Discussion:
Recorded India Support Call Scam (how do I upload it from Android)
(too old to reply)
Ned Turnbull
2014-08-26 17:15:29 UTC
Permalink
Today, I got the second of my "official" Windows Support Calls,
from an Indian-accented guy wanting me to download software because
my machine has been 'sending them messages'.

So, I went onto Linux (for safety), and did everything he asked.
I kept him going for 33 minutes, until he finally started swearing
at me (actually using the f word and saying he was going to f my
mother, daughter, etc.).

On Android, I recorded the entire call, from when he asked my
name and address (yes, it was correct, so, we need to find out
*where* they are getting that info) down to the names of the
machines and files.

Unfortunately, I recorded on a smartphone, using Android Voice
Recorder, so, all I want to know is what's the best way to upload
that file so that others can benefit.

Mainly, we want to:
a) Warn others
b) Come up with valid answers so that we waste their time

For example, they had me go to the web site:
www (dot) windowscare (dot) us
Which brought me to:
http:// www (dot) windowscare (dot) us/microsoft.com/

And download a file, which actually came from:
www (dot) ammyy (dot) com

Which downloaded the 764KB file, named:
764184 Aug 26 09:28 AA_v3.exe

Which, a "file" command on Linux says is:
AA_v3.exe: PE32 executable (GUI) Intel 80386, for MS Windows

I was supposed to click on that file and then hit Run,
and then give him the 8-digit number starting with 39
that comes out of it.

Of course, I did everything on Linux, so, nothing happened,
but, I gave him a false number for a few times, and he caught
that. At first, he didn't get mad, and he had me close down
and start up Windows in safe mode (which I had to find a Windows
machine to do that so that it made the right noises).

Hint to self: Remind me to record windows noises on Linux for
the next call that comes in.

In safe mode, he had me go to the logmeinrescue web site:
https://secure (dot) logmeinrescue (dot) com/Customer/Code.aspx

Where he told me to type in this 6-digit code 106536.
https://secure (dot) logmeinrescue (dot) com/Customer/TrialWarning.aspx?code=106536

Interestingly, the site said specifically *not* go enter a
number given by an unsolicited technical support person, but,
of course, I was running on Linux so I didn't worry (but I did
mention that to the guy, and he glossed over it, heh heh).

That downloaded the file:
1529152 Aug 26 09:51 Support-LogMeInRescue.exe
Which the Linux "file" command reports as:
Support-LogMeInRescue.exe: PE32 executable (GUI) Intel 80386, for MS Windows

At this point, there was another tirade with the f word, as
he had invested nearly a half hour in me, and I couldn't
tell him what I saw.

He was looking for a client window session of some sort.

Anyway, I have a few questions:
1. What are they after? (yes, I know it's a scam, but, what?)
2. What's a "valid" 8-digit number starting with 39?
3. What "should" I have seen (so I can get more info from them)?
4. Is this illegal enough to call the police?

Lastly:
5. How best do I upload that file, so you can hear it?
Roger Mills
2014-08-26 18:17:40 UTC
Permalink
On 26/08/2014 18:15, Ned Turnbull wrote:
> Today, I got the second of my "official" Windows Support Calls,
> from an Indian-accented guy wanting me to download software because
> my machine has been 'sending them messages'.
>
> So, I went onto Linux (for safety), and did everything he asked.
> I kept him going for 33 minutes, until he finally started swearing
> at me (actually using the f word and saying he was going to f my
> mother, daughter, etc.).
>
> On Android, I recorded the entire call, from when he asked my
> name and address (yes, it was correct, so, we need to find out
> *where* they are getting that info) down to the names of the
> machines and files.
>
> Unfortunately, I recorded on a smartphone, using Android Voice
> Recorder, so, all I want to know is what's the best way to upload
> that file so that others can benefit.
>

I don't know whether this will work for you but, on my Nexus-10 Android
tablet, I installed an App called ES File Explorer - which is a bit like
Windows Explorer on a PC, and enables you to browse the file structure
and find files. I use an App called SmartVoiceRecorder, which has its
own folder in /local/sdcard [1] containing files named Record_xxxx.wav
for each recording (where xxxx is a sequential number). Android Voice
Recorder probably does something similar.

I can connect my tablet to a computer using USB, such that the tablet
appears to the computer as an external storage device. Using Windows
Explorer (or a better equivalent) I can then copy files to and fro - so
it is easy to copy one of these .WAV files to a PC.

YMMV but perhaps you can do something similar?

[1] There's no physical SD card, but the internal storage is described
thus for some reason best known to the designers of Android!
--
Cheers,
Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom
checked.
Steve Hayes
2014-08-26 19:05:37 UTC
Permalink
On Tue, 26 Aug 2014 19:17:40 +0100, Roger Mills <***@gmail.com> wrote:

>I can connect my tablet to a computer using USB, such that the tablet
>appears to the computer as an external storage device. Using Windows
>Explorer (or a better equivalent) I can then copy files to and fro - so
>it is easy to copy one of these .WAV files to a PC.

I can also do this from my phone to Windows. I use it for copying photos, but
also for backing up apps and other data, so it should work for sound files
too.

I get about three calls a week from those people, but I'm usually too busy
doing something else to be bothered with them.

I thought what they did was instal key trackers so they can get your
p[asswords for bank accounts etc, but that's just hearsay. They usually
announce themselves as "the Windows technical department".



--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk
Chris Uppal
2014-08-26 19:18:33 UTC
Permalink
Steve Hayes wrote:

> I get about three calls a week from those people,

!!! Ouch.

Phone phishing has become much more intense than I had realised.

(My phone does ring about once a week, but since I don't answer it I don't know
what /particular/ kind of malevolent entity is on the other end)

-- chris
Ned Turnbull
2014-08-26 19:28:06 UTC
Permalink
On Tue, 26 Aug 2014 20:18:33 +0100, Chris Uppal wrote:

> Phone phishing has become much more intense than I had realised.

They wasted a half hour with me.
If everyone kept them on the line, they'd stop.

Anyway, this is more of a technical question as we all know
it's a scam. I want to upload the file, so that you guys can
hear it.

It's an AMR file of 3MB size.

The only edit I want to make is I want to beep out my name
and address from near the beginning.

Googling for how to beep out a few seconds of AMR audio, I
find that I can DELETE those few seconds with Audacity, but
is there a specific (easy to use) Linux beeping program which
will beep it out for me?

I can also go to Windows, if there is a Windows program that
beeps out my name and address.
Rod Speed
2014-08-26 19:58:14 UTC
Permalink
Ned Turnbull <***@example.com> wrote
> Chris Uppal wrote

>> Phone phishing has become much more intense than I had realised.

> They wasted a half hour with me.
> If everyone kept them on the line, they'd stop.

Most don’t have the time to do that, and
even if they did, they still wouldn’t stop.

> Anyway, this is more of a technical question
> as we all know it's a scam. I want to upload
> the file, so that you guys can hear it.

> It's an AMR file of 3MB size.

> The only edit I want to make is I want to beep out
> my name and address from near the beginning.

> Googling for how to beep out a few seconds of AMR audio,
> I find that I can DELETE those few seconds with Audacity,
> but is there a specific (easy to use) Linux beeping program
> which will beep it out for me?

> I can also go to Windows, if there is a Windows
> program that beeps out my name and address.

So why not just use Audacity ?
Ned Turnbull
2014-08-26 20:17:41 UTC
Permalink
On Wed, 27 Aug 2014 05:58:14 +1000, Rod Speed wrote:

> So why not just use Audacity ?

I have the 3MB AMR file loaded into Audacity where I've
exported it to a 16MB MP3, and a 7MB OGG, and a 3MB M4a.

So, the format I upload it to isn't going to be a problem.

The problem right now is figuring out how to beep a
two or three second selection, to beep out my name
and address.

Audacity is pretty powerful (but complex) stuff.

Once I select the section, do you know what to press
to get it to be beeped out?
Iain
2014-08-26 21:33:40 UTC
Permalink
Ned Turnbull wrote:
> Once I select the section, do you know what to press
> to get it to be beeped out?

In the version that I have, you select Generate from the menu at the top,
and decide what it is you want to generate - that is once you have selected
the section to cover over. You will probably want to generate a 'Tone'.

--
Iain
Paul
2014-08-26 21:57:12 UTC
Permalink
Ned Turnbull wrote:
> On Wed, 27 Aug 2014 05:58:14 +1000, Rod Speed wrote:
>
>> So why not just use Audacity ?
>
> I have the 3MB AMR file loaded into Audacity where I've
> exported it to a 16MB MP3, and a 7MB OGG, and a 3MB M4a.
>
> So, the format I upload it to isn't going to be a problem.
>
> The problem right now is figuring out how to beep a
> two or three second selection, to beep out my name
> and address.
>
> Audacity is pretty powerful (but complex) stuff.
>
> Once I select the section, do you know what to press
> to get it to be beeped out?
>

In my copy:

1) Load file.
2) Play a portion if you wish, but remember to press the
square "Stop" button. The player must be stopped, before
all edit functions are available.
3) Use the cursor to wipe over the area to be beeped.
4) Use "Generate : Tone", specify frequency, amplitude.
This will overwrite the area with a Tone with no noise in the background.
5) You can leave the selection in place (or write down the time
coordinates), and use the Amplify function to make the beep
louder. For example, I set the amplitude to 0.01 when applying
the Beep, then did a 10dB Amplify to bring up the level a bit.
This is so you can get the balance right on the Beep, not too loud
or too soft.

I ran into trouble, by not pressing Stop. After I figured that out,
it was clear sailing.

Most prevalent problem with Audacity, is getting the I/O to work when
recording from microphone or line in, or playback to some output device.
I'm not sure I even got that running in Windows 8, even with
Compatibility mode selected.

And as I was starting the program today, Audacity was rendering off
screen. I had to go to the Task Bar, highlight the icon, select Maximize,
to see a window to work in. So there are a few bugs here and there.

HTH,
Paul
Rod Speed
2014-08-26 21:56:00 UTC
Permalink
Ned Turnbull <***@example.com> wrote
> Rod Speed wrote

>> So why not just use Audacity ?

> I have the 3MB AMR file loaded into Audacity where I've
> exported it to a 16MB MP3, and a 7MB OGG, and a 3MB M4a.

> So, the format I upload it to isn't going to be a problem.

> The problem right now is figuring out how to beep a
> two or three second selection, to beep out my name
> and address.

> Audacity is pretty powerful (but complex) stuff.

> Once I select the section, do you know what to press
> to get it to be beeped out?

No, I don’t use it myself.
http://www.youtube.com/watch?v=lly1WugKL6g
John
2014-08-26 22:04:38 UTC
Permalink
On Tue, 26 Aug 2014 20:17:41 +0000 (UTC), Ned Turnbull
<***@example.com> wrote:

>On Wed, 27 Aug 2014 05:58:14 +1000, Rod Speed wrote:
>
>> So why not just use Audacity ?
>
>I have the 3MB AMR file loaded into Audacity where I've
>exported it to a 16MB MP3, and a 7MB OGG, and a 3MB M4a.
>
>So, the format I upload it to isn't going to be a problem.
>
>The problem right now is figuring out how to beep a
>two or three second selection, to beep out my name
>and address.
>
>Audacity is pretty powerful (but complex) stuff.
>
>Once I select the section, do you know what to press
>to get it to be beeped out?

You say you have a Windows machine, can you suck it into
a Windows version of Audacity? Or use something like this inside
WinMediaPlayer:

http://www.solveigmm.com/en/howto/how-to-edit-your-video-and-audio-within-windows-media-player/
hth,
J.
Jasen Betts
2014-08-26 21:01:53 UTC
Permalink
On 2014-08-26, Ned Turnbull <***@example.com> wrote:
> On Tue, 26 Aug 2014 20:18:33 +0100, Chris Uppal wrote:

> Googling for how to beep out a few seconds of AMR audio, I
> find that I can DELETE those few seconds with Audacity, but
> is there a specific (easy to use) Linux beeping program which
> will beep it out for me?

audacity it probably the easiest.
select the bad bits, and change the amplitude to zero
then put a tone in there.


--
umop apisdn


--- news://freenews.netfront.net/ - complaints: ***@netfront.net ---
Ned Turnbull
2014-08-27 01:19:13 UTC
Permalink
On Tue, 26 Aug 2014 21:01:53 +0000, Jasen Betts wrote:

> audacity it probably the easiest.
> select the bad bits, and change the amplitude to zero
> then put a tone in there.

I was able to do it with Audacity freeware, but, the problem
is that Audacity has a very unintuitive selection mechanism.

Once you have figured out how to select the section you want,
mostly by trial and error, then generating a chirp or tone is
easy.

But, you have to be in exactly the right "condition" for a
selection to work (e.g., you can't be "paused", you have to
hit the square "stop" button).

It's easy to select an inaccurate section, but it's *very*
difficult to select a pinpoint selection because you have to
play, stop, zoom, play, stop, zoom, etc., and if you're not
in the right mode, it deletes all the wrong things, so you
have to start all over again.

But, once you have the mechanics figured out, then it's
trivially easy. So, if you already *know* the magic sequence,
it's really easy.

Now I know it.
Thanks.

I also made a 5-minute version, with just the swear words
and threats against my family. I tried mailing it to Marek,
but the mail bounced.

So, I'm trying again, asking Marek to look in his email and
to respond to mine, so that he's in my address book. Then I
will try again.

Meanwhile, if there is a safe way to upload a file using Tor,
I'll do that. But most sites know the Tor exit nodes (like
Gmail) and they make life absolutely miserable for Tor users.

Ned
Aaron2
2014-08-27 03:38:56 UTC
Permalink
Ned Turnbull <***@example.com> wrote:

>They wasted a half hour with me.
>If everyone kept them on the line, they'd stop.

You wasted *your* half hour with the scammer. And absolutely nothing
was gained. I 'm sure he's made many many calls since.

>Anyway, this is more of a technical question as we all know
>it's a scam.

It appears that you are enjoying yourself so continue on.

However, there are technical things you can do. I use a local landline
phone blocking device. I can block complete area codes where most of
the junk calls come from so that even changing numbers, as they often
do, won't help. I also can block 2500 individual numbers. I also use
an Android blocking app on my phone. Verizon allows me 5 free blocks.
Cox my local phone company also provides blocking though I don't use
it. I block anonymous calls, though I have a white list for known
callers. My life has been much improved with this technology.
Ned Turnbull
2014-08-27 03:46:32 UTC
Permalink
On Tue, 26 Aug 2014 20:38:56 -0700, Aaron2 wrote:

> You wasted *your* half hour with the scammer.
> And absolutely nothing was
> gained. I 'm sure he's made many many calls since.

I did finally get a hold of LogMeInRescue at 1-877-337-2102,
who thanked me profusely for giving them the 6-digit number (106536).

They said most people don't bother to call them, so, the
scammers get away with it.

Even the BBB has a web site, apparently, saying the scammers are
winning because people, like you, don't *do* anything about it.
http://www.bbb.org/blog/2013/01/new-twist-on-scam-tech-support-calls-installs-viruses-on-victims-computers/

Maybe *you* don't mind people threatening you and your family,
but I don't like it, so, I will try to figure out what I can
do about it.

I thank Marek for his kind help, and I hope someone out there
is a lawyer who knows what we can do to prevent this from
happening to a little old lady.
Rod Speed
2014-08-27 03:59:49 UTC
Permalink
"Ned Turnbull" <***@example.com> wrote in message
news:ltjkao$7cb$***@news.mixmin.net...
> On Tue, 26 Aug 2014 20:38:56 -0700, Aaron2 wrote:
>
>> You wasted *your* half hour with the scammer.
>> And absolutely nothing was
>> gained. I 'm sure he's made many many calls since.
>
> I did finally get a hold of LogMeInRescue at 1-877-337-2102,
> who thanked me profusely for giving them the 6-digit number (106536).
>
> They said most people don't bother to call them, so, the
> scammers get away with it.
>
> Even the BBB has a web site, apparently, saying the scammers are
> winning because people, like you, don't *do* anything about it.
> http://www.bbb.org/blog/2013/01/new-twist-on-scam-tech-support-calls-installs-viruses-on-victims-computers/
>
> Maybe *you* don't mind people threatening you and your family,
> but I don't like it, so, I will try to figure out what I can
> do about it.
>
> I thank Marek for his kind help, and I hope someone out there
> is a lawyer who knows what we can do to prevent this from
> happening to a little old lady.

If that was possible, it would have happened by now.

And I do know a surprising large old lady, quite a bit
larger than me, who was conned into paying them
money and who I told had been scammed and got
a chargeback to her credit card when she told the
credit card operation about the scam.
Aaron2
2014-08-27 06:30:55 UTC
Permalink
Ned Turnbull <***@example.com> wrote:

>On Tue, 26 Aug 2014 20:38:56 -0700, Aaron2 wrote:
>
>> You wasted *your* half hour with the scammer.
>> And absolutely nothing was
>> gained. I 'm sure he's made many many calls since.
>
>I did finally get a hold of LogMeInRescue at 1-877-337-2102,
>who thanked me profusely for giving them the 6-digit number (106536).
>
>They said most people don't bother to call them, so, the
>scammers get away with it.

What exactly are they going to do? Get help from the Indian or
Nigerian governments?? Get real.

>Even the BBB has a web site, apparently, saying the scammers are
>winning because people, like you, don't *do* anything about it.
>http://www.bbb.org/blog/2013/01/new-twist-on-scam-tech-support-calls-installs-viruses-on-victims-computers/

Report it to your local authorities?? What are they going to do??
Probably be polite and then laugh about your naivety when you hang up.

>Maybe *you* don't mind people threatening you and your family,
>but I don't like it, so, I will try to figure out what I can
>do about it.

Nobody has ever threatened my family because I don't provoke unknown
callers who know who I am but not visa versa. That's not wise. Keep
that up and Darwin will have his way. And in my case the phone never
rings in the first place (blocked).

>I thank Marek for his kind help, and I hope someone out there
>is a lawyer who knows what we can do to prevent this from
>happening to a little old lady.

If you're willing to pay $500 an hour I'm sure some lawyer will be
happy to sit an listen to you. Course you'll just be dropping one rung
on the scammer ladder... ;)
Ned Turnbull
2014-08-26 18:23:08 UTC
Permalink
On Tue, 26 Aug 2014 19:17:40 +0100, Roger Mills wrote:

> I can connect my tablet to a computer using USB, such that the tablet
> appears to the computer as an external storage device. Using Windows
> Explorer (or a better equivalent) I can then copy files to and fro - so
> it is easy to copy one of these .WAV files to a PC.

I should have been clearer.
I can get the file from Android to Linux.
But, how do I get it to the net so YOU can hear it?
I don't want to give away who I am so I can't use "my" IP address.
Especially after the f threats the guy gave me (remember he knew
my name and address and said he'd f' up my family).

While I don't think he'd go so far, I wouldn't want to be
so cocky that I don't do a bit of protection.

So, the question is mostly:
a) How do I get it from Linux to the net,
b) Without using "my" IP address.

Does Youtube take audio files (it's not a video)?
John Hasler
2014-08-26 18:46:31 UTC
Permalink
Ned Turnbull writes:
> Especially after the f threats the guy gave me (remember he knew my
> name and address and said he'd f' up my family).

When he says that respond that you are a security expert running
a honeypot, you've already traced him, you know where he is, and now
that he's making threats you are coming for him. And hang up.
--
John Hasler
***@newsguy.com
Dancing Horse Hill
Elmwood, WI USA
Rod Speed
2014-08-26 19:51:34 UTC
Permalink
Ned Turnbull <***@example.com> wrote
> Roger Mills wrote

>> I can connect my tablet to a computer using USB, such that the
>> tablet appears to the computer as an external storage device.
>> Using Windows Explorer (or a better equivalent) I can then copy
>> files to and fro - so it is easy to copy one of these .WAV files to a PC.

> I should have been clearer.
> I can get the file from Android to Linux.
> But, how do I get it to the net so YOU can hear it?

Just put it on dropbox or whatever is convenient to you.

> I don't want to give away who I am so I can't use "my" IP address.

He already knows that and its useless to him anyway.

> Especially after the f threats the guy gave me (remember he
> knew my name and address and said he'd f' up my family).

So he already knows what you are attempting to stop him knowing.

The threat is pure bluff because he knows that if he ever
did anything, he'd be shafting himself in the process.

> While I don't think he'd go so far, I wouldn't want
> to be so cocky that I don't do a bit of protection.

He already knows your name and address and ip.

> So, the question is mostly:
> a) How do I get it from Linux to the net,
> b) Without using "my" IP address.

> Does Youtube take audio files (it's not a video)?

Nothing to stop you adding an irrelevant video
using the webcam and have it point at the wall etc.

Its not clear to me whether youtube deletes uploads
like that, unlikely if explain why you did that.

And dropbox will work fine anyway.

If you want to be ultra paranoid even tho he already
knows your name, address and ip, just upload it to
a new dropbox account using free wifi.
Rod Speed
2014-08-26 20:07:09 UTC
Permalink
"Rod Speed" <***@gmail.com> wrote in message
news:***@mid.individual.net...
> Ned Turnbull <***@example.com> wrote
>> Roger Mills wrote
>
>>> I can connect my tablet to a computer using USB, such that the
>>> tablet appears to the computer as an external storage device.
>>> Using Windows Explorer (or a better equivalent) I can then copy
>>> files to and fro - so it is easy to copy one of these .WAV files to a
>>> PC.
>
>> I should have been clearer.
>> I can get the file from Android to Linux.
>> But, how do I get it to the net so YOU can hear it?
>
> Just put it on dropbox or whatever is convenient to you.
>
>> I don't want to give away who I am so I can't use "my" IP address.
>
> He already knows that and its useless to him anyway.
>
>> Especially after the f threats the guy gave me (remember he
>> knew my name and address and said he'd f' up my family).
>
> So he already knows what you are attempting to stop him knowing.
>
> The threat is pure bluff because he knows that if he ever
> did anything, he'd be shafting himself in the process.
>
>> While I don't think he'd go so far, I wouldn't want
>> to be so cocky that I don't do a bit of protection.

> He already knows your name and address and ip.

But you may not want those on the recording
you are uploading so the world can't see them.

>> So, the question is mostly:
>> a) How do I get it from Linux to the net,
>> b) Without using "my" IP address.
>
>> Does Youtube take audio files (it's not a video)?
>
> Nothing to stop you adding an irrelevant video
> using the webcam and have it point at the wall etc.
>
> Its not clear to me whether youtube deletes uploads
> like that, unlikely if explain why you did that.
>
> And dropbox will work fine anyway.
>
> If you want to be ultra paranoid even tho he already
> knows your name, address and ip, just upload it to
> a new dropbox account using free wifi.
Recliner
2014-08-26 20:12:44 UTC
Permalink
"Rod Speed" <***@gmail.com> wrote:
>
> If you want to be ultra paranoid even tho he already
> knows your name, address and ip, just upload it to
> a new dropbox account using free wifi.

Would the scammer have the IP address? Last time I had one if these
scammers on the phone (I don't normally answer unknown callers) I wasted a
few minutes of his time by asking him to tell me which of my several
computers' IP address was infected. He kept giving my phone number, which
he obviously knew as he'd just called me, but I don't know if he even knew
what an IP address was.

I also got the angry swearing and threatening response when he eventually
realised I'd been wasting his time (for maybe 10-15 mins), so I suspect
they get knowledgable would-be victims who waste their time quite often.
One observation is that, fluent sweating apart, his accent and English
knowledge were much worse than usual Indian call centres, so they must be
some low quality outfit that can't get legitimate survey, etc business.
Rod Speed
2014-08-26 21:52:41 UTC
Permalink
Recliner <recliner2-***@yahoo.co.uk> wrote
> Rod Speed <***@gmail.com> wrote

>> If you want to be ultra paranoid even tho he already
>> knows your name, address and ip, just upload it to
>> a new dropbox account using free wifi.

> Would the scammer have the IP address?

Yes, because Ned did run what he was asked to run and
the thief did see something from his end as a result.

> Last time I had one if these scammers on the
> phone (I don't normally answer unknown callers)

I have had a number of those who I am glad I did answer.

Everything from the cops telling me that some of the locals
had quite literally been wandering around at night with a
wheelbarrow that they filled with whatever they could get
from cars that they could get into and were telling me that
I was welcome to come and get what they had of mine, to
someone who had had their valuables stolen while out of
the country and wanted me to chase up the numbers of the
operations they needed to call to cancel the cards etc to
one of my neighbours who I normally talk to in person who
rang me to say that they could see smoke coming out of
the eaves of my house. That last turned out to be steam
from the very wide gutters after a summer shower.

> I wasted a few minutes of his time by asking him to tell me
> which of my several computers' IP address was infected. He
> kept giving my phone number, which he obviously knew as
> he'd just called me, but I don't know if he even knew
> what an IP address was.

Sure, but Ned had ran something he was asked to after
going to the site he had been told to get it from. Both
of those would allow the thief to work out the ip.

> I also got the angry swearing and threatening response when he eventually
> realised I'd been wasting his time (for maybe 10-15 mins), so I suspect
> they get knowledgable would-be victims who waste their time quite often.

Yeah, they must get plenty doing that.

> One observation is that, fluent sweating apart, his accent and English
> knowledge were much worse than usual Indian call centres, so they must
> be some low quality outfit that can't get legitimate survey, etc business.

Most of the ones I have got are obviously foreign but otherwise good.
Better than some of the local call centers that can sometimes employ
recent immigrants that can be very hard to understand even when
they come from places like Ireland etc.
Recliner
2014-08-26 22:05:56 UTC
Permalink
"Rod Speed" <***@gmail.com> wrote:
> Recliner <recliner2-***@yahoo.co.uk> wrote
>> Rod Speed <***@gmail.com> wrote
>
>>> If you want to be ultra paranoid even tho he already
>>> knows your name, address and ip, just upload it to
>>> a new dropbox account using free wifi.
>
>> Would the scammer have the IP address?
>
> Yes, because Ned did run what he was asked to run and
> the thief did see something from his end as a result.

I don't think he actually ran the programs he downloaded, did he?
>
>> Last time I had one if these scammers on the
>> phone (I don't normally answer unknown callers)
>
> I have had a number of those who I am glad I did answer.
>
> Everything from the cops telling me that some of the locals
> had quite literally been wandering around at night with a
> wheelbarrow that they filled with whatever they could get
> from cars that they could get into and were telling me that
> I was welcome to come and get what they had of mine, to
> someone who had had their valuables stolen while out of
> the country and wanted me to chase up the numbers of the
> operations they needed to call to cancel the cards etc to
> one of my neighbours who I normally talk to in person who
> rang me to say that they could see smoke coming out of
> the eaves of my house. That last turned out to be steam
> from the very wide gutters after a summer shower.

Any one of those legit callers would start to leave a message, and you can
then pick up the phone.
>
>> I wasted a few minutes of his time by asking him to tell me
>> which of my several computers' IP address was infected. He
>> kept giving my phone number, which he obviously knew as
>> he'd just called me, but I don't know if he even knew
>> what an IP address was.
>
> Sure, but Ned had ran something he was asked to after
> going to the site he had been told to get it from. Both
> of those would allow the thief to work out the ip.

I don't think he did actually run any programs, did he?
>
>> I also got the angry swearing and threatening response when he eventually
>> realised I'd been wasting his time (for maybe 10-15 mins), so I suspect
>> they get knowledgable would-be victims who waste their time quite often.
>
> Yeah, they must get plenty doing that.
>
>> One observation is that, fluent sweating apart, his accent and English
>> knowledge were much worse than usual Indian call centres, so they must
>> be some low quality outfit that can't get legitimate survey, etc business.
>
> Most of the ones I have got are obviously foreign but otherwise good.
> Better than some of the local call centers that can sometimes employ
> recent immigrants that can be very hard to understand even when
> they come from places like Ireland etc.

Luckily my sample size is no longer growing.
Rod Speed
2014-08-26 22:18:43 UTC
Permalink
Recliner <recliner2-***@yahoo.co.uk> wrote
> Rod Speed <***@gmail.com> wrote
>> Recliner <recliner2-***@yahoo.co.uk> wrote
>>> Rod Speed <***@gmail.com> wrote

>>>> If you want to be ultra paranoid even tho he already
>>>> knows your name, address and ip, just upload it to
>>>> a new dropbox account using free wifi.

>>> Would the scammer have the IP address?

>> Yes, because Ned did run what he was asked to run and
>> the thief did see something from his end as a result.

> I don't think he actually ran the programs he downloaded, did he?

Even if he didn’t, he did visit the web sites he was
told to and the web site logs will show his ip.

>>> Last time I had one if these scammers on the
>>> phone (I don't normally answer unknown callers)

>> I have had a number of those who I am glad I did answer.

>> Everything from the cops telling me that some of the locals
>> had quite literally been wandering around at night with a
>> wheelbarrow that they filled with whatever they could get
>> from cars that they could get into and were telling me that
>> I was welcome to come and get what they had of mine, to
>> someone who had had their valuables stolen while out of
>> the country and wanted me to chase up the numbers of the
>> operations they needed to call to cancel the cards etc to
>> one of my neighbours who I normally talk to in person who
>> rang me to say that they could see smoke coming out of
>> the eaves of my house. That last turned out to be steam
>> from the very wide gutters after a summer shower.

> Any one of those legit callers would start to leave a message,

Plenty don’t bother to leave a message. I usually don’t myself,
because I normally want to try one of their other numbers first
and then try calling them on skype or facebook etc.

> and you can then pick up the phone.

>>> I wasted a few minutes of his time by asking him to tell me
>>> which of my several computers' IP address was infected. He
>>> kept giving my phone number, which he obviously knew as
>>> he'd just called me, but I don't know if he even knew
>>> what an IP address was.

>> Sure, but Ned had ran something he was asked to after
>> going to the site he had been told to get it from. Both
>> of those would allow the thief to work out the ip.

> I don't think he did actually run any programs, did he?

Just visiting the sites he was told to visit would be enough.

I can see the ip of those who visit my sites.

>>> I also got the angry swearing and threatening response when he
>>> eventually
>>> realised I'd been wasting his time (for maybe 10-15 mins), so I suspect
>>> they get knowledgable would-be victims who waste their time quite often.

>> Yeah, they must get plenty doing that.

>>> One observation is that, fluent sweating apart, his accent and English
>>> knowledge were much worse than usual Indian call centres, so they must
>>> be some low quality outfit that can't get legitimate survey, etc
>>> business.

>> Most of the ones I have got are obviously foreign but otherwise good.
>> Better than some of the local call centers that can sometimes employ
>> recent immigrants that can be very hard to understand even when
>> they come from places like Ireland etc.

> Luckily my sample size is no longer growing.

Mine is, essentially because I normally do use the best
value services I can find and most of them do have call
centers in places like the Philippines and India etc.
Recliner
2014-08-26 22:35:45 UTC
Permalink
"Rod Speed" <***@gmail.com> wrote:
> Recliner <recliner2-***@yahoo.co.uk> wrote
>> Rod Speed <***@gmail.com> wrote
>>> Recliner <recliner2-***@yahoo.co.uk> wrote
>>>> Rod Speed <***@gmail.com> wrote
>
>>>>> If you want to be ultra paranoid even tho he already
>>>>> knows your name, address and ip, just upload it to
>>>>> a new dropbox account using free wifi.
>
>>>> Would the scammer have the IP address?
>
>>> Yes, because Ned did run what he was asked to run and
>>> the thief did see something from his end as a result.
>
>> I don't think he actually ran the programs he downloaded, did he?
>
> Even if he didn’t, he did visit the web sites he was
> told to and the web site logs will show his ip.

Yes, but I doubt that the scammer has access to those logs.
Rod Speed
2014-08-26 22:38:55 UTC
Permalink
Recliner <recliner2-***@yahoo.co.uk> wrote
> Rod Speed <***@gmail.com> wrote
>> Recliner <recliner2-***@yahoo.co.uk> wrote
>>> Rod Speed <***@gmail.com> wrote
>>>> Recliner <recliner2-***@yahoo.co.uk> wrote
>>>>> Rod Speed <***@gmail.com> wrote

>>>>>> If you want to be ultra paranoid even tho he already
>>>>>> knows your name, address and ip, just upload it to
>>>>>> a new dropbox account using free wifi.

>>>>> Would the scammer have the IP address?

>>>> Yes, because Ned did run what he was asked to run and
>>>> the thief did see something from his end as a result.

>>> I don't think he actually ran the programs he downloaded, did he?

>> Even if he didn’t, he did visit the web sites he was
>> told to and the web site logs will show his ip.

> Yes, but I doubt that the scammer has access to those logs.

Of course he does with the file he got Ned to download.
Ned Turnbull
2014-08-26 22:50:07 UTC
Permalink
On Tue, 26 Aug 2014 17:05:56 -0500, Recliner wrote:

> I don't think he actually ran the programs he downloaded, did he?

I had to go to a meeting, but, I'm back now, and will try
to get the *selection* mechanism of audacity to select the
snippet in the middle I need removed.

It's easy to do a gross select with the mouse, but, I need
a finer select, so, that's what is holding up the email to
Marek.

As for visiting the sites, downloading stuff, and running it,
I did the following:

a. On Linux, I visited the sites they told me to (so, it they
had wanted to correlate time and date, they could, but, I
doubt they would).

b. I downloaded the software they told me to, so, again, they
"could" correlate the time and date with the phone call
(but I doubt they would). Again, this was on Linux.

c. I never executed the two files downloaded, and, even if I
had, I don't have Wine, so, nothing would have happened
(since a "file" command showed them to be Windows executables).
Rod Speed
2014-08-26 23:14:19 UTC
Permalink
Ned Turnbull <***@example.com> wrote
> Recliner wrote

>> I don't think he actually ran the programs he downloaded, did he?

> I had to go to a meeting, but, I'm back now, and
> will try to get the *selection* mechanism of audacity
> to select the snippet in the middle I need removed.

> It's easy to do a gross select with the mouse,
> but, I need a finer select, so, that's what is
> holding up the email to Marek.

> As for visiting the sites, downloading stuff,
> and running it, I did the following:

> a. On Linux, I visited the sites they told me to (so, it they
> had wanted to correlate time and date, they could,

Yep.

> but, I doubt they would).

You have no basis for that doubt.

> b. I downloaded the software they told me to, so, again, they
> "could" correlate the time and date with the phone call

Yes.

> (but I doubt they would).

You have no basis for that doubt.

> Again, this was on Linux.

> c. I never executed the two files downloaded, and, even if I had,
> I don't have Wine, so, nothing would have happened (since
> a "file" command showed them to be Windows executables).

OK, your original was a bit unclear on that. You said he couldn’t
see what he wanted to see which I read as you ran what he
wanted you to run on Linux and that’s why what he saw wasn’t
what he wanted to see. But he could still see something, and
so could get the ip from what the file was sending to him to view.

All he needs to get the ip is the web site logs.
Rod Speed
2014-08-26 23:38:50 UTC
Permalink
Ned Turnbull <***@example.com> wrote
> Recliner wrote

> It's easy to do a gross select with the mouse,
> but, I need a finer select,

http://manual.audacityteam.org/o/man/audacity_selection.html#mouse
Ned Turnbull
2014-08-27 03:56:12 UTC
Permalink
On Wed, 27 Aug 2014 08:18:43 +1000, Rod Speed wrote:

> Even if he didn’t, he did visit the web sites he was
> told to and the web site logs will show his ip.

I have to agree with Rod Speed on that.

I should have used Tor, or a public VPN service, but I didn't
have time to set it up.

So, at most, what they know is:
a. My name and address and phone number, and,
b. My IP address

I'm more worried about (a) than (b) above, since the caller
explicitly threatened me at time point 21:30 and again at
time point 32:24 in the file Marek kindly uploaded for us:
https://app.box.com/s/0yluyszg1qj2l83ynbm2

I guess my question now is how do I properly report the
threat, so that they don't threaten some little old lady?
Rod Speed
2014-08-27 06:06:17 UTC
Permalink
"Ned Turnbull" <***@example.com> wrote in message
news:ltjkss$7cb$***@news.mixmin.net...
> On Wed, 27 Aug 2014 08:18:43 +1000, Rod Speed wrote:
>
>> Even if he didn’t, he did visit the web sites he was
>> told to and the web site logs will show his ip.
>
> I have to agree with Rod Speed on that.
>
> I should have used Tor, or a public VPN service, but I didn't
> have time to set it up.
>
> So, at most, what they know is:
> a. My name and address and phone number, and,
> b. My IP address
>
> I'm more worried about (a) than (b) above, since the caller
> explicitly threatened me at time point 21:30 and again at
> time point 32:24 in the file Marek kindly uploaded for us:
> https://app.box.com/s/0yluyszg1qj2l83ynbm2

You should also make sure that you do have your firewall etc
turned on just in case he does attempt to attack your systems.

Not very likely to be a problem with your linux
systems, but could be with your win systems.

> I guess my question now is how do I properly report the threat,

The only way to do that is to tell the
cops, but I don’t they will be interested.

> so that they don't threaten some little old lady?

What have you got against rather large old ladys ? |-)
Ned Turnbull
2014-08-26 20:20:09 UTC
Permalink
On Wed, 27 Aug 2014 05:51:34 +1000, Rod Speed wrote:

>> I don't want to give away who I am so I can't use "my" IP address.
>
> He already knows that and its useless to him anyway.

Huh?

He (the India windows technical support scammer) knows my
home address and phone number and name; but he does not
know my IP address (AFAIK).

I want to upload the file (I'll probably just email it to
Marek to upload), but I need to blank out my name and
address from the file first, using Audacity (somehow?).

Once I do that, Marek can upload it, or, I can upload
it if I think I can hide my IP address (Tor or something).

VPN would probably be too much trouble to set up for just
one file upload, but I tried vpnoneclick, and it failed to
run (Kubuntu).
Rod Speed
2014-08-26 21:58:44 UTC
Permalink
Ned Turnbull <***@example.com> wrote
> Rod Speed wrote

>>> I don't want to give away who I am so I can't use "my" IP address.

>> He already knows that and its useless to him anyway.

> Huh?

> He (the India windows technical support scammer) knows my
> home address and phone number and name; but he does not
> know my IP address (AFAIK).

He does actually, because he told you to go to a specific web
site and get the file he told you to get and that will show what ip
did that, and you ran that and that told him what ip ran that too.

> I want to upload the file (I'll probably just email it to
> Marek to upload), but I need to blank out my name and
> address from the file first, using Audacity (somehow?).

> Once I do that, Marek can upload it, or, I can upload
> it if I think I can hide my IP address (Tor or something).

Or just use a free wifi. Not that there is any point in hiding your ip now.

> VPN would probably be too much trouble to set up for just
> one file upload, but I tried vpnoneclick, and it failed to
> run (Kubuntu).
John
2014-08-26 22:16:01 UTC
Permalink
On Tue, 26 Aug 2014 20:20:09 +0000 (UTC), Ned Turnbull
<***@example.com> wrote:

>On Wed, 27 Aug 2014 05:51:34 +1000, Rod Speed wrote:
>
>>> I don't want to give away who I am so I can't use "my" IP address.
>>
>> He already knows that and its useless to him anyway.
>
>Huh?
>
>He (the India windows technical support scammer) knows my
>home address and phone number and name; but he does not
>know my IP address (AFAIK).

He would have done had you had a valid logmein or other remote
connection number for him. *His* session would show it to him. That
and a whole lot more.
J

>
>I want to upload the file (I'll probably just email it to
>Marek to upload), but I need to blank out my name and
>address from the file first, using Audacity (somehow?).
>
>Once I do that, Marek can upload it, or, I can upload
>it if I think I can hide my IP address (Tor or something).
>
>VPN would probably be too much trouble to set up for just
>one file upload, but I tried vpnoneclick, and it failed to
>run (Kubuntu).
Ned Turnbull
2014-08-27 07:15:32 UTC
Permalink
On Tue, 26 Aug 2014 23:16:01 +0100, John wrote:

> He would have done had you had a valid logmein or other remote
> connection number for him. *His* session would show it to him. That and
> a whole lot more.

That's interesting.
What kind of information would the logmein session have shown him?

I had thought he did that so he could get control of the machine in
order to run the downloaded file that I wasn't running.
John
2014-08-27 13:59:09 UTC
Permalink
On Wed, 27 Aug 2014 07:15:32 +0000 (UTC), Ned Turnbull
<***@example.com> wrote:

>On Tue, 26 Aug 2014 23:16:01 +0100, John wrote:
>
>> He would have done had you had a valid logmein or other remote
>> connection number for him. *His* session would show it to him. That and
>> a whole lot more.
>
>That's interesting.
>What kind of information would the logmein session have shown him?
>
>I had thought he did that so he could get control of the machine in
>order to run the downloaded file that I wasn't running.

True but the session has statistical data that can be shown, like the
IP of the machinery at each end and other technical stuff. Probably
your machine's "name" and suchlike.
Try it and see. They have free trials and you can use it to log into
machines inside your own home system. Or to a sister's system if you
want to see what that looks like.
It's fairly easy, fairly safe and fairly easy to bin when you've
played with it.

Once he's connected he would of course want to use your box but he
would probably try to impress you with his bona fides first so you'll
be relatively happy with him fiddling.
I know that's how I gentled down my sister.
J.
John
2014-08-26 22:14:10 UTC
Permalink
On Wed, 27 Aug 2014 05:51:34 +1000, "Rod Speed"
<***@gmail.com> wrote:

>Ned Turnbull <***@example.com> wrote
>> Roger Mills wrote
>
>>> I can connect my tablet to a computer using USB, such that the
>>> tablet appears to the computer as an external storage device.
>>> Using Windows Explorer (or a better equivalent) I can then copy
>>> files to and fro - so it is easy to copy one of these .WAV files to a PC.
>
>> I should have been clearer.
>> I can get the file from Android to Linux.
>> But, how do I get it to the net so YOU can hear it?
>
>Just put it on dropbox or whatever is convenient to you.
>
>> I don't want to give away who I am so I can't use "my" IP address.
>
>He already knows that and its useless to him anyway.
>
>> Especially after the f threats the guy gave me (remember he
>> knew my name and address and said he'd f' up my family).
>
>So he already knows what you are attempting to stop him knowing.
>
>The threat is pure bluff because he knows that if he ever
>did anything, he'd be shafting himself in the process.
>
>> While I don't think he'd go so far, I wouldn't want
>> to be so cocky that I don't do a bit of protection.
>
>He already knows your name and address and ip.
>
>> So, the question is mostly:
>> a) How do I get it from Linux to the net,
>> b) Without using "my" IP address.
>
>> Does Youtube take audio files (it's not a video)?
>
>Nothing to stop you adding an irrelevant video
>using the webcam and have it point at the wall etc.
>
>Its not clear to me whether youtube deletes uploads
>like that, unlikely if explain why you did that.

Put the "lyrics" in the video as text for the hard-of-hearing. That
way the video is as valid as any of the songs uploaded.
Use "F$%*" where the crook uses a real bad word to avoid the YouTube
nanny brigade.
Add a warning about foul language before the file begins.


>
>And dropbox will work fine anyway.
>
>If you want to be ultra paranoid even tho he already
>knows your name, address and ip, just upload it to
>a new dropbox account using free wifi.

The shitebag in India has *millions* of addresses, he is unlikely
ever to know which one ratted him out and if Ned does go to the Feds
or FCC or cops or all three then the crook has more issues than Ned to
worry about.
Like finding a new job.
These companies *do* get shut down even though the phone companies
love them.
J.
Ned Turnbull
2014-08-26 20:22:13 UTC
Permalink
On Tue, 26 Aug 2014 15:12:44 -0500, Recliner wrote:

> Would the scammer have the IP address?

I doubt it.

This scammer expected me to download the file, and run it,
but, of course, I downloaded it onto Linux so it wouldn't
run even if I accidentally hit it.

So, I only visited the three sites he had mentioned (which
are in the OP), but that's it for my connection to the net.

Of course, I did download the second file, from logmeinrescue,
which seemed like a legit site.

What was the scammer trying to get me to do with the
logmeinrescue site? Is that a legit site?
Recliner
2014-08-26 20:28:05 UTC
Permalink
Ned Turnbull <***@example.com> wrote:
> On Tue, 26 Aug 2014 15:12:44 -0500, Recliner wrote:
>
>> Would the scammer have the IP address?
>
> I doubt it.
>
> This scammer expected me to download the file, and run it,
> but, of course, I downloaded it onto Linux so it wouldn't
> run even if I accidentally hit it.
>
> So, I only visited the three sites he had mentioned (which
> are in the OP), but that's it for my connection to the net.
>
> Of course, I did download the second file, from logmeinrescue,
> which seemed like a legit site.
>
> What was the scammer trying to get me to do with the
> logmeinrescue site? Is that a legit site?

I think so. It's a way of getting remote access to your desktop, obviously
with your permission, normally used by help desks. From that he could
install malware, copy files, etc.
Rod Speed
2014-08-26 22:06:06 UTC
Permalink
Ned Turnbull <***@example.com> wrote
> Recliner wrote

>> Would the scammer have the IP address?

> I doubt it.

He does.

> This scammer expected me to download the file,
> and run it, but, of course, I downloaded it onto Linux

And the site logs will show you doing that, and your ip.

> so it wouldn't run even if I accidentally hit it.

> So, I only visited the three sites he
> had mentioned (which are in the OP),

And every one of those will have a record of your ip.

> but that's it for my connection to the net.

That's all he needs.

> Of course, I did download the second file, from
> logmeinrescue, which seemed like a legit site.

> What was the scammer trying to get me to do
> with the logmeinrescue site? Is that a legit site?
Recliner
2014-08-26 22:15:04 UTC
Permalink
"Rod Speed" <***@gmail.com> wrote:
> Ned Turnbull <***@example.com> wrote > Recliner wrote
>
>>> Would the scammer have the IP address?
>
>> I doubt it.
>
> He does.

No, I really doubt that. In any case, for most DSL users, the IP address is
dynamic and shared.

>> This scammer expected me to download the file, > and run it, but, of
>> course, I downloaded it onto Linux
> And the site logs will show you doing that, and your ip.
>> so it wouldn't run even if I accidentally hit it.
>
>> So, I only visited the three sites he > had mentioned (which are in the OP),
> And every one of those will have a record of your ip.

I don't think those sites are owned by the scammer company -- it's smarter
for them to distance themselves. That's why they need the victim to give
them the number the program produces so that they can link. If you don't
run the program, they don't know your IP address.

>> but that's it for my connection to the net.
>
> That's all he needs.
>> Of course, I did download the second file, from > logmeinrescue, which
>> seemed like a legit site.

It is.
Rod Speed
2014-08-26 22:34:43 UTC
Permalink
Recliner <recliner2-***@yahoo.co.uk> wrote
> Rod Speed <***@gmail.com> wrote
>> Ned Turnbull <***@example.com> wrote
>>> Recliner wrote

>>>> Would the scammer have the IP address?

>>> I doubt it.

>> He does.

> No, I really doubt that.

I know he does, because Ned did visit the sites
he was told to and downloaded that file he listed.

That provides the owner of the web site the ip that did that.

> In any case, for most DSL users, the
> IP address is dynamic and shared.

It isnt with plenty, including mine.

>>> This scammer expected me to download the file,
>>> and run it, but, of course, I downloaded it onto Linux

>> And the site logs will show you doing that, and your ip.

>>> so it wouldn't run even if I accidentally hit it.

>>> So, I only visited the three sites he > had mentioned (which are in the
>>> OP),

>> And every one of those will have a record of your ip.

> I don't think those sites are owned by the scammer company --

They don’t need to own it, just be able to view the logs.

> it's smarter for them to distance themselves.

Its trivially easy to own a site anonymously.

> That's why they need the victim to give them the
> number the program produces so that they can link. If you
> don't run the program, they don't know your IP address.

That is just plain wrong with web sites visited.

>>> but that's it for my connection to the net.

>> That's all he needs.

>>> Of course, I did download the second file, from
>>> logmeinrescue, which seemed like a legit site.

> It is.
Recliner
2014-08-26 22:44:45 UTC
Permalink
"Rod Speed" <***@gmail.com> wrote:
> Recliner <recliner2-***@yahoo.co.uk> wrote
>> Rod Speed <***@gmail.com> wrote
>>> Ned Turnbull <***@example.com> wrote
>>>> Recliner wrote
>
>>>>> Would the scammer have the IP address?
>
>>>> I doubt it.
>
>>> He does.
>
>> No, I really doubt that.
>
> I know he does, because Ned did visit the sites
> he was told to and downloaded that file he listed.
>
> That provides the owner of the web site the ip that did that.

Yes, but that's a standard file, and unlikely to be on a server that the
scammer has any access to.
>
>> In any case, for most DSL users, the
>> IP address is dynamic and shared.
>
> It isnt with plenty, including mine.
>
OK

>>>> This scammer expected me to download the file,
>>>> and run it, but, of course, I downloaded it onto Linux
>
>>> And the site logs will show you doing that, and your ip.
>
>>>> so it wouldn't run even if I accidentally hit it.
>
>>>> So, I only visited the three sites he > had mentioned (which are in the >>> OP),
>
>>> And every one of those will have a record of your ip.
>
>> I don't think those sites are owned by the scammer company --
> They don’t need to own it, just be able to view the logs.

Yes, but I doubt that the scammer has that ability. And the second site is
legit, anyway.
>
>> it's smarter for them to distance themselves.
>
> Its trivially easy to own a site anonymously.
>
>> That's why they need the victim to give them the
>> number the program produces so that they can link. If you
>> don't run the program, they don't know your IP address.
>
> That is just plain wrong with web sites visited.

Really?
"Which downloaded the 764KB file, named:
764184 Aug 26 09:28 AA_v3.exe

Which, a "file" command on Linux says is: AA_v3.exe: PE32 executable (GUI)
Intel 80386, for MS Windows

I was supposed to click on that file and then hit Run, and then give him
the 8-digit number starting with 39 that comes out of it.."
Rod Speed
2014-08-26 23:08:39 UTC
Permalink
Recliner <recliner2-***@yahoo.co.uk> wrote
> Rod Speed <***@gmail.com> wrote
>> Recliner <recliner2-***@yahoo.co.uk> wrote
>>> Rod Speed <***@gmail.com> wrote
>>>> Ned Turnbull <***@example.com> wrote
>>>>> Recliner wrote

>>>>>> Would the scammer have the IP address?

>>>>> I doubt it.

>>>> He does.

>>> No, I really doubt that.

>> I know he does, because Ned did visit the sites
>> he was told to and downloaded that file he listed.

>> That provides the owner of the web site the ip that did that.

> Yes, but that's a standard file,
> and unlikely to be on a server that
> the scammer has any access to.

That last is just plain wrong.

>>> In any case, for most DSL users, the
>>> IP address is dynamic and shared.

>> It isnt with plenty, including mine.

> OK

>>>>> This scammer expected me to download the file,
>>>>> and run it, but, of course, I downloaded it onto Linux

>>>> And the site logs will show you doing that, and your ip.

>>>>> so it wouldn't run even if I accidentally hit it.

>>>>> So, I only visited the three sites he
>>>>> had mentioned (which are in the OP),

>>>> And every one of those will have a record of your ip.

>>> I don't think those sites are owned by the scammer company --
>> They don’t need to own it, just be able to view the logs.

> Yes, but I doubt that the scammer has that ability.

I bet he does.

> And the second site is legit, anyway.

Sure, but you only need one.

>>> it's smarter for them to distance themselves.

>> Its trivially easy to own a site anonymously.

>>> That's why they need the victim to give them the
>>> number the program produces so that they can link. If you
>>> don't run the program, they don't know your IP address.

>> That is just plain wrong with web sites visited.

> Really?

Yep.

> "Which downloaded the 764KB file, named:
> 764184 Aug 26 09:28 AA_v3.exe

> Which, a "file" command on Linux says is: AA_v3.exe:
> PE32 executable (GUI) Intel 80386, for MS Windows

> I was supposed to click on that file and then hit Run, and then give
> him the 8-digit number starting with 39 that comes out of it.."

What matters is where it came from, not the file itself.
John
2014-08-26 22:22:26 UTC
Permalink
On Tue, 26 Aug 2014 20:22:13 +0000 (UTC), Ned Turnbull
<***@example.com> wrote:

>On Tue, 26 Aug 2014 15:12:44 -0500, Recliner wrote:
>
>> Would the scammer have the IP address?
>
>I doubt it.
>
>This scammer expected me to download the file, and run it,
>but, of course, I downloaded it onto Linux so it wouldn't
>run even if I accidentally hit it.
>
>So, I only visited the three sites he had mentioned (which
>are in the OP), but that's it for my connection to the net.
>
>Of course, I did download the second file, from logmeinrescue,
>which seemed like a legit site.

It is, I used it to support a sister. It works with all major OSes.
To and from. All you need is a browser and their remote desktop log-in
file thingy.
>
>What was the scammer trying to get me to do with the
>logmeinrescue site?

Remote hack into your box.
It's a support service for people like me to help sisters, aunts and
dozy buggers.

> Is that a legit site?

Very much so.
It has competitors.
Teamviewer is one. "Join.me" is another, as is "pcAnywhere".
They are all good.
I used LMI because I go a free year with something I bought. It never
caused any issues with any machine I used it on. It even works between
machines in the same house.
But many people vastly prefer TeamViewer.
Or the Remote Desktop installed in Windows. Or Citrix.
J.
Ned Turnbull
2014-08-26 22:50:59 UTC
Permalink
On Tue, 26 Aug 2014 17:15:04 -0500, Recliner wrote:

> No, I really doubt that. In any case, for most DSL users, the IP address is
> dynamic and shared.

Mine is static.
Recliner
2014-08-26 23:00:56 UTC
Permalink
Ned Turnbull <***@example.com> wrote:
> On Tue, 26 Aug 2014 17:15:04 -0500, Recliner wrote:
>
>> No, I really doubt that. In any case, for most DSL users, the IP address is
>> dynamic and shared.
>
> Mine is static.

OK, mine changes each time I reboot the modem or when the line occasionally
stutters and reconnects. So it may be static for a few weeks, but not
long-term. I was going to suggest that you trigger that yourself, but in
any case, they know your name and address, which is more valuable to them.

But as they probably get rebuffed quite often (hence the swearing and angry
threats), I don't suppose they bear you any special grudge.
John
2014-08-26 22:08:54 UTC
Permalink
On Tue, 26 Aug 2014 18:23:08 +0000 (UTC), Ned Turnbull
<***@example.com> wrote:

>On Tue, 26 Aug 2014 19:17:40 +0100, Roger Mills wrote:
>
>> I can connect my tablet to a computer using USB, such that the tablet
>> appears to the computer as an external storage device. Using Windows
>> Explorer (or a better equivalent) I can then copy files to and fro - so
>> it is easy to copy one of these .WAV files to a PC.
>
>I should have been clearer.
>I can get the file from Android to Linux.
>But, how do I get it to the net so YOU can hear it?
>I don't want to give away who I am so I can't use "my" IP address.
>Especially after the f threats the guy gave me (remember he knew
>my name and address and said he'd f' up my family).

He's in India. Chances are he can't *get* to USAlia. If he could he
probably would have already.

>
>While I don't think he'd go so far, I wouldn't want to be
>so cocky that I don't do a bit of protection.

Very wise.

>
>So, the question is mostly:
>a) How do I get it from Linux to the net,

Dropbox like thing. Browser. Upload.

>b) Without using "my" IP address.

I have never typed this, I have nothing to do with it and I know
nothing about it but you could try a proxyfier like HideMyAss (yes, I
know it's about donkeys but trust me it works, not that *I* would ever
use it).
Other services, like TOR and many, many others are available.
Though *I* never suggested them.
J.

>
>Does Youtube take audio files (it's not a video)?
Ned Turnbull
2014-08-26 18:41:07 UTC
Permalink
On Tue, 26 Aug 2014 19:17:40 +0100, Roger Mills wrote:

> I don't know whether this will work for you but, on my
> Nexus-10 Android tablet, I installed an App called
> ES File Explorer

I have ES File Explorer, but on Linux, I just plug in the
Android phone to a USB port, and I can access all the
phone folders, where I find the file under "Sounds"
and it's titled "Voice 001.amr".

On Linux, when I click on the AMR, up comes the audio
in my default video player.

I just need to remove my name and address (I'll try audacity),
and then I need to upload the file so you guys can hear it.

Two basic questions:
a. What FORMAT do you suggest I convert to (handbrake?)
b. How do I upload to the net so you can hear it?
c. I want to do that anonymously (of course).

Then I can post the URL in this thread.
Ned Turnbull
2014-08-26 19:22:43 UTC
Permalink
On Tue, 26 Aug 2014 18:41:07 +0000, Ned Turnbull wrote:

> a. What FORMAT do you suggest I convert to (handbrake?)

Unfortunately, Handbrake wouldn't convert the 3MB AMR file
from Android's Voice Recorder.

Handbrake kept thinking it was a video file.

What converter would you use and what format would
you convert it to before uploading?

BTW, how do I find the maker of "Voice Recorder"?
I can't seem to find the same icon on Google Play to
tell you exactly *which* voice recorder it is.
http://oi57.tinypic.com/n6u7o6.jpg

Is there a way to find the voice recorder maker and
version somehow in Android?

When I go to the application manager, App Info,
all it says is "Voice Recorder" "Version 0.1".

How do I tell you what the brand name is for this
voice recorder (which creates those AMR files)?
John Hasler
2014-08-26 18:40:26 UTC
Permalink
Ned Turnbull writes:
> 1. What are they after? (yes, I know it's a scam, but, what?)

They want to install malware on your computer. It would add your
machine to a botnet and also search it for anything they might be able
to use such as passwords, bank account numbers, personal information
that they can use to open credit accounts with, etc. There is probably
a keylogger. They would also try to get you to give them credit card
numbers over the phone if they ever got that far. The malware would
also cripple your Windows installation and pop up crap urging you to
call them for more "help".

Yes, of course it's illegal. It's an attempt at criminal fraud, a
felony.
--
John Hasler
***@newsguy.com
Dancing Horse Hill
Elmwood, WI USA
Aaron2
2014-08-26 19:07:34 UTC
Permalink
Ned Turnbull <***@example.com> wrote:

>Today, I got the second of my "official" Windows Support Calls,
>from an Indian-accented guy wanting me to download software because
>my machine has been 'sending them messages'.
>
>...and did everything he asked.
>I kept him going for 33 minutes, until he finally started swearing
>at me (actually using the f word and saying he was going to f my
>mother, daughter, etc.).

Unless you enjoy messing with unknown people you would be wise to just
hang up. While he probably lives in India as you suggest, he may not.
And he might just be a kook that makes you his project. He knows your
phone number and you have no idea who he is. And I'll bet you're not
as anonymous on the net as you might think. I doubt you will save many
others from the scam with your recording since it is already pretty
well known.
Java Jive
2014-08-26 19:10:16 UTC
Permalink
Complain to your phone provider, demand that they trace the call and
block the numbers from that source. Send them a copy of the recording
as proof. If you don't get satisfaction, complain to Ofcom, again
including a copy of the transcript.

5 or so years ago, I emailed my mobile number to a friend. About 4
hours later I started to get porn text spams on it, and, since I knew
that I could trust my friend as he was a technical guy, I concluded
that someone was trawling emails as they crossed the web. I
complained to my phone provider, explaining my grounds for my
suspicions and demanding that they stop the spams, which they did
pretty quickly. There was also a regulatory support system that you
could complain to, and I followed it up there as well. I'm afraid I
can't remember the organisation, it may have been Ofcom, or it may
have been some intermediate authority or trade organisation, but there
definitely exists a method of complaint for things like this, which
you should be able find, as I originally did, by searching for it.

Nowadays, whenever I send anything like a password or phone number in
an email, I always mung it by putting dud characters in between the
meaningful characters, which seems to be enough to prevent the trawls
finding them.

On Tue, 26 Aug 2014 17:15:29 +0000 (UTC), Ned Turnbull
<***@example.com> wrote:
>
> On Android, I recorded the entire call, from when he asked my
> name and address (yes, it was correct, so, we need to find out
> *where* they are getting that info) down to the names of the
> machines and files.
>
> Unfortunately, I recorded on a smartphone, using Android Voice
> Recorder, so, all I want to know is what's the best way to upload
> that file so that others can benefit.
--
=========================================================
Please always reply to ng as the email in this post's
header does not exist. Or use a contact address at:
http://www.macfh.co.uk/JavaJive/JavaJive.html
http://www.macfh.co.uk/Macfarlane/Macfarlane.html
. . .winston
2014-08-26 19:44:44 UTC
Permalink
Ned Turnbull wrote:

> 4. Is this illegal enough to call the police?
>
> Lastly:
> 5. How best do I upload that file, so you can hear it?
>

4. That would assume your local police have the ability to do something
about a person/outfit in another country.

5. Waste of time.


--
...winston
msft mvp consumer apps
Paul
2014-08-26 19:58:36 UTC
Permalink
. . .winston wrote:
> Ned Turnbull wrote:
>
>> 4. Is this illegal enough to call the police?
>>
>> Lastly:
>> 5. How best do I upload that file, so you can hear it?
>>
>
> 4. That would assume your local police have the ability to do something
> about a person/outfit in another country.
>
> 5. Waste of time.

If they were to insert malware on the computer,
a different set of statues is involved, the end result
includes "reaching over and yanking domains". The Microsoft
hit squad would go after them.

These computer criminals know this, and limit
themselves to "Event Viewer" scams and
"give me your credit card number and I'll fix it".
This is fraud, and we can't touch the perps from here.
Only a policeman in the country in question could help.
And the policeman probably gets a cut of the action.

The scam would not have lasted this long, if there was
effective leverage one way or another.

Paul
Rod Speed
2014-08-26 20:09:28 UTC
Permalink
"Paul" <***@needed.com> wrote in message
news:ltiotd$fh5$***@dont-email.me...
> . . .winston wrote:
>> Ned Turnbull wrote:
>>
>>> 4. Is this illegal enough to call the police?
>>>
>>> Lastly:
>>> 5. How best do I upload that file, so you can hear it?
>>>
>>
>> 4. That would assume your local police have the ability to do something
>> about a person/outfit in another country.
>>
>> 5. Waste of time.
>
> If they were to insert malware on the computer,
> a different set of statues is involved, the end result
> includes "reaching over and yanking domains".

Nope.

> The Microsoft hit squad would go after them.

Microsoft already knows about them and
clearly can't do anything useful about them.

> These computer criminals know this, and limit
> themselves to "Event Viewer" scams and
> "give me your credit card number and I'll fix it".
> This is fraud, and we can't touch the perps from here.
> Only a policeman in the country in question could help.
> And the policeman probably gets a cut of the action.

> The scam would not have lasted this long, if there was effective leverage
> one way or another.

Precisely.
Justin
2014-08-26 22:41:21 UTC
Permalink
On 8/26/14, 4:09 PM, Rod Speed wrote:
>
>
> "Paul" <***@needed.com> wrote in message
>> The Microsoft hit squad would go after them.
>
> Microsoft already knows about them and
> clearly can't do anything useful about them.

Yes they can; sue in whatever country they wish. All those billion$ and
they choose to ignore the problem.
It is not in Microsoft's best interests to have a secure OS, nor is it
cost effective. Software developers are one of the only companies that
aren't responsible for design flaws in their product. If somebody
remotely takes control of your car and turns off the brakes - one can
sue the manufacturer. If somebody hacks into that new Windows Server
2012 and sets up their own little cache of bullshit... nope. The EULA
states MSFT is not responsible.
Rod Speed
2014-08-26 23:01:20 UTC
Permalink
Justin <***@ireallyhatespam.edu> wrote
> Rod Speed wrote
>> Paul <***@needed.com> wrote

>>> The Microsoft hit squad would go after them.

>> Microsoft already knows about them and
>> clearly can't do anything useful about them.

> Yes they can; sue in whatever country they wish.

You clearly don’t have a clue how the Indian legal system works.

> All those billion$ and they choose to ignore the problem.

Because there is nothing useful they can do about it.

> It is not in Microsoft's best interests to have a secure OS,

Bullshit. And we arent talking about a secure OS anyway.

> nor is it cost effective.

Even sillier than you usually manage. It
clearly is cost effective for Apple with iOS.

> Software developers are one of the only companies that aren't responsible
> for design flaws in their product.

Even sillier than you usually manage.

Try telling that to Airbus and watch them
point at you and piss themselves laughing.

> If somebody remotely takes control of your car and turns off the brakes -
> one can sue the manufacturer.

And you can do that if it’s a software problem that allows that too.

> If somebody hacks into that new Windows Server 2012 and sets up their own
> little cache of bullshit... nope.

Even sillier than you usually manage. Not only
doing that illegal, it can be and is prosecuted
routinely when they do something that matters.

> The EULA states MSFT is not responsible.

Doesn’t matter a damn what the EULA says, MS is anyway.
Justin
2014-08-27 01:50:18 UTC
Permalink
On 8/26/14, 7:01 PM, Rod Speed wrote:
> Justin <***@ireallyhatespam.edu> wrote
>> Rod Speed wrote
>>> Paul <***@needed.com> wrote
>
>>>> The Microsoft hit squad would go after them.
>
>>> Microsoft already knows about them and
>>> clearly can't do anything useful about them.
>
>> Yes they can; sue in whatever country they wish.
>
> You clearly don’t have a clue how the Indian legal system works.

Correct, I don't know how the Indian legal system works. I imagine the
Dalits don't have any rights. But if he's American, that's where the
crime occurred, and that's the legal system that applies. If he's in
the UK, then that legal system applies.
I know it's hard for a techie to understand real world issues but give
it a whirl, it doesn't take much effort.
Rod Speed
2014-08-27 03:50:16 UTC
Permalink
Justin <***@ireallyhatespam.edu> wrote
> Rod Speed wrote
>> Justin <***@ireallyhatespam.edu> wrote
>>> Rod Speed wrote
>>>> Paul <***@needed.com> wrote

>>>>> The Microsoft hit squad would go after them.

>>>> Microsoft already knows about them and
>>>> clearly can't do anything useful about them.

>>> Yes they can; sue in whatever country they wish.

>> You clearly don’t have a clue how the Indian legal system works.

> Correct, I don't know how the Indian legal system works. I imagine the
> Dalits don't have any rights.

You're wrong.

> But if he's American, that's where the crime occurred, and that's the
> legal system that applies.

But isnt the legal system that will be dealing with the crime.

> If he's in the UK, then that legal system applies.

But isnt the legal system that will be dealing with the crime.

> I know it's hard for a techie to understand real world issues but give it
> a whirl, it doesn't take much effort.

You failed miserably at that.
Robert Newson
2014-08-27 11:29:19 UTC
Permalink
On 27/08/14 02:50, Justin wrote:
...
>> You clearly don’t have a clue how the Indian legal system works.
>
> Correct, I don't know how the Indian legal system works. I imagine the
> Dalits don't have any rights. But if he's American, that's where the
> crime occurred, and that's the legal system that applies. If he's in
> the UK, then that legal system applies.

Actually yes...and no.

If the scam originates outside the UK then you enter the murky world of
cross-border enforcement. I had a problem with "foreign" scammers going
after my deceased mother; in complaining to the authorities it was
eventually "dropped" as it went cross-border and the cross-border
authority couldn't be bothered (reading between the lines).

I say "foreign" in quotes as it is possible that the trail could lead
back to UK scammers using a foreign address to muddy the trail.
Ned Turnbull
2014-08-27 02:05:16 UTC
Permalink
On Tue, 26 Aug 2014 21:50:18 -0400, Justin wrote:

> I know it's hard for a techie to understand real world issues but give
> it a whirl, it doesn't take much effort.

I'm in California.
Marek has the file.
He will take it from here on the upload.
John Hasler
2014-08-26 22:00:24 UTC
Permalink
Paul writes:
> The scam would not have lasted this long, if there was effective
> leverage one way or another.

Don't assume that there is only one set of perps. There may be many of
them competing, as with the "Credit Card Services" racket. There may
also be somebody out there marketing a support call scam package. The
suckers who buy it may end up going bust or getting busted but in the
criminal world as elsewhere there's one born every minute.
--
John Hasler
***@newsguy.com
Dancing Horse Hill
Elmwood, WI USA
Rod Speed
2014-08-26 19:44:27 UTC
Permalink
Ned Turnbull <***@example.com> wrote

> Today, I got the second of my "official" Windows Support Calls,

I've had dozens of them.

> from an Indian-accented guy wanting me to download software
> because my machine has been 'sending them messages'.

> So, I went onto Linux (for safety), and did everything he asked.
> I kept him going for 33 minutes, until he finally started swearing
> at me (actually using the f word and saying he was going to f my
> mother, daughter, etc.).

> On Android, I recorded the entire call, from when he asked my
> name and address (yes, it was correct, so, we need to find out
> *where* they are getting that info) down to the names of the
> machines and files.

> Unfortunately, I recorded on a smartphone, using Android Voice
> Recorder, so, all I want to know is what's the best way to upload
> that file so that others can benefit.

> Mainly, we want to:
> a) Warn others
> b) Come up with valid answers so that we waste their time

> For example, they had me go to the web site:
> www (dot) windowscare (dot) us
> Which brought me to:
> http:// www (dot) windowscare (dot) us/microsoft.com/

> And download a file, which actually came from:
> www (dot) ammyy (dot) com

> Which downloaded the 764KB file, named:
> 764184 Aug 26 09:28 AA_v3.exe

> Which, a "file" command on Linux says is:
> AA_v3.exe: PE32 executable (GUI) Intel 80386, for MS Windows

> I was supposed to click on that file and then hit Run,
> and then give him the 8-digit number starting with 39
> that comes out of it.

> Of course, I did everything on Linux, so, nothing happened,
> but, I gave him a false number for a few times, and he caught
> that. At first, he didn't get mad, and he had me close down
> and start up Windows in safe mode (which I had to find a
> Windows machine to do that so that it made the right noises).

> Hint to self: Remind me to record windows noises on Linux for
> the next call that comes in.

> In safe mode, he had me go to the logmeinrescue web site:
> https://secure (dot) logmeinrescue (dot) com/Customer/Code.aspx

> Where he told me to type in this 6-digit code 106536.
> https://secure (dot) logmeinrescue (dot)
> com/Customer/TrialWarning.aspx?code=106536

> Interestingly, the site said specifically *not* go enter a
> number given by an unsolicited technical support person, but,
> of course, I was running on Linux so I didn't worry (but I did
> mention that to the guy, and he glossed over it, heh heh).

> That downloaded the file:
> 1529152 Aug 26 09:51 Support-LogMeInRescue.exe
> Which the Linux "file" command reports as:
> Support-LogMeInRescue.exe: PE32 executable (GUI) Intel 80386, for MS
> Windows

> At this point, there was another tirade with the f word, as
> he had invested nearly a half hour in me, and I couldn't
> tell him what I saw.

> He was looking for a client window session of some sort.

> Anyway, I have a few questions:
> 1. What are they after? (yes, I know it's a scam, but, what?)

Money. A mate of mine has just gone even further than
you did and eventually got an address to send money
to using Western Union.

> 2. What's a "valid" 8-digit number starting with 39?
> 3. What "should" I have seen (so I can get more info from them)?
> 4. Is this illegal enough to call the police?

That varys with the jurisdiction, but yes, usually.

Not that they will take any action in yours or my mates case
tho, they have better things to do with their time and they
know about these operations already.

> Lastly:
> 5. How best do I upload that file, so you can hear it?

Just put it on dropbox or wherever is convenient for you.
Ken Blake
2014-08-26 20:20:16 UTC
Permalink
On Wed, 27 Aug 2014 05:44:27 +1000, "Rod Speed"
<***@gmail.com> wrote:

> Ned Turnbull <***@example.com> wrote
>
> > Today, I got the second of my "official" Windows Support Calls,
>
> I've had dozens of them.

It's interesting that you, and lots of others, have had many calls,
but I've never had a single one.

I guess I'm just lucky. <g>
Recliner
2014-08-26 20:24:21 UTC
Permalink
Ken Blake <***@kb.invalid> wrote:
> On Wed, 27 Aug 2014 05:44:27 +1000, "Rod Speed"
> <***@gmail.com> wrote:
>
>> Ned Turnbull <***@example.com> wrote
>>
>>> Today, I got the second of my "official" Windows Support Calls,
>>
>> I've had dozens of them.
>
> It's interesting that you, and lots of others, have had many calls,
> but I've never had a single one.
>
> I guess I'm just lucky. <g>

I don't get them any more as I use call screening. If someone hides his
caller ID and isn't prepared to leave a message, I assume it's a call I
don't want to take.
Rod Speed
2014-08-26 22:01:57 UTC
Permalink
Ken Blake <***@kb.invalid> wrote
> Rod Speed <***@gmail.com> wrote
>> Ned Turnbull <***@example.com> wrote

>> > Today, I got the second of my "official" Windows Support Calls,

>> I've had dozens of them.

> It's interesting that you, and lots of others, have
> had many calls, but I've never had a single one.

> I guess I'm just lucky. <g>

Or you do things differently than I do. I still have a
landline and get most of my calls on that and do
answer most incoming calls, even when they do
not present their caller id, essentially because
I have got a number of calls that I have been
glad I got because I have answered them.

I am on my country's do no call register, and that
has stopped the absolute vast bulk of spam calls,
but obviously not the worst of the criminals.
Recliner
2014-08-26 22:09:46 UTC
Permalink
"Rod Speed" <***@gmail.com> wrote:
> Ken Blake <***@kb.invalid> wrote > Rod Speed <***@gmail.com> wrote
>>> Ned Turnbull <***@example.com> wrote
>
>>>> Today, I got the second of my "official" Windows Support Calls,
>
>>> I've had dozens of them.
>
>> It's interesting that you, and lots of others, have > had many calls,
>> but I've never had a single one.
>
>> I guess I'm just lucky. <g>
>
> Or you do things differently than I do. I still have a
> landline and get most of my calls on that and do answer most incoming
> calls, even when they do
> not present their caller id, essentially because I have got a number of
> calls that I have been
> glad I got because I have answered them.
> I am on my country's do no call register, and that has stopped the
> absolute vast bulk of spam calls, but obviously not the worst of the criminals.

Wouldn't any of those legit callers have started to leave a message, and
you then just pick up the phone? Your message could even make clear that
they have to do that to get you to pick up. That's what call screening is
for.
Rod Speed
2014-08-26 22:30:32 UTC
Permalink
Recliner <recliner2-***@yahoo.co.uk> wrote
> Rod Speed <***@gmail.com> wrote
>> Ken Blake <***@kb.invalid> wrote
>>> Rod Speed <***@gmail.com> wrote
>>>> Ned Turnbull <***@example.com> wrote

>>>>> Today, I got the second of my "official" Windows Support Calls,

>>>> I've had dozens of them.

>>> It's interesting that you, and lots of others, have
>>> had many calls, but I've never had a single one.

>>> I guess I'm just lucky. <g>

>> Or you do things differently than I do. I still have
>> a landline and get most of my calls on that and
>> do answer most incoming calls, even when they
>> do not present their caller id, essentially because
>> I have got a number of calls that I have been
>> glad I got because I have answered them.

>> I am on my country's do no call register, and that has stopped the
>> absolute vast bulk of spam calls, but obviously not the worst of the
>> criminals.

> Wouldn't any of those legit callers have started to
> leave a message, and you then just pick up the phone?

Many of them wouldn’t have and I don’t usually leave
a message myself, essentially because most of those
who I do call don’t actually have voicemail, particularly
on their landline, and plenty of them move around a
lot so they may well not even get the message very
quickly and its better to try what other numbers I have
for them. One bugger has quite literally a landline,
FIVE voip numbers, THREE cellphone/mobile numbers,
a skype and facebook accounts, all of which can do
voice calls. I get close to that myself and I do disable
the ringer on my landline and voip line and facebook
when I sleep during the day. And turn my mobile/cellphone
off when I'm not actually using it so I don’t have to
charge it so often. And one of the garage/yardsale
regulars is such a technoklutz that she is quite incapable
of getting it thru her head that she should be calling
me on my landline and not my mobile number
except during the garage/yard sale run and is
quite capable of accidentally calling me on her
HTC mobile accidentally and I get to hear her
raving on to someone else that she is talking
to and has accidentally included me in a
conference call with that dog of an HTC UI wise.

> Your message could even make clear that
> they have to do that to get you to pick up.

That doesn’t work when I have turned the
ringer off when I want to sleep during the
day which I do every single day.

> That's what call screening is for.

But as I say plenty don’t bother to leave
a message, for very good reasons and
I prefer not to jerk people around like that.

Plenty still can't present their caller ID,
particularly with voip services that so
many have moved to today, and our
mobile system suppresses the caller ID
by default because that’s the way the
stupid legislators have legislated.
Ken Blake
2014-08-26 23:23:04 UTC
Permalink
On Wed, 27 Aug 2014 08:01:57 +1000, "Rod Speed"
<***@gmail.com> wrote:

> Ken Blake <***@kb.invalid> wrote
> > Rod Speed <***@gmail.com> wrote
> >> Ned Turnbull <***@example.com> wrote
>
> >> > Today, I got the second of my "official" Windows Support Calls,
>
> >> I've had dozens of them.
>
> > It's interesting that you, and lots of others, have
> > had many calls, but I've never had a single one.
>
> > I guess I'm just lucky. <g>
>
> Or you do things differently than I do. I still have a
> landline


You probably don't call what I have a "landline"; it's a VoIP line.
That's likely to be a good part of the reason I don't get them.


> and get most of my calls on that and do
> answer most incoming calls, even when they do
> not present their caller id, essentially because
> I have got a number of calls that I have been
> glad I got because I have answered them.


The phone on my desk has caller ID, but it doesn't work. So I also
answer all the calls I get (but I get very few).
Rod Speed
2014-08-26 23:48:40 UTC
Permalink
Ken Blake <***@kb.invalid> wrote
> Rod Speed <***@gmail.com> wrote
>> Ken Blake <***@kb.invalid> wrote
>>> Rod Speed <***@gmail.com> wrote
>>>> Ned Turnbull <***@example.com> wrote

>>>>> Today, I got the second of my "official" Windows Support Calls,

>>>> I've had dozens of them.

>>> It's interesting that you, and lots of others, have
>>> had many calls, but I've never had a single one.

>>> I guess I'm just lucky. <g>

>> Or you do things differently than I do. I still have a landline

> You probably don't call what I have a "landline"; it's a VoIP line.

Yes, that's a voip line. The main problem with not having a
proper landline is that people can't find you using the phone
book and I have had some people who I want to communicate
with call me that way, either because I have not communicated
with them for years or decades, or because the shit has hit the
fan at their end and they know they can use the phone book
to get my number if they need to when the shit has hit the fan.

> That's likely to be a good part of the reason I don't get them.

Yes, I don't get any on my voip lines, essentially because
those don't have indial numbers and only other customers
of that VSP can actually call me on those lines.

>> and get most of my calls on that and do
>> answer most incoming calls, even when they do
>> not present their caller id, essentially because
>> I have got a number of calls that I have been
>> glad I got because I have answered them.

> The phone on my desk has caller ID, but it doesn't work.

Both the landline cordless and the voip cordless do and they both work.

> So I also answer all the calls I get (but I get very few).

I get heaps on my mobile/cellphone, but that's because
we coordinate the garage/yard sale opening times that
way now instead of wasting petrol tearing around in
convoy a full hour before the advertised opening time.

Get almost no spam calls on my mobile/cellphones because
it costs significantly more to call them in our system.

Plenty of those I know only have a mobile/cellphone now.
dadiOH
2014-08-27 10:12:10 UTC
Permalink
"Ken Blake" <***@kb.invalid> wrote in message
news:***@4ax.com
> On Wed, 27 Aug 2014 05:44:27 +1000, "Rod Speed"
> <***@gmail.com> wrote:
>
> > Ned Turnbull <***@example.com> wrote
> >
> > > Today, I got the second of my "official" Windows Support Calls,
> >
> > I've had dozens of them.
>
> It's interesting that you, and lots of others, have had many calls,
> but I've never had a single one.
>
> I guess I'm just lucky. <g>

No, your machine is just not sending them messages :)

--

dadiOH
____________________________

Winters getting colder? Tired of the rat race?
Taxes out of hand? Maybe just ready for a change?
Check it out... http://www.floridaloghouse.net
Ned Turnbull
2014-08-26 20:36:14 UTC
Permalink
On Tue, 26 Aug 2014 13:40:26 -0500, John Hasler wrote:

> They want to install malware on your computer.

I think the first web site was that attempt, and the
second web site was an attempt to log into my computer
directly, since I wasn't seeing what he expected me to
see.

Anyway, the problem now is only how to blank out my
name and address from the recording, before I email it
to Marek to upload (or someone gives me an anonymous
way to upload a 3MB audio file).

Anyway, I have the name selected in Audacity:
http://oi62.tinypic.com/30bgrd4.jpg

But, how do I beep it out?
Ned Turnbull
2014-08-26 20:48:44 UTC
Permalink
On Wed, 27 Aug 2014 05:44:27 +1000, Rod Speed wrote:

> Just put it on dropbox or wherever is convenient for you.

I'm going to email it to Marek, but first I am trying
to beep out my name and address.

I have done the following so far in Audacity:
0. File->Open->windows_technical_support_phone_scam.amr
1. I hit the "Play" button.
2. I hit the pause button at point a (my name is mentioned there)
3. Edit->Select->Left at Playback Position
4. I hit the "Play" button.
5. I hit the pause button at point b (where I say "yes").
6. ????

Now what do I do in Audacity to beep out the selected area?
Ned Turnbull
2014-08-26 21:31:42 UTC
Permalink
On Tue, 26 Aug 2014 20:48:44 +0000, Ned Turnbull wrote:

> I have done the following so far in Audacity:
> 0. File->Open->windows_technical_support_phone_scam.amr
> 1. I hit the "Play" button.
> 2. I hit the pause button at point a (my name is mentioned there)
> 3. Edit->Select->Left at Playback Position
> 4. I hit the "Play" button.
> 5. I hit the pause button at point b (where I say "yes").
> 6. ????

Audacity must have the absolute least intuitive *selection*
mechanism of any free software on the planet!

I can easily select with the mouse, but, that is a gross
selection. You can't even get close.

Everything I try deletes all the stuff I didn't select!

What is the simple trick, in audacity, to select an area
within a half second or so, and then just remove the audio?

I think I can remove the audio. But Audacity must have the
least intuitive *selection* mechanism on the entire planet!
Gene E. Bloch
2014-08-26 23:08:09 UTC
Permalink
On Tue, 26 Aug 2014 21:31:42 +0000 (UTC), Ned Turnbull wrote:

> On Tue, 26 Aug 2014 20:48:44 +0000, Ned Turnbull wrote:
>
>> I have done the following so far in Audacity:
>> 0. File->Open->windows_technical_support_phone_scam.amr
>> 1. I hit the "Play" button.
>> 2. I hit the pause button at point a (my name is mentioned there)
>> 3. Edit->Select->Left at Playback Position
>> 4. I hit the "Play" button.
>> 5. I hit the pause button at point b (where I say "yes").
>> 6. ????
>
> Audacity must have the absolute least intuitive *selection*
> mechanism of any free software on the planet!
>
> I can easily select with the mouse, but, that is a gross
> selection. You can't even get close.
>
> Everything I try deletes all the stuff I didn't select!
>
> What is the simple trick, in audacity, to select an area
> within a half second or so, and then just remove the audio?
>
> I think I can remove the audio. But Audacity must have the
> least intuitive *selection* mechanism on the entire planet!

If you expand your selection, the job becomes easy.

In Audacity you can select down to the millisecond.

At the moment, I don't have it on my screen, so I'll let you research
it.

--
Gene E. Bloch (Stumbling Bloch)
Aleksandar Kuktin
2014-08-26 21:52:15 UTC
Permalink
On Tue, 26 Aug 2014 17:15:29 +0000, Ned Turnbull wrote:

> Today, I got the second of my "official" Windows Support Calls,
> from an Indian-accented guy wanting me to download software because my
> machine has been 'sending them messages'.
>
> So, I went onto Linux (for safety), and did everything he asked.
> I kept him going for 33 minutes, until he finally started swearing at me
> (actually using the f word and saying he was going to f my mother,
> daughter, etc.).

I'd ask if you have a daughter, but the odds of you having one are
probably somewhere north of 70%, as they are for all people with at least
two children (assuming you have at least two).

> On Android, I recorded the entire call, from when he asked my name and
> address (yes, it was correct, so, we need to find out *where* they are
> getting that info) down to the names of the machines and files.

Do you have an account on any one of the myriad Web-2.0 sites that got
cracked in the last few years? That's a rhetorical question, if you have
any account anywhere, data on you has been pilfered at least once. These
things are then cross-referenced, compiled, cut up into chunks and sold
on the market.

As an illustration, my e-mail was on one of those lists and I have been
getting spam for years. Then one day, the spammers closed shop, but
before they went into the night, they sent one last spam message
advertising the sale of their spam list. To the people they were spamming.
Sure enough, a little while later, several new and different types of spam
messages began ariving - a clear signal at least one sale had been closed
and cleared.

> [snip]
>
> Mainly, we want to:
> a) Warn others b) Come up with valid answers so that we waste their time

*WE* want to? I thought you were in this alone.

> [snip]
>
> Which downloaded the 764KB file, named:
> 764184 Aug 26 09:28 AA_v3.exe

You should really post three things with these names: (1) the size in
bytes, (2) MD5 checksum and (3) SHA1 checksum. With those three
datapoints, the file can be quickly and easily identified.

> [snip]
>
> He was looking for a client window session of some sort.
>
> Anyway, I have a few questions:
> 1. What are they after? (yes, I know it's a scam, but, what?)

The most difficult question to answer. I principle, it depends on what
you have and they may want.

The usual answers boil down to money access, usually via credit cards.
Other than that, there exist options for direct monetary gain using other
methods. For example, extortion. They film you doing something private
and ask for money in return for not publishing it.

The most interesting option revolves around your work. Maybe you work in
a high-profile business? Maybe you are some kind of a manager or exec or
have access (and store on your computer) managerial or exec-ial
documents? Of paticular interest are various top secret documents like
the *ACTUAL* balance sheet and not the crap spoonfed to shareholders.
Failing that, maybe you work with non-public technology? Are you a
developer who uses the same laptop for work and leisure?

Maybe they just want to install a "presence" software, to be used at same
later date, if the circumstances call for it. Maybe they market
themselves as "intel-brokers", maybe an industrial espionage business.
Then, if they get a request for your company, they activate the software
to snatch up the target stuff, and deliver the goods to the customer.

It's really hard to tell, there are just too many options.

> 2. What's a "valid" 8-digit number starting with 39?

Maybe 39 is a country code of some kind? Maybe the number is a serial
number, or some kind of an identifier? BIOS version? Who knows, the
modern PC is a network of many, many computers and any one of those may
be a target.

> 3. What "should" I have seen (so I can get more info from them)?

If you really want to know, run the program and see for yourself. Just
make sure you do it properly (virtual machines and all that). The only
way someone here would know is if they themselves ran the program and
somehow remember what the output looked like.

Also, are you *expecting* a third call from them? Are you a honeypot? :)

> 4. Is this illegal enough to call the police?

Always worry about your own ass first. What you should really be asking
yourself is if what YOU are doing is illegal enough in your jurisdiction
that your own police would rather deal with you that with the actual
criminals. Remember, this is not your fathers police anymore (see:
Ferguson. Doesn't matter if you are not living is USA, its similar in
other parts of the world as well).

What they are doing is enough to get them in trouble but (IANAL) not
enough trouble that they would end up in jail. Remember - they didn't get
anything out from you which means they never actually scammed you which
means they never committed a crime. They only tried to. ;)

> [snip]
Ned Turnbull
2014-08-27 01:46:59 UTC
Permalink
On Tue, 26 Aug 2014 21:52:15 +0000, Aleksandar Kuktin wrote:

> You should really post three things with these names: (1) the size in
> bytes, (2) MD5 checksum and (3) SHA1 checksum. With those three
> datapoints, the file can be quickly and easily identified.

I'd be glad to.
I'll have to google how to get that information.
I'm on Kubuntu.

If someone tells me how to get that information for you,
I'll be glad to post it.
Paul
2014-08-27 02:13:15 UTC
Permalink
Ned Turnbull wrote:
> On Tue, 26 Aug 2014 21:52:15 +0000, Aleksandar Kuktin wrote:
>
>> You should really post three things with these names: (1) the size in
>> bytes, (2) MD5 checksum and (3) SHA1 checksum. With those three
>> datapoints, the file can be quickly and easily identified.
>
> I'd be glad to.
> I'll have to google how to get that information.
> I'm on Kubuntu.
>
> If someone tells me how to get that information for you,
> I'll be glad to post it.
>

Go to a Terminal, type in "md5sum <return>" and
"sha1sum <return>" and see how the package manager
or the command line respond. If the programs
are present, then they can speak for themselves.
If the programs are absent, some subsystem speaks
on behalf of the package manager, and tells you
what package the programs are in. It might
tell you "sudo apt-get install somepackage". That
sort of thing. You can also go to Synaptic and
look for "somepackage" if a package is named and
do it from there.

I got one of my Windows ones, here.

ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.exe

And Microsoft made a combo app called fciv.exe,
that does both computations at the same time.

http://support.microsoft.com/kb/841290

fciv -both somefile.ext

On Windows, the GNU versions may not run on a Windows 64
bit OS. The ancient md5sum.exe I have for example (source:unknown),
is a 16 bit program, and only runs on 32 bit Windows. Whereas
FCIV is 32 bit and runs on any Windows (within reason).

There are also separate packages that do many more
algorithms, so you don't have to get the single purpose
programs I've mentioned. It's just I would expect those
programs (md5sum and sha1sum) to be included on the distro.
But in some cases, you have to use package manager to
add them, as they're not present by default.

Paul
Ned Turnbull
2014-08-27 03:51:31 UTC
Permalink
On Tue, 26 Aug 2014 22:13:15 -0400, Paul wrote:

> Go to a Terminal, type in "md5sum <return>" and
> "sha1sum <return>"

I deleted the files, so I just went back just now to
download them again. The first file was still there,
but the second file came up with an expired 6-digit
code, so, I could only run the commands on the first
file.

Regarding this audio file, kindly uploaded by Marek:
- https://app.box.com/s/0yluyszg1qj2l83ynbm2

This is the web site they had me go to first:
- http:// www (dot) windowscare (dot) us
Which brought me to:
- http:// www (dot) windowscare (dot) us/microsoft.com/
(Calling their number, +1-845-241-1234, just allows a message.)

The caller directed me to click on the green "Get Support" button,
which downloaded a file, which actually came from:
- http:// www (dot) ammyy (dot) com

Which turned out to be the 764KB file, named:
- 764184 Aug 26 09:28 AA_v3.exe

$ md5sum AA_v3.exe
- f8cd52b70a11a1fb3f29c6f89ff971ec AA_v3.exe

$ sha1sum AA_v3.exe
- 6a0c46818a6a10c2c5a98a0cce65fbaf95caa344 AA_v3.exe

I understand that the checksums are unique numbers per file,
but, what will those two checksums actually tell us?
Rod Speed
2014-08-27 06:02:52 UTC
Permalink
"Ned Turnbull" <***@example.com> wrote in message
news:ltjkk3$7cb$***@news.mixmin.net...
> On Tue, 26 Aug 2014 22:13:15 -0400, Paul wrote:
>
>> Go to a Terminal, type in "md5sum <return>" and
>> "sha1sum <return>"
>
> I deleted the files, so I just went back just now to
> download them again. The first file was still there,
> but the second file came up with an expired 6-digit
> code, so, I could only run the commands on the first
> file.
>
> Regarding this audio file, kindly uploaded by Marek:
> - https://app.box.com/s/0yluyszg1qj2l83ynbm2
>
> This is the web site they had me go to first:
> - http:// www (dot) windowscare (dot) us
> Which brought me to:
> - http:// www (dot) windowscare (dot) us/microsoft.com/
> (Calling their number, +1-845-241-1234, just allows a message.)
>
> The caller directed me to click on the green "Get Support" button,
> which downloaded a file, which actually came from:
> - http:// www (dot) ammyy (dot) com
>
> Which turned out to be the 764KB file, named:
> - 764184 Aug 26 09:28 AA_v3.exe
>
> $ md5sum AA_v3.exe
> - f8cd52b70a11a1fb3f29c6f89ff971ec AA_v3.exe
>
> $ sha1sum AA_v3.exe
> - 6a0c46818a6a10c2c5a98a0cce65fbaf95caa344 AA_v3.exe
>
> I understand that the checksums are unique numbers per file,
> but, what will those two checksums actually tell us?

That it is the same file as another that gets the same checksums.
Paul
2014-08-27 07:18:39 UTC
Permalink
Ned Turnbull wrote:
> On Tue, 26 Aug 2014 22:13:15 -0400, Paul wrote:
>
>> Go to a Terminal, type in "md5sum <return>" and
>> "sha1sum <return>"
>
> I deleted the files, so I just went back just now to
> download them again. The first file was still there,
> but the second file came up with an expired 6-digit
> code, so, I could only run the commands on the first
> file.
>
> Regarding this audio file, kindly uploaded by Marek:
> - https://app.box.com/s/0yluyszg1qj2l83ynbm2
>
> This is the web site they had me go to first:
> - http:// www (dot) windowscare (dot) us
> Which brought me to:
> - http:// www (dot) windowscare (dot) us/microsoft.com/
> (Calling their number, +1-845-241-1234, just allows a message.)
>
> The caller directed me to click on the green "Get Support" button,
> which downloaded a file, which actually came from:
> - http:// www (dot) ammyy (dot) com
>
> Which turned out to be the 764KB file, named:
> - 764184 Aug 26 09:28 AA_v3.exe
>
> $ md5sum AA_v3.exe
> - f8cd52b70a11a1fb3f29c6f89ff971ec AA_v3.exe
>
> $ sha1sum AA_v3.exe
> - 6a0c46818a6a10c2c5a98a0cce65fbaf95caa344 AA_v3.exe
>
> I understand that the checksums are unique numbers per file,
> but, what will those two checksums actually tell us?
>

Visit virustotal.com . It has more uses than purely
checking for viruses. You can upload files. But
using the "Search" function, you can enter your SHA1
sum and see if they have a matching file. Here is the result.

https://www.virustotal.com/en/file/6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20/analysis/

File name: Ammyy Admin
Detection ratio: 7 / 53

AhnLab-V3 Unwanted/Win32.RemoteAdmin 20140826
Antiy-AVL RiskWare[RemoteAdmin:not-a-virus]/Win32.Ammyy 20140826
ESET-NOD32 a variant of Win32/RemoteAdmin.Ammyy.B 20140826
F-Prot W32/RemoteAdmin.Ammyy 20140826
Kaspersky not-a-virus:RemoteAdmin.Win32.Ammyy.ch 20140826
Kingsoft Win32.Troj.Ammyy.ch.(kcloud) 20140827
NANO-Antivirus Riskware.Win32.RemoteAdmin.dbybgd 20140826

It's for taking remote control of a PC, viewing
the screen at the other end of the link, and so on.
Like TeamViewer.

This is a typical web page on the subject. This site
specializes in giving roughly the same recipe for
each piece of unwanted software.

http://malwaretips.com/blogs/ammyy-virus-removal/

The experience to date seems to be (small sample size),
that they just want your credit card number. The machine
may have the remote control application, but they're
really not interested in going crazy with that. They
just want their $200, from anyone silly enough to not
reverse the charges.

A question would be, what kind of credit card processing
company, considers those jackels a legit business ? You
would think causing a lot of credit card reversals
would get noticed. And the processor or company would
get cut off.

You can also load checksums into Google, and search there.
For example, if there is an ISO you need, pumping in the
known checksum, helps you locate download sites.

Those are examples of what I use them for. Doing this
is also handy for detecting duplicate files. Such as
two files with different names, which have the same
content. If they have the same checksum, you know
they're the same file (with a relatively small
probability of error). MD5SUM and SHA1SUM don't cause
collisions too often, so are suited to finding
duplicates. A collision, is where two files have the
same checksum but the file contents are different.
While it is possible to use a plain arithmetic checksum,
these are a bit better than that. If you
used SHA256, the probability of making a mistake
while comparing files, would be even lower. It's
better than comparing a file, against all other
files, byte by byte. Once you identify duplicate
files, you still have the option of verifying by
doing a byte by byte comparison.

At one time, people used checksums for detecting
intrusions on computers. You would check each file,
and see if the checksum was different than it was
previously. That would help warn you that
the file was modified by someone. You keep a
manifest from Monday, then on Tuesday, recompute
all the checksums and compare them to the ones from
Monday. Some you will have changed yourself, but
some will be suspicious and warrant further checking.

Paul
Ned Turnbull
2014-08-27 13:24:02 UTC
Permalink
On Wed, 27 Aug 2014 03:18:39 -0400, Paul wrote:

> The experience to date seems to be (small sample size),
> that they just want your credit card number.

Thank you Paul for the explanation.

I now realize that the checksums are very good to know, because,
they are a great search term, in case the file name changes or
is common.

I googled the checksum, and found *many* hits, most of which
are, as you noted, early reports of the "malware" in the wild.

It's apparently something that either changes over time (this
one was version 3), or, that is a new'ish scam.
Aleksandar Kuktin
2014-08-27 07:36:20 UTC
Permalink
On Wed, 27 Aug 2014 03:51:31 +0000, Ned Turnbull wrote:

> [snip]
>
> Which turned out to be the 764KB file, named:
> - 764184 Aug 26 09:28 AA_v3.exe
>
> $ md5sum AA_v3.exe - f8cd52b70a11a1fb3f29c6f89ff971ec AA_v3.exe
>
> $ sha1sum AA_v3.exe - 6a0c46818a6a10c2c5a98a0cce65fbaf95caa344
> AA_v3.exe
>
> I understand that the checksums are unique numbers per file,
> but, what will those two checksums actually tell us?

Paul explained. With this information, if two people look at a file, they
can make sure they are looking at the same file. The probability of two
different files colliding on all three parameters is so low it can be
ignored.
Ned Turnbull
2014-08-27 13:19:25 UTC
Permalink
On Wed, 27 Aug 2014 07:36:20 +0000, Aleksandar Kuktin wrote:

>> I understand that the checksums are unique numbers per file,
>> but, what will those two checksums actually tell us?
>
> Paul explained. With this information, if two people look at a file,
> they can make sure they are looking at the same file. The probability of
> two different files colliding on all three parameters is so low it can
> be ignored.

I understand why the checksum is important now.

Thank you for explaining.

In fact, I googled the checksum, and found that *most* virusscanners
don't actually flag the file, but, that the file has been listed as
suspicious.

So, now I see *why* the checksum is useful!
John
2014-08-26 21:58:22 UTC
Permalink
On Tue, 26 Aug 2014 17:15:29 +0000 (UTC), Ned Turnbull
<***@example.com> wrote:

>Today, I got the second of my "official" Windows Support Calls,
>from an Indian-accented guy wanting me to download software because
>my machine has been 'sending them messages'.
>
>So, I went onto Linux (for safety), and did everything he asked.
>I kept him going for 33 minutes, until he finally started swearing

You are a very bad man and a cruel, cruel person.
And thank you for occupying the shit so he could not during that time
waste the time of any other person. Your devotion to your fellow
creatures is both appreciated and inspiring.

>at me (actually using the f word and saying he was going to f my
>mother, daughter, etc.).

Personally, I would have encouraged him. And my wife. Maybe my female
dog, too.
One is ashes floating down a river, one is ashes buried, and two are
slowly becoming soil. If an arsewipe wants to do any or all of them,
he is very welcome to drown, suffocate or whatever while doing so.


>
>On Android, I recorded the entire call, from when he asked my
>name and address (yes, it was correct, so, we need to find out
>*where* they are getting that info) down to the names of the
>machines and files.

Face/Twit? Online registration of your boxes for continued support?
Online purchases? There are many, many ways some of which involve
crooked employees sending the BadGuys a few million files for the
price of a beer.
Find out where your details have *EVER* been stored by a third party
and see if they have been hacked.


>
>Unfortunately, I recorded on a smartphone, using Android Voice
>Recorder, so, all I want to know is what's the best way to upload
>that file so that others can benefit.

whocallsme.co.uk might be useful for a first look if you have his
telephone number. Other sites like this are available.

This CNet article may help:

http://www.cnet.com/how-to/how-to-record-phone-calls/?tag=nl.e497&s_cid=e497&ttag=e497&ftag=CAD5920658


>
>Mainly, we want to:
>a) Warn others
>b) Come up with valid answers so that we waste their time

Try the archives of the USENet newsgroup alt.callahans for inventive
and amusing anecdotes about this fun activity. Also the "whocallsme"
pages. And the Mac newsgroups. Some of them are wonderful.


>
>For example, they had me go to the web site:
> www (dot) windowscare (dot) us
>Which brought me to:
> http:// www (dot) windowscare (dot) us/microsoft.com/
>
>And download a file, which actually came from:
> www (dot) ammyy (dot) com
>
>Which downloaded the 764KB file, named:
> 764184 Aug 26 09:28 AA_v3.exe
>
>Which, a "file" command on Linux says is:
> AA_v3.exe: PE32 executable (GUI) Intel 80386, for MS Windows
>
>I was supposed to click on that file and then hit Run,
>and then give him the 8-digit number starting with 39
>that comes out of it.
>
>Of course, I did everything on Linux, so, nothing happened,
>but, I gave him a false number for a few times, and he caught
>that. At first, he didn't get mad, and he had me close down
>and start up Windows in safe mode (which I had to find a Windows
>machine to do that so that it made the right noises).
>
>Hint to self: Remind me to record windows noises on Linux for
>the next call that comes in.

You could just record them on your phone using the article provided
above.

>
>In safe mode, he had me go to the logmeinrescue web site:
>https://secure (dot) logmeinrescue (dot) com/Customer/Code.aspx
>
>Where he told me to type in this 6-digit code 106536.
>https://secure (dot) logmeinrescue (dot) com/Customer/TrialWarning.aspx?code=106536
>
>Interestingly, the site said specifically *not* go enter a
>number given by an unsolicited technical support person, but,
>of course, I was running on Linux so I didn't worry (but I did
>mention that to the guy, and he glossed over it, heh heh).
>
>That downloaded the file:
> 1529152 Aug 26 09:51 Support-LogMeInRescue.exe
>Which the Linux "file" command reports as:
> Support-LogMeInRescue.exe: PE32 executable (GUI) Intel 80386, for MS Windows
>
>At this point, there was another tirade with the f word, as
>he had invested nearly a half hour in me, and I couldn't
>tell him what I saw.
>
>He was looking for a client window session of some sort.
>
>Anyway, I have a few questions:
>1. What are they after? (yes, I know it's a scam, but, what?)

Control of your box. He had a Logmein session running and was waiting
for you to use yours to "invite" him into your machine. Then he could
rummage around, plant ransomware, steal stuff and leave a zombie.
He would have control of your box *forever* pretty much.
From it, he could possibly beaver away at sucking in anything else
you have on a home network.
But the best instant prize would be your banking details if you use a
browser to do online banking. Prising open your bank accounts would be
nice, especially if his BadGuys created a new-account transfer to be
run as soon as you were paid and left everything else pretty much
alone until then.
Oh, dear, I can think like a crook ...


>2. What's a "valid" 8-digit number starting with 39?

Their "I'm-inviting-you-in" code from the original program. It's
specific to that program and is otherwise nonsense.
Like the Logmein code needed for a remote control session to work.


>3. What "should" I have seen (so I can get more info from them)?

Your cursor moving about for a while. Event Viewer opening and loads
of red error messages to terrify you into compliance. The red messages
slowly being "worked on" so you trust the evil little bastard.
Further "cleaning" of temporary files, caches and other crap that
truly has no effect on your machine but he would show you before and
after free-space numbers to explain how much space he had saved.
General housekeeping that a fucking *pigeon* could do but that isn't
worth bothering with most of the time.
Then he would freeze your side of the session on a good view and hack
away for a while.


>4. Is this illegal enough to call the police?

Yes but only if you think there's a chance of annoying the verminous
shite and his bosses. Especially the bosses.

>
>Lastly:
>5. How best do I upload that file, so you can hear it?

Dropbox would probably work for most.
4Shared.com or other online sites are available.
Use a favoured search engine for "online storage", "file upload" or
"share file".
If it's in any recognisable *nixxy format VLC for Windows will
probably play it for us.

http://forums.cnet.com/7723-6122_102-625394/computer-consultant-fraud-phoned-my-mom/?tag=nl.e497&s_cid=e497&ttag=e497&ftag=CAD5920658
might be worthwhile posting the linkie to the dropboxeed file on
there. And here.
Don't send the file itself to USENet. Not unless you send it to
alt.binaries.soundfiles or some other binaries group and send us a
linkie to the message-id.
hth,
J.
Justin
2014-08-26 22:34:11 UTC
Permalink
On 8/26/14, 1:15 PM, Ned Turnbull wrote:
> Today, I got the second of my "official" Windows Support Calls,
> from an Indian-accented guy wanting me to download software because
> my machine has been 'sending them messages'.
>
> So, I went onto Linux (for safety), and did everything he asked.
> I kept him going for 33 minutes, until he finally started swearing
> at me (actually using the f word and saying he was going to f my
> mother, daughter, etc.).
>
>
> Of course, I did everything on Linux, so, nothing happened,
> but, I gave him a false number for a few times, and he caught
> that. At first, he didn't get mad, and he had me close down
> and start up Windows in safe mode (which I had to find a Windows
> machine to do that so that it made the right noises).

Download VirtualBox. I can make you an image of a basic Windows 7
installation if you want.

>
> Anyway, I have a few questions:
> 1. What are they after? (yes, I know it's a scam, but, what?)
> 2. What's a "valid" 8-digit number starting with 39?
> 3. What "should" I have seen (so I can get more info from them)?
> 4. Is this illegal enough to call the police?

I don't know if you're in the US, but in my state it is illegal to
record phone calls, even if one party knows the call is being recorded.
I shit you not. Even if it is legal in one state, it falls under
federal wiretapping laws - this is what got Linda Tripp in trouble.

>
> Lastly:
> 5. How best do I upload that file, so you can hear it?
>

I'm very interested in hearing the conversation, BUT...
Make sure you edit out your name - even your first name. Maybe upload
to a public proxy - nothing that can link you to what may be a federal
crime - wiretapping (see above).
These laws are stupid, outdated and get plenty of innocent people in
major trouble.
nospam
2014-08-27 00:43:43 UTC
Permalink
In article <ltj215$itn$***@dont-email.me>, Justin
<***@ireallyhatespam.edu> wrote:

> I don't know if you're in the US, but in my state it is illegal to
> record phone calls, even if one party knows the call is being recorded.
> I shit you not. Even if it is legal in one state, it falls under
> federal wiretapping laws - this is what got Linda Tripp in trouble.

federal law requires at least one party knows they're being recorded.

some states require both parties knowing.

no state prohibits all recording.

banks, phone companies, insurance companies, cable tv companies, etc.,
routinely record all calls and disclose it up front, which is legal in
every state.
Justin
2014-08-27 01:52:06 UTC
Permalink
On 8/26/14, 8:43 PM, nospam wrote:
> In article <ltj215$itn$***@dont-email.me>, Justin
> <***@ireallyhatespam.edu> wrote:
>
>> I don't know if you're in the US, but in my state it is illegal to
>> record phone calls, even if one party knows the call is being recorded.
>> I shit you not. Even if it is legal in one state, it falls under
>> federal wiretapping laws - this is what got Linda Tripp in trouble.
>
> federal law requires at least one party knows they're being recorded.

Correct.

>
> some states require both parties knowing.

Yes, I'm in one of them.

>
> no state prohibits all recording.
>
> banks, phone companies, insurance companies, cable tv companies, etc.,
> routinely record all calls and disclose it up front, which is legal in
> every state.
>

For "quality assurance purposes." That's what the warning generally
says and in some jurisdictions it limits those recordings from being
used in criminal or civil proceedings.
Rod Speed
2014-08-27 03:53:26 UTC
Permalink
Justin <***@ireallyhatespam.edu> wrote
> nospam wrote
>> Justin <***@ireallyhatespam.edu> wrote

>>> I don't know if you're in the US, but in my state it is illegal to
>>> record phone calls, even if one party knows the call is being recorded.
>>> I shit you not. Even if it is legal in one state, it falls under
>>> federal wiretapping laws - this is what got Linda Tripp in trouble.

>> federal law requires at least one party knows they're being recorded.

> Correct.

>> some states require both parties knowing.

> Yes, I'm in one of them.

>> no state prohibits all recording.

>> banks, phone companies, insurance companies, cable tv companies, etc.,
>> routinely record all calls and disclose it up front, which is legal in
>> every state.

> For "quality assurance purposes." That's what the warning generally says

But isnt the reason they do that.

> and in some jurisdictions it limits those recordings from being used in
> criminal or civil proceedings.

That's isnt the reason Ned recorded it, legally.
Ned Turnbull
2014-08-27 01:55:55 UTC
Permalink
On Tue, 26 Aug 2014 18:34:11 -0400, Justin wrote:

> I'm very interested in hearing the conversation, BUT...
> Make sure you edit out your name - even your first name. Maybe upload
> to a public proxy - nothing that can link you to what may be a federal
> crime - wiretapping (see above).
> These laws are stupid, outdated and get plenty of innocent people in
> major trouble.

Yikes.
Anyway, Marek has responded to my email, and we're communicating
by email.

I sent the original file (with my name and address bleeped out), and
a 5-minute version with just all the threats to me and my family.

As long as I'm not identifiable in the posting, he can put it on
the net, so others can know what to expect when they get the call.

I knew it was a scam from the very first second, but, they must
be getting *some* people to execute the file on Windows, otherwise,
they wouldn't be talking to me for 30 minutes.

BTW, when I listened to the recording, I noticed that the scammer
hesitated a few seconds after I said the fake number. I suspect
that he was looking for a response from the program. The fake
number I gave him, I think, wasn't at all what got him mad.

I think he realized I wasn't executing the file, since he always
hesitated about five or ten seconds before getting mad at me.

So, executing the file, almost certainly, communicates with him.
Ned Turnbull
2014-08-27 02:00:29 UTC
Permalink
On Tue, 26 Aug 2014 20:43:43 -0400, nospam wrote:

> no state prohibits all recording.

Marek has the 30-minute file now.

Marek doesn't have editing experience, so, if, when the
file is posted to the net, someone here who can edit
audio files, can volunteer to strip it down to the
essentials, that would be nice.

It's hard to listen to a 30-minute file (although my
family did, and they were worried).

It would be nice if, when Marek posts it, that someone
can strip it to a 3 minute or so file, of just the starting
point (where the scammer idenfifies himself as Microsoft IT,
and then, after my apparently inept response (heh heh), then
he begins to threaten me.

Also, if someone who knows Indian languages can listen, it
would be nice to know what he said when, near the 32-minute
mark, he's so frustrated that he says something in a foreign
language, before cursing me out again and threatening me, in
English.

Anyway, at this point, Marek will take the ball to post the
URL ...
dadiOH
2014-08-27 10:42:55 UTC
Permalink
"Ned Turnbull" <***@example.com> wrote in message
news:ltje3t$49t$***@news.mixmin.net

> Marek doesn't have editing experience, so, if, when the
> file is posted to the net, someone here who can edit
> audio files, can volunteer to strip it down to the
> essentials, that would be nice.

Only you know what the essentials are and - since you now have some wave
editing experience - there is no reason you can't do it yourself.
Basically...

1. start audacity or any other wave editor

2. load the file

3. select the area you want to delete (you can zoom in)

4. delete it (Been a long while since I used Audacity but Ctrl+ X
probably deletes, the DEL key may, certainly the edit menu will have an
option),

5. repeat #3 & #4 as necessary

6. save the file (use a new name so as to not overwrite the original)

A brief look at the "help" may be useful.


--

dadiOH
____________________________

Winters getting colder? Tired of the rat race?
Taxes out of hand? Maybe just ready for a change?
Check it out... http://www.floridaloghouse.net
Ned Turnbull
2014-08-27 13:22:04 UTC
Permalink
On Wed, 27 Aug 2014 06:42:55 -0400, dadiOH wrote:

> Only you know what the essentials are and - since you now have some wave
> editing experience - there is no reason you can't do it yourself.

Actually, I *did* do it, and the result was this 5-minute file:
https://app.box.com/s/czwpmr905zxqfk92rgxx
n***@_INVALID_.GOV
2014-08-26 23:08:15 UTC
Permalink
If offshore, then hitting these cockroaches is next to impossible but
the criminal could also be your next door neighbour. I've had a few of
these very calls in the last few months, when I threw a curve at one of
them the halflife was audibly consulting with a supervisor before
abruptly hanging up. I now have a prepaid bank card that is worth only
what I put on it the night before via the bank web site, they got my
'credit' for $4000 and then another $800 last year, barely got out of
that one. Change your card to prepaid, or leave the bank.
Ned Turnbull
2014-08-27 00:08:32 UTC
Permalink
On Tue, 26 Aug 2014 15:48:30 -0500, Marek Novotny wrote:

> Sure, my email address is shown in the header, but I rarely check it.
> Let me know if you send it. And yes, I will keep your email address
> private.

Hi Marek,
I have emailed you the 33-minute 3GB file in M4a format (aka MP4).
The only edits were to tone out my name and address near the beginning.

Of course, please do keep my email address private, but I do
thank you for volunteering to post the file for others to observe.

The threats against me and my entire family (individually and collectively)
start at about time point 21minutes and 30 seconds, and they continue,
unabated, until time point 23:50.

Miraculously, I am able to calm the guy down, and, I guess, since he
had already spent more than 20 minutes trying to reel me in, he
continued, calmly at first, to try to get me to allow him to log
into my machine remotely.

I couldn't hold him off with my lies (about what the numbers were that
were showing up on the screen, because I never executed his file and
never left Linux except to find a Windows machine to make the rebooting
sounds), so, finally, at almost the end of the 30 minute call, he
renewed his threats against me and my entire family at time point 32:24,
to time 33:29, at which time, he apparently hung up on me.

I never hung up until I got the dial tone, but, I sincerely believe
he was threatening me, as his voice level was so high that his middle
Indian accent even cracked a bit, and he uttered something in a foreign
language around the 32-minute time point.

I think he was frustrated that he *thought* he had a fish, but the
fish just wouldn't cooperate. :)

Please keep my email and name private when you post the audio, but,
let us know here what the URL is when you do post it.

Thanks,
Ned
Ned Turnbull
2014-08-27 01:12:27 UTC
Permalink
On Wed, 27 Aug 2014 00:08:32 +0000, Ned Turnbull wrote:

> Hi Marek,
> I have emailed you the 33-minute 3GB file in M4a format (aka MP4).
> The only edits were to tone out my name and address near the beginning.

Hi Marek,
The email to you bounced.

Delivery to the following recipient failed permanently:
***@marspolar.com
Technical details of permanent failure:
Message rejected.
.................

I will try just sending you an email, without an attachment.
Please reply back, and we can figure out why your mail bounced.

Otherwise, if someone can give me an address where I can upload
it using Tor, I will try that.

Most sites hate Tor, and all the Tor exit nodes are well known,
so, it needs to be a site that *works* with Tor though.

Ned
Edmund
2014-08-27 08:06:08 UTC
Permalink
On Tue, 26 Aug 2014 17:15:29 +0000, Ned Turnbull wrote:

> Today, I got the second of my "official" Windows Support Calls,
> from an Indian-accented guy wanting me to download software because my
> machine has been 'sending them messages'.
>
> So, I went onto Linux (for safety), and did everything he asked.
> I kept him going for 33 minutes, until he finally started swearing at me
> (actually using the f word and saying he was going to f my mother,
> daughter, etc.).
>
> On Android, I recorded the entire call, from when he asked my name and
> address (yes, it was correct, so, we need to find out *where* they are
> getting that info) down to the names of the machines and files.

Well, that is an easy one, Android/google is fact the 1000 times worse in
terms of spyware and big brother activity.
That starts with buying an android phone, at least my one -Samsung- is
packed with spyware crap I cannot even remove from MY phone!
1000 times it "ASK" my if it may record and use ALL my movements (GPS)
see and link ALL my contacts and the contacts of my contacts, my phone
number and the state of my phone on certain moments.
In Play/google the vast majority of apps, REQUIRE access to all kind of
things which is of no concern for such app at all.
Note that these are apps validated by google! Even if you may find one or
two apps that do not immediately require your credit card data and so on,
IT CAN CHANGE THAT WITHOUT ASKING YOU ANYTHING IN THE FIRST AUTOMATED
UPDATE!.
So much for privacy in combination with android, now you know why you
must not be surprised all your privet -android- data is available many.
I recently bought my first android phone and was shocked to see the
"requirements" of all those app that everyone seems to use without
reading anything and even more that I could not even remove software that
I do not want!

Maybe it is just me.

Edmund
Dave
2014-08-27 20:08:38 UTC
Permalink
On Tue, 26 Aug 2014 17:15:29 +0000, Ned Turnbull wrote:

> Today, I got the second of my "official" Windows Support Calls,
> from an Indian-accented guy wanting me to download software because my
> machine has been 'sending them messages'.
>
This scam is well known and I had to deal with it on someone's machine. In
that case they had installed software requiring a password to log on. The
person had previously been getting phone calls asking for money. She swore
she hadn't done anything to let them get access to her machine but she had
to have done something. Password crackers didn't work so after recovering
the few personal files she had using my trusty Puppy Linux boot stick, I
reinstalled her system.

I assume the phone call is random but I'm not sure what they do after
that, have the victim type in a url. Problem with that is a lot of the
people I deal with would have trouble doing that. Anyway, I'm sure like
any scam, they get enough victims to make it worth while.
Continue reading on narkive:
Loading...