Scammers!

[Ddrak]

Got a call today from this Indian girl claiming she was from "Windows" and that they had information that my computer had a corruption and wanted me to investigate. Of course, I have about 5 different Windows boxes around and she got very confused when I asked her which one she meant and palmed me off to her "supervisor".

Guy gets on the phone with much better english saying much the same thing but has the presence of mind to tell me to look at the "oldest" machine I have. So, I fire up VMWare and find a blank XP snapshot to toy around with, set the network to NAT so he can't actually get to anything else and start playing around.

He first tells me to go Start, Run, "inf risk" which opens up an explorer window on c:\windows\inf. This is apparently the list of corrupted files on my system.
Next, he makes me right click "My Computer" and choose "Manage". Then in event viewer, all the messages in the Application Log are apparently the stuff that has been sent to them about the corruption on the PC.
Lastly (and this bit was pretty clever), he has me go down to the Index Server part and type in an ad hoc query for "Firewall". It comes back with "Service Not Running" (meaning the index service wasn't running) but he explains that means my firewall has been shut down.

So, next he has me go to "windowsonlineservices.net" and has me click on the link to "Ammyy" which is the plain executable for Ammyy - a remote viewing/control tool. Walks me through giving him access with some bullshit patter about it being my client id for their service contract or something.

Now, he has me go to "cyberastro.com/tssp/3343" which has the hillarious header of "World's only ISO9001:2008 Certified Astrology Company" (seriously, wtf?!?) and choose a service plan so that my computer can be completely managed by them and I don't have to worry about this corruption any more. Sure, why not! I pick the 6 month play and start typing in bullshit personal info. Of course, when the credit card tries to go through it fails. Guy has me try 3 more times, making sure I check it all "carefully".

Next, he gives up on that and has me go to "windowsonlineservices.com", which is apparently an older version of his scam site and has me click through the digitalriver payment link there, but instead of actually submitting the form he tells me to hit "F5" (dunno why because it refreshes and blanks it out). Guessing that the old form showed the CVV2 instead of the current one blocking it out as a password field, and his remote viewing would give him the details that way?

Then, surprisingly, he gets me to go back to the original cyberastro site and try twice more before telling me that my bank must be having issues and could he call me back on Monday? Now, while wasting almost 90 minutes on a Saturday leading this guy in circles is sadistic fun, I've got better things to do on weeknights so I just told him I'd known it was a scam since the beginning, had been feeding him crap, recording the whole thing and would be reporting it to the Feds. Oddly, he just hung up. Man - can't get a laugh out of anyone these days...

Anyway, from there I did report him to the cops but it won't do any good. Sent the info to the ISPs running all the websites he directed me through and crunched my video from 1TB down to about 50MB. Pity there's not much more to be done. Couldn't even get his actual IP because Ammyy goes through a central server and didn't have a good story up my sleeve to trick him into doing something that would give it up.

Thought some of you might be amused.

Dd

[Freecare Spiritwise]

Sweet. That's awesome, Dd. The scammer getting scammed. I've always liked those stories. Like the one guy that managed to scam the Nigerian scammers out of 10 bucks. Creamy, delicious Karma

[Minute]

Good job Dd!

[Harlowe]

Nice work Ddrak!

[Taxious]

crunched my video from 1TB down to about 50MB.

Hahah nice! You going to put the video on youtube or anything for us to watch?

Also, there are a few well known fake card numbers that can act as though they get processed - would have been fun to take it all the way home!

[Freecare Spiritwise]

Also, there are a few well known fake card numbers that can act as though they get processed

Yeah, it's been a while since I worked with CCs, but yeah, there's tons of "test" numbers. Visa and MC have the standard test numbers and so do all the major CC issuers as well as the major banks. Some of them are obvious but some of them look like normal numbers.

Hmmm I wonder if Visa or any of the banks keep any honeypot numbers. Like, use this number and the feds show up at your door lol.

[Ddrak]

I gotta find me some of those numbers!