1310996961
Josh Stemp While surfing the interwebs of the security world, I have found several instances where security professionals have gotten called regarding this type of thing (@Kevin, it very well could be a spouse or child who felt they were just claiming the newest gadget for free, and not an infosec pro who would input such info). When the "Microsoft Rep" contacted them, many of them had virtual machines that they attempted to do the system cleanup and "fix" on, but the downloaded software doesn't install in the virtual environment, and/or the rep asks to remote into the system to "clean" it but realizes that he remoted into a VM. Even though it's not too hard to identify a typical VM environment, I'll give it to them that some of those criminals are pretty savvy to avoid detection.
1311000339
Terry Perkins Yes -- thanks Rebecca. It is very interesting to see how this all went down.
1311004562
Kerry LeBlanc Great article and it sounds like you got to have some great fun, too. I do not like that they do this, but I live for calls like this just to screw with them. It would be fun to go through this, but have them going into the honey-pot instead of a good system. Something running painfully slow.
Great write up, thanks!
1311006834
Robb Reck Thanks for the info, interesting write-up. I'd also like to have seen what he was actually going to have you do. If you could have had him install on a honeypot system that would have made any case against that company a lot stronger. As is, they can always claim they really were just trying to help you.
1311008888
Kevin McAleavey @Rebecca

OK ... the reason why this raised my curiosity is that I follow a number of "end user security forums" and have chatted with quite a few who've received these calls and observed interaction by others and that is one of the paths to this happening. That was why I wanted to ask if your situation fit the pattern. Apparently not in your case ...
1311019527
Kevin McAleavey @Josh

A good amount of malware is designed to detect virtual as well as debug hooks from other security software to prevent it from being installed or fully functional in the presence of "monitoring" of it. Amusingly, most malware analysts test malware on VM's.
1311019890
Anup Shetty Read something that dates back to March last year... Site hosting company Hostgator shut down one of the longest-running sites used for the alleged scam, F1Compstepuk.com, after complaints.
After confirming with Microsoft that the site was not acting for it, Hostgator immediately shut it down. Josh Loe, Hostgator's co-founder, said that following the initial complaint, "we asked for more information regarding this to confirm. We received a message from a Microsoft representative via this particular person who contacted us first about this. At that time it was enough evidence to close the site and it was done so the same day."
But one investigator who has been tracking the growth of the scam says the challenge is that new sites offering the same fake "service" keep popping up "like mushrooms".

Not sure what happened after that...

Like any other scams...the brains behind this seldom get caught

@ Kevin.. I think there was a workaround for this by patching the malware routines that detect VM or modify the VM instance making it tough for the malware to detect it.

1311021979
Kevin McAleavey It's been a couple of years since I did malware research now, but the methods involved some hardware tests, looking up registry keys for VM's and a couple of CPU checks in the source codes I saw then.

VM's *do* have signatures that can be determined, and the folks who write the stuff do have their incentives to find them. I'd be curious to see what they're doing lately.
1311022553
Tom Wood I also believe that many of these outfits are getting their contacts from legitimate call centers. In a couple of recent incidents I have investigated, they have quoted private information that would only be available to someone with access to that customer's account details, and have called a customer not long after they have placed an enquiry or support call. It is known that these scams operate with a degree of immunity from Indian call centers. It is not too far a stretch of the imagination to see data being 'shared'.
1311028763
Rebecca Herold This post has not only created some great comments here in the public forum, but I've been surprised to have over a dozen individuals contact me directly as a result, with not only similar stories, but to describe some situations that have evolved into much more serious situations for them, and spread to other types of serious crimes.

Cybercriminals, and criminals of all kinds, are becoming more bold. More reason to include risk detection and mitigation as the fourth "R" in education curriculum at all levels, starting with the very youngest.
1311097020
Tony Patton OK, I am such an ass. I got this call last night and they are very smart (or I am very gullible). I fear the latter. I went all the way and made the money transfer. Now what can I do? Is it just a once off money loss or is there likely to be ongoing problems?

Tony - Johannesburg, South Africa.
1333009315
Robb Reck Tony,

If you gave them your credit card number I recommend contacting your credit card company and asking for your options. You should operate under the assumption that any company that would follow these practices would not hesitate to use your payment details unethically as well.
1333047410
Stephen Berry Yeah, they called my house again today. So, I played along to see how far they would get. As it turns out my WiFi is down at my house, so I have to go to Starbucks, Kinkos, the Library, etc. to get online. They gave me the website www.teamviewer.com (which actually is a legitimate application). When I told him that I was using my XP laptop at the time, he still gave me instructions as if it was Windows 7. When I told him that I could not connect to the internet at the moment, he said, "that's OK, I can fix that" (really!!! Is he really going to drive out to my house and re-connect my WiFi???). He (and the others I've spoken with briefly) are not very bright. When I explained that I work with computers every day (program them, re-build them, support them, re-load them), he did not even miss a beat and just continued to go on the script he was reading from. When, in the past, I called them "Scam Artists" to their ear, they either start swearing, cursing, or simply try to "deny" that another IT guy caught them red-handed.
1392094917
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.
