N
Ned Turnbull
Guest
Can any of you tell from whence this caller came from, based on his
English accent (as he attempts to 'repair' my home Windows PC)?
Here is a 3MB 30-minute MP4 recording of an unsolicited call today that I
received from the âMicrosoft ITâ department, telling me my computer was
"sending reports" to them (this file kindly uploaded by Marek):
https://app.box.com/s/0yluyszg1qj2l83ynbm2
I realized it was a scam within the first seconds, but I was surprised,
that, at the 21:30 mark, the increasingly frustrated caller threatens to
f* up my entire family (explicitly threatening my sister, my mother, my
daughter, etc.).
That first tirade lasted more than two minutes, from 21:30 to 23:50.
Miraculously, the caller calmly resumes his attempt to get me to execute
the Microsoft file, even going so far as to attempt to remotely log into
my computer!
Despite the fact the caller calms down after the first set of invectives,
within 10 minutes, the caller repeats the threats against me and my
family at the 32:24 mark to about 33:29, which is essentially the end of
the recording.
Here is a truncated 400KB 5-minute recording with chirps inserted into
the removed (boring) sections:
https://app.box.com/s/czwpmr905zxqfk92rgxx
The first web site they had me go to was the following:
- http:// www (dot) windowscare (dot) us
Which brought me to:
- http:// www (dot) windowscare (dot) us/microsoft.com/
(Calling the listed phone number, +1-845-241-1234, just gets a computer-
generated recording identifying itself as "Thank you for calling Windows
Support ... please leave a message").
The domain is registered to "windows tech support" (all lower-case),
which has a New York, NY, postal address.
The caller then directed me to click on the green "Get Support" button at
that web page, which downloaded a Windows executable file (into my Linux /
tmp directory), which actually came from:
- http:// www (dot) ammyy (dot) com
The postal address for the ammyy domain is in Panama.
The downloaded file was 764KB file, named:
- 764184 Aug 26 09:28 AA_v3.exe
$ md5sum AA_v3.exe
- f8cd52b70a11a1fb3f29c6f89ff971ec AA_v3.exe
$ sha1sum AA_v3.exe
- 6a0c46818a6a10c2c5a98a0cce65fbaf95caa344 AA_v3.exe
The caller repeatedly asked me to execute that AA_v3.exe file, which, of
course, I wasn't going to do, so I had to fish for what he was looking
for as a result.
After quite a few false starts where I made up numbers, and many excuses,
I belatedly learned he was looking for an 8-digit number that starts with
39 just below the "client wait for session" text that said "Your ID".
Of course, I never came up with a valid number, which apparently
frustrated the caller, who probably thought, at first anyway, that he had
a fish hooked on his line from the very start.
At the 16:00 time point, he tried his second tack, which was to have me
boot my Windows XP pc to Safe Mode, so, I stalled until I could find a
Windows machine, and then booted it to "Safe Mode with Networking", where
he told me "it's totally safe now". At 18:12, he had me go to the same
web site above (you can hear me breathing heavily as I climb the stairs
from Windows to Linux).
The caller used the "broken record" approach, to get me to repeatedly run
the AA_v3.exe file, but I was guessing wrong as to what he had wanted me
to report back to him (having never executed the file).
Finally, at the 26:40 time point, the caller tried a third, and totally
new approach, which was for him to take over my machine so that he could
(presumably) download the file himself.
In order to take over my machine, he instructed me to go to:
http://www (dot) support (dot) me
Which took me to:
https://secure (dot) logmeinrescue (dot) com /Customer/Code.aspx
The postal address for the above domain is in Boston, MA.
Then he gave me the 6-digit logmeinrescue authorization code:
https://secure (dot) logmeinrescue (dot) com/Customer/TrialWarning.aspx?
code=106536
Entering that 6-digit code downloaded the Windows executable file into my
Linux /tmp directory:
1529152 Aug 26 09:51 Support-LogMeInRescue.exe
Which the Linux âfileâ command reports as:
Support-LogMeInRescue.exe: PE32 executable (GUI) Intel 80386, for MS
Windows
Afterward, I called LogMeInRescue at 1-877-337-2102, and at
1-866-478-1805 and provided them with the 6-digit number, for which they
thanked me, saying they will cancel the account, but that it could be a
trial account, and therefore, it would have little real impact.
They did say that the Support-LogMeInRescue.exe file allows the attacker
remote access to your Windows PC, but, since I was on Linux, they say
nothing would happen.
Where, probably in India?, do you think this accent came from?
I'm guessing somewhere in the middle or eastern India.
English accent (as he attempts to 'repair' my home Windows PC)?
Here is a 3MB 30-minute MP4 recording of an unsolicited call today that I
received from the âMicrosoft ITâ department, telling me my computer was
"sending reports" to them (this file kindly uploaded by Marek):
https://app.box.com/s/0yluyszg1qj2l83ynbm2
I realized it was a scam within the first seconds, but I was surprised,
that, at the 21:30 mark, the increasingly frustrated caller threatens to
f* up my entire family (explicitly threatening my sister, my mother, my
daughter, etc.).
That first tirade lasted more than two minutes, from 21:30 to 23:50.
Miraculously, the caller calmly resumes his attempt to get me to execute
the Microsoft file, even going so far as to attempt to remotely log into
my computer!
Despite the fact the caller calms down after the first set of invectives,
within 10 minutes, the caller repeats the threats against me and my
family at the 32:24 mark to about 33:29, which is essentially the end of
the recording.
Here is a truncated 400KB 5-minute recording with chirps inserted into
the removed (boring) sections:
https://app.box.com/s/czwpmr905zxqfk92rgxx
The first web site they had me go to was the following:
- http:// www (dot) windowscare (dot) us
Which brought me to:
- http:// www (dot) windowscare (dot) us/microsoft.com/
(Calling the listed phone number, +1-845-241-1234, just gets a computer-
generated recording identifying itself as "Thank you for calling Windows
Support ... please leave a message").
The domain is registered to "windows tech support" (all lower-case),
which has a New York, NY, postal address.
The caller then directed me to click on the green "Get Support" button at
that web page, which downloaded a Windows executable file (into my Linux /
tmp directory), which actually came from:
- http:// www (dot) ammyy (dot) com
The postal address for the ammyy domain is in Panama.
The downloaded file was 764KB file, named:
- 764184 Aug 26 09:28 AA_v3.exe
$ md5sum AA_v3.exe
- f8cd52b70a11a1fb3f29c6f89ff971ec AA_v3.exe
$ sha1sum AA_v3.exe
- 6a0c46818a6a10c2c5a98a0cce65fbaf95caa344 AA_v3.exe
The caller repeatedly asked me to execute that AA_v3.exe file, which, of
course, I wasn't going to do, so I had to fish for what he was looking
for as a result.
After quite a few false starts where I made up numbers, and many excuses,
I belatedly learned he was looking for an 8-digit number that starts with
39 just below the "client wait for session" text that said "Your ID".
Of course, I never came up with a valid number, which apparently
frustrated the caller, who probably thought, at first anyway, that he had
a fish hooked on his line from the very start.
At the 16:00 time point, he tried his second tack, which was to have me
boot my Windows XP pc to Safe Mode, so, I stalled until I could find a
Windows machine, and then booted it to "Safe Mode with Networking", where
he told me "it's totally safe now". At 18:12, he had me go to the same
web site above (you can hear me breathing heavily as I climb the stairs
from Windows to Linux).
The caller used the "broken record" approach, to get me to repeatedly run
the AA_v3.exe file, but I was guessing wrong as to what he had wanted me
to report back to him (having never executed the file).
Finally, at the 26:40 time point, the caller tried a third, and totally
new approach, which was for him to take over my machine so that he could
(presumably) download the file himself.
In order to take over my machine, he instructed me to go to:
http://www (dot) support (dot) me
Which took me to:
https://secure (dot) logmeinrescue (dot) com /Customer/Code.aspx
The postal address for the above domain is in Boston, MA.
Then he gave me the 6-digit logmeinrescue authorization code:
https://secure (dot) logmeinrescue (dot) com/Customer/TrialWarning.aspx?
code=106536
Entering that 6-digit code downloaded the Windows executable file into my
Linux /tmp directory:
1529152 Aug 26 09:51 Support-LogMeInRescue.exe
Which the Linux âfileâ command reports as:
Support-LogMeInRescue.exe: PE32 executable (GUI) Intel 80386, for MS
Windows
Afterward, I called LogMeInRescue at 1-877-337-2102, and at
1-866-478-1805 and provided them with the 6-digit number, for which they
thanked me, saying they will cancel the account, but that it could be a
trial account, and therefore, it would have little real impact.
They did say that the Support-LogMeInRescue.exe file allows the attacker
remote access to your Windows PC, but, since I was on Linux, they say
nothing would happen.
Where, probably in India?, do you think this accent came from?
I'm guessing somewhere in the middle or eastern India.
