On Tue, 26 Aug 2014 17:15:29 +0000 (UTC), Ned Turnbull
>Today, I got the second of my "official" Windows Support Calls,
>from an Indian-accented guy wanting me to download software because
>my machine has been 'sending them messages'.
>So, I went onto Linux (for safety), and did everything he asked.
>I kept him going for 33 minutes, until he finally started swearing
You are a very bad man and a cruel, cruel person.
And thank you for occupying the shit so he could not during that time
waste the time of any other person. Your devotion to your fellow
creatures is both appreciated and inspiring.
>at me (actually using the f word and saying he was going to f my
>mother, daughter, etc.).
Personally, I would have encouraged him. And my wife. Maybe my female
One is ashes floating down a river, one is ashes buried, and two are
slowly becoming soil. If an arsewipe wants to do any or all of them,
he is very welcome to drown, suffocate or whatever while doing so.
>On Android, I recorded the entire call, from when he asked my
>name and address (yes, it was correct, so, we need to find out
>*where* they are getting that info) down to the names of the
>machines and files.
Face/Twit? Online registration of your boxes for continued support?
Online purchases? There are many, many ways some of which involve
crooked employees sending the BadGuys a few million files for the
price of a beer.
Find out where your details have *EVER* been stored by a third party
and see if they have been hacked.
>Unfortunately, I recorded on a smartphone, using Android Voice
>Recorder, so, all I want to know is what's the best way to upload
>that file so that others can benefit.
whocallsme.co.uk might be useful for a first look if you have his
telephone number. Other sites like this are available.
This CNet article may help:
>Mainly, we want to:
>a) Warn others
>b) Come up with valid answers so that we waste their time
Try the archives of the USENet newsgroup alt.callahans for inventive
and amusing anecdotes about this fun activity. Also the "whocallsme"
pages. And the Mac newsgroups. Some of them are wonderful.
>For example, they had me go to the web site:
> www (dot) windowscare (dot) us
>Which brought me to:
> http:// www (dot) windowscare (dot) us/microsoft.com/
>And download a file, which actually came from:
> www (dot) ammyy (dot) com
>Which downloaded the 764KB file, named:
> 764184 Aug 26 09:28 AA_v3.exe
>Which, a "file" command on Linux says is:
> AA_v3.exe: PE32 executable (GUI) Intel 80386, for MS Windows
>I was supposed to click on that file and then hit Run,
>and then give him the 8-digit number starting with 39
>that comes out of it.
>Of course, I did everything on Linux, so, nothing happened,
>but, I gave him a false number a few times, and he caught
>that. At first, he didn't get mad, and he had me close down
>and start up Windows in safe mode (for which I had to find a Windows
>machine so that it made the right noises).
>Hint to self: Remind me to record windows noises on Linux for
>the next call that comes in.
You could just record them on your phone using the article provided
>In safe mode, he had me go to the logmeinrescue web site:
>https://secure (dot) logmeinrescue (dot) com/Customer/Code.aspx
>Where he told me to type in this 6-digit code 106536.
>https://secure (dot) logmeinrescue (dot) com/Customer/TrialWarning.aspx?code=106536
>Interestingly, the site said specifically *not* to enter a
>number given by an unsolicited technical support person, but,
>of course, I was running on Linux so I didn't worry (but I did
>mention that to the guy, and he glossed over it, heh heh).
>That downloaded the file:
> 1529152 Aug 26 09:51 Support-LogMeInRescue.exe
>Which the Linux "file" command reports as:
> Support-LogMeInRescue.exe: PE32 executable (GUI) Intel 80386, for MS Windows
>At this point, there was another tirade with the f word, as
>he had invested nearly a half hour in me, and I couldn't
>tell him what I saw.
>He was looking for a client window session of some sort.
>Anyway, I have a few questions:
>1. What are they after? (yes, I know it's a scam, but, what?)
Control of your box. He had a Logmein session running and was waiting
for you to use yours to "invite" him into your machine. Then he could
rummage around, plant ransomware, steal stuff and leave a zombie.
He would have control of your box *forever* pretty much.
From it, he could possibly beaver away at sucking in anything else
you have on a home network.
But the best instant prize would be your banking details if you use a
browser to do online banking. Prising open your bank accounts would be
nice, especially if his BadGuys created a new-account transfer to be
run as soon as you were paid and left everything else pretty much
alone until then.
Oh, dear, I can think like a crook ...
>2. What's a "valid" 8-digit number starting with 39?
Their "I'm-inviting-you-in" code from the original program. It's
specific to that program and is otherwise nonsense.
Like the Logmein code needed for a remote control session to work.
>3. What "should" I have seen (so I can get more info from them)?
Your cursor moving about for a while. Event Viewer opening and loads
of red error messages to terrify you into compliance. The red messages
slowly being "worked on" so you trust the evil little bastard.
Further "cleaning" of temporary files, caches and other crap that
truly has no effect on your machine but he would show you before and
after free-space numbers to explain how much space he had saved.
General housekeeping that a fucking *pigeon* could do but that isn't
worth bothering with most of the time.
Then he would freeze your side of the session on a good view and hack
away for a while.
>4. Is this illegal enough to call the police?
Yes, but only if you think there's a chance of annoying the verminous
shite and his bosses. Especially the bosses.
>5. How best do I upload that file, so you can hear it?
Dropbox would probably work for most.
4Shared.com or other online sites are available.
Use a favoured search engine for "online storage", "file upload" or
If it's in any recognisable *nixxy format, VLC for Windows will
probably play it for us.
might be worthwhile posting the linkie to the dropboxed file on
there. And here.
Don't send the file itself to USENet. Not unless you send it to
alt.binaries.soundfiles or some other binaries group and send us a
linkie to the message-id.